Valentin Lab d84472a277 new: [rsync-backup-target] add ``ssh-key get-type IDENT`` to get backup type info 4 years ago
build new: [rsync-backup-target] add ``ssh-key get-type IDENT`` to get backup type info 4 years ago
hooks fix: [rsync-backup-target] service would not be restarted upon admin key change 4 years ago
resources/bin new: [rsync-backup-target] allow dynamic management of backup keys 4 years ago
README.org new: [rsync-backup-target] add recover key mechanism 4 years ago
metadata.yml new: [rsync-backup-target] allow dynamic management of backup keys 4 years ago

README.org

rsync-backup-target

Usage of this service

Configuration example

rsync-backup-target:
  # docker-compose:
  #   ports:
  #     - "10023:22"
  options:
    admin:   ## Admin keys: their holders may write to the target with rsync and manage backup keys
      myadmin:
      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDESdz8bWtVcDQJ68IE/KpuZM9tAq\
        ZDXGbvEVnTg16/yWqBGQg0QZdDjISsPn7D3Zr64g2qgD9n7EZghfGP9TkitvfrBYx8p\
        7JkkUyt8nxklwOlKZFD5b3PF2bHloSsmjnP8ZMp5Ar7E+tn1guGrCrTcFIebpVGR3qF\
        hRN9AlWNR+ekWo88ZlLJIrqD26jbWRJZm4nPCgqwhJwfHE3aVwfWGOqjSp4ij+jr2ac\
        Arg7eD4clBPYIqKlqbfNRD5MFAH9sbB6jkebQCAUwNRwV7pKwCEt79HnCMoMjnZh6Ww\
        6TlHIFw936C2ZiTBuofMx7yoAeqpifyzz/T5wsFLYWwSnX rsync@zen"

Adding new keys for backup

This can be done through the admin accounts configured in compose.yml.

You can then use ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key:

$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key add "ssh-rsa AAA...Jdhwhv rsync@sourcelabel"
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
..Jdhwhv sourcelabel
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key rm sourcelabel
$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key ls
$

Requesting a recover only key

As an admin, requesting a recover-only key for an ident that you own gives you read access (and only read access) to the content of that ident. You can hand these credentials to any new host so that it gets direct read access and can restore the backup there.

$ ssh myadmin@$RSYNC_BACKUP_TARGET ssh-key request-recovery-key myident > /tmp/private_key
$ chmod 500 /tmp/private_key
$ rsync -e "ssh -p 22 -i /tmp/private_key -l rsync" \
      -azvArH --delete --delete-excluded \
      --partial --partial-dir .rsync-partial \
      --numeric-ids $RSYNC_BACKUP_TARGET:/var/mirror/myident/etc/ /tmp/etc

This key expires 15 min after the last recovery.

Troubleshooting

Faking access from client

This should work:

RSYNC_BACKUP_TARGET=172.18.0.2   # same variable name as used in the command below
rsync -azvA -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
  /tmp/toto "$RSYNC_BACKUP_TARGET":/var/mirror/client1

Direct ssh access should be refused

RSYNC_BACKUP_TARGET=172.18.0.2   # same variable name as used in the command below
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
  "$RSYNC_BACKUP_TARGET"

Wrong directory should be refused

RSYNC_BACKUP_TARGET=172.18.0.2   # same variable name as used in the command below
rsync -azvA -e "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" \
  /tmp/toto "$RSYNC_BACKUP_TARGET":/var/mirror/client2
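The three troubleshooting checks above (rsync into the client's own directory is accepted, an interactive ssh session is refused, rsync into another client's directory is refused) and the read-only recover key described earlier all come down to one decision made on the server side: given the key's ident and the command the client asked for, is this an rsync server invocation confined to /var/mirror/IDENT? The following is an added example of such a check, written here to illustrate the behaviour; it is not the charm's own hook or script. The function name rsync_guard, its arguments, the "rw"/"ro" mode flag and the sample commands are all assumptions made for this illustration. It is meant to be called from an authorized_keys forced command with $SSH_ORIGINAL_COMMAND as the second argument.

```shell
#!/bin/sh
# Hypothetical forced-command check for a per-ident rsync backup target.
# Not the project's own code: an illustration of the policy the README
# describes (write only under /var/mirror/IDENT, no shell, recover-only
# keys may only serve data).
#
# Usage: rsync_guard IDENT "$SSH_ORIGINAL_COMMAND" [rw|ro]
# Prints the destination path and returns 0 when the command is
# acceptable, returns 1 (prints nothing) when it must be refused.
rsync_guard() {
    ident=$1
    cmd=$2
    mode=${3:-rw}
    base="/var/mirror/$ident"

    # An empty command is an interactive shell request: refuse.
    [ -n "$cmd" ] || return 1

    # Only rsync's server side is acceptable, nothing else.
    case "$cmd" in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # Refuse shell metacharacters so nothing can be chained onto rsync.
    case "$cmd" in
        *[';&|$()<>`']*) return 1 ;;
    esac

    # A recover-only key may only act as sender (the client pulls data).
    if [ "$mode" = ro ]; then
        case "$cmd" in
            "rsync --server --sender "*) ;;
            *) return 1 ;;
        esac
    fi

    # The destination is rsync's last argument; it must be the ident's
    # own mirror directory or a path below it.
    target=${cmd##* }
    case "$target" in
        "$base"|"$base"/*) ;;
        *) return 1 ;;
    esac

    # Forbid ".." components that would escape the allowed prefix.
    case "$target" in
        *"/../"*|*"/..") return 1 ;;
    esac

    printf '%s\n' "$target"
    return 0
}

# Constructed sample commands, shaped like what an rsync client sends
# for "rsync -azvA /tmp/toto host:/var/mirror/client1" (push) and for
# the recover key's pull of /var/mirror/myident/etc/.
PUSH_OWN='rsync --server -vlogDtprAze.iLsfxC . /var/mirror/client1'
PUSH_OTHER='rsync --server -vlogDtprAze.iLsfxC . /var/mirror/client2'
PULL_ETC='rsync --server --sender -vlogDtprAze.iLsfxC . /var/mirror/myident/etc/'

for case_desc in "client1 rw $PUSH_OWN" "client1 rw " "client1 rw $PUSH_OTHER" \
                 "myident ro $PULL_ETC" "myident ro $PUSH_OWN"; do
    set -- $case_desc
    id=$1; md=$2; shift 2
    if rsync_guard "$id" "$*" "$md" >/dev/null; then
        echo "allowed: ident=$id mode=$md cmd='$*'"
    else
        echo "refused: ident=$id mode=$md cmd='$*'"
    fi
done
```

Running the script prints one "allowed"/"refused" line per sample command. In a real deployment the forced command would then exec rsync itself with the validated arguments; the guard only decides, it never executes what the client sent.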