SAFEKEEP(1)                     SafeKeep Manual                     SAFEKEEP(1)

safekeep - Client/server backup script

safekeep --server [-q] [-v] [--noemail] [--force] [-c file] [--cleanup]
    <clientid>*

safekeep --keys [-q] [-v] [--noemail] [-c file] [-i file] [--status]
    [--print] [--deploy] <clientid>*

safekeep --list [-q] [-v] [--noemail] [-c file] [--increments]
    [--parsable-output] [--sizes] [--changed=<time>] [--at-time=<time>]
    <clientid>*

safekeep --client [--cleanup]

safekeep -h | -V

SafeKeep is a client/server backup script which enhances the power of
rdiff-backup with simple configuration and use.

SafeKeep can work in server mode, client mode, SSH key management mode
or list mode.

In server mode, SafeKeep parses a set of configuration files which
define a set of backup clients. For each backup client, SafeKeep
connects to the client host over SSH (using a public key
authentication system previously set up using safekeep --keys
--deploy), and launches safekeep --client on the client host. The
client does the real backup and sends the data over SSH to the SafeKeep
server, which stores it in the specified location.

In client mode, SafeKeep does a few setup steps, depending on the
client configuration (database dump, LVM device snapshot), then backs
up the client data using rdiff-backup, and then cleans up the state
(removes the database dumps, deactivates the LVM snapshots).

Note that the client mode of SafeKeep should never be invoked manually;
this mode is meant to be used only by the server mode of SafeKeep. The
only exception to this is if run with the --cleanup option, which is
used to remove LVM snapshots and mounts created by SafeKeep, after a
crash or some other failure, without a connection to the server.
Normally this cleanup would be performed through the server command
safekeep --server --cleanup.

The SSH key management mode is a helper mode for deploying or verifying
the setup of the SSH authentication keys.

In list mode, SafeKeep lists the details of existing archives. This is
basically an interface to the relevant options for rdiff-backup.

In server, key management and list modes, you can restrict the
operation to a specific set of clients by listing the desired client
IDs as arguments. If no client ID is given, SafeKeep will operate over
all known clients.

Each mode accepts a few options as described below.

--server
    Selects the server mode.

--client
    Selects the client mode. This should never be invoked manually; the
    clients are started automatically by the server on the client
    machines using SSH.

--keys
    Selects the SSH key management mode.

--list
    Selects the list mode.

Please note that you must always specify an operation mode. Earlier
versions used to default to --server mode, but that proved to work out
poorly in practice.

-c, --conf=FILE
    Specifies the configuration file location. If not specified at all,
    SafeKeep will default to /etc/safekeep/safekeep.conf, or optionally
    to ~/.safekeep/safekeep.conf for non-root users, if it exists.
    Simply using this default is the recommended usage.

-h, --help
    Selects the help mode, in which safekeep prints out the online help
    and exits.

-V, --version
    Selects the version mode, in which safekeep prints out the version
    number and exits.

-q, --quiet
    Decreases the verbosity level. Can be specified more than once.

-v, --verbose
    Increases the verbosity level. Can be specified more than once.

--noemail
    Disables the sending of email, regardless of the settings in the
    configuration file.

--force
    Pass the --force option to rdiff-backup, allowing it to overwrite
    the backup directory metadata. This option is potentially
    dangerous, and should only be used if the backup directory becomes
    corrupt and the rdiff-backup error logs tell you to use this option.

--cleanup
    Remove LVM snapshots and mounts left by SafeKeep after a crash or
    other failure. This will also run the standard cleanup
    processes, such as the removal of any DB dumps, and forces a
    consistency check of the rdiff-backup destination directory. This
    is the preferred cleanup procedure and can be run with no danger of
    corrupting the system if there is nothing to clean up.

--cleanup
    Remove LVM snapshots and mounts left after a crash or other failure
    from the local system. Unlike the equivalent --server option, it
    does not do any other of the standard cleanups. This option should
    only be used when it is not possible to refer to the server, for
    example, when the network connection to the server is no longer
    available.

-i FILE
    Forces ssh(1) to use FILE for the identity (private key) in RSA/DSA
    authentication. If not specified, ssh(1) will use its default
    identity files.

--status
    Display the key status for the clients. It is implied if no other
    option is specified. In effect this option prints the steps that
    will be taken when the keys are deployed to the client.

--print
    Display the authorization keys for the clients. This is useful in
    case you want to manually copy it into the client’s
    ~/.ssh/authorized_keys file. This option is seldom useful.

--deploy
    Deploy the authorization keys on the clients.

--increments
    Pass the --list-increments option to rdiff-backup, to list the
    number and date of partial incremental backups for the given or all
    clients. This is the default list option.

--parsable-output
    Pass the --parsable-output option to rdiff-backup to generate
    output in a format that is easily parsed by other programs. This
    currently only works with the --increments option.

--sizes
    Pass the --list-increment-sizes option to rdiff-backup, to list the
    total size of all increment and mirror files by time for the given
    or all clients. Note, this may take some time.

--changed=TIME
    Pass the --list-changed-since option for TIME to rdiff-backup, to
    list the files changed since TIME for the given clients. TIME is
    passed directly to rdiff-backup. Note, this may take some time and
    generate considerable output. Also, unlike rdiff-backup, there is no
    option to select sub-directories.

--at-time=TIME
    Pass the --list-at-time option for TIME to rdiff-backup, to list
    the files in the archive that were present at the given time for
    the given clients. Note, this may take some time and generate
    considerable output. Also, unlike rdiff-backup, there is no option to
    select sub-directories.

Normally the configuration files are placed in the
/etc/safekeep/backup.d/ directory, or optionally in
~/.safekeep/backup.d/ for non-root users, from where they will get
picked up automatically by SafeKeep. Each backup client is described by
a configuration file in XML format. The minimum configuration file is:

    <backup>
        <host name="my_workstation" />
    </backup>

This will simply back up all relevant files (excluding temporary files,
caches, etc.) from the client with the address my_workstation.

A more realistic example:

    <backup>
        <host name="my_workstation" />
        <repo retention="10D" />
        <setup>
            <dump type="postgres" dbuser="postgres" file="/var/lib/pgsql/backups/all_dbs" />
            <dump type="mysql" user="mysql" dbuser="dbbackup" db="adatabase" file="/var/backups/dumps/adatabase_dbs" />
            <dump type="mysql" user="mysql" dbuser="dbbackup" db="mysql" file="/var/backups/dumps/mysql_dbs" cleanup="true" />
            <snapshot device="/dev/mapper/VolGroup00-LogVol00" size="500M" />
        </setup>

        <data>
            <exclude regexp=".*\.ogg"/>
            <exclude regexp=".*\.mp3"/>

            <include path="/etc"/>

            <exclude glob="/home/*/tmp"/>
            <include path="/home"/>

            <include path="/root"/>

            <include path="/srv"/>

            <exclude path="/var/cache"/>
            <exclude path="/var/lock"/>
            <exclude path="/var/run"/>
            <exclude path="/var/tmp"/>
            <include path="/var/named/chroot/etc"/>
            <include path="/var/named/chroot/var/named"/>
            <exclude path="/var/named/chroot"/>
            <include path="/var"/>

            <exclude path="/"/>
        </data>
    </backup>

In this case, SafeKeep will dump all databases managed by PostgreSQL,
snapshot the disk via LVM, and proceed to back up /etc, /home, /root,
/srv, /var, while excluding some unneeded files and directories. Older
data will be retained for 10 days.

For full reference documentation of the configuration format, see
safekeep.backup(5).

Normally the client IDs are generated automatically from the
configuration filenames without the extension. E.g. if a configuration
file is named my_workstation.conf, the client ID becomes
my_workstation. For more information on this topic, see
safekeep.backup(5).

The safekeep(1) server needs to access the clients in order to conduct
the backup. To that end, it establishes two ssh(1) pipes: one for
control, and one for data. To simplify the deployment of the keys,
safekeep(1) has a key deploy mode.

When deploying keys using the built-in key management functionality,
safekeep(1) needs to be invoked as the user under which it will
function as a server. By default, that user is safekeep. For extra
security, you cannot log in to that account, so you have to invoke
safekeep(1) as root:

    [root@yourbox ~] # safekeep --keys --deploy

Since safekeep(1) is built around rdiff-backup(1), it doesn’t have any
built-in restore capabilities. It simply relies on rdiff-backup to
perform this task.

To do so, you just need to know the directory where the data is
actually stored. In a typical installation, for a box configured via
the file /etc/safekeep/backup.d/mybox.backup, the data will be stored
under /var/lib/safekeep/mybox/. Please refer to safekeep.backup(5) for
more information on this matter.

Once you have determined where the data will be stored (we’ll continue
the example above), all you have to do is run rdiff-backup:

    # rdiff-backup -r 1s /var/lib/safekeep/mybox my-restore-dir

You will be able to find more information on the restore procedure in
the rdiff-backup(1) man page.

It is important to note that the include/exclude directives that
control file selection are matched in the order they appear in the
configuration file, and the first one that matches dictates whether the
file will be included or excluded. As a result, you have to add the
more specific ones first, or the more generic specifications will
always win. For example:

    ...
    <include path="/home"/>
    <exclude path="/home/joe"/>
    ...

will NOT do what you expect, because /home will match before
/home/joe, and thus all files under /home will be included. The correct
way is to flip the two around:

    ...
    <exclude path="/home/joe"/>
    <include path="/home"/>
    ...

Please see safekeep.backup(5) for more information on file selection.

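The first-match rule above, as an added example that is not part of the SafeKeep manual or code: a small Python check that evaluates path= rules in file order and reports rules that can never be reached because an earlier rule already covers them. The helper names and the two sample fragments are constructed for illustration, and the matching model is an assumption that covers path= rules only (glob= and regexp= are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed samples: the two orderings from the text, wrapped in <data>,
# plus the catch-all exclude used in the longer configuration example.
WRONG = '<data><include path="/home"/><exclude path="/home/joe"/><exclude path="/"/></data>'
RIGHT = '<data><exclude path="/home/joe"/><include path="/home"/><exclude path="/"/></data>'

def load_rules(xml_text):
    """Return [(action, path), ...] in document order; path= rules only."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("include", "exclude") and el.get("path"):
            rules.append((el.tag, el.get("path").rstrip("/") or "/"))
    return rules

def covers(rule_path, target):
    """True if target is rule_path itself or lies beneath it (assumed model)."""
    return rule_path == "/" or target == rule_path or target.startswith(rule_path + "/")

def decide(rules, target):
    """First matching rule wins; None means no path= rule matched."""
    for action, path in rules:
        if covers(path, target):
            return action
    return None

def shadowed(rules):
    """Pairs (dead_rule, earlier_rule): dead_rule can never be reached."""
    dead = []
    for i, (action, path) in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier[1], path):
                dead.append(((action, path), earlier))
                break
    return dead

if __name__ == "__main__":
    for name, xml_text in (("wrong", WRONG), ("right", RIGHT)):
        rules = load_rules(xml_text)
        print(name, decide(rules, "/home/joe/.ssh/id_rsa"), shadowed(rules))
```

With the mis-ordered fragment, the exclude for /home/joe is reported as unreachable and files under it are still selected for backup, which is the case the text warns about.
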
rdiff-backup(1), safekeep.conf(5), safekeep.backup(5)

Written by Dimi Paun <dimi@lattica.com> and Stelian Pop
<stelian@lattica.com>.

safekeep                           02/10/2019                       SAFEKEEP(1)