LinuxQuestions.org
Old 02-28-2011, 04:41 AM   #1
hua
Member
 
Registered: Oct 2006
Location: Slovak Republic
Distribution: Slackware 14.2, current
Posts: 461

Rep: Reputation: 78
rsync servers - ssh keys


Hello

After lots of hardware and network failures I came to the conclusion that I need to find a good solution to back up my mail and web services.
My first try was copying things and archiving them to a backup server which is on a separate network (ISP failure cases). Finally that scenario didn't work that well.

After this I found some information about rsync and it seems to me that it can be a good solution.
I need to back up emails > two directories /var/spool/mail and /imap. (for example)

It works with rsync very well: rsync -a --size-only /imap/* rmhost:/imap. But when I try to automate it with a script I get into a little "situation".
I use an ssh public/private key for a no-password connection. There is a warning about the use of it. The very simplest way for me is to run rsync as root.
rsync -a --size-only /home/* rmhost:/home
It updates the home of every user on the backup. As the warning about ssh keys says, it is not a good idea to use keys for root. So I need to run it as some other user (syncer for example) but this user won't be able to access all user directories on the MASTER server. It also won't be able to access them on the backup.

Is there any "nice" way to manage this problem?
I was thinking that I could save the ownership of the files, change it to syncer before I rsync them with the remote directory and then recover the user ownership of the files.
Is this a good idea?

Last edited by hua; 03-01-2011 at 09:41 AM.
 
Old 02-28-2011, 09:28 PM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
You have a few options...

PermitRoot in sshd_config allows yes, no, and without-password. without-password only allows keys to be used. This is not a huge security problem in most cases but it certainly depends on the network design that it is being deployed in.


The other option for rsync as root to preserve permissions and back up everything.

This requires ntp to be set up to work correctly as time is a major concern for this to work properly.

To help explain it I will call one server mail and one server backup.

On both servers set up a backup user and configure keys for the backup user.

On the mail server write a cron that checks for a certain file in a backup user writable location, e.g. /tmp/.backupstart
This script checks for the .backupstart file and changes sshd to permitroot without-password and restarts sshd, then sleeps for 3-5 minutes, then changes the config back to permitroot no and restarts sshd again.

On the backup server there are 2 scripts.

One script will ssh to the mail server and touch the .backupstart script and then exit.

The other will be the script run as root that starts the backup over ssh with root keys in that 3-5 minute period. This is why the NTP is so important in this case. Timing must be perfect.


In a real-world environment the backup server would be placed on an out-of-band network only that is not accessible to the world.

Last edited by slimm609; 04-30-2011 at 09:30 PM.
 
2 members found this post helpful.
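
The mail-server cron job described in post #2, written out as an added example; it is not part of the thread and not slimm609's code. The account name, the restart command, the --run switch and the ownership check on the flag file are assumptions made for this sketch.

```shell
#!/bin/sh
# Cron job for the "mail" server. Added example; paths, account name and the
# restart command are assumptions. Run from root's crontab as: script --run
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
FLAG="${FLAG:-/tmp/.backupstart}"          # flag file path from the post
BACKUP_USER="${BACKUP_USER:-backup}"       # hypothetical account name
WINDOW="${WINDOW:-240}"                    # seconds (post: 3-5 minutes)
RESTART_CMD="${RESTART_CMD:-/etc/rc.d/rc.sshd restart}"  # assumed init script

# Put a single global PermitRootLogin line at the top of the config, ahead of
# any Match block. Newer OpenSSH spells without-password "prohibit-password".
set_permit_root() {
    tmp=$(mktemp "${SSHD_CONFIG}.XXXXXX") || return 1
    {
        echo "PermitRootLogin $1"
        grep -Eiv '^[[:space:]]*PermitRootLogin[[:space:]]' "$SSHD_CONFIG" || true
    } > "$tmp"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$SSHD_CONFIG" && rm -f "$tmp"
}

# Accept the flag only if it is a regular file owned by the backup user,
# since a location like /tmp is writable by every local account.
flag_is_valid() {
    [ -f "$FLAG" ] && [ ! -L "$FLAG" ] &&
        [ "$(stat -c %U "$FLAG")" = "$BACKUP_USER" ]
}

close_window() {
    set_permit_root no && $RESTART_CMD
}

open_window() {
    flag_is_valid || return 1
    rm -f "$FLAG"
    # Revert even if the job is interrupted during the sleep.
    trap 'close_window; exit 1' INT TERM HUP
    set_permit_root without-password && $RESTART_CMD
    sleep "$WINDOW"
    close_window
    trap - INT TERM HUP
}

if [ "${1:-}" = "--run" ]; then
    open_window
fi
```

The flag is deleted before the window opens, so one touch of the file opens root key login once and the next cron run finds nothing to act on.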