Abstract
This document describes server setup for the stoney cloud (Online) Backup service, built upon the Gentoo Linux distribution.
Overview
After working through this documentation, you will be able to set up and configure your own (Online) Backup service server.
Software Installation
Requirements
A working stoney cloud installation.
USE-Flages
For a full OpenLDAP directory installation:
echo "net-nds/openldap overlays perl sasl" >> /etc/portage/package.use
For a minimal OpenLDAP directory installation (just the necessary tools):
echo "sys-auth/nss-pam-ldapd sasl" >> /etc/portage/package.use echo "sys-auth/nss-pam-ldapd ~amd64" >> /etc/portage/package.keywords echo "net-nds/openldap ~amd64" >> /etc/portage/package.keywords echo "sys-fs/quota ldap" >> /etc/portage/package.use
For the prov-backup-rsnapshot daemon
echo "dev-perl/Net-SMTPS ~amd64" >> /etc/portage/package.keywords
Emerge
emerge ⁻va nss-pam-ldapd emerge -va rsnapshot emerge -va quota emerge -va dev-perl/Config-IniFiles emerge -va dev-perl/LockFile-Simple emerge -va dev-perl/Net-SMTPS emerge -va dev-perl/perl-ldap emerge -va virtual/perl-Switch
Software Configuration
OpenLDAP
/etc/openldap/ldap.conf
nss-pam-ldapd
/etc/nslcd.conf
# This is the configuration file for the LDAP nameservice # switch library's nslcd daemon. It configures the mapping # between NSS names (see /etc/nsswitch.conf) and LDAP # information in the directory. # See the manual page nslcd.conf(5) for more information. # The user and group nslcd should run as. uid nslcd gid nslcd # The uri pointing to the LDAP server to use for name lookups. # Multiple entries may be specified. The address that is used # here should be resolvable without using LDAP (obviously). #uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator uri ldaps://ldapm.tombstone.ch # The LDAP version to use (defaults to 3 # if supported by client library) #ldap_version 3 # The distinguished name of the search base. base dc=stoney-cloud,dc=org # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn cn=Manager,dc=stoney-cloud,dc=org # The credentials to bind with. # Optional: default is no credentials. # Note that if you set a bindpw you should check the permissions of this file. bindpw myverysecretpassword # The distinguished name to perform password modifications by root by. #rootpwmoddn cn=admin,dc=example,dc=com # The default search scope. #scope sub #scope one #scope base # Customize certain database lookups. #base group ou=Groups,dc=example,dc=com base group ou=groups,ou=backup,ou=services,dc=stoney-cloud,dc=org base passwd ou=accounts,ou=backup,ou=services,dc=stoney-cloud,dc=org base shadow ou=accounts,ou=backup,ou=services,dc=stoney-cloud,dc=org #scope group onelevel #scope hosts sub #filter group (&(objectClass=posixGroup)(sstIsActive=TRUE)) filter passwd (&(objectClass=posixAccount)(sstIsActive=TRUE)) filter shadow (&(objectClass=shadowAccount)(sstIsActive=TRUE)) # Bind/connect timelimit. #bind_timelimit 30 # Search timelimit. #timelimit 30 # Idle timelimit. nslcd will close connections if the # server has not been contacted for the number of seconds. #idle_timelimit 3600 # Use StartTLS without verifying the server certificate. #ssl start_tls tls_reqcert never # CA certificates for server certificate verification #tls_cacertdir /etc/ssl/certs #tls_cacertfile /etc/ssl/ca.cert # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Mappings for Services for UNIX 3.5 #filter passwd (objectClass=User) #map passwd uid msSFU30Name #map passwd userPassword msSFU30Password #map passwd homeDirectory msSFU30HomeDirectory #map passwd homeDirectory msSFUHomeDirectory #filter shadow (objectClass=User) #map shadow uid msSFU30Name #map shadow userPassword msSFU30Password #filter group (objectClass=Group) #map group member msSFU30PosixMember # Mappings for Services for UNIX 2.0 #filter passwd (objectClass=User) #map passwd uid msSFUName #map passwd userPassword msSFUPassword #map passwd homeDirectory msSFUHomeDirectory #map passwd gecos msSFUName #filter shadow (objectClass=User) #map shadow uid msSFUName #map shadow userPassword msSFUPassword #map shadow shadowLastChange pwdLastSet #filter group (objectClass=Group) #map group member posixMember # Mappings for Active Directory #pagesize 1000 #referrals off #idle_timelimit 800 #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) #map passwd uid sAMAccountName #map passwd homeDirectory unixHomeDirectory #map passwd gecos displayName #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) #map shadow uid sAMAccountName #map shadow shadowLastChange pwdLastSet #filter group (objectClass=group) # Alternative mappings for Active Directory # (replace the SIDs in the objectSid mappings with the value for your domain) #pagesize 1000 #referrals off #idle_timelimit 800 #filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer))) #map passwd uid cn #map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820 #map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820 #map passwd homeDirectory "/home/$cn" #map passwd gecos displayName #map passwd loginShell "/bin/bash" #filter group (|(objectClass=group)(objectClass=person)) #map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820 # Mappings for AIX SecureWay #filter passwd (objectClass=aixAccount) #map passwd uid userName #map passwd userPassword passwordChar #map passwd uidNumber uid #map passwd gidNumber gid #filter group (objectClass=aixAccessGroup) #map group cn groupName #map group gidNumber gid
/etc/nsswitch.conf
passwd: files ldap shadow: files ldap group: files ldap # passwd: db files nis # shadow: db files nis # group: db files nis hosts: files dns networks: files dns services: db files protocols: db files rpc: db files ethers: db files netmasks: files netgroup: files bootparams: files automount: files aliases: files
rsnapshot
/etc/...
