1SAFEKEEP(1)                     SafeKeep Manual                    SAFEKEEP(1)
2
3
4

NAME

6       safekeep - Client/server backup script
7

SYNOPSIS

9       safekeep --server [-q] [-v] [--noemail] [--force] [-c file] [--cleanup]
10       <clientid>*
11
12       safekeep --keys [-q] [-v] [--noemail] [-c file] [-i file] [--status]
13       [--print] [--deploy] <clientid>*
14
15       safekeep --list [-q] [-v] [--noemail] [-c file] [--increments]
16       [--parsable-output] [--sizes] [--changed=<time>] [--at-time=<time>]
17       <clientid>*
18
19       safekeep --client [--cleanup]
20
21       safekeep -h | -V
22

DESCRIPTION

24       SafeKeep is a client/server backup script which enhances the power of
25       rdiff-backup with simple configuration and use.
26
27       SafeKeep can work in server mode, client mode, SSH key management mode
28       or list mode.
29
30       In server mode, SafeKeep parses a set of configurations files which
31       defines a set of backup clients. For each backup client, SafeKeep
32       connects to the client host over SSH (using a public key
33       authentification system previously set up using safekeep --keys
34       --deploy), and launches safekeep --client onto the client host. The
35       client does the real backup and sends the data over SSH to the SafeKeep
36       server which stores it in the specified location.
37
38       In client mode, SafeKeep does a few setup steps, depending on the
39       client configuration (database dump, LVM device snapshot), then backups
40       the client data using rdiff-backup, and then cleanups the state
41       (removes the database dumps, deactivates the LVM snapshots)
42
43       Note that the client mode of SafeKeep should never be invoked manually,
44       this mode is meant to be used only by the server mode of SafeKeep. The
45       only exception to this is if run with the --cleanup option, which is
46       used to remove LVM snapshots and mounts created by Safekeep, after a
47       crash or some other failure, without a connection to the server.
48       Normally this cleanup would be performed through the server command
49       safekeep --server --cleanup.
50
51       The SSH key management mode is a helper mode for deploying or verifying
52       the setup of the SSH authentification keys.
53
54       In list mode, SafeKeep lists the details of existing archives. This is
55       basically an interface to the relevant options for rdiff-backup.
56
57       In server, keys management and list mode, you can restrict the
58       operation to a specific set of clients by listing the desired client
59       IDs as arguments. If no client ID is given, SafeKeep will operate over
60       all known clients.
61
62       Each mode accepts a few options as described below.
63

OPERATION MODE

65       --server
66           Selects the server mode
67
68       --client
69           Selects the client mode. This should never be invoked manually, the
70           clients are started automatically by the server on the client
71           machines using SSH.
72
73       --keys
74           Selects the SSH key management mode
75
76       --list
77           Selects the list mode
78       Please note that you must always specify an operation mode. Earlier
79       versions used do default to --server mode, but that proved to work out
80       poorly in practice.
81

GENERAL OPTIONS

83       -c, --conf=FILE
84           Specifies the configuration file location. If not specified at all,
85           SafeKeep will default to /etc/safekeep/safekeep.conf, or optionally
86           in ~/.safekeep/safekeep.conf for non-root users, if it exists.
87           Simply using this default is the recommended usage.
88
89       -h, --help
90           Selects the help mode, in which safekeep prints out the online help
91           and exits.
92
93       -V, --version
94           Selects the version mode, in which safekeep prints out the version
95           number and exits.
96
97       -q, --quiet
98           Decreases the verbosity level. Can be specified more than once.
99
100       -v, --verbose
101           Increases the verbosity level. Can be specified more than once.
102
103       --noemail
104           Disables the sending of email, no matter what the settings within
105           the configuration file.
106

