Task
There are three hosts: two on the home network and one remote. Backups need an independent backup server, which can be attached directly to the home network or placed remotely. The main task is to take regular backups of both the home and the remote systems. The server should be as economical as possible. All hosts and the backup server run FreeBSD.
The easiest way is to repurpose an old computer as the server. However, it would have to be on duty around the clock and would therefore consume a lot of electricity. So I turned my attention to single-board computers with ARM processors, which FreeBSD supports.
The optimal choice is the Banana Pi M1: a suitable processor and memory, and a SATA drive can be connected. The specifications are quite adequate for a backup server, which is in no hurry.
BackupPC is chosen as the software. Everything about it is fine except one thing: the archives are not encrypted. To upload a copy of the archive to the cloud (and even more so to the non-kosher mail.ru), additional encryption is required, but that is a separate question outside this topic. Access to the BackupPC web interface requires a web server. The classic BackupPC installation proposes Apache, but I cannot bring myself to load such a monster onto a small Banana Pi. So it will be nginx.
Hardware
The following equipment was ordered on AliExpress:
1. Banana Pi A20 Dual Core 1GB RAM single-board computer
2. Banana Pi M1 case
3. Banana Pi aluminum heatsinks for CPU and RAM
4. Banana Pi M1 SATA cable
5. 5V 3A Micro USB AC/DC power adapter, EU plug
The computer board is made neatly, which inspires confidence that it will work properly. I loaded FreeBSD 11; it works. The case is also very well made, although at first it seemed unwilling to go together. In appearance the case is symmetrical, but if you look closely, one of the side supports on the bottom cover has a slightly different shape. The short side cover (the one with the Power and Reset buttons) sits lower than the opposite one. Everything else goes together easily; you only need to tighten the screws. Rubber feet are included, which are glued over the screw holes.
The initial assembly was a test, so of course I did not glue the feet. The case will have to be opened again to install the heatsinks. The case gets warm; what exactly heats up and how much, I will check once the device is running in normal mode. The heatsinks were bought as a lot of two sets, four per set, one for each chip. Only one set is needed, so there is a spare. AliExpress also offers some ceramic heatsinks, and I do not understand how they are supposed to dissipate heat: they have no fins, just a thick sticker on the chip. Most likely they are something as dead as Chinese memory cards, batteries or LED lamps.
The ventilation of the case is not the best. There is a grille on the bottom cover, but it is the only one and there is no through-flow of air. Still, the case itself is convenient: there are holes for everything, made precisely, and they fit the board perfectly. There is even a hole for the microphone, which is not needed. The top cover has two additional hatches covering connectors that I will not use. There is also a light guide that brings the light of the red power LED on the board to the surface of the case. Another minus of the case is that there are no holes for mounting it on a wall.
The recommended power supply is 2 A, but I ordered a 3 A one because I plan to use an external 2.5" HDD, for which it is good to have a power supply with some reserve. That covers peak load; in steady state the whole system should fit within 1 A.
Task execution
The system is loaded onto an SD card. The configuration is basic; it will be adapted further to my needs. In addition, the option
growfs_enable="YES"
is added to rc.conf. On the first boot it makes the system use the full capacity of the card. Another one-time option is obtaining an IP address via DHCP for initial access to the board.
To allow SSH connections to the board, the system initially provides two users, freebsd and root, whose passwords match their names. Do not forget to replace them with more secure ones. First, a new rc.conf is created. By default sendmail is disabled; we need it for sending BackupPC messages, so the lines that disable it are removed from the config. Now sendmail can send mail from localhost.
## common
#apcupsd_enable="YES"
hostname="foo.example.com"
keymap="us.dvorak.kbd"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
sshd_enable="YES"
## net
ifconfig_dwc0_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"
ipv6_defaultrouter="2a01:348:1f9:29::1"
## nginx
nginx_enable="YES"
spawn_fcgi_enable="YES"
fcgiwrap_enable="YES"
fcgiwrap_user="bpc"
#apcupsd_enable="YES"
- disabled for now; a backup power supply will be connected when the server goes into production.
keymap="us.dvorak.kbd"
- this is purely my personal thing: when connecting from the console I need my keyboard layout. The board does not keep the current time; it is obtained from an NTP server, so the corresponding daemon is started.
I added the regular user that exists on all my hosts, put in a .ssh/authorized_keys file for it and installed the shell it needs. Now the initial user "freebsd" can be removed. Alternatively, you could skip creating a new user and keep the existing one. In fact you could manage with only the user that BackupPC creates, but then it would have to be added to the wheel group and given password access for the case when the console is used. Remember that the resources of a single-board computer are limited, and this device performs one task; extra software is not needed.
I usually use the ports system on all my hosts. This time I will try to do without it.
# pkg install zsh vim mc
Packages are a less flexible solution, but they save time. So zsh, vim and mc are installed. Vim is a must. You can do without zsh; this is not a desktop. Once set up and nailed to the wall, let it live there. MC is sometimes useful for clarity, but you can live without it.
The SD card chosen is 2 GB, i.e. 1.8 real gigabytes. So some "excess" in software can be afforded. Initially the system took about 1 GB; the rest is for the user. The Banana does not see some cards, so if the system does not boot, do not panic, just try another SD card.
Install BackupPC. There are a few peculiarities. Note that rc.conf contains no BackupPC start; we will start it manually. BackupPC started this way will at any time have access to all hosts listed in its configuration, but simply going from the backup user to another host will not work: it will ask for the passphrase of the key. However, after a server reboot, for example after a long power outage when the server comes back after the backup power supply has shut the system down, BackupPC has to be started again. So as not to miss such an event, cron checks every three hours for a running BackupPC; if the BackupPC process is not running, the server sends an email.
In addition, BackupPC itself sends email notifications if something is wrong. You can check that this works with the command (provided, of course, that the Email section of the BackupPC configuration is set up correctly):
BackupPC_sendEmail -u your@email.address
The current version of BackupPC does not support IPv6. It has to be patched slightly according to an article on GitHub. One detail: the configure.pl file is missing from the installed configuration; instead I made the change in /usr/local/libexec/backuppc/update.pl. After editing the files, BackupPC was able to work with IPv6 addresses without any problems.
You will also need to install the p5-File-RsyncP-0.74 package (a Perl rsync client), since the rsync method will be used for backups.
When BackupPC is installed, a user of the same name is created with minimal rights. We need a real user. The name backuppc is too long and inconvenient, so the shorter bpc is used. We can log in as it to start BackupPC, and BackupPC will connect to the serviced hosts under that name. Because of the user name change, the /usr/local/www/backuppc directory is renamed to /usr/local/www/bpc.
On the backup host, the user now looks like this in /etc/passwd:
bpc:*:301:301:BackupPC user:/home/bpc:/usr/local/bin/zsh
The user's home directory contains these files:
-rwxr--r--  1 bpc  bpc  304 Nov 13 19:02 agent
-rw-r--r--  1 bpc  bpc  110 Nov 20 12:11 agent-info
-rwxr--r--  1 bpc  bpc  158 Nov 19 10:21 mailbpc
-rw-r--r--  1 bpc  bpc   38 Nov 19 09:51 mailtext
agent
- the script that starts BackupPC. It is usually invoked from a desktop or another computer that is allowed access:
ssh bpc@foo.example.com /home/bpc/agent
Script contents:
#!/usr/local/bin/zsh
## is an ssh-agent already running?
pid=`ps ax | grep ssh-agent | grep -v grep`
if [ "$pid" = "" ]
then
    ## start ssh-agent and save its two export lines to a file
    ssh-agent | head -2 > ~/agent-info
    ## set up the environment for ssh-agent
    source ~/agent-info
    ## load the key; asks for the passphrase once, interactively
    ssh-add
else
    echo "ssh-agent is already running"
    exit 0
fi
## start BackupPC and terminate the connection
/usr/local/bin/BackupPC -d
It checks for a running ssh-agent and, if there is none, starts it, sets up its environment, runs ssh-add and starts BackupPC. The connection to the host from which the launch was made is then closed. If an ssh-agent process is detected, the script ends with a message stating that the agent is already running.
agent-info
- file with the environment settings; it is created by the agent script.
mailbpc
- email warning script for the case that BackupPC has crashed:
#!/usr/local/bin/zsh
## BackupPC runs under perl; no perl process means BackupPC is not running
## (this assumes nothing else on this host runs perl)
pid=`ps ax | grep perl | grep -v grep`
if [ "$pid" = "" ]
then
    mail -s "bpc failure" postmaster@example.com < /home/bpc/mailtext
fi
To perform the check (every three hours), add this line to bpc's crontab via crontab -e:
3 */3 * * * /home/bpc/mailbpc
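A stricter watchdog, added here as an example and not part of the original post: it looks for the BackupPC daemon's own command line rather than any perl process (so an unrelated perl job cannot mask an outage), verifies that the ssh-agent socket saved in ~/agent-info still exists, and mails once per outage instead of every three hours. The state file name and the "run" argument are assumptions; the other paths are the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: a stricter watchdog than
# mailbpc. It matches the BackupPC daemon's command line rather than any
# perl process, checks that the ssh-agent socket recorded in ~/agent-info
# still exists, and mails once per outage instead of every three hours.
# File names are the ones the post uses; the state file is an assumption.

BPC_CMD='/usr/local/bin/BackupPC -d'
AGENT_INFO="${HOME}/agent-info"
MAILTEXT="${HOME}/mailtext"
STATE="${HOME}/.bpc-watchdog"
TO='postmaster@example.com'

# daemon_state < ps-output: "up" when a BackupPC daemon line is present
# (the grep for "grep" drops the watchdog's own matching process)
daemon_state() {
    if grep -F -- "$BPC_CMD" | grep -qv grep; then echo up; else echo down; fi
}

# agent_state FILE: "ok" when FILE exports an SSH_AUTH_SOCK that is a live socket
agent_state() {
    sock=$(unset SSH_AUTH_SOCK; [ -r "$1" ] && . "$1" >/dev/null 2>&1
           printf '%s' "${SSH_AUTH_SOCK:-}")
    if [ -n "$sock" ] && [ -S "$sock" ]; then echo ok; else echo missing; fi
}

# bpc_status: "running", "no-agent" (daemon up but cannot reach clients) or "down"
bpc_status() {
    if [ "$(ps ax | daemon_state)" = down ]; then echo down
    elif [ "$(agent_state "$AGENT_INFO")" = ok ]; then echo running
    else echo no-agent
    fi
}

# notify STATUS: remember the last status and mail only when it changes
# to something other than "running"
notify() {
    prev=$(cat "$STATE" 2>/dev/null); prev=${prev:-running}
    [ "$1" = "$prev" ] && return 0
    printf '%s\n' "$1" > "$STATE"
    [ "$1" = running ] && return 0
    { cat "$MAILTEXT" 2>/dev/null; echo "status: $1"; } | mail -s "bpc $1" "$TO"
}

# cron entry: 3 */3 * * * /home/bpc/bpc-watchdog run
[ "${1:-}" = run ] && notify "$(bpc_status)"
```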
mailtext
- the text here is at your discretion, something like: "BackupPC is not working. It needs to be restarted." If everything is in order, no emails arrive.
Contents of ~bpc/.ssh:
~ % ls -l .ssh
total 20
-rw-r--r--  1 bpc  bpc  400 Oct 28 11:43 authorized_keys
-rw-------  1 bpc  bpc   35 Nov  7 16:15 config
-rw-------  1 bpc  bpc  444 Nov 15 12:46 id_ed25519
-rw-r--r--  1 bpc  bpc   90 Nov 15 14:49 id_ed25519.pub
-rw-r--r--  1 bpc  bpc  762 Nov 20 14:39 known_hosts
authorized_keys
- the public keys of the hosts from which BackupPC may be started are added here.
config
- local ssh configuration file. Needed when a new host is added to BackupPC: it provides automatic access to the new host. By default this keyword uses the ask argument, and BackupPC cannot answer questions. Contents:
Host *
    StrictHostKeyChecking no
id_ed25519
- the private key with which BackupPC connects to its clients
id_ed25519.pub
- the public key that clients need to add to their authorized_keys
known_hosts
- the list of clients; it is updated automatically because of the setting in the config file.
BackupPC can be tried out before the start via the agent is configured. For a trial run, make an initial adjustment of backuppc/config.pl: enter the changed user name, check the file paths and specify the server name. IP addresses are enough, but IPv6 addresses are more cumbersome than IPv4 ones. The domain name must be registered in /etc/hosts or in the DNS zone file of your domain's server. Detailed configuration can be done later via the web interface, which is quite usable; there is context-sensitive help for all items.
Check whether it starts. To do this, log in to the server as user bpc:
ssh bpc@foo.example.com
After that do a test run:
/usr/local/bin/BackupPC -d
You can see the result with top or with ps:
~ % ps aux | grep perl
bpc  753  0.0  1.1  15252  11908  -  I   12:11  0:00.19  /usr/local/bin/perl /usr/local/bin/BackupPC -d
bpc  754  0.0  0.8  12748   8084  -  IN  12:11  0:00.77  /usr/local/bin/perl /usr/local/bin/BackupPC_trashClean
Now for nginx. First, start it with the standard configuration:
# service nginx start
If all is well, bring nginx.conf to this form:
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
user bpc bpc;
worker_processes auto;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen [::]:80;
        server_name foo.example.com;
        index index.html /index.cgi;
        root /usr/local/www;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        # authentication at server level so it also covers the .cgi location;
        # a sibling location does not inherit auth_basic from "location /",
        # which would leave BackupPC_Admin reachable without a password
        auth_basic "BackupPC admin";
        auth_basic_user_file /usr/local/etc/nginx/.passwd;
        location / {
        }
        location ~ \.cgi$ {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/fcgiwrap/fcgiwrap.sock;
            fastcgi_param REMOTE_ADDR $remote_addr;
            fastcgi_param REMOTE_USER $remote_user;
            fastcgi_param SCRIPT_FILENAME /usr/local/www/cgi-bin/BackupPC_Admin;
            error_page 404 /404.html;
            error_page 500 502 503 504 /50x.html;
        }
    }
}
Do not forget to install the packages referenced by this configuration and by rc.conf:
fcgiwrap-1.1.0_3    Simple FastCGI wrapper for CGI scripts
spawn-fcgi-1.6.4_2  Spawns fastcgi applications
It is better to move SSH from the standard port 22 to another one, otherwise mindless brute-forcers will clog the logs. Set in sshd_config: Port 12345. So that BackupPC can reach the other hosts, do the same in the ssh_config file.
Now access to the BackupPC web interface needs to be restricted. For this I wanted to use htdigest, but that turned out to be a bust: the installed package does not have this option. nginx can load modules, so I tried that. The desired module is on GitHub, but it is five years old; I tried to compile it, but the code is outdated and no longer builds with a modern nginx. I found a more recent version, and everything compiles, but it was too early to rejoice: htdigest is not built as a loadable module. As a result, I had to make do with ordinary htpasswd and create the password with openssl passwd. The alternative is to install from ports or from src, which is unnecessarily troublesome. The BackupPC web interface is available at foo.example.com.
I took the first step: entered the first host for backup and clicked Save. Everything seems fine. Now check that this client answers ping:
ping6 client.your.domain
Next, the other side, i.e. the client, must have someone able to call rsync and walk the client's filesystem to collect the files to be backed up. For this a bpc user is created on each client; it must have access to all files, but these rights must be strictly limited to the scope of the task. Its entry in the client's /etc/passwd:
bpc:*:1006:1006:backuppc from foo:/home/bpc:/bin/csh
To grant the rights, a line is added to /usr/local/etc/sudoers:
# rsync runs as root, so it can read every file; in receiver mode
# (used for restores) it can also write anywhere
bpc ALL=NOPASSWD: /usr/local/bin/rsync
The next step is to check access to the client: simply try to ssh to the client. ssh will immediately ask for the key passphrase. If that works, BackupPC will get through too. In practice, though, it is very hard to avoid BackupPC reporting "Unable to read 4 bytes", which means it cannot connect to the client. As a rule the reason in such cases is one's own inattention. Fix the errors and voilà: the server connects to the host.
One important thing is not done yet: the SATA disk is not connected, as I do not have it at the moment. For debugging, a USB flash drive is used as the storage meanwhile.
Next comes the standard configuration and debugging of BackupPC, which is described in detail in the documentation and about which there is plenty on the Internet. When configuring BackupPC, this command is useful:
BackupPC_dump -v -f bpc@client.your.domain
It gives detailed output, and analysing it helps to get BackupPC working well.
So everything is ready and the system is working. One final touch remains: back up the SD card.
# dd if=/dev/da0 of=//bpc.img bs=1m
Now the work is really finished, and there is a backup copy from which the system can be restored to a new SD card if need be.
Not everything is reflected in the article in sufficient detail; in fact the BackupPC setup process is almost absent. But the main goal is not the details but demonstrating in principle the possibility of deploying BackupPC on a Banana Pi M1 running FreeBSD 11.