Replies: 4 comments 17 replies
-
It sounds doable, just try it. :) If zfs-autobackup gets some kind of permission error, you'll see it. Normally zfs-autobackup shows all the errors and raises exceptions if something fails. Since its just using the zfs-command via ssh, i dont expect any weird problems. You would need to run it with --no-snapshot and --no-thinning i think. And maybe --no-holds. Edwin |
Beta Was this translation helpful? Give feedback.
-
Hey there, small update on the matter: The concept turned out to work perfectly, and I'll put some details here for anyone interested. Essentially, this workflow properly separates local snapshotting and remote dataset replication, even for multiple backup sites. You will additionaly get proper privilege separation and the guarantee that the backup servers will not be able to access your data, if you have the source datasets encrypted with ZFS. I primarily wanted to decouple source and backup snapshots. This means having all clients create their local snapshots independently, and have the backup machines handle their replicas independently. There basically will be a snapshotting service on each client that acts on its own, and each backup machine can pull any of those local snapshots. This also integrates perfectly with the way the hold system works in zfs_autobackup, so each backup machine has its own holds and you will never accidentally get in a desynced state. To be prepared for multiple servers in different timezones, it might be a good idea to use a UTC snapshot time format. This way the snapshot times on your backup system stay consistent. (As of now, this feature is not yet released, but you can add SetupThe backup machines (
For each machine to backup (clients):
The backup machines never create snapshots, to prevent having multiple snapshots at the same time for each backup machine. That's why we use Systemd Timers (cron jobs)Finally, all of the snapshotting and replication should be done routinely and automatically. I'd recommend using systemd timers for this, as they are resilient against missed jobs (power outage), and can be randomized in time a little (to avoid having all your 3 backup sites pull snapshots at the same time from your client machines). But of course you also use cron jobs for this task. In this example, the two backup machines should replicate all of the client's local snapshots once per day. zfs-local-snapshot.service
zfs-local-snapshot.timer (runs every 15 minutes by default)
zfs-replicate-pull.service (example for
|
Beta Was this translation helpful? Give feedback.
-
Thank you for writing this up, not having to have root login via ssh enabled makes me feel much happier. |
Beta Was this translation helpful? Give feedback.
-
Great write-up! I am testing it on my system. I'm wondering about setting the base dataset for a client to read-only though |
Beta Was this translation helpful? Give feedback.
-
I was thinking about a more secure solution to automatically managing remote backups. Yet, I am not familiar enough with this codebase to judge whether my imagined approach would work out in practice.
The problem
With both push and pull configurations, you have to allow server A or B remote access to the other. This is not ideal. The "obvious" solution is using the 0-trust configuration, but that essentially requires a third server with access to both A and B. For manual backups this is perfect, but for automated backups this has some downsides (more required bandwidth, requires additional server).
Unprivileged pull configuration
Instead, I'd like to use a better version of the pull configuration with non-root access to the source server for backups. By using
zfs allow
, this unprivileged user is just given the permission to use thesend
subcommand and maybehold
if required. That way, the source server has no access to the backup server at all, and the backup server has only unprivileged access to the source server.A classic pull or push approach always compromises both the backup and the source if the "privileged" side is hijacked. By using this unprivileged proxy-user, we can alleviate the risk significantly and protect the source servers in case the backup is compromised. The worst case scenarios I can think of right now:
Implications
Additionally, this requires separate snapshotting and pruning on all source servers, as the backup server cannot modify the source datasets. Therefore:
(Aside: This idea is not compatible with push-configurations, because dataset creation requires the
mount
permission. Having the mount-permissions allows whoever pushes the data to compromise the target system unconditionally, e.g. by mounting a dataset at/etc
)I'd like to implement this approach on my servers but I am not sure whether zfs_autobackup requires any permissions I am not aware of. I'd be happy to receive feedback.
Beta Was this translation helpful? Give feedback.
All reactions