From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1QtTQH-0008Ol-Ax for garchives@archives.gentoo.org; Tue, 16 Aug 2011 23:51:53 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 0407721C2CA; Tue, 16 Aug 2011 23:51:43 +0000 (UTC)
Received: from mail-ew0-f53.google.com (mail-ew0-f53.google.com [209.85.215.53]) by pigeon.gentoo.org (Postfix) with ESMTP id 61C5021C203 for ; Tue, 16 Aug 2011 23:50:43 +0000 (UTC)
Received: by ewy8 with SMTP id 8so224497ewy.40 for ; Tue, 16 Aug 2011 16:50:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=G2SFzJZFIeosi1A/mn5KQGbihd/L/Xhv0XKaFAi/H9g=; b=Dr3wgXlPK2GsgIK+OJn46mR/cSu2uki6onpvQn1u5qJDRVC0MKrAHyOZhe04gB5xh3 j2Fn5sMzBI4PfaoxRy38rgTJQy2o/YNUkBM2IamGPrVEEaOdxfflHmsb0eCTY2XAL/M3 S22L3IaeXuCt5qU0xhKyQNa/HuqG7KE42T+8I=
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail 
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.14.147.12 with SMTP id s12mr101109eej.140.1313538640977; Tue, 16 Aug 2011 16:50:40 -0700 (PDT)
Received: by 10.14.100.140 with HTTP; Tue, 16 Aug 2011 16:50:40 -0700 (PDT)
In-Reply-To: <54732072.QyOj10dyxT@eve>
References: <54732072.QyOj10dyxT@eve>
Date: Tue, 16 Aug 2011 16:50:40 -0700
Message-ID: 
Subject: Re: [gentoo-user] {OT} rdiff-backup: push or pull?
From: Grant 
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: 
X-Archives-Hash: 01c9f07deb318fa5a62379885bf8aa56

>> I'm setting up an automated rdiff-backup system and I'm stuck between
>> pushing the backups to the backup server, and pulling the backups to
>> the backup server. If I push, I have to allow read/write access of my
>> backups via SSH keys. If I pull, I have to enable root logins on each
>> system to be backed-up, allow root read access of each system via SSH
>> keys, and I have to deal with openvpn or ssh -R so my laptop can back
>> up from behind foreign routers. The conventional wisdom online seems
>> to indicate pulling is better, but pushing seems like it might be
>> better to me. Do you push or pull?
>
> I would push, to be honest.

Me too. The rdiff-backup "UnattendedRdiff" wiki page only has
instructions for pulling but that doesn't seem like the way to go:

http://wiki.rdiff-backup.org/wiki/index.php/UnattendedRdiff

> You can separate the backups by giving each system a different account where
> to store the backups.

I'm not sure what you mean. The backups are all stored on the backup server.

> This way you can also have better control over when to do the backup. If your
> laptop hooks up via VPN just to quickly check email over an expensive or slow
> link, you might not want the backup to start downloading all the pictures you
> took during the holiday or that 300-page manuscript you wrote for your book.
>
> --
> Joost

Here's what I'm doing. root on 3 machines pushes to non-root on a 4th
machine via rdiff-backup and SSH keys. The SSH keys are restricted like
so (although there is no from= for the laptop's key since it could be
behind any IP):

command="rdiff-backup --server",from="12.34.56.78",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa ... root@machine1

Is this a good arrangement?
I think the worst-case scenario (compromised SSH keys) is read/write
access of the non-root user on the backup server via rdiff-backup.

Additionally, the backups on the 4th machine are pushed to another
machine by root to non-root via rsync and SSH keys. Is there a way to
restrict SSH keys to the rsync command?

Should the non-root backup user have any special configuration?

Can I reserve 0% for root on my USB hard drive which is only used for
backups and does not contain an OS?

- Grant
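As an added example that is not part of the thread, a small Python auditor for the authorized_keys restrictions described above: it parses the option prefix of each entry and flags keys that lack a forced command, the no-* options, or a from= clause. The accepted forced commands (rdiff-backup --server, and rrsync, the restricted-rsync wrapper shipped in rsync's support/ directory) and the sample entries are assumptions.

```python
import re
# Options Grant's keys carry; every key on the backup account should have them.
REQUIRED_OPTS = {"no-port-forwarding", "no-X11-forwarding", "no-pty"}
# Assumed acceptable forced commands (rdiff-backup server mode, rsync's rrsync wrapper).
ALLOWED_COMMANDS = ("rdiff-backup --server", "rrsync ")
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# One option: name, optional ="value" (backslash escapes allowed), optional comma.
OPT_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?,?')

def parse_entry(line):
    """Return (options dict, key type, comment) for one authorized_keys line."""
    line, opts = line.strip(), {}
    if line.split(" ", 1)[0] not in KEY_TYPES:  # an option prefix is present
        pos = 0
        while pos < len(line) and not line[pos].isspace():
            m = OPT_RE.match(line, pos)
            if not m:
                raise ValueError(f"unparseable options near {line[pos:pos + 20]!r}")
            opts[m.group(1)] = m.group(2) if m.group(2) is not None else True
            pos = m.end()
        line = line[pos:].lstrip()
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("entry has no recognised key type")
    return opts, fields[0], (fields[2] if len(fields) > 2 else "")

def audit(line):
    """List what is wrong with one entry; an empty list means it passes."""
    opts = parse_entry(line)[0]
    problems = []
    cmd = opts.get("command")
    if cmd is None:
        problems.append("no forced command: key grants an interactive shell")
    elif not cmd.startswith(ALLOWED_COMMANDS):
        problems.append(f"unexpected forced command {cmd!r}")
    if missing := REQUIRED_OPTS - opts.keys():
        problems.append("missing " + ",".join(sorted(missing)))
    if "from" not in opts:
        problems.append("no from= restriction (only acceptable for a roaming laptop)")
    return problems

# Constructed sample entries; "AAAAplaceholder" stands in for real key material.
SAMPLE_KEYS = [
    'command="rdiff-backup --server",from="12.34.56.78",no-port-forwarding,'
    'no-X11-forwarding,no-pty ssh-rsa AAAAplaceholder root@machine1',
    'command="rdiff-backup --server",no-port-forwarding,no-X11-forwarding,'
    'no-pty ssh-rsa AAAAplaceholder root@laptop',
    'ssh-rsa AAAAplaceholder root@machine3',  # bare key: full shell if leaked
]
```

Feed it the lines of the backup account's authorized_keys; an empty list for an entry means the key is locked down the way the machine1 key above is.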