librelist archives

« back to archive

Attic and pull backup

Attic and pull backup

From:
Henrik Christensen
Date:
2014-07-01 @ 13:35
Hi,

 

I do not have that much experience with Attic but I am planning to use it
for backing up all my servers. I have been testing it for a while an like
what I have experience, great work!

 

I prefer to have a standalone backup server that takes care of backing up
all servers, pull backup. It is only on this server Attic is installed and
all servers I make backup of are mounted with SSHFS and I therefore don't
need to have Attic installed on every server.

 

But I did run into a little problem when restoring, the mounting point on
the backup server are also getting restored . Are there anything I can do
in my settings to avoid this, or is pull backup with Attic not
recommended?

 

Kind regards,

 

Re: [attic] Attic and pull backup

From:
Randy Syring
Date:
2014-07-01 @ 17:05
FWIW, I've always considered push backup superior for security reasons.  
With pull backup, you have one server that, if compromised, has access 
to all your other servers.  With the push model, if your server gets 
compromised, only it's data need be compromised.  Just a thought.  :)

*Randy Syring*
Husband | Father | Redeemed Sinner

/"For what does it profit a man to gain the whole world
and forfeit his soul?" (Mark 8:36 ESV)/

On 07/01/2014 09:35 AM, Henrik Christensen wrote:
>
> Hi,
>
> I do not have that much experience with Attic but I am planning to use 
> it for backing up all my servers. I have been testing it for a while 
> an like what I have experience, great work!
>
> I prefer to have a standalone backup server that takes care of backing 
> up all servers, pull backup. It is only on this server Attic is 
> installed and all servers I make backup of are mounted with SSHFS and 
> I therefore don’t need to have Attic installed on every server.
>
> But I did run into a little problem when restoring, the mounting point 
> on the back up server are also getting restored . Are there anything I 
> can do in my settings to avoid this, or is pull backup with Attic not 
> recommended?
>
> Kind regards,
>

Re: [attic] Attic and pull backup

From:
Henrik Christensen
Date:
2014-07-01 @ 18:58
Hi Randy,



Yes, I know that there are and have been many opinions about security risks 
with push vs pull backup, however I look at it the opposite way. My backup 
server is locked down behind a firewall and have no access to the outside so 
not that big a chance to get compromised. All my server do have access to 
the outside and they are in more danger. If I do push backup all my servers 
will have to have access to my backup server, that information will have to 
be located on all of them.



I also fell that I have more control of all the backups this way, this is 
actually the my main reason for pull backup together with that I don’t need 
to install Attic on all servers  :)



Kind regards,



From: attic@librelist.com [mailto:attic@librelist.com] On Behalf Of Randy 
Syring
Sent: 1. juli 2014 19:06
To: attic@librelist.com
Subject: Re: [attic] Attic and pull backup



FWIW, I've always considered push backup superior for security reasons. 
With pull backup, you have one server that, if compromised, has access to 
all your other servers.  With the push model, if your server gets 
compromised, only it's data need be compromised.  Just a thought.  :)


Randy Syring
Husband | Father | Redeemed Sinner

"For what does it profit a man to gain the whole world
and forfeit his soul?" (Mark 8:36 ESV)

On 07/01/2014 09:35 AM, Henrik Christensen wrote:

Hi,



I do not have that much experience with Attic but I am planning to use it 
for backing up all my servers. I have been testing it for a while an like 
what I have experience, great work!



I prefer to have a standalone backup server that takes care of backing up 
all servers, pull backup. It is only on this server Attic is installed and 
all servers I make backup of are mounted with SSHFS and I therefore don’t 
need to have Attic installed on every server.



But I did run into a little problem when restoring, the mounting point on 
the back up server are also getting restored . Are there anything I can do 
in my settings to avoid this, or is pull backup with Attic not recommended?



Kind regards,




Re: [attic] Attic and pull backup

From:
Jonas Borgström
Date:
2014-07-01 @ 20:19
On 2014-07-01 20:58, Henrik Christensen wrote:
> Hi Randy,
> 
>  
> 
> Yes, I know that there are and have been many opinions about security
> risks with push vs pull backup, however I look at it the opposite way.
> My backup server is locked down behind a firewall and have no access to
> the outside so not that big a chance to get compromised. All my server
> do have access to the outside and they are in more danger. If I do push
> backup all my servers will have to have access to my backup server, that
> information will have to be located on all of them.

