
Backing up a FreeBSD system to another server with cvsup

 
conundrum
#1 Posted: 2004-03-01 10:37:42
http://mail.tses.tcc.edu.tw/nuke/sections.php?op=viewarticle&artid=205     
Backing up a system to another server with cvsup
(http://bsdvault.net/sections.php?op=printpage&artid=105)

How to do 100% system automated backups via cvsup

Q: Before I get all fired up about this, what do I need?
A: You need two boxes using FreeBSD stable and cvsup installed. I use 4.6-STABLE, but this is not needed. For all I know you can back up to another variant of BSD that uses cvsup? Possible? Email me.

Before we get started you should learn what cvsup is: http://www.unixhideout.com/freebsd/doc/en_US.ISO8859-1/books/handbook/cvsup.html and how to use it. You should also be VERY certain the daemon we execute on the box to be updated should NOT be accessible by the internet, because I don't go into access or auth in this tutorial. I have a router, so people cannot hit the port that the daemon listens on. If you do not have a router, or some sort of firewall disallowing access to this port, you can let the entire internet access your backups!

Another thing. Even though I do this this way, I still zip and download the files and burn them onto a CDR at least once a month (most of the time more) so I never lose more than a month's work. If for some sad reason you do get rooted, or let's say they find a vulnerable script and rm -rf www, cvsup will run and back up exactly what it sees. NOTHING. You should feel very secure about your box before you do this and still put your important files on CDR or tape backup as often as possible. DO NOT RELY ON THIS METHOD EXCLUSIVELY. This happens. I remember when I first started with unix I ran redhat linux, and I was using a program called mirrordir that would "mirror" /var/www to /some/safe/dir every few hours. A script kiddie found a vulnerability in redhat, gained access to the webserver account and deleted my website. mirrordir ran and in moments I had nothing. I lost my entire site. At the time I could have cried like a schoolgirl, but I'm glad it happened. I learned not to run linux and looked into BSD. Here I am today, years later. Let me say it one more time: "CDR" as well as this method.

For those of you that have the new book "FreeBSD Unleashed", please turn to the bottom of page 537 where it says "mirrors" and read it through page 540. If I didn't drop my scanner and smash it into fifty thousand pieces I would scan the pages, but you'll have to buy the book. It is an excellent book with around a thousand pages that any sysadmin in his right mind should own. Even though these are my own words, and hopefully I'm making it a bit easier on you in my wording, I have to give the FreeBSD Unleashed book full credit as that is what taught me. I would also like to thank logic from www.logical-security.com, who is one of my best friends and bought me the book and donated it to unixhideout.com by mailing it to me free of charge.

As with everything else I write, I proofread everything I write several times and go over it a lot. But if this messes up your box, OOPS. I am not responsible. Of course, however, I am open to criticism. If you feel there is a better way to do something I mention, or if it's outright wrong, you are to email me right away so I don't harm people's boxes or simply provide the wrong information, as that is not my goal. However, anything I tell you to do, not only have I DONE it on my own box with no problems, but if I lead you into anything risky I guide you in backing up the files first. So you're all set. If I didn't scare the shit out of you yet, read on.

I am assuming you have two boxes running FreeBSD. For these examples I will back up the "labs" server to the "labs2" server. The first thing you should do is install cvsup on both servers.

[labs] /etc# cd /usr/ports/net/cvsup
[labs] /usr/ports/net/cvsup# make install

*Please note that if you do not have X installed, there is a port for cvsup for users without a need for a GUI. Simply replace the above lines with

[labs] ~# cd /usr/ports/net/cvsup-without-gui
[labs] /usr/ports/net/cvsup-without-gui# make install

Do know that this could take quite some time depending on your net connection as well as your processor speed, but I do not care if you are on 56k, I recommend you get the latest packages off of the internet using /usr/ports.

For this tutorial I am going to have you back up your /home directory. To add other directories, simply follow practically the same steps except replace the filenames. I already have cvsup installed and I have a cvsup file, due to me being a cvsup server, and I wasn't sure whether it would clash with my existing cvsup directory, so I made a new one. So let's begin with the box we want to BACK UP.
Let the commands begin. Follow my lead.

#cd /usr/local/etc/
#mkdir cvsup-backup
#cd cvsup-backup
#mkdir sup
#cd sup
#mkdir home
#cd home

Edit home.cvs and inside place this:

upgrade home
rsymlink *

Now close the file and of course save it.

Edit releases and inside place this:

home list=home.cvs prefix=/

Close the file and save. Now we start the cvsupd daemon.
You have something to think about here. How often are you going to back up? Are you going to make a cronjob to do this periodically? Are you going to add the command to /etc/daily.local or /etc/weekly.local? Or will you run it manually as often as you make changes?

I run it 24/7 and have the system run it in /etc/daily.local, which is how I will set you up. But whatever you want to do here, just make your changes. OK, so obviously if you run cvsupd already like I do, you cannot use the default port as it's already in use. I specified one via the command line, and made a script and dropped it in /usr/local/etc/rc.d/ with the name cvsupd.backup.sh. *Note: be sure to chmod it executable by root like this:

#chown root cvsupd.backup.sh
#chgrp wheel cvsupd.backup.sh
#chmod 700 cvsupd.backup.sh

#cd /usr/local/etc/rc.d/

Edit cvsupd.backup.sh and inside place

#!/bin/sh
/usr/local/sbin/cvsupd -b /usr/local/etc/cvsup-backup -p port -C 1 -l /dev/stdout

Change "port" to the port you want cvsupd to listen on for connections, save the file and make it executable by root as shown above. Now remember the port you used, because we are about to go to the server we will back up onto, and you will need to remember it.

Now log into the second server, which is the server you want to back up into, and cd to the /etc/ directory.

[labs2] ~# cd /etc
[labs2] /etc#
Again I made a separate directory for this cvsup process.

#mkdir cvsup-backup
#cd cvsup-backup

Inside I created a file called, simply enough, cvsup-backup. Inside it I created this:

*default host=
*default delete use-rel-suffix
*default compress
*default preserve
*default base=/usr/cvsup-backup
*default release=home
home

Save and exit the file.

Now, for "default host=": here you put the IP of the server that you are backing up.

You have to make sure that on "labs2" you are backing up to a partition in which you have enough space to back up onto. Look at the df output of "home" on the server to be backed up, and then go back to "labs2" and find a directory to back up into. For me this destination was /usr/cvsup-backup

#cd /usr
#mkdir cvsup-backup

Now if you want to run this command once a night, you can add this command to /etc/daily.local or /etc/weekly.local

/usr/local/bin/cvsup -p PORTYOUCHOSE -L 2 /etc/cvsup-backup/cvsup-backup

Now before you go and try this and say it's not working, I will tell you why it will not work if you execute it now: "permissions". We made all these directories as root. On my servers, I like to create a shell script called security.sh and place it in my root directory. I am not sure about posting this here as it is huge, as well as giving you a list of important users on my system, so here's an old one with non-existent users: www.unixhideout.com/ro0t-tuts/security

Obviously you will have to edit it tremendously, but you should have a great idea of many things, including how my website is writable by the user "webmaster", which is other remote webmasters, however it is read-only to the webserver process, and of course you also see the permissions of cvsup, which is why I posted it in the first place. Writing a security script is very good to lock down the box and fix erroneous permissions from you working. Whenever I am not sure about permissions I simply cd to my root dir and as root I type sh security.sh. Although it is a bit of work, it's a very good thing.

I hope this helped you. I have proofread this. There might be a typo or two, but if you perform this on your box nothing bad *should happen.

Submitted by BSDVault Member Ro0t
http://www.unixhideout.com/
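
The tutorial warns that a mirror run with "delete" copies an emptied source faithfully, so the copy on labs2 should not be the only one. The script below is an added example, not part of the original tutorial: it archives the mirror into dated generations on labs2 before each cvsup run. /usr/cvsup-backup and the cvsup command line come from the text; the snapshot directory, the KEEP count, the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Run on labs2.
# MIRROR is the tutorial's base directory; SNAPDIR and KEEP are assumptions.
MIRROR=${MIRROR:-/usr/cvsup-backup}
SNAPDIR=${SNAPDIR:-/usr/cvsup-snapshots}
KEEP=${KEEP:-7}

# snapshot_mirror <mirror> <snapdir> <stamp>
# Archives the mirror before cvsup (with "delete") may change it.
# Returns 2 without writing anything when the mirror is missing or empty,
# so an already-wiped mirror never pushes a good generation out.
snapshot_mirror() {
    mirror=$1; snapdir=$2; stamp=$3
    [ -d "$mirror" ] || return 2
    [ -n "$(ls -A "$mirror" 2>/dev/null)" ] || return 2
    mkdir -p "$snapdir" && chmod 700 "$snapdir" || return 1
    tmp="$snapdir/.partial.$$"
    # Write under a temporary name, then rename, so an interrupted run
    # never leaves a truncated archive that looks like a valid generation.
    ( umask 077; tar -czf "$tmp" -C "$mirror" . ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$snapdir/home-$stamp.tar.gz"
}

# prune_snapshots <snapdir> <keep>
# Removes the oldest archives and leaves the newest <keep>. Names sort
# chronologically because the stamp is YYYYmmdd-HHMMSS.
prune_snapshots() {
    snapdir=$1; keep=$2
    total=$(ls "$snapdir"/home-*.tar.gz 2>/dev/null | wc -l)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    ls "$snapdir"/home-*.tar.gz | sort | head -n "$excess" |
        while IFS= read -r old; do rm -f "$old"; done
}

# Usage: sh backup-guard.sh run PORT   (script name is hypothetical)
if [ "${1:-}" = "run" ]; then
    rc=0
    snapshot_mirror "$MIRROR" "$SNAPDIR" "$(date +%Y%m%d-%H%M%S)" || rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "snapshot failed, not syncing" >&2
        exit 1
    fi
    prune_snapshots "$SNAPDIR" "$KEEP"
    # Same client command the tutorial puts in /etc/daily.local.
    /usr/local/bin/cvsup -p "$2" -L 2 /etc/cvsup-backup/cvsup-backup
fi
```

The snapshot directory has to sit outside the mirror and on a partition with room for KEEP archives; the archives are created mode 600 because they hold every user's home directory.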