Using NFS for Networked Backups

Contributed by jose on 2003-03-28 from the homeland-backup dept.

A recent OReilly Network article gives an example of how to use NFS for networked backups . It includes a couple of example scripts you can use to build small backup commands. Backups are lifesavers, and I've found it worth the brief time of setup and testing to make regular backups.

This method, NFS, is essentially what I do when I have an NFS server available in my environment. While I use rsync with ssh when I don't have an NFS server around, when I do have one I use rsync and NFS. My basic backup command mounts the NFS volume to the right place and executes my rsync command to copy the information I need to the server, and then unmounts the NFS system. It's a simple setup, but it's saved me hours of rebuilding. Check out the article for some ideas.

(Comments are closed)

Comments

By Anonymous Coward () on 2003-03-28 16:49

Copying /etc with no_root_squash over NFS sounds like a pretty bad idea to me.
By Anonymous Coward () on 2003-03-28 17:02

we have all of our servers using tar over ssh, with passphrase-less public key authentication. it works quite well for our us.

a full system restore can be done with an openbsd installation floppy (provided the backups are temporarily accessible via ftp or http.) we've succesfully restored a system with this method.

a fairly basic shell script is used to gather some information from the system (as it does run on openbsd and linux) and then uses tar over ssh to store the backups. a job on the backup server prunes old backup tar files once in a while.

so basically it boils down to just:

gtar -c -f - -z -C / --ignore-failed-read --preserve var etc usr [...] | ssh backups@backupserver "cat - > /some/path/backup-serverhere-datehere.tar.gz"
Comments
1. By Anonymous Coward () on 2003-03-29 08:58
  
  We backup all of our "small" servers (dns, nis, dhcp ... ) in a similar way. rsync over ssh with public key authentication is so sweet. I backup everything to a 1TB IDE-RAID system. The other day a person deleted a mail and all I had to do was to quickly grep through the last 20 days of mailboxes (all stored on the IDE-RAID) and then select the right messages and inject them again. The whole procedure took about 5 minutes. Before when we used one of these big-brand backup solutions you had to ask the user for a more precise date when they deleted the mail and then start to restore from backup tapes. It could take over an hour to restore a single email. Of course we do tape backups of the IDE-RAID system in case it breaks :-).
2. By Anonymous Coward () on 2003-03-29 09:10
  
  maybe "dd of=backup.gz" not "cat > backup.gz"
3. By STEPHEN C () on 2003-03-29 16:26
  
  SSH IS SLOW, HOW DO YOU REMOVE ENCRYPTION ?
  Comments
  1. By Anonymous Coward () on 2003-03-29 16:57
    
    use telnet or some other insecure thingy?
  2. By Anonymous Coward () on 2003-03-29 17:15
    
    What do you rather have? Wait twice as long for a backup to complete, or have all the confidential data you're backupping exposed because that windows box you're hosting for a friend was 0wned and sniffing your LAN?
    You shouldn't transmit any data unencrypted, unless if it's public data.
    But backups sure aren't public data!
  3. By Anonymous Coward () on 2003-03-29 18:11
    
    nc(1)
    
    Comments
    
    By STEPHEN C () on 2003-03-30 11:20
    
    NC(1) DOES NOT HAVE AUTHENTICATION.
    SSH HAS AUTHENTICATION, I JUST DO NOT NEED THE DATA ENCRYPTED BECAUSE IT IS ON A TRUSTED LOCAL NETWORK.
    
    Comments
    
    By Anonymous Coward () on 2003-03-30 15:40
    
    What you _really_ need is a new keyboard, because the shift-key is broken on your current one.
    
    Comments
    
    By Matt () on 2003-03-30 18:08
    
    You might want to try using blowfish as the default encryption protocol. It is significatly faster than the default cipher (AES i think).
    
    By Anonymous Coward () on 2003-03-30 19:41
    
    If you're on a trusted local network, you don't need authentication, either.
    
    By Anonymous Coward () on 2003-04-01 00:29
    
    SSH HAS AUTHENTICATION, I JUST DO NOT NEED THE DATA ENCRYPTED BECAUSE IT IS ON A TRUSTED LOCAL NETWORK.
    ftp.
By Anonymous Coward () on 2003-03-28 18:04

Using rsync updating once a day to mirror to a partition on a remote server, and then on the remote server do backups sounds good also.

That way you can rescue something changed from yesterday or go to the backups for something older that yesterday....
By Anonymous Coward () on 2003-03-28 19:46

Copy mysql & innodb db live without shutting down the server and you'll get a corruption of your database, believe me, I know; this is just a simple example of what you shouldn't do.

