Network/Procedures/Set up borg backups

From Makers Local 256

This is how to start backing up a box via borg to newbackup. We will use the fictitious box called 'newbox' for illustrative purposes.

  • Bring the box up to Debian 8 or newer.
  • Install borgbackup. On Debian 8 it comes from jessie-backports; on newer releases it is in the main repository.
newbox:~# if grep -E '^8' /etc/debian_version; then apt-get install borgbackup -t jessie-backports; else apt install borgbackup; fi
Setting up borgbackup (1.0.1-1~bpo8+1) ...
  • As root, on the box, generate an ssh key with no passphrase. This will be used for backup transit.
newbox:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
  • Copy the key to your clipboard.
newbox:~# cat .ssh/ 
ssh-rsa ...
  • On newbackup, you will need to add a line that looks like this to ~borg/.ssh/authorized_keys:

command="cd /srv/backup/borg/repos/newbox; borg serve --restrict-to-path /srv/backup/borg/repos/newbox",no-port-forwarding,no-X11-forwarding,no-pty,no-agent-forwarding,no-user-rc ssh-rsa ...

Replace "newbox" in both directory paths with the name of the box you are adding (mail, web, newvpn, etc.), and replace everything from "ssh-rsa" to the end of the line with the public key you copied to your clipboard earlier. The whole entry must be a single line; you are adding exactly one line to the file.

  • Now create that directory on newbackup.
hfuller@newbackup:~$ sudo su -c "mkdir /srv/backup/borg/repos/newbox" borg
  • On the box you are backing up, initialize the repo. When prompted for a passphrase, use KeePass to generate one, then save it in the Makers' KeePass. YOU NEED TO SAVE THE PASSPHRASE! If we need to restore this backup, this will be the ONLY place the passphrase is found!!
newbox:~# borg init
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 5e:ac:ab:35:73:bb:93:44:2b:84:bb:e2:f6:5e:14:a3.
Are you sure you want to continue connecting (yes/no)? yes
Remote: Warning: Permanently added ',' (ECDSA) to the list of known hosts.
Enter new passphrase: 
Enter same passphrase again: 
Do you want your passphrase to be displayed for verification? [yN]: y
Your passphrase (between double-quotes): "..."
Make sure the passphrase displayed above is exactly what you wanted.
  • Save that passphrase into a file, then make sure no one but root can read it.
newbox:~# cat > /usr/local/etc/borgpass
(Paste the passphrase here, then hit Ctrl-D)
newbox:~# chown root:root /usr/local/etc/borgpass && chmod 400 /usr/local/etc/borgpass && ls -l /usr/local/etc/borgpass 
-r-------- 1 root root 23 Apr 21 22:59 /usr/local/etc/borgpass
  • Clone the netadmin-scripts repo, which will give you the borgsnap tool.
newbox:~# git clone /usr/local/sbin
Cloning into '/usr/local/sbin'...
remote: Counting objects: 50, done.
remote: Total 50 (delta 0), reused 0 (delta 0), pack-reused 50
Unpacking objects: 100% (50/50), done.
Checking connectivity... done.
  • Edit the /usr/local/etc/borgsnap.conf file. Add this line to set the dirs that are backed up. Add extra dirs as needed.

BACKUP_DIRS="/etc /root/ /var/backups/ /var/log/ /var/www"

  • Edit root's crontab ('sudo crontab -e') and add this line:

3 5 * * * /usr/local/sbin/borgsnap

Except, preferably, change the number 3 to an arbitrary number less than 60. I like to use the last octet of the server's IP address.

  • Kick the backup once to watch it go. The first run will take a while. Make sure it returns that all is well.
newbox:~# /usr/local/sbin/borgsnap ; echo "borgsnap returned $?"
borgsnap returned 0
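The authorized_keys entry above is what keeps the box's passphrase-less key from doing anything on newbackup except serving its own repo. The helper below is an added example, not code from this wiki or from the netadmin-scripts repo: it builds that entry for a box name and public key, and checks an existing entry still carries the forced command, the matching --restrict-to-path, and every no-* option. It assumes only the /srv/backup/borg/repos layout used above.

```shell
#!/bin/sh
# Added example (not part of the Makers Local 256 wiki or netadmin-scripts).
# Builds and validates the forced-command authorized_keys entry for one box.

REPO_BASE=/srv/backup/borg/repos   # repo layout assumed from the procedure above
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-pty no-agent-forwarding no-user-rc"

# borg_authkey_line BOX PUBKEY: print the single line to append to ~borg/.ssh/authorized_keys.
borg_authkey_line() {
    box=$1; pubkey=$2
    # Box names are plain hostnames; refuse anything that could leave the repo tree.
    case $box in ''|*[!A-Za-z0-9._-]*|.*) echo "bad box name: $box" >&2; return 1 ;; esac
    repo="$REPO_BASE/$box"
    printf 'command="cd %s; borg serve --restrict-to-path %s",%s %s\n' \
        "$repo" "$repo" "$(echo $REQUIRED_OPTS | tr ' ' ',')" "$pubkey"
}

# check_authkey_line LINE: return 0 if LINE restricts the key as required, else 1 (reasons on stderr).
check_authkey_line() {
    line=$1; ok=0
    # Everything before the key type (ssh-rsa, ssh-ed25519, ecdsa-...) is the options field.
    opts=${line%% ssh-*}; opts=${opts%% ecdsa-*}
    case $opts in 'command="cd '*) ;; *) echo "no forced command" >&2; return 1 ;; esac
    case $opts in *--restrict-to-path*) ;; *) echo "no --restrict-to-path" >&2; return 1 ;; esac
    for opt in $REQUIRED_OPTS; do
        case ",$opts," in *",$opt,"*) ;; *) echo "missing $opt" >&2; ok=1 ;; esac
    done
    # The cd target and the serve restriction must be the same repo, inside REPO_BASE.
    cd_path=${opts#command=\"cd }; cd_path=${cd_path%%;*}
    rtp_path=${opts#*--restrict-to-path }; rtp_path=${rtp_path%%\"*}
    [ "$cd_path" = "$rtp_path" ] || { echo "cd path and --restrict-to-path differ" >&2; ok=1; }
    case $cd_path in "$REPO_BASE"/*) ;; *) echo "repo outside $REPO_BASE" >&2; ok=1 ;; esac
    return $ok
}

# Usage: sh borg_authkey.sh BOX "PUBKEY"  (prints the entry for BOX)
if [ $# -eq 2 ]; then
    borg_authkey_line "$1" "$2"
fi
```

To audit newbackup, run each line of ~borg/.ssh/authorized_keys through check_authkey_line; a box that still serves a shared base directory or lacks no-pty shows up on stderr.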