SERVER OPTIONS

108       --force
109           Pass the --force option to rdiff-backup, allowing it to overwrite
110           the backup directory metadata. This option is potentially
111           dangerous, and should only be used if the backup directory becomes
112           corrupt, and rdiff-backup error logs tells you to use this option.
113
114       --cleanup
115           Remove LVM snapshots and mounts left by Safekeep after a crash or
116           other failure. This will run also run the standard cleanup
117           processes, such as the removal of an DB dumps, and forces a
118           consistency check of the rdiff-backup destination directory. This
119           is the prefered cleanup procedure and can be run with no danger of
120           corrupting the system if there is nothing to cleanup.
121

CLIENT OPTIONS

123       --cleanup
124           Remove LVM snapshots and mounts left after a crash or other failure
125           from the local system. Unlike the equivalent --server option, it
126           does not do any other of the standard cleanups. This option should
127           only be used when it is not possible to refer to the server, for
128           example, when the network connection to the server is no longer
129           available.
130

KEYS OPTIONS

132       -i FILE
133           Forces ssh(1) to use FILE for the identity (private key) in RSA/DSA
134           authentication. If not specified, ssh(1) will use its default
135           identity files.
136
137       --status
138           Display the key status for the clients. It is implied if no other
139           option is specified. In effect this option prints the steps that
140           will be taken when the keys are deployed to the client.
141
142       --print
143           Display the authorization keys for the clients. This is useful in
144           case you want to manually copy it into the client’s
145           ~/.ssh/authorized_keys file. This option is seldom useful.
146
147       --deploy
148           Deploy the authorization keys on the clients.
149

LIST OPTIONS

151       --increments
152           Pass the --list-increments option to rdiff-backup, to list the
153           number and date of partial incremental backups for the given or all
154           clients. This is the default list option.
155
156       --parseable-output
157           Pass the --parsable-output option to rdiff-backup to generate
158           output in a format that is easily parsed by other programs. This
159           currently only works with the --increments.
160
161       --sizes
162           Pass the --list-increment-sizes option to rdiff-backup, to list the
163           total size of all increment and mirror files by time for the given
164           or all clients. Note, this may take some time.
165
166       --changed=TIME
167           Pass the --list-changed-since option for TIME to rdiff-backup, to
168           list the files changed since TIME for the given clients. TIME is
169           passed directly to rdiff-backup. Note, this may take some time and
170           generate considerable output. Also, unlike rdiff-backup the is no
171           option to select sub-directories.
172
173       --at-time=TIME
174           Pass the --list-at-time option for TIME to rdiff-backup, to list
175           the files in the archive that were present at the given time for
176           the given clients. Note, this may take some time and generate
177           considerable output. Also, unlike rdiff-backup the is no option to
178           select sub-directories.
179

CONFIGURATION

181       Normally the configuration files are placed in the
182       /etc/safekeep/backup.d/ directory, or optionally in
183       ~/.safekeep/backup.d/ for non-root users, from where they will get
184       picked up automatically by SafeKeep. Each backup client is described by
185       a configuration file in XML format. The minimum configuration file is:
186
187
188           <backup>
189             <host name="my_workstation" />
190           </backup>
191
192       This will simply backup all relevant files (excluding temporary files,
193       caches, etc) from the client with the address my_workstation.
194
195       A more realistic example:
196
197
198           <backup>
199             <host name="my_workstation" />
200             <repo retention="10D" />
201             <setup>
202                 <dump type="postgres" dbuser="postgres" file="/var/lib/pgsql/backups/all_dbs" />
203                 <dump type="mysql" user="mysql" dbuser="dbbackup" db="adatabase" file="/var/backups/dumps/adatabase_dbs" />
204                 <dump type="mysql" user="mysql" dbuser="dbbackup" db="mysql" file="/var/backups/dumps/mysql_dbs" cleanup="true" />
205                 <snapshot device="/dev/mapper/VolGroup00-LogVol00" size="500M" />
206             </setup>
207
208             <data>
209               <exclude regexp=".*\.ogg"/>
210               <exclude regexp=".*\.mp3"/>
211
212               <include path="/etc"/>
213
214               <exclude glob="/home/*/tmp"/>
215               <include path="/home"/>
216
217               <include path="/root"/>
218
219               <include path="/srv"/>
220
221               <exclude path="/var/cache"/>
222               <exclude path="/var/lock"/>
223               <exclude path="/var/run"/>
224               <exclude path="/var/tmp"/>
225               <include path="/var/named/chroot/etc"/>
226               <include path="/var/named/chroot/var/named"/>
227               <exclude path="/var/named/chroot"/>
228               <include path="/var"/>
229
230               <exclude path="/"/>
231             </data>
232           </backup>
233
234       In this case, SafeKeep will dump all databases managed by PostgreSQL,
235       snapshot the disk via LVM, and proceed to backup /etc, /home, /root,
236       /srv, /var, while excluding some unneeded files and directories. Older
237       data will be retained for 10 days.
238
239       For full reference documentation of the configuration format, see
240       safekeep.backup(5).
241