It is possible to configure the backup server to only allow each server
to access their own repository using attic and nothing else.

First install Attic on the backup server and add a unix account called
"attic".
Then generate a new ssh key on each server and add the public key part
to the "attic" user's authorized_keys file on the backup server.
By prefixing the public key with a "forced command" we can restrict the
access to running attic on a specific repository and nothing else:

in /home/attic/.ssh/authorized_keys:
command="/usr/bin/attic serve --restrict-to-path=/data/server1.attic"
server1-public-key
command="/usr/bin/attic serve --restrict-to-path=/data/server2.attic"
server2-public-key
...

> I also fell that I have more control of all the backups this way, this
> is actually the my main reason for pull b ackup together with that I
> don’t need to install Attic on all servers  :)

That's true. But running attic on both sides will be a lot more
efficient than sshfs.

*snip*
>     But I did run into a little problem when restoring, the mounting
>     point on the back up server are also getting restored . Are there
>     anything I can do in my settings to avoid this, or is pull backup
>     with Attic not recommended?

I'm not sure I follow, can you give some more details on what's
happening and how you would like it to work?

/ Jonas

Re: [attic] Attic and pull backup

From:
Henrik Christensen
Date:
2014-07-02 @ 06:26
Hi Jonas,

Sorry for not explaining it in more dept  :)

On the backup server I mount '/mnt/servername'  to the folder on the backup 
client server from where I need backup ex. '/opt'. When Attic makes the 
backup the hole path are also in the backup incl. the local path on the 
backup server '/mnt/servername'. If I want to restore the backup to another 
location ex. on the local backup server in the folder '/restore' I get the 
path '/restore/mnt/servername/<mountpoint/...>' where I would like to get 
'/restore/<mountpoint/...>'.

I would be nice if I could tell Attic to only backup from the mountpoint and 
forward.

Kind Regards,

-----Original Message-----
From: attic@librelist.com [mailto:attic@librelist.com] On Behalf Of Jonas 
Borgström
Sent: 1. juli 2014 22:19
To: attic@librelist.com
Subject: Re: [attic] Attic and pull backup

On 2014-07-01 20:58, Henrik Christensen wrote:
> Hi Randy,
>
>
>
> Yes, I know that there are and have been many opinions about security
> risks with push vs pull backup, however I look at it the opposite way.
> My backup server is locked down behind a firewall and have no access
> to the outside so not that big a chance to get compromised. All my
> server do have access to the outside and they are in more danger. If I
> do push backup all my servers will have to have access to my backup
> server, that information will have to be located on all of them.

It is possible to configure the backup server to only allow each server to 
access their own repository using attic and nothing else.

First install Attic on the backup server and add a unix account called 
"attic".
Then generate a new ssh key on each server and add the public key part to 
the "attic" user's authorized_keys file on the backup server.
By prefixing the public key with a "forced command" we can restrict the 
access to running attic on a specific repository and nothing else:

in /home/attic/.ssh/authorized_keys:
command="/usr/bin/attic serve --restrict-to-path=/data/server1.attic"
server1-public-key
command="/usr/bin/attic serve --restrict-to-path=/data/server2.attic"
server2-public-key
...

> I also fell that I have more control of all the backups this way, this
> is actually the my main reason for pull b ackup together with that I
> don’t need to install Attic on all servers  :)

That's true. But running attic on both sides will be a lot more efficient 
than sshfs.

*snip*
>     But I did run into a little problem when restoring, the mounting
>     point on the back up server are also getting restored . Are there
>     anything I can do in my settings to avoid this, or is pull backup
>     with Attic not recommended?

I'm not sure I follow, can you give some more details on what's happening 
and how you would like it to work?

