Box Backup - hot backups.

    Backups never lose their relevance: it is impossible to imagine any information infrastructure without them. Today we’ll talk about an online backup method.

    How do they do this “usually”?
    When people talk about backing up an existing information infrastructure, what comes to mind is cron scripts, incremental archives, a powerful server with a huge disk array, a tape streamer and other devices for writing to external media. It is hard to imagine a complete backup system without all this, although many still somehow manage without backups at all. I will not argue the need for a “strong rear”, because everyone knows it.

    The above software and hardware components are designed to provide the ability to recover files if they are lost for one reason or another. As a rule, the need for incremental backups is explained by the huge volumes of information that is constantly changing and needs to be backed up.

    You take one of the backup schemes as a basis, add the redundancy you consider necessary and put the resulting solution into operation. The scheme below would not be the worst option:

    • Once a month, a complete backup is made of absolutely all the files that need it.
    • Every day, the data changed for the current day is copied.
    • Every week, all data changed during the week is copied.
    • Once every two weeks, all files changed during this period are copied, or the archives for the two weeks are merged.
    • The pattern repeats again until a new month arrives.

    You can keep two weekly copies or one at a time, depending on your preferences or the standards adopted by your company. The procedure for restoring files is the reverse of the procedure for entering them into the archive.

    • Restore the last monthly copy.
    • Restore two weekly copies.
    • Restore a weekly copy.
    • Restore copies of the day in the reverse order.

    Schemes like the one described are used by many companies. With such a scheme you can be sure that all files can be restored to their state as of the last “daily” copy. With sufficiently large amounts of data (which, of course, is not uncommon), you are forced to use external media for storage and to have enough space on your hard drives to create at least one full copy. (The condition is not mandatory, but greatly simplifies life.)

    This and similar schemes have been working in many companies for a very long time. However, they have a number of significant drawbacks, among them:

    • Known problems when backing up "external" users. You cannot force laptop users to leave their computers turned on at the office every day.
    • Backup security issues.
    • A relatively large amount of time to recover, both single lost files and large arrays.
    • The inconvenience of working with archives - the search time for the backup database can be very long.
    • The need for help from a system administrator for working with archives.

    Not all existing problems are listed; these are only the ones I have had to face. Perhaps the solution you are using lacks these shortcomings. Perhaps your backup software package has been purchased and meets all your requirements. Perhaps you are satisfied with the current order of things. But I will still try to convince you to pay attention to another principle of creating backups.

    Online backup Box Backup.
    Box Backup is an online backup system. Why is it called that?

    In contrast to the scheme described above, a "hot" backup is done ... constantly. It is like replacing a failed server power supply without shutting it down. (I think you have encountered such computers, or at least heard about them.) Creating a backup copy of user files occurs interactively as they change. The operation scheme is simple:

    • At the initial start-up, the system scans the directories indicated to it and transfers them to the archive. Then it monitors what is happening in the file system.
    • As it detects changed files, it transfers them to the archive.

    In other words, the most recent file versions are always in the backup (!). In case of data loss on the source system, you can safely and quickly restore them in full. Tempting, isn't it?

    Box Backup runs on a rather impressive list of operating systems:
    • OpenBSD;
    • Linux;
    • NetBSD;
    • FreeBSD;
    • Darwin / Mac OS X 10.5;
    • Cygwin (Windows) (client only);
    • Native Windows (client only);
    • Solaris.

    Some quite logical questions arise when you first familiarize yourself with this hot backup system. I will try to answer the most obvious of them.

    • If the user deleted the files, what will happen to the backup?
    • Continuous copying of files implies huge network traffic and a heavy load on the backup server. How to solve this problem?
    • What is the security of copies?
    • And if there are a lot of files, how many resources will the program need to check for changes?

    Removal procedure.
    Files that were deleted from the system do not really disappear anywhere. (I’m talking, of course, not about the client computer.) In the backup, they are only marked as deleted. A user (yes, a user, not a system administrator, but more on that later) can at any time calmly ask the system to return a file that was deleted by mistake. Marked data disappears from the archive only when the space reserved for backups approaches the point where there is no choice: either clear the marked files or have nowhere to copy new ones.

    Resource requirements.
    A large network load, as one would expect, can actually be observed only when creating the initial backup, when the system needs to transfer a large amount of data at a time. However, the process priority (by default) of the Box Backup client is rather low and designed so as not to interfere with the overall operation of the computer. It works in the background and does not cause discomfort from the “thoughtfulness” of the system as a whole. Subsequently, the system will need to transfer only new or changed files, and this is not so much traffic.

    Backup Security.
    Security has received a lot of attention.

    • Client authorization on the backup server.
    • Security of data transmission.
    • Data encryption.
    • Protection of data structure.
    • Security of data storage.

    SSL is used to authorize the client on the server side of the Box Backup system. On each computer, the data of which needs to be backed up, an SSL certificate is created, which is signed on the server.

    TLS encryption is used to provide a secure communication environment. Any operations between the client and the server occur via an encrypted channel. This allows you to use the backup system even in an insecure environment without fear that data might be intercepted.

    Backup file security is ensured by encryption. Each client of the Box Backup system creates a unique key during configuration. All transferred files are encrypted with this key. And only with a key you can access the archive for viewing or restoring files.

    Moreover, on the backup server, files are stored under unique numbers, not names. Without knowing where a file is located, it is not possible to guess what it is. However, even knowing what kind of file is in front of you achieves nothing: the files are encrypted, and access requires the key. No passwords required.

    Installing the server side of Box Backup.
    I will look at installing Box Backup using a Gentoo system as an example. Installation on other systems will differ only in a few details, which I will mention later.

    So, first install the server side of the system. The Box Backup ebuild is in the standard ports tree, so we only need to use the standard package installation procedure of the Gentoo system.

    #emerge -av boxbackup

    Please note that by default you will be prompted to install an older version of the system - 0.09. I would recommend following the ports tree to the desired branch and installing a newer version, as many corrections have been made to it.

    #cd /usr/portage/app-backup/boxbackup
    #emerge -av boxbackup-0.10.ebuild

    Of course, you can make corrections to your /etc/portage/package.keywords, but I see no reason to do this for the sake of one package (the system will not require other packages for its operation).

    After the assembly of the package is completed, you can proceed with the configuration. It is important to note one point here. If your system does not have a raid controller for backup, and you just use several disks, Box Backup suggests creating several directories that will provide redundancy in case of disk errors.

    If raid is installed, then you can safely refuse to use this structure.

    To use the “raid” from Box Backup, execute the following command:

    # raidfile-config /etc/boxbackup 2048 /raid/0.0 /raid/0.1 /raid/0.2

    Or we will refuse to use it with a command of a different kind:

    # raidfile-config /etc/boxbackup 2048 /raid/0.0

    The list of parameters in this command:
    • /etc/boxbackup - the directory where the configuration files will be created. (If you are not installing the system on Gentoo Linux, use the /etc/box directory by default);
    • 2048 - file block size;
    • /raid/0.0 and the rest are directories where backups will be stored directly. These directories must be created by you. They will not be created automatically.

    After the configuration file is ready, create a user who will run Box Backup.

    #useradd _bbstored

    And create the main system configuration file:

    # bbstored-config /etc/boxbackup hostname _bbstored

    • /etc/boxbackup - directory of configuration files;
    • hostname - computer name;
    • _bbstored - the name of the user the system is running from.

    If you built the package yourself on another system, use the /etc/box directory for configuration files.

    Executing this command will create the main configuration file for the Box Backup system, /etc/boxbackup/bbstored.conf, in which the main parameters are written.

    Assign our user _bbstored the rights to the directory:

    #chown -R _bbstored /etc/boxbackup/bbstored
    #chmod -R go-rwx /etc/boxbackup/bbstored

    This completes the configuration of the server side of the Box Backup system. All that remains is to create an SSL certificate for our system and add customer accounts. We will do this after installing the client part on the machine from which the backup will be performed.

    Installing the client part of Box Backup on Linux.
    Since we are talking about Gentoo Linux, and in the output of the earlier command

    #emerge -av boxbackup-0.10.ebuild

    you probably noticed the -client-only flag, we will use it. Let's execute the following commands on the system that needs to be backed up:

    #cd /usr/portage/app-backup/boxbackup
    # USE='client-only' emerge boxbackup-0.10.ebuild

    This will install the Box Backup client on our system.

    After the client is installed, configure it to work with our server. Two options are possible here:

    • lazy - in this mode, the bbackupd backup daemon constantly monitors file changes, and as soon as the changed file is closed, it is transferred to the backup.
    • snapshot - the operation of this mode is understandable by its name. Once in the time period you set, the bbackupctl sync command is launched, upon receiving which the bbackupd daemon starts scanning all the directories specified in the configuration file. In case of discrepancies in the date of the last change, the file is transferred to the backup server.

    Which mode to prefer depends directly on the number of files that need to be backed up, computer load and network traffic. I think the dependencies are quite obvious. I can only say that if you install the Box Backup system on a laptop that often works outside the local network where the backup server is located, then you should probably choose snapshot mode.

    Of course, nothing prevents you from installing the Box Backup server so that it is accessible from the outside. But in this case, you should consider the amount of traffic that the computers will generate during backup.

    Run the command, which will create the main configuration file, the system key and SSL certificate for authorization on the remote server.

    # bbackupd-config /etc/boxbackup lazy account_name hostname /var/bbackupd /home

    • /etc/boxbackup - storage location for configuration files;
    • lazy - backup method;
    • account_name (for example, 99) - the name of the account on the backup server (usually, I just use the last digits of the IP address of the computer);
    • hostname - network name of the backup server (do not accidentally specify the name of your own computer in this parameter!);
    • /var/bbackupd - the place where temporary files of the Box Backup system will be stored (make sure that there is enough free space there);
    • /home - the path to back up (folders are easily configured in the configuration file and we will talk about this soon).

    Now we just have to specify the folders we want to back up and the rules for them. The main configuration file of the Box Backup client is located in the /etc/boxbackup directory and is called bbackupd.conf.

    The parameters set in this file contain the necessary and very transparent explanations, so I will focus only on the description of the paths for backup.

    The description structure is as follows:

    Path = /home
    ExcludeDir = /home/ftp
    ExcludeFilesRegex = .*\.(avi|AVI)$
    Path = /etc

    home-directory and etc in this case are arbitrary labels that describe the directories for the Box Backup system. It is under these names that they will be displayed when querying a backup.

    Path - the actual path to directories and files that need to be backed up. When specifying paths, it should be noted that the backup will be done recursively, that is, with all subfolders.

    ExcludeDir is, as you might guess, the option to exclude a certain subfolder from the reservation.

    ExcludeFilesRegex - a mask that indicates file extensions that should be ignored and not transferred to the backup.

    The remaining options are no less clear and do not need a separate description.

    The lazy and snapshot modes in the configuration files differ only in the parameters:

    AutomaticBackup = no
    UpdateStoreInterval = 0
    MinimumFileAge = 0
    MaxUploadWait = 0

    (in the case of snapshot mode). To change the operating mode, it is enough to change the values of these variables to the other mode's values, which can always be looked up on a neighboring system. Do not re-run the configuration command, as it will replace your encryption key and SSL certificates. In this case, the signing procedure will have to be repeated. (Of course, you can copy the key and SSL certificate beforehand, but ... isn’t it easier to change the value of several variables?)

    Now that we have configured the client and server parts of the Box Backup system, it's time to deal with SSL certificates for authorization.

    SSL certificates for the server side.
    To create a basic certificate structure, run the command:

    # bbstored-certs ca init

    If you get any errors while running this command, please make sure that you have the OpenSSL package installed first.

    After generating the certificate, we will sign it:

    # bbstored-certs ca sign-server hostname-csr.pem

    This completes the preparation of certificates for the Box Backup server part.

    SSL certificates for the client side.
    We already have a client SSL certificate, we only need to sign it on the server, and at the same time copy the certificate from the server to the client. To do this, you need to transfer (scp, samba, ftp or another way) to the server the file /etc/boxbackup/bbackupd/account_name-csr.pem

    It is best to place the client certificate on the server in the folder /etc/boxbackup/bbackupd/

    After that, run the command on the server:

    # bbstored-certs ca sign /etc/boxbackup/bbackupd/account_name-csr.pem

    When we answer yes, the certificate will be signed and we will see instructions telling us to copy two files to the client.

    On the client side we put these files in /etc/boxbackup/bbackupd.

    Now it remains only to create an account for our client for reservation.

    Creating an account in the backup system.
    To create an account, use the command:

    #bbstoreaccounts create account_name 0 10000M 15000M

    • account_name - account name in numerical form (for example, as I said, the last digit in the client's ip address).
    • 10000M - soft backup size limit. In this case, I allocated 10 gigabytes per user (you can also specify 10G).
    • 15000M - a hard limit on the size of backup.

    After that, you can safely start the services of the client and server of the Box Backup system. The backup system is ready!

    Other account operations.
    In addition to creating accounts, of course, you can delete them, change the size of the allowed backup space occupied, look at information on the occupied space, and also check backup copies for errors.

    #bbstoreaccounts info account_name

    will show fairly detailed information about the current state of affairs in the specified account. It will look like this.

    Account ID: 00000003
    Last object ID: 390831
    Blocks used: 59659618 (116522.69Mb)
    Blocks used by old files: 110818 (216.44Mb)
    Blocks used by deleted files: 1670369 (3262.44Mb)
    Blocks used by directories: 73637 (143.82Mb)
    Block soft limit: 61440000 (120000.00Mb)
    Block hard limit: 64000000 (125000.00Mb)
    Client store marker: 1145862657000000

    As you can see, everything is pretty transparent and clear.

    #bbstoreaccounts setlimit account_name 30000M 35000M

    will change the allowable backup volume for this user. (As I wrote above, the volume can also be specified in gigabytes.)
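    The output above lends itself to a simple monitoring check. The script below is an added example, not part of the original article or of Box Backup: it reads the text printed by bbstoreaccounts info on standard input and reports how close the account is to its limits and how many blocks are held by old and deleted versions. The function names and the 90% warning threshold are assumptions; the sample input repeats the values shown above.

```sh
#!/bin/sh
# Added example (not from Box Backup). store_usage and sample_info are
# hypothetical names; the 90% NEAR_SOFT threshold is an assumed value.

# Sample input: the account report shown in the article.
sample_info() {
    cat <<'EOF'
Account ID: 00000003
Last object ID: 390831
Blocks used: 59659618 (116522.69Mb)
Blocks used by old files: 110818 (216.44Mb)
Blocks used by deleted files: 1670369 (3262.44Mb)
Blocks used by directories: 73637 (143.82Mb)
Block soft limit: 61440000 (120000.00Mb)
Block hard limit: 64000000 (125000.00Mb)
Client store marker: 1145862657000000
EOF
}

# Reads "bbstoreaccounts info" text on stdin and prints one status line.
# Exit status 3 means the limits could not be found in the input.
store_usage() {
    awk -F': *' '
        # Take the first number after the colon; tolerate thousands separators.
        { gsub(/,/, "", $2); split($2, v, " "); n = v[1] + 0 }
        $1 == "Blocks used"                  { used = n }
        $1 == "Blocks used by old files"     { old  = n }
        $1 == "Blocks used by deleted files" { del  = n }
        $1 == "Block soft limit"             { soft = n }
        $1 == "Block hard limit"             { hard = n }
        END {
            if (used == "" || soft == "" || hard == "" || soft == 0) {
                print "UNKNOWN"
                exit 3
            }
            reclaim = old + del        # versions the server may purge
            live    = used - reclaim   # current versions only
            status  = "OK"
            if (used * 100 >= soft * 90) status = "NEAR_SOFT"
            if (used > soft)             status = "OVER_SOFT"
            if (used >= hard)            status = "FULL"
            printf "%s used=%d%% reclaimable=%.0f live=%.0f\n",
                   status, int(used * 100 / soft), reclaim, live
        }'
}

# Stand-alone demonstration on the sample above.
sample_info | store_usage
```

    On a real server the input would come from bbstoreaccounts info account_name piped into store_usage.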

    To check the backup, use the command:
    #bbstoreaccounts check account_name

    and, in case of errors, correct it with:
    #bbstoreaccounts check account_name fix

    Finally, the command:
    #bbstoreaccounts delete account_name

    will delete the existing account.

    Restore files from backup.
    After all that we talked about, perhaps the time has come to find out how the files are actually restored from the backup. There is a bbackupquery utility for this.

    Figure 1. Help output with bbackupquery utility.

    This utility works like a remote shell. It does not need a working bbackupd daemon and allows you to communicate with the backup server using the commands entered. The connection to the server is established using the same SSL certificates and still passes with TLS channel encryption.

    Figure 1 shows the output of the help command. As you can see, a fairly large number of commands are available, among which there is even compare, which allows you to compare versions of files on the local hard drive and files in the backup. Working with bbackupquery is somewhat similar to communicating with the ftp server through the console client, so I will not dwell on it in detail.

    Fig 2. Directory list (by labels from the configuration file).

    Graphic Shell Boxi.
    Of course, the world is not without good people and there is a graphical shell for working with backup. A project called boxi . It has a rather Spartan interface, but nevertheless it makes it much more convenient to communicate with your backup than the console bbackupquery and allows you to perform all the basic operations for working with a backup. Such as - version comparison, deletion from the archive, file recovery, directory structure overview and so on.

    Figure 3. Ascetic boxi.

    However, at the moment, the use of Boxi is not possible. The reason is that this utility can only work with Box Backup version 0.09, and as I wrote above, version 0.10 has undergone many changes and is the one recommended for installation. According to the developer of this utility, the next version, ready to work with version 0.10, should be expected no earlier than in three months.

    But if convenience is more important to you, then it may make sense to install an older version in order to be able to work with the graphics utility.

    It should also be noted that Boxi needs all the Box Backup system configuration files to work. Therefore, when using it, many people start the bbackupd process not as a system service, but under their own user account.

    Backup windows systems.
    So far I have been ignoring the use of a backup system for copying windows workstations (and servers, of course). I will explain why.

    On the site you can find the native Windows client, which works at least on systems of the Windows 2000 and Windows XP family. In the archive you will find all the necessary files, which are recommended to be copied to the directory c:\Program Files\Box Backup\

    All that remains is to generate a client certificate, sign it on the server and transfer the signed certificate and the server certificate back. And here some difficulties may arise. The fact is that the scripts responsible for generating certificates are written in Perl, and there is no guarantee that it will be present on your Windows system. With long torment it is possible to achieve the desired result, but there is a much faster and more convenient way.

    On any of your Linux systems, having previously saved the /etc/boxbackup/bbackupd directory in a safe place ... generate certificates for the Windows system. Why not? It doesn’t matter where the encryption key and certificate are created. After that, it remains only to sign the newly created certificate and transfer the necessary files to the Windows system. And do not forget to return the contents of the bbackupd folder to its rightful place.

    Thus, connecting a Windows workstation to the backup also becomes a very simple task.

    In MS Windows, all the options of the Box Backup configuration files are available to you in the same way, as are both modes, lazy and snapshot. In order to install bbackupd as a system service, just run the command:

    bbackupd -i

    Boxi also exists for Windows, but for the reasons described above it is unlikely to be useful to you for now, unless you are going to return to Box Backup version 0.09.

    Important.
    It is important to remember that all information in the backup is encrypted and cannot be retrieved without the FileEncKeys.raw key. Therefore, it is strongly recommended that you copy the contents of every /etc/boxbackup/bbackupd folder to a place protected from unauthorized access, and also transfer it to an external medium and keep that medium somewhere far away. In the event of a key loss, file recovery from the archive will become impossible.
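    The chown and chmod -R go-rwx step on the server and the advice above to keep the client key directory away from unauthorized access can both be verified with one check. This is an added example, not part of the original article or of Box Backup: the function name audit_box_dir is made up for illustration, and the paths in the usage comments are the Gentoo locations used in this article.

```sh
#!/bin/sh
# Added example (not from Box Backup). audit_box_dir is a hypothetical
# helper that checks a Box Backup configuration or key directory.
#
# Usage: audit_box_dir DIR [OWNER] [REQUIRED_FILE]
#   server:  audit_box_dir /etc/boxbackup/bbstored _bbstored
#   client:  audit_box_dir /etc/boxbackup/bbackupd "" FileEncKeys.raw
#
# Return codes: 0 clean, 1 loose mode or wrong owner,
#               2 directory missing, 3 required file missing or empty.
audit_box_dir() {
    dir=$1
    owner=${2:-}
    required=${3:-}

    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

    # ls -ld prints the mode string first and the owner third. Characters
    # 5-10 of the mode string are the group and other permission bits,
    # which "chmod -R go-rwx" leaves as "------".
    bad=$(find "$dir" ! -type l -exec ls -ld {} + |
          awk -v want="$owner" '
              substr($1, 5, 6) != "------" { print "loose mode:  " $0; next }
              want != "" && $3 != want     { print "wrong owner: " $0 }')

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi

    # Without the key file the encrypted store cannot be read back.
    if [ -n "$required" ] && [ ! -s "$dir/$required" ]; then
        echo "missing or empty: $dir/$required"
        return 3
    fi

    return 0
}
```

    The same check can be pointed at the off-host copy of the key directory, since that copy deserves the same permissions as the original.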

    Also, you should pay attention to time synchronization on the client and server machines, since Box Backup relies on the date of the last file change in its work.

    Have a nice hot backup!


    akeeper Alexey Korshunov.
    First published in the System Administrator magazine.