CLIENT IDS

243       Normally the client IDs are generated automatically from the
244       configuration filenames without the extension. E.g. if a configuration
245       file is named my_workstation.conf, the client ID becomes
246       my_workstation. For more information on this topic, see
247       safekeep.backup(5).
248

KEY DEPLOYMENT

250       The safekeep(1) server needs to access the clients in order to conduct
251       the backup. To that end, it establishes two ssh(1) pipes: one for
252       control, and one for data. To simplify the deployment of the keys,
253       safekeep(1) has a key deploy mode.
254
255       When deploying keys using the built-in key management functionality,
256       safekeep(1) needs to be invoked as the user under which it will
257       function as a server. By default, that user is safekeep. For extra
258       security, you can not login into that account, so you have to invoke
259       safekeep(1) as root:
260
261
262                   [root@yourbox ~] # safekeep --keys --deploy
263

RESTORING

265       Since safekeep(1) is built around rdiff-backup(1), it doesn’t have any
266       built-in restore capabilities. It simply relies on rdiff-backup to
267       perform this task.
268
269       To do so, you just need to know the directory where the data is
270       actually stored. In a typical installation, for a box configured via
271       the file /etc/safekeep/backup.d/mybox.backup, the data will be stored
272       under /var/lib/safekeep/mybox/. Please refer to safekeep.backup(5) for
273       more information on this matter.
274
275       Once you have determined where the data will be stored (we’ll continue
276       the example above), all you have to do is run rdiff-backup:
277
278
279                   # rdiff-backup -r 1s /var/lib/safekeep/mybox my-restore-dir
280
281       You will be able to find more information on the restore procedure in
282       the rdiff-backup(1) man page.
283

FILE SELECTION

285       It is important to note that the include/exclude directives that
286       control file selection are matched in the order they appear in the
287       configuration file, and the first one that matches dictates whether the
288       file will be included or excluded. As a result, you have to add the
289       more specific ones first, or the more generic specifications will
290       always win. For example:
291
292
293           ...
294               <include path="/home"/>
295               <exclude path="/home/joe"/>
296           ...
297
298       will NOT do what you expect, because the /home will match before
299       /home/joe, and thus all files under /home will be included. The correct
300       way is to flip the two around
301
302
303           ...
304               <exclude path="/home/joe"/>
305               <include path="/home"/>
306           ...
307
308       Please see safekeep.backup(5) for more information on file selection.
309

SEE ALSO

311       rdiff-backup(1), safekeep.conf(5), safekeep.backup(5)
312

AUTHOR

314       Written by Dimi Paun <dimi@lattica.com[1]> and Stelian Pop
315       <stelian@lattica.com[2]>.
316

NOTES

318        1. dimi@lattica.com
319           mailto:dimi@lattica.com
320
321        2. stelian@lattica.com
322           mailto:stelian@lattica.com
323
324
325
326safekeep                          02/23/2019                       SAFEKEEP(1)
Impressum