A backup machine currently provides network drives on a home LAN to allow clients on the LAN to backup to, using apps such as Time Machine (Mac) and Genie Timeline (Windows). As this machine is the backup machine it doesn't have anywhere to backup to itself. In this situation a backup solution is provided by backing up to somewhere online - dropbox. If a restore from the backup is required, the client machine's backups would be trashed, and the backup machine restored.
Automatic Backup Archives With Etckeeper
Etckeeper is a tool that is used to save versions of /etc, including meta-data in a version control repository such as git. As etckeeper is not in the funtoo portage tree, layman is used to provide an overlay.
Install etckeeper via layman
Before you install layman it is worth mentioning that you probably want USE="git subversion" in /etc/portage/make.conf. After adjusting use flags, to install layman you run:
# emerge layman
In order to backup the layman configuration, but not the portage overlay trees, make the following modifications to the default install. Tell Portage about layman-fetched repositories by adding the following line to /etc/portage/make.conf
Modify the following lines in /etc/layman/layman.cfg:
Add the bgo-overlay. As described on their web page, bgo.zugaina.org.
# layman -o http://gpo.zugaina.org/lst/gpo-repositories.xml -L # layman -a bgo-overlay -o http://gpo.zugaina.org/lst/gpo-repositories.xml
More information about layman can be found here: http://www.gentoo.org/proj/en/overlays/userguide.xml
Then unmask and install etckeeper.
# emerge etckeeper --autounmask-write # emerge etckeeper
# layman -SIf you see the following error -- apply this fix:
# emerge etckeeper Calculating dependencies... done! >>> Verifying ebuild manifests !!! A file is not listed in the Manifest: '/var/lib/layman/bgo-overlay/sys-apps/etckeeper/files/etckeeper-gentoo-0.58.patch' # cd /var/lib/layman/bgo-overlay/sys-apps/etckeeper # ebuild etckeeper-0.58-r2.ebuild manifest # emerge etckeeper
Move any config files that do not live in /etc. i.e. Check /root for any files to be archive, such as iptables scripts and move them to /etc.
To ensure your portage world file is archived, make the following link:
# ln /var/lib/portage/world /etc/world
Initialise the git repository.
# etckeeper init Initialized empty Git repository in /etc/.git/ # etckeeper commit "Initial commit."
If you don't already have cron installed, emerge it now.
# emerge vixie-cron
And write the cron job to save an hourly version of /etc.
Encrypt and copy backups online
Copy To Dropbox
# emerge dropbox
Add a dropbox user:
# useradd dropbox
Write the dropbox init files.
Start dropbox now and at boot time.
# chmod 0755 /etc/init.d/dropbox # /etc/init.d/dropbox start # rc-update add dropbox default
After starting the dropbox daemon, it will provide a http link. You will need to visit this site just once to associate your computer with your dropbox account.
Write the cron job to make the backup archive and move it online.
Make the script executable:
# chmod +x /etc/cron.daily/backup
It is a good idea to encrypt your backup before moving it online. This can be done with gpg, using a symmetric (password only) or public/private key encryption. Additionally you can chose to sign the backup to check its integrity before restoring.
# emerge gpg
There is no preparation required to use a symmetric key as all that is required is simply a passphrase. Just modify the cron job.
Remember to change "encryption_password"
As there is now sensitive information in this file you might want to remove read permission.
# chmod og-r /etc/cron.daily/backup
Private/Public key Encryption
Make a private/public encryption/decryptions key pair. The public key will be used to encrypt and the private key to decrypt.
# gpg --gen-key
The public key is used to create the encrypted backup and needs to live on the computer being backed up. A copy of the private key needs to be made and stored securely in another place. If this machine becomes unbootable, and this is the only place the private key lives, the backup dies with it. The private key should not be kept:
- In the same place as the back up
- On the machine being backed up
List the private keys:
# gpg -K /root/.gnupg/secring.gpg ------------------------ sec 2048R/0EF13559 2012-01-21 uid my_key <firstname.lastname@example.org> ssb 2048R/67417FEB 2012-01-21
The private key can be exported using either the key name or key number. In this case "my_key" or "0EF13559". To cut and paste the key. Ie, if logging in remotely.
# gpg -a --export-secret-key 0EF13559
To create a key file:
# gpg -o private_decryption.gpgkey --export-secret-key 0EF13559
Now store this key somewhere secure. The backup is only as secure as the private key.
Modify the cron job:
Replace "my-key" with the appropriate name from the key list. Also note the change from -c for symmetric encryption to -e for private/public key encryption
Create a 2nd private/public (signing) key pair. The private key is used to sign and the public key is used to check the authenticity/integrity.
# gpg --gen-key
In this case the private key is required to sign the backup and the public key is used to check the integrity of the backup. Follow a similar process as above to copy the public key to to another computer/storage media.
List the private keys:
# gpg -k
Then export this public key via cut and paste:
# gpg -a --export <key name or number>
Or to create a key file:
# gpg -o public_signing.gpgkey --export <key name or number>
Now store this key somewhere secure.
Modify the backup cron job:
And as there is sensitive information in this file don't forget to remove read permission.
# chmod og-r /etc/cron.daily/backup
To Restore From A Backup
This restore will assume your are starting with a new blank disk. Start by performing a stage 3 install, upto and including section 5 "Chroot into your new system." http://www.funtoo.org/wiki/Funtoo_Linux_Installation
Then the restore process is:
- Download backup from dropbox
- Link world file
- Emerge world
- Compile the kernel
- Restore grub bootloader
Download backup from dropbox
Log into your dropbox account and find your backup file. Move it to a public area if it isn't already in one. Then right click on it and click "copy public link." Now on the computer to be restored, delete the contents of the /etc folder and download the backup file.
(Need to check if this needs done before chrooting into the new install).
# cd /etc # rm -rf * # cd /tmp # wget http://dl.dropbox.com/link-to-backup-file/backup.gpg
If you used a public/private key to encrypt, and optionally signed the backup, import the decryption and signing keys.
- The decryption key is the private key of the encryption key pair - private_decryption.gpgkey
- The signing key is the public key of the signing key pair - public_signing.gpgkey
To import the keys by cut and paste:
# gpg --import <<EOF
Repeat for both keys.
To import the keys by file:
# gpg --import private_decryption.gpgkey # gpg --import public_signing.gpgkey
Decrypt the backup:
# gpg -d backup.gpg > backup.bundle
If the backup was signed and you have correctly imported the signing public key you should see a message similar to:
gpg: Good signature from "my_signing_key <email@example.com>"
# git clone /tmp/backup.bundle /etc/
Link world file
# ln /etc/world /var/lib/portage/world
# emerge --sync # layman -S # emerge -uDaNv world
Compile the kernel (genkernel)
If you have genkernel set to save config files (the default):
# cp /etc/kernels/kernel-config-x86_64-<latest version>-gentoo /usr/src/linux/.config
Otherwise use the currently loaded kernel's config:
# zcat /proc/config.gz > /usr/src/linux/.config
Then compile the kernel:
# genkernel --oldconfig --no-mrproper all
Restore grub bootloader
# grub-install --no-floppy /dev/sda # boot-update
Adjust the device as required if installing to another location.