We will now configure the server and backup client (in my case another centos server)
Firstly let’s generate a RSA key pair for the backuppc user on the backup server:
chown backuppc:backuppc /var/lib/BackupPC/.ssh
chmod 700 /var/lib/BackupPC/.ssh
Now use the backuppc user to create a key pair:
su -s /bin/bash backuppc
You will get a bash-4.1$ or something similar prompt:
ssh-keygen -t dsa
Press Enter a few times, defaults and no password is fine:
Generating public/private dsa key pair. Enter file in which to save the key (/var/lib/backuppc/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /var/lib/backuppc/.ssh/id_dsa. Your public key has been saved in /var/lib/backuppc/.ssh/id_dsa.pub. The key fingerprint is: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx email@example.com
You only have to create the keypair once.
We should also make any emails going to backuppc system user go to the proper systems/ it team admin email address:
printf "backuppc:\firstname.lastname@example.org\n" >> /etc/aliases
We also now need to edit the sudoers file so that the user backuppc can access tar and other programmes:
Add at the end of the file :
Defaults !lecture backuppc ALL=NOPASSWD:/bin/gtar,/bin/tar
Configuring the client (Backup PC will back this up):
We have to configure the firewall, and user on the client like so:
We are setting a temporary password for this user. After we will remove the password by typing passwd -d backuppc
Now we will also add the user backuppc in “sudo” file to allow it to use rsync and other services without errrors:
then go to the bottom of the file and insert this code:
#BackupPC user allowed backuppc ALL=NOPASSWD: /usr/bin/rsync --server --sender *
We have to ensure that port 22 (used by Rsync) is open to the backup servers IP address:
If the backuppc server is behind the same ip range / natted behind the same public IP as your management workstation then you don’t have to do this:
insert this: | Edit the IP as required.
-A INPUT -s 126.96.36.199/32 -p tcp --dport 22 -j ACCEPT
iptables-restore < /etc/sysconfig/iptables
Copying the ssh id_dsa.pub file accross
ssh-copy-id -i /var/lib/BackupPC/.ssh/id_dsa.pub email@example.com
Type yes | Then enter in the backuppc password you created on the client.
bash-4.1$ ssh-copy-id -i /var/lib/BackupPC/.ssh/id_dsa.pub firstname.lastname@example.org
The authenticity of host ‘web.technical.network (188.8.131.52)’ can’t be established.
RSA key fingerprint is e4:57:b5:fc:a3:23:cfbfgshsfdhsfsfdh0f:23:03.
Are you sure you want to continue connecting (yes/no)y es
Warning: Permanently added ‘clientserver.domain.name,176. 58.100.83’ (RSA) to the list of known hosts.
Now try logging into the machine, with “ssh ‘backuppc@ clientserver.domain.name'”, and check in:
to make sure we haven’t added extra keys that you were n’t expecting.
NOTE: Now try ssh’ing from the backuppc server as the backuppc user like so:
bash-4.1$ ssh email@example.com
and you should be able to login. If not then make sure the keys have copied correclty etc. Double-check everything.
Adding the host from the front-end:
Go to the backupPC front end website and on the left click on “Edit hosts” and then select ADD after putting the name of the server in:
We need to also do one more thing:
Click on the Xfer tab,
Find the settings that say:
$sshPath -q -x -l root $host $rsyncPath $argList+
and change it to | then click save
$sshPath -q -x -l backuppc $host sudo $rsyncPath $argList+
This is because we are using the backuppc user for backups not root. We only have to do this once to allow it for global configuration which gets applied to all hosts.
We also want to avoid backing up /sys /proc and /dev folders from the root directory:
The Global configuration page should look like this:
Click on the left hand side, the drop down where it has “Hosts” and select the newly added host (sometimes you have to refresh)
Now click on “Start Full Backup” and wala | click on the status page to see that your backup is happening:
Well Done! 🙂