/ Jonas

Re: [attic] Attic and pull backup

From:
Jonas Borgström
Date:
2014-07-03 @ 20:13
On 2014-07-02 08:26, Henrik Christensen wrote:
> Hi Jonas,
> 
> Sorry for not explaining it in more dept  :)
> 
> On the backup server I mount '/mnt/servername'  to the folder on the backup 
> client server from where I need backup ex. '/opt'. When Attic makes the 
> backup the hole path are also in the backup incl. the local path on the 
> backup server '/mnt/servername'. If I want to restore the backup to another 
> location ex. on the local backup server in the folder '/restore' I get the 
> path '/restore/mnt/servername/<mountpoint/...>' where I would like to get 
> '/restore/<mountpoint/...>'.
> 
> I would be nice if I could tell Attic to only backup from the mountpoint and 
> forward.

Ah, that is currently not possible but I think it should be.
I've created an enhancement ticket for this with some additional
background information about what this feature is called and how it
works on similar tools like "tar" and "patch".

https://github.com/jborg/attic/issues/95

I hope to get this implemented in Attic 0.14.

/ Jonas


Re: [attic] Attic and pull backup

From:
Henrik Christensen
Date:
2014-07-03 @ 21:17
This is really great news Jonas, thank you! I will look forward to this
:)

If it has your interest James I mount each server I backup to a folder
inside /mnt/<servername> and use the following sshfs command and Attic
just do its work nicely.

sshfs -o Ciphers=arcfour -o Compression=no
${REMOTE_USER}@${REMOTE_SERVER_IP}:${REMOTE_MOUNTPOINT}
${LOCAL_MOUNTPOINT}


Kind regards,

-----Original Message-----
From: attic@librelist.com [mailto:attic@librelist.com] On Behalf Of Jonas
Borgström
Sent: 3. juli 2014 22:13
To: attic@librelist.com
Subject: Re: [attic] Attic and pull backup

On 2014-07-02 08:26, Henrik Christensen wrote:
> Hi Jonas,
>
> Sorry for not explaining it in more dept  :)
>
> On the backup server I mount '/mnt/servername'  to the folder on the
> backup client server from where I need backup ex. '/opt'. When Attic
> makes the backup the hole path are also in the backup incl. the local
> path on the backup server '/mnt/servername'. If I want to restore the
> backup to another location ex. on the local backup server in the
> folder '/restore' I get the path
> '/restore/mnt/servername/<mountpoint/...>' where I would like to get
'/restore/<mountpoint/...>'.
>
> I would be nice if I could tell Attic to only backup from the
> mountpoint and forward.

Ah, that is currently not possible but I think it should be.
I've created an enhancement ticket for this with some additional
background information about what this feature is called and how it works
on similar tools like "tar" and "patch".

https://github.com/jborg/attic/issues/95

I hope to get this implemented in Attic 0.14.

/ Jonas


Re: [attic] Attic and pull backup

From:
James Holland
Date:
2014-07-03 @ 17:17
On 01/07/14 14:35, Henrik Christensen wrote:
> Hi,
>
> I do not have that much experience with Attic but I am planning to use
> it for backing up all my servers. I have been testing it for a while an
> like what I have experience, great work!
>
> I prefer to have a standalone backup server that takes care of backing
> up all servers, pull backup. It is only on this server Attic is
> installed and all servers I make backup of are mounted with SSHFS and I
> therefore don’t need to have Attic installed on every server.

I also like pull-backups. Can Attic do:

attic create --stats $REPOSITORY::hostname-`date +%Y-%m-%d` 
ssh://username@hostname:port/home/username

Re: [attic] Attic and pull backup

From:
Jonas Borgström
Date:
2014-07-03 @ 20:18
On 2014-07-03 19:17, James Holland wrote:
> On 01/07/14 14:35, Henrik Christensen wrote:
>> Hi,
>>
>> I do not have that much experience with Attic but I am planning to use
>> it for backing up all my servers. I have been testing it for a while an
>> like what I have experience, great work!
>>
>> I prefer to have a standalone backup server that takes care of backing
>> up all servers, pull backup. It is only on this server Attic is
>> installed and all servers I make backup of are mounted with SSHFS and I
>> therefore don’t need to have Attic installed on every server.
> 
> I also like pull-backups. Can Attic do:
> 
> attic create --stats $REPOSITORY::hostname-`date +%Y-%m-%d` 
> ssh://username@hostname:port/home/username

No, Attic can only archive already mounted filesystems.

But Henrik's approach of archiving a previously mounted sshfs filesystem
would give the same end result.

/ Jonas