How do I backup my Root (V)Server?

Nine offers you S3-compatible backup space where you can save the data of your root (V)server. We recommend the duplicity tool to create the backup. Below you will find a brief introduction to duplicity.

What is duplicity?

duplicity helps you create backups of a system and store them on another system or media. Here you can specify multiple different targets for the backup. duplicity also allows you to create encrypted backups. In this case, the data will be encrypted and decrypted with GnuPG.

A backup with duplicity can be started simply via a call with the appropriate parameters; no complicated configuration is necessary.

There are also various frontends for duplicity. One example is duply.

The commands and scripts shown do not use duply. If you need a frontend for duplicity, the following link will help you install duply, a simple frontend for duplicity:

https://www.thomas-krenn.com/de/wiki/Backup_unter_Linux_mit_duply

How is duplicity installed?

Ubuntu

duplicity must be available in version 0.7.x or higher for the backup to work with our S3-compatible storage. Furthermore, an additional Python module is needed.

Under Ubuntu, only the version 0.6x can be installed directly from the official Ubuntu-repository. Therefore, duplicity's own Ubuntu repository is used for installation.

This can be accomplished with the following commands:

apt-get install software-properties-common
apt-get install python-software-properties

Only on Ubuntu Xenial (16.04) or older systems:

add-apt-repository ppa:duplicity-team/ppa

After that, duplicity can be installed:

apt-get update
apt-get install duplicity

Additionally, the python-boto package must be installed before duplicity is ready to use:

apt-get install python-boto

Debian

The same packages used for Ubuntu can also be used for Debian. Note that after adding the additional repository via

add-apt-repository ppa:duplicity-team/ppa

the designation of the Debian version in the file /etc/apt/sources.list.d/duplicity-team-ppa-trusty.list must be replaced by "trusty".

How do I use duplicity?

The access data must be exported as environmental variables before a backup can be created. This is done as follows:

export AWS_ACCESS_KEY_ID='GOTTEN_ACCESS_KEY'
export AWS_SECRET_ACCESS_KEY='PASSWORD_FROM_ACCESS_KEY'

To prevent display of these data in the console history, we recommend storing the two commands in a hidden file, such as /root/.backup.cred. Thereafter, this script can simply be invoked with source code $(/root/.backup.cred) to set the variables.

How do I test my access data?

The following command checks for the existence of the credentials and collections, and then displays on what date and time the last backup, if any, was created.

duplicity collection-status s3://backup-space.nine.ch/${HOSTNAME}

Output of a successful validation:

Last full backup date: none
Collection Status
-----------------
Connecting with backend: BackendWrapper
Archive dir: /root/.cache/duplicity/...

Output of an unsuccessful validation:

Traceback (innermost last):
 File “/usr/bin/duplicity”, line 1559, in <module>
   with_tempdir(main)
 File “/usr/bin/duplicity”, line 1545, in with_tempdir
   fn()
 File “/usr/bin/duplicity”, line 1381, in main
   action = commandline.ProcessCommandLine(sys.argv[1:])
 File “/usr/lib/python2.7/dist-packages/duplicity/commandline.py”, line 1132, in ProcessCommandLine
   globals.backend = backend.get_backend(args[0])
 File “/usr/lib/python2.7/dist-packages/duplicity/backend.py”, line 223, in get_backend
   obj = get_backend_object(url_string)
 File “/usr/lib/python2.7/dist-packages/duplicity/backend.py”, line 209, in get_backend_object

Create a backup

Before creating a backup with duplicity, the user must decide what kind of backup he/she wants for the system. We recommend using weekly full backups with associated daily incremental backups.

The following command will create a backup of a directory:

duplicity --log-file /var/log/duplicity.log --verbosity info --archive-dir=/var/tmp/duplicity --no-print-statistics --full-if-older-than 3D --no-encryption ${DIRECTORY_TO_BACKUP} s3://backup-space.nine.ch/${HOSTNAME}/${PREFIX}

If the command specified above is executed in a cron job, e.g. daily, then a complete backup of directory ${DIRECTORY_TO_BACKUP} will be created every three days. Incremental backups will be created in between the three days. Note that a new bucket named ${HOSTNAME} is thus created. The variable ${PREFIX} represents a freely chosen prefix to identify the backup. The prefix can be chosen freely, but the name of the bucket should correspond to the server's hostname to avoid confusion.

If error code 403 appears with this command, it may be due to one of the following causes:

1. The access data (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) were not stored or were incorrectly stored.
2. A bucket with the chosen name already exists. Please choose another bucket name (in the command above, the bucket name is ${HOSTNAME}).

Verify a backup

The “duplicity verify” command with a “–compare-data” flag will compare the directory specified with the S3 bucket.

duplicity verify --compare-data s3://backup-space.nine.ch/${HOSTNAME}/${Prefix} /directory/to/compare

Discrepancies are found:

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: DATE TIME
Difference found: File . has mtime DATE TIME, expected DATE TIME
Difference found: New file TEST.txt
Verify complete: 30 files compared, 2 differences found.

No discrepancies are found:

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: DATUM UHRZEIT
Verify complete: 30 files compared, 0 differences found.