prov-backup-rsnapshot
Configuration
The configuration file is currently located in the /var/work/prov-backup-rsnapshot directory:
vi /var/work/prov-backup-rsnapshot/etc/Provisioning/Backup/Rsnapshot_test.conf
# Copyright (C) 2013 stepping stone GmbH # Switzerland # http://www.stepping-stone.ch # support@stepping-stone.ch # # Authors: # Pat Kläy <pat.klaey@stepping-stone.ch> # # Licensed under the EUPL, Version 1.1. # # You may not use this work except in compliance with the # Licence. # You may obtain a copy of the Licence at: # # http://www.osor.eu/eupl # # Unless required by applicable law or agreed to in # writing, software distributed under the Licence is # distributed on an "AS IS" basis, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either # express or implied. # See the Licence for the specific language governing # permissions and limitations under the Licence. # [Global] # If true the script logs every information to the log-file. LOG_DEBUG = 1 # If true the script logs additional information to the log-file. LOG_INFO = 1 #If true the script logs warnings to the log-file. LOG_WARNING = 1 #If true the script logs errors to the log-file. LOG_ERR = 1 ENVIRONMENT = [Database] BACKEND = LDAP SERVER = ldaps://ldapm.tombstone.ch PORT = 636 ADMIN_USER = cn=Manager,dc=stoney-cloud,dc=org ADMIN_PASSWORD = <PASSWORD> SERVICE_SUBTREE = ou=accounts,ou=backup,ou=services,dc=stoney-cloud,dc=org COOKIE_FILE = /var/work/prov-backup-rsnapshot/Provisioning/etc/Provisioning/Backup/rnsapshot.cookie DEFAULT_COOKIE = rid=001,csn= SEARCH_FILTER = (&(entryCSN>=%entryCSN%)(objectClass=*)) [Service] MODUS = selfcare TRANSPORTAPI = LocalCLI SERVICE = Backup TYPE = Rsnapshot SYSLOG = Backup-Rsnapshot [Gateway] HOST = localhost USER = provisioning DSA_FILE = none
Init Scirpts
Currently we just create very basic init scripts which start and stop the deamon:
/etc/init.d/prov-backup-rsnapshot
#!/sbin/runscript # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: $ depend() { need net after slapd } start() { ebegin "Starting backup-rsnapshot provisioning daemon" start-stop-daemon --start \ --background \ --user ${USER:-root}:${GROUP:-root} \ --make-pidfile \ --pidfile "${PIDFILE}" \ --exec /var/work/prov-backup-rsnapshot/Provisioning/bin/provisioning.pl \ --interpreted \ -- ${OPTIONS} \ -c /var/work/prov-backup-rsnapshot/Provisioning/etc/Provisioning/Backup/Rsnapshot_test.conf \ -g /var/work/prov-backup-rsnapshot/Provisioning/etc/Provisioning/Global.conf eend $? } stop() { ebegin "Stopping backup-rsnapshot provisioning daemon" start-stop-daemon --stop \ --pidfile "${PIDFILE}" eend $? }
/etc/conf.d/prov-backup-rsnapshot
USER="root" GROUP="root" PIDFILE="/run/prov-backup-rsnapshot.pid" # OPTIONS="..."
Run-Level
rc-update add prov-backup-rsnapshot default
Links
- OpenLDAP, an open source implementation of the Lightweight Directory Access Protocol.
- nss-pam-ldapd, a Name Service Switch (NSS) module that allows your LDAP server to provide user account, group, host name, alias, netgroup, and basically any other information that you would normally get from /etc flat files or NIS.
- openssh-lpk_openldap.schema OpenSSH LDAP Public Keys.
- linuxquota Linux DiskQuota.
- rsnapshot, a remote filesystem snapshot utility, based on rsync.
- Jailkit, set of utilities to limit user accounts to specific files using chroot() and or specific commands. Also includes a tool to build a chroot environment.
- Busybox BusyBox combines tiny versions of many common UNIX utilities into a single small executable. Useful to reduce the number of files (and thus the complexity) when building a chroot.