Zero Configuration Networking

From Funtoo

Zero Configuration Networking, also called Zeroconf or [[wikipedia:Bonjour_(software)|Bonjour]] ([http://developer.apple.com/softwarelicensing/agreements/bonjour.html Apple's trademark] for their Zero Configuration Networking implementation) is a suite of related technologies that allow networked devices to interoperate on a local network without requiring explicit configuration.

== Requirements ==

Zero Configuration Networking requires the following things to operate:

* A valid IP address, obtained either by:
** Static assignment
** DHCP
** Link-local Addressing (part of Zero Configuration Networking)
* A means to address other devices by name, provided either by:
** DNS
** multicast DNS (mDNS -- part of Zero Configuration Networking)

== Service Discovery ==

On top of this, Zero Configuration Networking also provides a means to discover what services are available on each device. This is something that is provided exclusively by Zero Configuration Networking and is called Zeroconf Service Discovery.

== Configuration ==

In order to get these sorts of networking services running, some configuration needs to happen initially.

== Link-local Addresses ==

{{Fancynote|It's only necessary to use link-local addressing if you have no other means of obtaining a valid IP address on your LAN. Typically, this is the case if you are setting up a small or ad-hoc network where no DHCP server has been configured.}}

To use link-local addressing, first set up the proper routes:

<console>
###i## route add default dev eth0 metric 99
###i## route add -net 169.254.0.0 netmask 255.255.0.0 dev eth0 metric 99
</console>

Then, use <tt>avahi-autoipd</tt> to discover a valid link-local IP address:

<console>
###i## /usr/sbin/avahi-autoipd --daemonize --syslog --wait eth0
</console>

Once a valid link-local IP address is found, eth0 will have a <tt>169.254.x.x</tt> address that can be used to communicate on the local LAN.

As an alternative, you can have dhcpcd built with <code>USE="zeroconf"</code>, and it will provide a link-local address if no DHCP server is found.

== Multicast DNS ==

Multicast DNS, or mDNS, is a means by which individual machines can broadcast their DNS information to machines on the local LAN so that a DNS server is not required to address local devices by name. The ".local" domain is typically used for multicast DNS, so your laptop might be addressable by pinging "mylaptop.local", for example. mDNS is not necessary if you have some other means of addressing machines by name, such as unicast (regular) DNS. But many LANs do not have their own DNS server configured, in which case mDNS can be very handy.

=== .local Hostname Suffix ===

If you want to configure your Funtoo Linux system to be addressable on your LAN using a <tt>myhostname.local</tt> address, first ensure that you set your system's hostname in <tt>/etc/conf.d/hostname</tt>, and use ''only'' the non-qualified name, so don't add a <tt>.local</tt> yourself. Multicast DNS will automatically use that suffix. Here is a sample <tt>/etc/conf.d/hostname</tt> for a machine on my network that I can ping from other machines as <tt>antec.local</tt>:

<pre>
hostname="antec"
</pre>

== Receiving mDNS ==

The package {{Package|sys-auth/nss-mdns}} provides the necessary functionality for your Funtoo/Gentoo Linux machine to receive mDNS broadcasts, so that it can do things like ping mybox.local, or ssh mylaptop.local.

From the [http://0pointer.de/lennart/projects/nss-mdns/#overview nss-mdns] home page:

''nss-mdns is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) providing host name resolution via Multicast DNS (aka Zeroconf, aka Apple Rendezvous, aka Apple Bonjour), effectively allowing name resolution by common Unix/Linux programs in the ad-hoc mDNS domain .local.''

''nss-mdns provides client functionality only, which means that you have to run a mDNS responder daemon separately from nss-mdns if you want to register the local host name via mDNS. I recommend Avahi.''

''nss-mdns is very lightweight (9 KByte stripped binary .so compiled with -DNDEBUG=1 -Os on i386, gcc 4.0), has no dependencies besides the glibc and requires only minimal configuration.''

''By default nss-mdns tries to contact a running avahi-daemon for resolving host names and addresses and making use of its superior record caching. Optionally nss-mdns can be compiled with a mini mDNS stack that can be used to resolve host names without a local Avahi installation. Both Avahi support and this mini mDNS stack are optional, however at least one of them needs to be enabled. If both are enabled a connection to Avahi is tried first, and if that fails the mini mDNS stack is used.''

<console>
###i## emerge -av nss-mdns
</console>

Set up multicast route:

<console>
###i## route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
</console>

Note: Adding <code>multicast="yes"</code> in <code>/etc/conf.d/netif.foo</code> (replace foo with your actual network interface name) will set up the multicast route automatically at startup.

Now, it's necessary to modify <tt>/etc/nsswitch.conf</tt> so that your system will use multicast DNS for hostname lookup. In the example, we use the <tt>mdns_minimal</tt> and <tt>mdns</tt> words, which enable multicast DNS for IPv4 and IPv6. If you only want to enable IPv4-based multicast DNS, which is recommended for IPv4-only networks, use <tt>mdns4_minimal</tt> and <tt>mdns4</tt> instead. This will improve hostname lookup performance.

<pre>
hosts:      files mdns_minimal [NOTFOUND=return] dns mdns
</pre>

== Sending Multicast DNS ==

Avahi-daemon handles the task of '''sending''' multicast DNS broadcasts, as well as service discovery broadcasts, on your local LAN. If you want other devices to be able to reach your Funtoo/Gentoo Linux machine via multicast DNS, and Zeroconf Service Discovery, you'll want to enable avahi-daemon. This will also improve the efficiency of performing multicast DNS lookups locally.

<console>
###i## rc-update add avahi-daemon default
###i## rc
</console>

Test:

<console>
###i## ping daniel-pc.local
PING daniel-pc.local (10.0.1.11) 56(84) bytes of data.
64 bytes from Daniel-PC.local (10.0.1.11): icmp_req=1 ttl=128 time=3.73 ms
64 bytes from Daniel-PC.local (10.0.1.11): icmp_req=2 ttl=128 time=0.905 ms
64 bytes from Daniel-PC.local (10.0.1.11): icmp_req=3 ttl=128 time=0.922 ms
64 bytes from Daniel-PC.local (10.0.1.11): icmp_req=4 ttl=128 time=0.827 ms
</console>

== Service Discovery ==

Get a list of services on the LAN:

<console>
###i## avahi-browse -ac
</console>

== Resources ==

* [http://developer.apple.com/library/mac/#qa/qa2004/qa1357.html Apple Technical Q&A QA1357]
* [http://en.gentoo-wiki.com/wiki/Avahi Gentoo Wiki Avahi]
* [http://www.ibiblio.org/pub/linux/docs/HOWTO/other-formats/html_single/Multicast-HOWTO.html#toc2 Multicast over TCP/IP HOWTO]
* [http://sitka.triumf.ca/pub/linux/multicast-FAQ Linux Multicast FAQ]
* [http://www.multicastdns.org/ multicastdns.org]

[[Category:HOWTO]]
[[Category:Networking]]


Cloud Backup
Revision as of 22:42, 19 February 2014


This howto describes a method for automatically backing up your Funtoo install to the internet, in this case Dropbox, but any online storage will do. Gentoo describes a method of creating a stage 4 archive. The problem with a stage 4 is that it is large and it archives a lot of unnecessary files, such as applications that can be reinstalled from an emerge of the world set. Instead, this method aims for more of a "stage 3.5".

Note: This method does not attempt to back up everything. The intention is only to back up the system. Optionally you can also archive and copy your /home folder if you have enough online storage.

Use Case

A backup machine currently provides network drives on a home LAN for clients on the LAN to back up to, using apps such as Time Machine (Mac) and Genie Timeline (Windows). As this machine is the backup machine, it doesn't have anywhere to back up to itself. In this situation a backup solution is provided by backing up to somewhere online: Dropbox. If a restore from the backup is required, the client machines' backups would be trashed and the backup machine restored.

Automatic Backup Archives With Etckeeper

Etckeeper is a tool that is used to save versions of /etc, including meta-data in a version control repository such as git. As etckeeper is not in the funtoo portage tree, layman is used to provide an overlay.

Install etckeeper via layman

Before you install layman it is worth mentioning that you probably want USE="git subversion" in /etc/portage/make.conf. After adjusting use flags, to install layman you run:

# emerge layman

In order to backup the layman configuration, but not the portage overlay trees, make the following modifications to the default install. Tell Portage about layman-fetched repositories by adding the following line to /etc/portage/make.conf:


source /etc/layman/make.conf

Modify the following lines in /etc/layman/layman.cfg:


storage   : /var/lib/layman
installed : /etc/layman/installed.xml
make_conf : /etc/layman/make.conf

Add the bgo-overlay, as described on its web page, bgo.zugaina.org.

# layman -o http://gpo.zugaina.org/lst/gpo-repositories.xml -L
# layman -a bgo-overlay -o http://gpo.zugaina.org/lst/gpo-repositories.xml

More information about layman can be found here: http://www.gentoo.org/proj/en/overlays/userguide.xml

Then unmask and install etckeeper.

# emerge etckeeper --autounmask-write
# emerge etckeeper

Note: To update layman overlays do:

# layman -S


If you see the following error, apply this fix:

# emerge etckeeper
Calculating dependencies... done!
>>> Verifying ebuild manifests
!!! A file is not listed in the Manifest: '/var/lib/layman/bgo-overlay/sys-apps/etckeeper/files/etckeeper-gentoo-0.58.patch'

# cd /var/lib/layman/bgo-overlay/sys-apps/etckeeper
# ebuild etckeeper-0.58-r2.ebuild manifest
# emerge etckeeper

Configure etckeeper

Move any config files that do not live in /etc into it. For example, check /root for any files that should be archived, such as iptables scripts, and move them to /etc.

Note: because funtoo uses Boot-Update, this means /boot/grub/grub.cfg does not need to be archived.

To ensure your portage world file is archived, make the following link:

# ln /var/lib/portage/world /etc/world

Initialise the git repository.

# etckeeper init
Initialized empty Git repository in /etc/.git/
# etckeeper commit "Initial commit."

If you don't already have cron installed, emerge it now.

# emerge vixie-cron

And write the cron job to save an hourly version of /etc.

Note: git will only create a new version (commit) if there are changes from the previous one.

Edit the file /etc/cron.hourly/etckeeper:


#! /bin/bash
etckeeper commit "Hourly auto-commit"

Encrypt and copy backups online

Copy To Dropbox

# emerge dropbox

Add a dropbox user:

# useradd dropbox

Write the dropbox init files. First the configuration, /etc/conf.d/dropbox:

DROPBOX_USERS="dropbox"

Then the init script, /etc/init.d/dropbox:

#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /var/cvsroot/gentoo-x86/sys-fs/dropbox/files/dropbox.init-1.0,v 1.4 2007/04/04 13:35:25 cardoe Exp $

NICENESS=5

depend() {
    need localmount net
    after bootmisc
}

start() {
    ebegin "Starting dropbox..."
    for dbuser in $DROPBOX_USERS; do
        start-stop-daemon -S -b -m --pidfile /var/run/dropbox-$dbuser.pid  -N $NICENESS -u $dbuser -v -e HOME="/home/$dbuser" -x /opt/dropbox/dropboxd
    done
    eend $?
}

stop() {
    ebegin "Stopping dropbox..."
    for dbuser in $DROPBOX_USERS; do
        start-stop-daemon --stop --pidfile /var/run/dropbox-$dbuser.pid
    done
    eend $?
}

status() {
    for dbuser in $DROPBOX_USERS; do
        if [ -e /var/run/dropbox-$dbuser.pid ] ; then
            echo "dropboxd for USER $dbuser: running."
        else
            echo "dropboxd for USER $dbuser: not running."
        fi
    done
    eend $?
}

Start dropbox now and at boot time:

# chmod 0755 /etc/init.d/dropbox 
# /etc/init.d/dropbox start
# rc-update add dropbox default

After starting the dropbox daemon, it will print an http link. You need to visit this link just once to associate your computer with your dropbox account.

Write the cron job to make the backup archive and move it online. Edit the file /etc/cron.daily/backup:


#! /bin/bash
cd /etc
git bundle create /tmp/backup.bundle --all
cd /tmp
mv -v -f backup.bundle /home/dropbox/Dropbox/Private/

Make the script executable:

# chmod +x /etc/cron.daily/backup 
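The cron job above does the job, but it builds the bundle in /tmp with whatever umask cron runs with (0644 under the default 022, i.e. readable by every local user until the move), and it ships the file without checking that git can actually read it back. The following is an added example, not the Funtoo page's script, of a hardened /etc/cron.daily/backup that does the same work: it uses a private scratch directory under umask 077, runs git bundle verify before shipping, and removes the scratch directory on every exit path. ETC_REPO, DEST_DIR, RUN_BACKUP and the function names are this example's own choices.

```shell
#!/bin/bash
# Added example, not the Funtoo page's script: a hardened /etc/cron.daily/backup.
# ETC_REPO, DEST_DIR, RUN_BACKUP and the function names are this example's own.
set -eu

ETC_REPO="${ETC_REPO:-/etc}"                           # assumed: the etckeeper repository
DEST_DIR="${DEST_DIR:-/home/dropbox/Dropbox/Private}"  # assumed: the Dropbox folder

# make_bundle REPO OUTFILE: bundle every ref of REPO into OUTFILE (an absolute
# path) and verify the result. Fails if REPO is not a git repository or the
# bundle does not verify. umask 077 makes the file 0600 instead of the 0644 a
# cron job with the default umask would produce.
make_bundle() {
    repo="$1"; out="$2"
    umask 077
    git -C "$repo" rev-parse --git-dir >/dev/null 2>&1 || return 1
    git -C "$repo" bundle create "$out" --all >/dev/null 2>&1 || return 1
    # git must be inside a repository to verify a bundle, hence -C again.
    git -C "$repo" bundle verify "$out" >/dev/null 2>&1
}

# file_is_private FILE: succeed only if FILE has no group/other permission
# bits. Used as a guard that the umask really took effect.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# run_backup: the cron job body. The bundle is built in a private scratch
# directory that is removed on exit whether or not the backup succeeded, and
# only a verified bundle is moved into the Dropbox folder.
run_backup() {
    umask 077
    scratch=$(mktemp -d) || return 1
    trap 'rm -rf "$scratch"' EXIT
    make_bundle "$ETC_REPO" "$scratch/backup.bundle" || return 1
    file_is_private "$scratch/backup.bundle" || return 1
    mv -f "$scratch/backup.bundle" "$DEST_DIR/backup.bundle"
}

# Guard so the file can be sourced for testing; as the installed cron job,
# run it with RUN_BACKUP=1 in the environment or remove the guard.
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    run_backup
fi
```

Installed as the cron job, the guard can simply be dropped; it only exists so the functions can be sourced and exercised against a throwaway repository without touching /etc.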

Encrypt Backups

It is a good idea to encrypt your backup before moving it online. This can be done with gpg, using either symmetric (password only) or public/private key encryption. Additionally you can choose to sign the backup so its integrity can be checked before restoring.

# emerge gpg

Symmetric Encryption

There is no preparation required to use a symmetric key as all that is required is simply a passphrase. Just modify the cron job. Edit /etc/cron.daily/backup:


#! /bin/bash
cd /etc
git bundle create /tmp/backup.bundle --all
cd /tmp
echo 'encryption_password' | gpg -o backup.gpg --batch --homedir /root/.gnupg -vvv --passphrase-fd 0 --yes -c backup.bundle
mv -v -f backup.gpg /home/dropbox/Dropbox/Private/

Important: Remember to change "encryption_password".

Warning: If you forget this password the backup will be unusable. Lose the password and you lose the backup.

As there is now sensitive information in this file, you might want to remove read permission:

# chmod og-r /etc/cron.daily/backup 
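The symmetric variant puts the passphrase inside the script, which is why the chmod above is needed, and it leaves the unencrypted backup.bundle behind in /tmp next to the ciphertext. An alternative, added here as an example rather than taken from the page, keeps the passphrase in its own 0600 file that gpg reads with --passphrase-file, refuses to run if that file is readable by group or other, and deletes the plaintext bundle once the ciphertext exists. The path /root/.backup-passphrase and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the Funtoo page's script: symmetric encryption step for
# /etc/cron.daily/backup with the passphrase kept in a separate root-only
# file instead of inside the script. PASS_FILE and the function names are
# this example's own choices.
set -eu

PASS_FILE="${PASS_FILE:-/root/.backup-passphrase}"   # assumed location, mode 0600

# secret_file_ok FILE: succeed only if FILE is a regular, non-empty file with
# no group/other permission bits. The backup is only as strong as this file,
# so refuse to proceed if anyone else on the machine could read it.
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -s "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# encrypt_bundle PLAINTEXT CIPHERTEXT: gpg --symmetric (the page's -c) with
# the passphrase read from PASS_FILE, then remove the plaintext so no
# unencrypted copy of /etc is left behind. --pinentry-mode loopback is what
# GnuPG 2.1 and later need for --passphrase-file to be honoured in --batch
# mode; GnuPG 1.4 and 2.0 do not know the option, so drop it there.
encrypt_bundle() {
    plain="$1"; cipher="$2"
    secret_file_ok "$PASS_FILE" || return 1
    umask 077
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$PASS_FILE" \
        --cipher-algo AES256 \
        --output "$cipher" --symmetric "$plain" || return 1
    rm -f "$plain"
}
```

In the page's script, the line beginning `echo 'encryption_password' | gpg ...` becomes `encrypt_bundle /tmp/backup.bundle /tmp/backup.gpg`, and the script itself no longer contains anything secret; the passphrase file is created once with `umask 077` and never appears in the cron job or in `ps` output.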

Private/Public key Encryption

Make a private/public encryption/decryption key pair. The public key will be used to encrypt and the private key to decrypt.

# gpg --gen-key

The public key is used to create the encrypted backup and needs to live on the computer being backed up. A copy of the private key needs to be made and stored securely in another place. If this machine becomes unbootable, and this is the only place the private key lives, the backup dies with it. The private key should not be kept:

  1. In the same place as the backup
  2. On the machine being backed up

Note: The private key is the only key that will decrypt the backup. Lose this key and/or its password and you lose the backup.

List the private keys:

# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec   2048R/0EF13559 2012-01-21
uid                  my_key <noone@example.com>
ssb   2048R/67417FEB 2012-01-21

The private key can be exported using either the key name or key number, in this case "my_key" or "0EF13559". To export it as text for cutting and pasting (e.g. if logging in remotely):

# gpg -a --export-secret-key 0EF13559

To create a key file:

# gpg -o private_decryption.gpgkey --export-secret-key 0EF13559

Now store this key somewhere secure. The backup is only as secure as the private key.

Modify the cron job at /etc/cron.daily/backup:


#! /bin/bash
cd /etc
git bundle create /tmp/backup.bundle --all
cd /tmp
gpg -o backup.gpg -r 'my-key' --batch --homedir /root/.gnupg -vvv  --passphrase-fd 0 --yes -e backup.bundle
mv -v -f backup.gpg /home/dropbox/Dropbox/Private/

Replace "my-key" with the appropriate name from the key list. Also note the change from -c for symmetric encryption to -e for private/public key encryption.

Sign Backups

Create a 2nd private/public (signing) key pair. The private key is used to sign and the public key is used to check the authenticity/integrity.

# gpg --gen-key

Note: The password for this key will be required in the script below.

In this case the private key is required to sign the backup and the public key is used to check the integrity of the backup. Follow a similar process as above to copy the public key to another computer or storage medium.

List the public keys (it is the public half of the signing key pair that gets exported here):

# gpg -k

Note: -K lists private keys while -k lists public keys.

Then export this public key via cut and paste:

# gpg -a --export <key name or number>

Or to create a key file:

# gpg -o public_signing.gpgkey --export <key name or number>

Now store this key somewhere secure.

Modify the backup cron job at /etc/cron.daily/backup:


#! /bin/bash
cd /etc
git bundle create /tmp/backup.bundle --all
cd /tmp
echo 'signing_key_password' | gpg -s -u 'my-signing-key' -o backup.gpg -r 'my-encryption-key' --batch --homedir /root/.gnupg -vvv --passphrase-fd 0 --yes -e backup.bundle
mv -v -f backup.gpg /home/dropbox/Dropbox/Private/

Note: the script will require the password for your private (signing) key to sign the backup. Replace "signing_key_password" with the password for your signing private key, "my-signing-key" with the name of the signing key, and "my-encryption-key" with the name of the encryption key. Without -u, gpg signs with its default (first) secret key, which may be the encryption key rather than the signing key you just created.

As there is sensitive information in this file, don't forget to remove read permission:

# chmod og-r /etc/cron.daily/backup

To Restore From A Backup

This restore assumes you are starting with a new blank disk. Start by performing a stage 3 install, up to and including section 5 "Chroot into your new system." http://www.funtoo.org/wiki/Funtoo_Linux_Installation

Then the restore process is:

  1. Download backup from dropbox
  2. Decrypt
  3. Clone
  4. Link world file
  5. Emerge world
  6. Compile the kernel
  7. Restore grub bootloader
  8. Reboot

Download backup from dropbox

Log into your dropbox account and find your backup file. Move it to a public area if it isn't already in one. Then right click on it and click "copy public link." Now on the computer to be restored, delete the contents of the /etc folder and download the backup file.

(Need to check whether this needs to be done before chrooting into the new install.)

# cd /etc
# rm -rf *
# cd /tmp
# wget http://dl.dropbox.com/link-to-backup-file/backup.gpg

Note: if you have to copy the link from another computer and therefore cannot cut and paste it, there is a "shorten link" option.

Decrypt

If you used a public/private key to encrypt, and optionally signed the backup, import the decryption and signing keys.

Note:

  1. The decryption key is the private key of the encryption key pair - private_decryption.gpgkey
  2. The signing key is the public key of the signing key pair - public_signing.gpgkey

To import the keys by cut and paste:

# gpg --import <<EOF

Note: The last line after pasting the key should be "EOF".

Repeat for both keys.

To import the keys by file:

# gpg --import private_decryption.gpgkey
# gpg --import public_signing.gpgkey

Decrypt the backup:

# gpg -d backup.gpg > backup.bundle

If the backup was signed and you have correctly imported the signing public key you should see a message similar to:

gpg: Good signature from "my_signing_key <noone@example.com>"

Clone

# git clone /tmp/backup.bundle /etc/
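Decrypting with a bare gpg -d and looking for "Good signature" checks less than it appears to: gpg prints that line for any key that happens to be in the keyring, and nothing confirms the decrypted file is an intact git bundle until git reads it. As an added example, not part of the page, the helper below makes both checks explicit before anything is cloned over /etc: it reads gpg's machine-readable --status-fd output and requires a VALIDSIG line carrying the fingerprint of the signing key you created, then runs git bundle verify before git clone. The status lines and fingerprints in the block are constructed samples, and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the Funtoo page: verify the downloaded backup
# before restoring it. SAMPLE_STATUS and its fingerprints are constructed;
# function names are this example's own.
set -eu

# Constructed sample of what 'gpg --status-fd 1 --decrypt' emits for a file
# that was signed and encrypted (abbreviated; fingerprints are made up).
SAMPLE_STATUS='[GNUPG:] ENC_TO 1234567890ABCDEF 1 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 0123456789ABCDEF my_signing_key <noone@example.com>
[GNUPG:] VALIDSIG A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0 2014-02-19 1392850920 0 4 0 1 2 00 A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0
[GNUPG:] END_DECRYPTION'

# signature_ok STATUS EXPECTED_FPR: succeed only if STATUS contains a VALIDSIG
# line whose fingerprint (field 3) equals EXPECTED_FPR, compared case-
# insensitively. A GOODSIG line alone is not enough: it only says that some
# imported key made the signature, not that it was the backup signing key.
signature_ok() {
    status="$1"
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    got=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# decrypt_and_check CIPHERTEXT BUNDLE EXPECTED_FPR: decrypt CIPHERTEXT into
# BUNDLE and keep it only if the signature is valid and from EXPECTED_FPR.
decrypt_and_check() {
    cipher="$1"; bundle="$2"; want="$3"
    umask 077
    status=$(gpg --batch --status-fd 1 --output "$bundle" --decrypt "$cipher") || return 1
    signature_ok "$status" "$want" || { rm -f "$bundle"; return 1; }
}

# restore_etc BUNDLE TARGET: check that BUNDLE is a complete, self-contained
# git bundle (git needs to be inside some repository to verify one, so a
# throwaway repo is used), then clone it into TARGET, which must be empty.
restore_etc() {
    bundle="$1"; target="$2"
    scratch=$(mktemp -d) || return 1
    git init -q "$scratch" || { rm -rf "$scratch"; return 1; }
    git -C "$scratch" bundle verify "$bundle" >/dev/null 2>&1 || { rm -rf "$scratch"; return 1; }
    rm -rf "$scratch"
    git clone -q "$bundle" "$target"
}
```

With the page's file names, the Decrypt and Clone steps become `decrypt_and_check /tmp/backup.gpg /tmp/backup.bundle <fingerprint> && restore_etc /tmp/backup.bundle /etc`, where the fingerprint is the one `gpg --fingerprint` shows for the signing key and should be recorded somewhere other than the backup itself, like the keys.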

Link world file

# ln -f /etc/world /var/lib/portage/world

(-f replaces the world file the stage 3 install already created; without it ln refuses to overwrite an existing target.)

Emerge world

# emerge --sync
# layman -S
# emerge -uDaNv world

Compile the kernel (genkernel)

If you have genkernel set to save config files (the default):

# cp /etc/kernels/kernel-config-x86_64-<latest version>-gentoo /usr/src/linux/.config 

Otherwise use the currently loaded kernel's config:

# zcat /proc/config.gz > /usr/src/linux/.config 

Then compile the kernel:

# genkernel --oldconfig --no-mrproper all 

Restore grub bootloader

# grub-install --no-floppy /dev/sda
# boot-update

Adjust the device as required if installing to another location.

Reboot

# reboot