Version: 1.0

A backup strategy for your remote files!

Because launchd will run the backups, we switch to the root user and set everything up under that account.

  1. Enabling and using the "root" user in Mac OS X: http://docs.info.apple.com/article.html?artnum=106290

    How to enable the root user

    Mac OS X 10.5 or later

    1. From the Finder's Go menu, choose Utilities.
    2. Open Directory Utility.
    3. Click the lock in the Directory Utility window.
    4. Enter an administrator account name and password, then click OK.
    5. Choose Enable Root User from the Edit menu
    6. Enter the root password you wish to use in both the Password and Verify fields, then click OK.

    On a German-language system:
    1. Finder
    2. "Gehe zu" (Go) menu
    3. Dienstprogramme (Utilities)
    4. Verzeichnisdienste (Directory Utility; not "Verzeichnis")
    5. "Bearbeiten" (Edit) menu
    6. root-Benutzer aktivieren (Enable Root User)
  2. Mac OS X enable fast user switching: http://www.tech-recipes.com/mac_system_administration_tips706.html

    To turn on fast user switching, open the System Preferences and click on the Accounts icon under the System category. Click on Login Options near the lower left and click the Enable fast user switching checkbox.

    The menu bar at the top of the screen will change, inserting the current user name at the top right. When you click on this name, you'll see a menu listing all of the system's users and a Login Window... choice. Clicking on a user's name will switch to that user (possibly after requesting a password). Clicking on the Login Window... option will take you to the login screen.

    The fast user switch occurs with a dramatic rotation of the screen, a slick effect. Be warned that each user logged into a system eats up memory and the more applications open for each user, the more likely the system will swap stuff into virtual memory and system performance will suffer.
  3. Switch to the root user.
  4. Download and install Xcode: http://developer.apple.com/tools/xcode/index.html
  5. Download and install MacPorts: https://www.macports.org
  6. cd /opt/local/bin
  7. port -d selfupdate
  8. port install rsnapshot
  9. Edit the rsnapshot configuration file (NOTE: this file requires tabs, not spaces, between elements)
    cd /opt/local/etc
  10. nano rsnapshot.conf
  11. Content of rsnapshot.conf:

    snapshot_root	/Users/phil/Documents/Daten/Inet/Backup/
    cmd_ssh	/usr/bin/ssh
    interval	hourly	6
    interval	daily	7
    interval	weekly	4
    interval	monthly	3

    I don't want to back up these file types, so I define the exceptions:

    exclude	*.avi
    exclude	*.mpg
    exclude	*.mp3
    exclude	*.pdf

    backup	sshuser@mydomain1.com:/path/to/the/web/root/	mydomain1.com/
    backup	sshuser@mydomain2.com:/path/to/the/web/root/	mydomain2.com/
  12. Launchd must be able to log in to the remote web servers via ssh, so we have to set up key-based logins WITHOUT passphrases. That way no interaction is required and everything can run in batch mode.
  13. Enable key-based logins: http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html#backup

    In addition to full paths on the local filesystem, you can also backup remote systems using rsync over ssh. If you have ssh installed and enabled (via the cmd_ssh parameter), you can specify a path like:

    backup root@example.com:/etc/ example.com/

    This behaves fundamentally the same way, but you must take a few extra things into account.
    * The ssh daemon must be running on example.com
    * You must have access to the account you specify on the remote machine, in this case the root user on example.com.
    * You must have key-based logins enabled for the root user at example.com, without passphrases. If you wanted to perform backups as another user, you could specify the other user instead of root for the source (i.e. user@domain.com). Please note that allowing remote logins with no passphrase is a security risk that may or may not be acceptable in your situation. Make sure you guard access to the backup server very carefully! For more information on how to set this up, please consult the ssh man page, or a tutorial on using ssh public and private keys. You will find that the key based logins are better in many ways, not just for rsnapshot but for convenience and security in general. One thing you can do to mitigate the potential damage from a backup server breach is to create alternate users on the client machines with uid and gid set to 0, but with a more restrictive shell such as scponly.
    * This backup occurs over the network, so it may be slower. Since this uses rsync, this is most noticeable during the first backup. Depending on how much your data changes, subsequent backups should go much, much faster since rsync only sends the differences between files.
  14. man ssh

    The user creates his/her key pair by running ssh-keygen(1). This stores the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol 2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine. The authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long. After this, the user can log in without giving the password.
  15. Create a key pair and don't enter a passphrase!
    ssh-keygen
  16. As we are logged in as root the files will be created here:

    /var/root/.ssh

    Private key: id_rsa
    Public key: id_rsa.pub
  17. Copy the public key to the remote servers:
    Connect to the remote server via ssh and create this file:
    ~/.ssh/authorized_keys

    Then copy the content of the local file /var/root/.ssh/id_rsa.pub to the remote file ~/.ssh/authorized_keys
    The file has one key per line!

    A line looks like this (ATTENTION: the user has to be root@... !)
    ssh-rsa .............. root@NameOfMyComputer.local
  18. Now you can test whether you can log in to the remote account without having to enter the password:
    ssh sshuser@mydomain1.com
  19. Setup the LaunchDaemons so that the backups are run periodically:
    cd /Library/LaunchDaemons/
  20. Download launchd plist files for rsnapshot: rsnapshot_launchd_plists.tgz
  21. launchctl load -w /Library/LaunchDaemons/org.rsnapshot.periodic-daily.plist
    launchctl load -w /Library/LaunchDaemons/org.rsnapshot.periodic-hourly.plist
    launchctl load -w /Library/LaunchDaemons/org.rsnapshot.periodic-monthly.plist
    launchctl load -w /Library/LaunchDaemons/org.rsnapshot.periodic-weekly.plist
  22. A program to edit these launchd plist files:
    http://lingon.sourceforge.net
  23. Check if all four jobs are now active:
    launchctl list
  24. Check if the jobs can be run:
    launchctl start org.rsnapshot.periodic-hourly

    You could also test it with this command but it doesn't simulate the execution of the batch-job:
    /opt/local/bin/rsnapshot -t hourly

    If you are logged in as a user other than root, you could also run: sudo /opt/local/bin/rsnapshot -t hourly
    But be aware that you might get different results compared to running the batch job. This command might work while launchctl start org.rsnapshot.periodic-hourly fails because of an error in the configuration, especially if you accidentally entered a passphrase for your key pair.
  25. Does it create the backup?
    du -hc /Users/phil/Documents/Daten/Inet/Backup/

    If you just want to see to a depth of 2 in the tree:
    du -hc -d 2 /Users/phil/Documents/Daten/Inet/Backup/
  26. Check the logfile:
    tail /var/log/rsnapshot
  27. If you want to access the backup files as a user other than root, you could run these commands:
    cd /Users/phil/Documents/Daten/Inet/Backup/
    chown -R phil *
  28. Congratulations! You're done. Switch back to the normal user.
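
Steps 12 to 17 leave a passphrase-less private key in /var/root/.ssh that can open a full shell as sshuser on every web server. The following is an added example, not part of the original how-to: a forced-command wrapper for the remote side that limits that key to the read-only rsync pull rsnapshot performs. The script name, its install path and the function name are assumptions; the allowed path is the one from the rsnapshot.conf above.

```shell
#!/bin/sh
# Added example (not from the original how-to). Install on the REMOTE server,
# e.g. as /usr/local/bin/validate-rsync (name and path are assumptions), then
# prefix the key line in ~/.ssh/authorized_keys with:
#   command="/usr/local/bin/validate-rsync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa .............. root@NameOfMyComputer.local

LC_ALL=C; export LC_ALL               # byte-wise ranges in the patterns below
ALLOWED_ROOT=/path/to/the/web/root/   # the only tree this key may read

# Succeeds only for a read-only rsync server command below ALLOWED_ROOT.
is_allowed_backup_cmd() {
    cmd=$1
    # Character whitelist: quotes, ; | $ ` newlines etc. are all refused.
    case $cmd in
        *[!A-Za-z0-9\ ./_,=-]*) return 1 ;;
    esac
    # No directory traversal, and no option that deletes files on the sender.
    case $cmd in
        *..*|*" --remove-"*) return 1 ;;
    esac
    # "--sender" means this side only sends files (a pull). Without it the
    # key holder could write to the web server.
    case $cmd in
        "rsync --server --sender -"*) ;;
        *) return 1 ;;
    esac
    # Everything after " . " must be exactly one path inside ALLOWED_ROOT.
    paths=${cmd#*" . "}
    case $paths in
        *" "*) return 1 ;;
        "$ALLOWED_ROOT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd stores the command the client requested in SSH_ORIGINAL_COMMAND.
# It is unset for an interactive login, which therefore gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_backup_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f                        # split into words, but never glob
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "validate-rsync: command refused" >&2
    exit 1
fi
```

With this in place the test in step 18 no longer opens a shell; check the setup with launchctl start org.rsnapshot.periodic-hourly and /var/log/rsnapshot instead. The wrapper assumes the backed-up path contains no spaces.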

Links

http://en.wikipedia.org/wiki/Launchd
Configuring rsnapshot and launchd on Mac OS X: http://www.justatheory.com/computers/os/macosx/rsnapshot_and_launchd.html
Using Rsnapshot and SSH: http://troy.jdmz.net/rsnapshot/

Infos

A plist can also be run under a certain user:

Thanks

Thanks to Maximilian Schmid for bringing rsnapshot to my attention and helping out.