Difference between revisions of "Tarsnap"

From NixNet
(create page)
 
m (decrease indentation level)
Line 63: Line 63:
 
TODO
 
TODO
  
== Backups ==
+
= Backups =
 
Yes, backups for the backups are necessary. Specifically, backups of tarsnap ''keys'' are necessary. If you lose the key, you lose your backups. There is no way around this. While saving your key in a password manager, ina  text file on your PC, one someone else's PC, or even another server are all possible solutions, it's also good to have an offline copy Just In Case™. We use [https://github.com/intra2net/paperbackup paperbackup] because it's easily read by both machines (QR codes) and humans (plain text). Run your key through this, print the resulting PDF, put it in a folder, put the folder in a box, and put the box somewhere very very safe.
 
Yes, backups for the backups are necessary. Specifically, backups of tarsnap ''keys'' are necessary. If you lose the key, you lose your backups. There is no way around this. While saving your key in a password manager, ina  text file on your PC, one someone else's PC, or even another server are all possible solutions, it's also good to have an offline copy Just In Case™. We use [https://github.com/intra2net/paperbackup paperbackup] because it's easily read by both machines (QR codes) and humans (plain text). Run your key through this, print the resulting PDF, put it in a folder, put the folder in a box, and put the box somewhere very very safe.

Revision as of 04:56, 9 July 2021

Installation

Package is called tarsnap on most distributions and is usually included in the official repos. After installation, generate a key and associate it with your Tarnsap account using the following command.

tarsnap-keygen --keyfile /root/tarsnap.key --user name@example.com --machine hostname

Configuration

The configuration file is usually stored in /etc/tarsnap/tarsnap.conf. You may need to copy the sample configuration to the production config before editing.

cachedir /usr/local/tarsnap-cache
keyfile /root/tarsnap.key
nodump
print-stats
checkpoint-bytes 1G
humanize-numbers

Automation

We use ACTS for automation. It stands for Another Calendar-based Tarsnap Script and manages backup creation and rotation. It keeps 31 daily backups, 12 monthly backups, and never deletes yearly backups; maintaining those are on you. When you feel like a specific yearly backup is no longer necessary, delete it yourself.

After adding a new user to our database that has read-only access to everything, we'll configure ACTS, create pre- and post-backup scripts for database dumps, then set up email alerts.

Database dumps

Refer to SQL Snippets for working with databases. Add a new user with a complicated password and lock/read-only permissions to all databases with the following SQL command.

grant lock tables,show view,select on *.* to 'archive'@'localhost' identified by 'CHANGEMETOSOMETHINGSECURE';

We store this script in /usr/local/scripts/pre-acts.sh. It simply dumps all databases to a backup SQL file for tarsnap to ingest.

#!/bin/sh
DAY=$(date +%Y-%m-%d)
DUMPFILE=/root/db_dumps/mysql-backup-$DAY.sql
touch $DUMPFILE
chown 0:0 $DUMPFILE
chmod 600 $DUMPFILE
mysqldump -u archive -pCHANGEMETOSOMETHINGSECURE --all-databases > $DUMPFILE

This one is stored in /usr/local/scripts/post-acts.sh. It deletes all dumps older than 5 days.

#!/bin/sh
find /root/db_dumps/ -type f -mtime +5 -delete

ACTS configuration

It can be installed by simply wgeting acts and acts.conf.sample. Alternatively, clone the whole repository and symlink acts to wherever you like for easier updates then copy acts.conf.sample to /etc/acts.conf. We store scripts in /usr/local/scripts but you can put them wherever.

Make sure you reference the sample configuration file but these are the base options we use. Until you run ACTS and verify that your configuration works properly, leave verbose set to one. After you're sure everything works, set it to 0.

backuptargets="usr/local/scripts root/db_dumps"
tarsnapbackupoptions="--one-file-system --humanize-numbers"
verbose=1
prebackupscript=/usr/local/scripts/pre-acts.sh
postbackupscript=/usr/local/scripts/post-acts.sh

Failure emails

TODO

Backups

Yes, backups for the backups are necessary. Specifically, backups of tarsnap keys are necessary. If you lose the key, you lose your backups. There is no way around this. While saving your key in a password manager, ina text file on your PC, one someone else's PC, or even another server are all possible solutions, it's also good to have an offline copy Just In Case™. We use paperbackup because it's easily read by both machines (QR codes) and humans (plain text). Run your key through this, print the resulting PDF, put it in a folder, put the folder in a box, and put the box somewhere very very safe.