SAFEKEEP(1) SAFEKEEP(1)

safekeep - Client/server backup script

safekeep [--server] [-q] [-v] [--force] [-c file] <clientid>*

safekeep --keys [-q] [-v] [-c file] [-i file] [--status] [--print]
         [--deploy] <clientid>*

safekeep --client

safekeep -h | -V

SafeKeep is a client/server backup script which enhances the power of
rdiff-backup with simple configuration and use.

SafeKeep can work in server mode, client mode or SSH key management
mode.

In server mode, SafeKeep parses a set of configuration files which
define a set of backup clients. For each backup client, SafeKeep
connects to the client host over SSH (using a public key
authentication system previously set up using safekeep --keys
--deploy), and launches safekeep --client on the client host. The
client does the real backup and sends the data over SSH to the SafeKeep
server, which stores it in the specified location.

In client mode, SafeKeep does a few setup steps, depending on the
client configuration (database dump, LVM device snapshot), then backs
up the client data using rdiff-backup, and then cleans up the state
(removes the database dumps, deactivates the LVM snapshots).

Note that the client mode of SafeKeep should never be invoked manually;
this mode is meant to be used only by the server mode of SafeKeep.

The SSH key management mode is a helper mode for deploying or verifying
the setup of the SSH authentication keys.

In both server and key management mode, you can restrict the operation
to a specific set of clients by listing the desired client IDs as
arguments. If no client ID is given, SafeKeep will operate over all
known clients.

Each mode accepts a few options as described below.

--server
    Selects the server mode (default).

--client
    Selects the client mode. This should never be invoked manually; the
    clients are started automatically by the server on the client
    machines using SSH.

--keys
    Selects the SSH key management mode.

-c, --conf=FILE
    Specifies the configuration file location. If not specified at all,
    SafeKeep will default to /etc/safekeep/safekeep.conf if it exists.
    Simply using this default is the recommended usage.

-h, --help
    Selects the help mode, in which safekeep prints out the online help
    and exits.

-V, --version
    Selects the version mode, in which safekeep prints out the version
    number and exits.

-q, --quiet
    Decreases the verbosity level. Can be specified more than once.

-v, --verbose
    Increases the verbosity level. Can be specified more than once.

--force
    Pass the --force option to rdiff-backup, allowing it to overwrite
    the backup directory metadata. This option is potentially
    dangerous, and should only be used if the backup directory becomes
    corrupt and the rdiff-backup error logs tell you to use this option.

-i FILE
    Forces ssh(1) to use FILE for the identity (private key) in RSA/DSA
    authentication. If not specified, ssh(1) will use its default
    identity files.

--status
    Display the key status for the clients. It is implied if no other
    option is specified. In effect this option prints the steps that
    will be taken when the keys are deployed to the client.

--print
    Display the authorization keys for the clients. This is useful in
    case you want to manually copy them into the client's
    ~/.ssh/authorized_keys file. This option is seldom useful.

--deploy
    Deploy the authorization keys on the clients.

Normally the configuration files are placed in the
/etc/safekeep/backup.d/ directory, from where they will get picked up
automatically by SafeKeep. Each backup client is described by a
configuration file in XML format. The minimum configuration file is:

    <backup>
      <host name="my_workstation" />
    </backup>

This will simply back up all relevant files (excluding temporary files,
caches, etc.) from the client with the address my_workstation.

A more realistic example:

    <backup>
      <host name="my_workstation" />
      <repo retention="10D" />
      <setup>
        <dump type="postgres" dbuser="postgres" file="/var/lib/pgsql/backups/all_dbs" />
        <dump type="mysql" user="mysql" dbuser="dbbackup" db="adatabase" file="/var/backups/dumps/adatabase_dbs" />
        <dump type="mysql" user="mysql" dbuser="dbbackup" db="mysql" file="/var/backups/dumps/mysql_dbs" cleanup="true" />
        <snapshot device="/dev/mapper/VolGroup00-LogVol00" size="500M" />
      </setup>

      <data>
        <exclude regexp=".*\.ogg"/>
        <exclude regexp=".*\.mp3"/>

        <include path="/etc"/>

        <exclude glob="/home/*/tmp"/>
        <include path="/home"/>

        <include path="/root"/>

        <include path="/srv"/>

        <exclude path="/var/cache"/>
        <exclude path="/var/lock"/>
        <exclude path="/var/run"/>
        <exclude path="/var/tmp"/>
        <include path="/var/named/chroot/etc"/>
        <include path="/var/named/chroot/var/named"/>
        <exclude path="/var/named/chroot"/>
        <include path="/var"/>

        <exclude path="/"/>
      </data>
    </backup>

In this case, SafeKeep will dump all databases managed by PostgreSQL,
snapshot the disk via LVM, and proceed to back up /etc, /home, /root,
/srv, /var, while excluding some unneeded files and directories. Older
data will be retained for 10 days.

For full reference documentation of the configuration format, see
safekeep.backup(5).

Normally the client IDs are generated automatically from the
configuration filenames without the extension. E.g. if a configuration
file is named my_workstation.conf, the client ID becomes
my_workstation. For more information on this topic, see
safekeep.backup(5).

The safekeep(1) server needs to access the clients in order to conduct
the backup. To that end, it establishes two ssh(1) pipes: one for
control, and one for data. To simplify the deployment of the keys,
safekeep(1) has a key deploy mode.

When deploying keys using the built-in key management functionality,
safekeep(1) needs to be invoked as the user under which it will
function as a server. By default, that user is safekeep. For extra
security, you cannot log in to that account, so you have to invoke
safekeep(1) as root:

    [root@yourbox ~] # safekeep --keys --deploy

Since safekeep(1) is built around rdiff-backup(1), it doesn't have any
built-in restore capabilities. It simply relies on rdiff-backup to
perform this task.

To do so, you just need to know the directory where the data is
actually stored. In a typical installation, for a box configured via
the file /etc/safekeep/backup.d/mybox.backup, the data will be stored
under /var/lib/safekeep/mybox/. Please refer to safekeep.backup(5) for
more information on this matter.

Once you have determined where the data will be stored (we'll continue
the example above), all you have to do is run rdiff-backup:

    # rdiff-backup -r 1s /var/lib/safekeep/mybox my-restore-dir

You will be able to find more information on the restore procedure in
the rdiff-backup(1) man page.

It is important to note that the include/exclude directives that
control file selection are matched in the order they appear in the
configuration file, and the first one that matches dictates whether the
file will be included or excluded. As a result, you have to add the
more specific ones first, or the more generic specifications will
always win. For example:

    <include path="/home"/>
    <exclude path="/home/joe"/>

will NOT do what you expect, because /home will match before
/home/joe, and thus all files under /home will be included. The correct
way is to flip the two around:

    <exclude path="/home/joe"/>
    <include path="/home"/>

Please see safekeep.backup(5) for more information on file selection.
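
The first-match rule above can be checked before a backup runs. The
following Python sketch is an added example, not part of SafeKeep: it
reads the path= rules from a <data> section, reports which rule decides
a given file, and lists rules that can never fire because an earlier
rule already covers them. It assumes a path rule covers the path and
everything beneath it; glob= and regexp= rules are not modeled, and the
function names and sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample: the misordered pair from the text, inside a <data> section.
SAMPLE = """
<backup>
  <host name="my_workstation" />
  <data>
    <include path="/home"/>
    <exclude path="/home/joe"/>
    <exclude path="/"/>
  </data>
</backup>
"""

def load_rules(xml_text):
    """Return [(action, path)] for path= rules, in document order."""
    data = ET.fromstring(xml_text).find("data")
    rules = []
    for el in (data if data is not None else []):
        if el.tag in ("include", "exclude") and "path" in el.attrib:
            rules.append((el.tag, PurePosixPath(el.attrib["path"])))
    return rules

def covers(rule_path, target):
    """Assumption: a path rule covers the path itself and everything below it."""
    return target == rule_path or rule_path in target.parents

def decide(rules, filename):
    """First matching rule wins; None means no path rule matched."""
    target = PurePosixPath(filename)
    for action, path in rules:
        if covers(path, target):
            return action
    return None

def shadowed(rules):
    """Rules that can never fire because an earlier rule covers their path."""
    out = []
    for i, (action, path) in enumerate(rules):
        for earlier_action, earlier_path in rules[:i]:
            if covers(earlier_path, path):
                out.append((action, str(path), earlier_action, str(earlier_path)))
                break
    return out

if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    print(decide(rules, "/home/joe/.ssh/id_rsa"))
    for entry in shadowed(rules):
        print("shadowed:", entry)
```

A non-empty result from shadowed() means the backup scope differs from
what the configuration appears to say, which is worth reviewing when the
excluded directory holds private keys or other secrets.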

rdiff-backup(1), safekeep.conf(5), safekeep.backup(5)

Written by Dimi Paun <dimi@lattica.com> and Stelian Pop
<stelian@lattica.com>.

10/22/2007 SAFEKEEP(1)