GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=41915 2018-11-30T12:04:04Z Philippe May
<ul><li><strong>Assignee</strong> changed from <i>Philippe May</i> to <i>Charles Atkinson</i></li></ul><p>Charles, it's a long term topic that I'm finally taking up.</p>
<p>How do you want to proceed? Is there documentation? Discussion for our weekly meeting?</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=41919 2018-11-30T14:58:45Z Charles Atkinson c@aurinoco.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Assignee</strong> changed from <i>Charles Atkinson</i> to <i>Philippe May</i></li></ul><p>Let's discuss face to face some convenient time TBD</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42456 2018-12-11T05:19:57Z Philippe May
<ul><li><strong>Assignee</strong> changed from <i>Philippe May</i> to <i>Charles Atkinson</i></li></ul><p>As discussed, can you please send me OpenVPN certs and your ssh key?</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42484 2018-12-11T07:45:48Z Charles Atkinson c@aurinoco.net
<ul><li><strong>Assignee</strong> changed from <i>Charles Atkinson</i> to <i>Philippe May</i></li></ul><p>For the OpenVPN certs, what is the client's FQDN? My ssh key emailed to you.</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42490 2018-12-11T09:07:26Z Philippe May
<ul><li><strong>Assignee</strong> changed from <i>Philippe May</i> to <i>Charles Atkinson</i></li></ul><p>Starting with the DB server: gisdb.csr.av (csr.av being handled by a local bind server)</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42492 2018-12-11T09:14:29Z Philippe May
<p>OK, your ssh key was already there: server was ansiblized with the BL server role (equivalent of Bliss) including BL's standard set of keys <img alt="sunglasses" height="20" src="https://redmine.auroville.org.in/images/emoji/sunglasses.png" style="vertical-align:middle" width="20" title=":sunglasses:" class="emoji" /></p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42504 2018-12-11T10:44:15Z Charles Atkinson c@aurinoco.net
<a name="Generating-OpenVPN-certs"></a>
<h1>Generating OpenVPN certs</h1>
<p>Doc: [[Aurinoco Systems:OpenVPN_24_operations#On-the-OpenVPN-server]]</p>
<ul>
<li>Created openvpn2.iciti.av:/etc/bind/pri.csr.av with A record for gisdb and address 172.16.9.1.</li>
<li>Extended openvpn2.iciti.av:/etc/bind/named.conf.local with pri.csr.av</li>
<li>Created OpenVPN certs file:<br /><pre>
root@openvpn2.iciti:~# /root/scripts/openvpn/setup_client_on_server.sh -f gisdb.csr.av -i 172.16.9.1
Creating a temporary directory
Checking for existing client certifficate and key files
Creating certificate and key
Certificate and key successully created:
-rw------- 1 root root 4446 Dec 11 16:02 /etc/openvpn/easy-rsa/pki/issued/gisdb.csr.av.crt
-rw------- 1 root root 1704 Dec 11 16:02 /etc/openvpn/easy-rsa/pki/private/gisdb.csr.av.key
Creating /etc/openvpn/ccd/gisdb.csr.av
Creating the client configuration inline file
The next step is to copy /etc/openvpn/client_inline_files/gisdb.csr.av.ICITI.ovpn to the client
</pre></li>
<li>Fixed the above typos and pushed to git</li>
<li>Mailed the file privately to Phil</li>
</ul>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42505 2018-12-11T10:46:08Z Charles Atkinson c@aurinoco.net
<ul><li><strong>Assignee</strong> changed from <i>Charles Atkinson</i> to <i>Philippe May</i></li></ul><p>Certs file mailed to you, Phil. Installation procedure: [[Aurinoco Systems:OpenVPN_24_operations#Debian]]</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42509 2018-12-11T11:32:52Z Philippe May
<ul><li><strong>Assignee</strong> changed from <i>Philippe May</i> to <i>Charles Atkinson</i></li></ul><p>Looks OK: 172.16.9.1 @ tun0.</p>
<p>Just a small note on openvpn management by systemd: I prefer to have the config in <code>/etc/openvpn/client</code>, and the service at <code>openvpn-client@gisdb.csr.av.ICITI.service</code>. It makes it more explicit to differentiate between server and client. Ref: <a class="external" href="https://unix.stackexchange.com/questions/409665/starting-openvpn-client-as-daemon-in-debian">https://unix.stackexchange.com/questions/409665/starting-openvpn-client-as-daemon-in-debian</a></p>
<p>Back to you to log in and proceed, the database dumps are in:</p>
<pre>
root@gisdb:/var/log# ll /var/lib/autopostgresqlbackup/daily/avgis
total 162512
drwxr-xr-x 2 root postgres 4096 Dec 11 06:25 ./
drwxr-xr-x 7 root postgres 4096 Nov 21 17:58 ../
-rw------- 1 root root 27573587 Nov 25 06:25 avgis_2018-11-25_06h25m.Sunday.sql.gz
-rw------- 1 root root 27715338 Dec 3 06:25 avgis_2018-12-03_06h25m.Monday.sql.gz
-rw------- 1 root root 27749682 Dec 5 06:25 avgis_2018-12-05_06h25m.Wednesday.sql.gz
-rw------- 1 root root 27761994 Dec 6 06:25 avgis_2018-12-06_06h25m.Thursday.sql.gz
-rw------- 1 root root 27773790 Dec 7 06:25 avgis_2018-12-07_06h25m.Friday.sql.gz
-rw------- 1 root root 27822839 Dec 11 06:25 avgis_2018-12-11_06h25m.Tuesday.sql.gz
</pre>
<p>We'll see how it goes with this directory first.</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42520 2018-12-11T16:10:15Z Charles Atkinson c@aurinoco.net
<ul><li><strong>Assignee</strong> changed from <i>Charles Atkinson</i> to <i>Philippe May</i></li></ul><p>Regarding having the config in /etc/openvpn/client, from the linked page (dated 8 Dec 2017):</p>
<blockquote>
<p>Note that newer versions of OpenVPN have split the configuration files directory into /etc/openvpn/client and /etc/openvpn/server. This has not (yet) percolated down into a stable version of Debian</p>
</blockquote>
<p>When designing the current implementation I considered introducing /etc/openvpn/{client,server} but they would break the Stretch systemd OpenVPN generator which only works with /etc/openvpn/*.conf files.</p>
<p>Sorry -- somehow I have disabled ssh access:<br /><pre>
c@CW10:~$ ssh -A root@172.16.9.1
root@172.16.9.1's password:
</pre>It was working until I fumbled copying some files into /root for my personal convenience like .bashrc_scrippet_for_charles and .bashrc.d and its contents. <img alt="cold_sweat" height="20" src="https://redmine.auroville.org.in/images/emoji/cold_sweat.png" style="vertical-align:middle" width="20" title=":cold_sweat:" class="emoji" /></p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42527 2018-12-12T05:04:39Z Philippe May
<p>Oh oh... <img alt="open_mouth" height="20" src="https://redmine.auroville.org.in/images/emoji/open_mouth.png" style="vertical-align:middle" width="20" title=":open_mouth:" class="emoji" /></p>
<p>Halt the domU, mount the file system on dom0.</p>
<p>Found that /root was owned by unknown user 10012. Reset uid to 0.</p>
<p>Umount the file system from dom0, reboot: OK.</p>
<p>Using a production system as a first machine to back up wasn't such a great idea.</p>
<p>And, finally, I might prefer to set up Bung myself... Let's put it on hold for a while.</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42590 2018-12-13T04:50:10Z Charles Atkinson c@aurinoco.net
<blockquote>
<p>And, finally, I might prefer to set up Bung myself... Let's put it on hold for a while</p>
</blockquote>
<p>As you wish (I don't normally screw up as above).</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42598 2018-12-13T06:33:10Z Philippe May
<p>Just another validation of Murphy's law :)</p>
<p>We might also take this opportunity to validate the installation process by someone who is quite used to testing the above-mentioned law (me).</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42603 2018-12-13T07:27:30Z Philippe May
<ul><li><strong>Assignee</strong> changed from <i>Philippe May</i> to <i>Charles Atkinson</i></li></ul><p>I installed bung.</p>
<p>I think that we now need to set up the backup target. I checked <a class="external" href="https://redmine.auroville.org.in/projects/backup-service">https://redmine.auroville.org.in/projects/backup-service</a> , but it doesn't have information, maybe a Wiki page would be nice there.</p>
<p>How would you like to proceed now? You create the target destination, give permissions, and give me the URL for rsync?</p>
<p>The required size of backup space would be less than 1GB (less than 30 MB per day, 1 month retention).</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42723 2018-12-15T05:58:50Z Charles Atkinson c@aurinoco.net
<ul><li><strong>Assignee</strong> changed from <i>Charles Atkinson</i> to <i>Philippe May</i></li></ul><p>The remote server should be backup-rsync.iciti.av (currently resolves to backup3.iciti.av). Conventionally the ssh host used to access it and the comment in the ssh keys would be gisdb.csr_to_backup-rsync.iciti</p>
<p>The remote path should be /srv/remote_backup/gisdb.csr.av.</p>
<p>If you send me the public key, I will install it in backup3.iciti.av:/root/.ssh/authorized_keys2 with the command= restriction normally used with bung.</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42779 2018-12-17T05:44:08Z Philippe May
<ul><li><strong>Assignee</strong> changed from <i>Philippe May</i> to <i>Charles Atkinson</i></li></ul><p>Here's the <del>private</del> public key:</p>
<pre>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3Yv7i/yXDFy1gZzW4tagHWzWkUDEeTqinKncmhOiPpfTDpQG9Ug4RIZRVBPq9yirDXhXWfSWzxfgsthwLToaiIL0mSj8qyPJuBFS/apOHrMok2jkAqzqsqB/7CeGMLN28RvM0AC1/aj8emsuNHmhD0iU5scObgjqxMuXwNezyXMmXVUcwmNnM//ariY53MbepybxhxLa0ft43uzmnZ5wodtZHGgYdRj+ncK9saz1tLoB2qNdn/zmU4E/RrpPHsSj0SH3V3nFLoLu57loyGjZ92yq06Iln3VLNZe8TGylBt3EMmSxlVX5zbLc4uOmc74EfVwSYF66Pu1Dyev5Cz1FT root@gisdb
</pre>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42792 2018-12-17T08:46:52Z Charles Atkinson c@aurinoco.net
<ul><li><strong>Assignee</strong> changed from <i>Charles Atkinson</i> to <i>Philippe May</i></li></ul><p>Installed it in backup3.iciti.av:/root/.ssh/authorized_keys2 with the command= restriction normally used with bung.</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42808 2018-12-17T10:11:37Z Philippe May
<p>Seems to be working, thanks Charles :)</p>
<p>Schedule the job:</p>
<pre>
root@gisdb:/etc/systemd/system# cat bung.service
[Unit]
Description=Remote backup to Aurinoco
[Service]
ExecStart=/opt/bung/rsync_bu.sh -c /etc/opt/bung/rsync_bu.conf
root@gisdb:/etc/systemd/system# cat bung.timer
[Unit]
Description=Runs the remote backup periodically
[Timer]
OnBootSec=15min
OnCalendar=*-*-* 22:43:00
Persistent=true
[Install]
WantedBy=timers.target
</pre>
<p>TODO: cross check the logs tomorrow.</p>
GIS - Support #7161: Setup remote backup https://redmine.auroville.org.in/issues/7161?journal_id=42887 2018-12-19T04:44:20Z Philippe May
<p>I didn't set the remote host in the config file, so was rsync-ing on localhost.</p>
<p>Looks OK now.</p>
<p>Here's the config:</p>
<pre>
root@gisdb:/etc/opt/bung# cat rsync_bu.conf
Organisation name = csr.av
rsync = /var/lib/autopostgresqlbackup/daily/avgis backup-rsync.iciti.av:/srv/remote_backup/gisdb.csr.av options="--archive --verbose"
</pre>
<p>Next to back up:</p>
<ul>
<li>import baskets</li>
</ul>
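<p>Added example (not part of the ticket thread or of bung): with sshd's default <code>StrictModes yes</code>, public-key login is refused when the account's home directory, <code>~/.ssh</code> or the authorized keys file is owned by someone other than the account or root, or is group/world writable, which is consistent with the password prompt on 172.16.9.1 and with /root being found owned by uid 10012. The function name is hypothetical and GNU <code>stat</code> is assumed; the check approximates sshd's test rather than reproducing it exactly.</p>

```shell
#!/bin/sh
# Added example, not from the ticket: approximate the ownership/mode test that
# sshd applies under StrictModes before it trusts an authorized keys file.
# Usage: check_ssh_strictmodes HOME_DIR EXPECTED_UID [KEYS_FILE_RELATIVE_TO_HOME]
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_ssh_strictmodes() {
    home=$1
    want_uid=$2
    keys=${3:-.ssh/authorized_keys}   # e.g. .ssh/authorized_keys2
    bad=0
    # Check the home directory, the key directory, then the key file itself.
    for path in "$home" "$home/$(dirname "$keys")" "$home/$keys"; do
        [ -e "$path" ] || continue
        owner=$(stat -c %u "$path")   # numeric owner uid (GNU stat)
        mode=$(stat -c %a "$path")    # octal permission bits
        # Owner must be the account itself or root.
        if [ "$owner" -ne "$want_uid" ] && [ "$owner" -ne 0 ]; then
            echo "BAD owner: $path owned by uid $owner (want $want_uid or 0)"
            bad=1
        fi
        # Neither group nor others may have write permission (mask 022).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD mode: $path is $mode (group/world writable)"
            bad=1
        fi
    done
    return $bad
}

# Run the check when called with arguments, e.g.:
#   sh check_strictmodes.sh /root 0 .ssh/authorized_keys2
if [ $# -ge 2 ]; then
    check_ssh_strictmodes "$@"
fi
```

<p>On a live host sshd records the same condition in its auth log as a refusal for bad ownership or modes on the offending path.</p>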