NFS for backups, is it a joke?
Comments
1. By Anonymous Coward () on 2003-03-29 09:31
  
  select * into
2. By Jedi/Sector One () j@pureftpd.org on 2003-03-29 16:39 http://www.pureftpd.org/
  
  It must be a joke.
  
  BEGIN;
  SELECT * INTO ...
  COMMIT;
  
  Did you understand what InnoDB was designed for ?
  
  You can also buy the dedicated hotbackup utility from http://www.innodb.com/
By Anonymous Coward () on 2003-03-28 21:29

i've done rsync to keep two sets of directory trees in sync. rsync doesn't HAVE to go over a network to sync things up
By pixel fairy () on 2003-03-29 01:30 mailto:pixel [shift +2] [not photoshop] ORG(y)

ive been useing ide hard drives (in removable bays) and am about to get a firewire/usb2 enclosure so i wont have to reboot the the file server to change disks. this seems to be the cheapest and most simple way for my home network.

what do you use?
Comments
1. By kaboom () on 2003-03-31 12:19
  
  SCSI Environmental enclosure and ramdisk kernel with embedded md0 from ide flash disk
By djm () on 2003-03-29 02:40

NFS == No Fucking Security
Comments
1. By Anonymous Coward () on 2003-03-30 16:36
  
  please explain further
  Comments
  1. By Random Person () on 2003-03-31 00:00
    
    two points...
    Both of these are not always important if you have a private (and physically secure) network - i.e. a network segment inside the server room.
    
    1) NFS servers use IP address as the only form of authentication. Then trusting that computer to say if the file access is on behalf of nobody or root.
    
    so at the very least you need NFS over IPSEC(AH).
    
    AH (part of IPSEC) allows you to authenticatic the source IP addresses of packets - which is exactly whats needed for this.
    
    2) NFS doesn't encrypt anything. Once again this can be fixed with IPSEC (ESP in this case).
By dugsong () dugsong@monkey.org on 2003-03-29 07:36 mailto:dugsong@monkey.org

here's a simple script i use for AES-encrypted tar backups:
http://monkey.org/~dugsong/tmp/aestar
same usage as tar, except it prompts you for a passphrase on creation/extraction...
Comments
1. By Jeffrey () on 2003-03-29 15:37
  
  Hey, that is fun! =)
  I never thought of doing it that way...
  Very interesting indeed.
2. By odin () odin@cleannorth.org on 2003-03-29 18:44 http://cleannorth.org/
  
  Isn't that case statement looking for the wrong flag for extraction?
  
  Quite an interesting script. I've been wanting encrypted amanda dumps for a while. A similar script around dump/restore, with an auto-generated aes key encrypted and saved with a public-key cypher may just solve that for me. Thank you for the idea.
  
  --- aestar.orig Sat Mar 29 13:41:13 2003
  +++ aestar Sat Mar 29 13:41:27 2003
  @@ -39,7 +39,7 @@
  tar $TARFLAGS - $* | openssl aes-256-cbc -e -kfile $PASSFILE -out $FILE
  rm $PASSFILE
  ;;
  - *t*|*z*)
  + *t*|*x*)
  FILE=$1
  shift
  if [ -r $FILE ]; then
  Comments
  1. By Anonymous Coward () on 2003-03-29 21:20
    
    tar cvf - / | openssl enc -rc4-40 -key supersecret | ssh holo@graphic dd of=backup.tar.secure
  2. By dugsong () dugsong@monkey.org on 2003-03-31 07:36 mailto:dugsong@monkey.org
    
    heh, good eye! patch applied. :-)
By Anonymous Coward () on 2003-03-29 09:26

How do you get rid of nfs server software???
Comments
1. By Anonymous Coward () on 2003-03-29 10:14
  
  If you don't want NFS, just don't _enable_ it :)
  Yes, that's right, OpenBSD doesn't come with any cruft enabled, so no worries about NFS security, unless you want NFS :)
  Comments
  1. By Anonymous Coward () on 2003-03-29 16:37
    
    but sometimes this is second option after none
By Anonymous Cow Herd () on 2003-03-29 14:34

...you can do named pipes over rsh. This is without a doubt the fastest way to push files over the network that I've tried so far. NFS is one of the slowest. Using ssh with rsync is also slow and slows down both host processors. Samba is a lot faster than NFS and more secure than named pipes over rsh.
Comments
1. By Anonymous Coward () on 2003-03-30 15:14
  
  named pipes??? you sure???

Latest Articles

Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (12)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (2)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)
Fri, Mar 08
- 06:46 OpenBGPD 8.4 released (0)
Mon, Mar 04
- 06:32 rpki-client 9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]