Delete all backups

The following command can be used to delete old backups that are no longer needed:

duplicity remove-all-but-n-full 3 --archive-dir=/var/tmp/duplicity  --log-file /var/log/duplicity.log --force --verbosity info --no-print-statistics s3://backup-space.nine.ch/${HOSTNAME}/${PREFIX}

This will always preserve the last 3 complete backups of the server.

Restore backup

To restore the last backup, proceed as follows:

duplicity --archive-dir=/var/tmp/duplicity restore s3://backup-space.nine.ch/${HOSTNAME}/${PREFIX} ${TARGET}

If it was verified that all necessary data were contained in the S3 dataspace, then no special handling is required for the restore.

List backups

The following command lists all currently available backups:

duplicity collection-status --archive-dir=/var/tmp/duplicity s3://backup-space.nine.ch/${HOSTNAME}/${PREFIX}

Encrypted backups

duplicity also allows you to create encrypted backups. Here the data are encrypted via GPG.

Create GPG key pair A public and a private key are required for encryption. These can be created as follows:

GPG then asks how the new key should be created. Choose the following specifications:

1. RSA and RSA

2. = 2048 (4096 recommended)

3. The desired expiry date for the key (0 = never expires)
4. if "0" is specified, it must be confirmed.
5. "Real name" can be set, for example, to the server name
6. Leave “Email address” empty.
7. Also leave "Comment" empty.
8. Confirm with "O" (as in okay).
9. Do not set a password. (This would have to be specified in clear text for each backup.)

If the server was restarted, the following text may appear when creating the key: “Not enough random bytes available. Please do some other work to give the OS a chance to collect more”

These random bytes are automatically generated by running programs and tasks. However, this can be accelerated with "mg-tools".

sudo apt-get install rng-tools
rngd -f -r /dev/urandom

This must be allowed to run for a couple of minutes. Thereafter, the GPG-key can be created.

Once the key pair has been created, we recommend storing the private key on another device, since the data can later only be decrypted with this key.

Export the keys as follows:

gpg --output mygpgkey_pub.gpg --armor --export MYGPGKEY01
gpg --output mygpgkey_sec.gpg --armor --export-secret-key MYGPGKEY01

These two files can then be transferred to another device as follows:

scp MYGPGKEY01_pub.gpg MYGPGKEY01_sec.gpg user@remotehost:~/

As soon as both files have been transferred, they should be deleted from the server.

rm ~/MYGPGKEY01_sec.gpg ~/MYGPGKEY01_pub.gpg

Create an encrypted backup

To create an encrypted backup, the backup command mentioned above must merely be extended as follows:

1. env PASSPHRASE=" must be set before the command.
2. Extend the command with the parameters --encrypt key '${REALNAME/KEYID}'and--gpg options '--trust-model=always'. ${REALNAME/KEYID} represents here the name or ID of the GPG Key.
3. Remove the parameter --no encryption.

The new command will then look like this:

env PASSPHRASE='' duplicity --log-file /var/log/duplicity.log --verbosity info --archive-dir=/var/tmp/duplicity --no-print-statistics --full-if-older-than 3D  --encrypt-key '${REALNAME/KEYID}' --gpg-options '--trust-model=always' ${DIRECTORY_TO_BACKUP} s3://backup-space.nine.ch/${HOSTNAME}/${PREFIX}

Restore an encrypted backup

Restoration of an encrypted backup only requires prefixing env PASSPHRASE=":

env PASSPHRASE='' duplicity --archive-dir=/var/tmp/duplicity --encrypt-key '${REALNAME/KEYID}' restore s3://backup-space.nine.ch/${HOSTNAME}/${PREFIX} ${ZIEL}

More information on duplicity

• http://duplicity.nongnu.org/docs.html
• man duplicity
• https://launchpad.net/~duplicity-team/+archive/ubuntu/ppa

Script recommendation

To automate the creation of backups, it is advisable to collect the commands to create a backup and delete old backups in a script. The script to create an unencrypted backup of /home, for example, looks like this:

#!/bin/bash

source $(/root/.backup.cred)
if [ $? -ne 0 ]; then
    echo 'Could not source in credentials file' >&2
    exit 1
fi
duplicity --log-file /var/log/duplicity.log --verbosity info --archive-dir=/var/tmp/duplicity --no-print-statistics --full-if-older-than 3D --no-encryption /home s3://backup-space.nine.ch/${HOSTNAME}/home
duplicity remove-all-but-n-full 3 --archive-dir=/var/tmp/duplicity  --log-file /var/log/duplicity.log --force --verbosity info --no-print-statistics s3://backup-space.nine.ch/${HOSTNAME}/home

This can either be stored directly in directory /etc/cron.daily/ or simply entered as a cron job.

The cronjob file must be made executable with the following command:

chmod +x /etc/cron.daily/${CRONJOB}

Naturally, you should verify in the next few days that the script correctly backs up the data at the right times.

Database backups

Since databases cannot in most cases be saved simply by copying the data, it is advisable to create a dump of the databases. The dump can then be saved with duplicity like the rest of the data.

We recommend the following tools for dumps of databases:

• MySQL: AutoMySQLBackup
• PostgreSQL: Auto PostgreSQL Backup