Overview
The following setup can be used for backing up a blockdevice to a remote location with the following constraints:
- the source is a blockdevice
- we do not trust the remote destination
- no downtime for the source
- the backup reflects a consistent state of the source at a specific point in time
The remote backup can be a file or a blockdevice.
rsync would be the obvious tool for this kind of task, if only it could handle blockdevices.
Tools
The following tools are used for this purpose:
- cryptsetup: blockdevice encryption
- LVM: dynamic volume management with snapshots
- bdsync: remote synchronization of blockdevices
Build bdsync from source
bdsync is not included in Debian's repository. You need to build it from the source code.
First install the necessary packages:
apt-get install git build-essential libssl-dev
Grab the source code from GitHub:
git clone https://github.com/TargetHolding/bdsync.git
Change to the bdsync directory and build it with a simple make. Afterward, copy the files to the right places:
cp bdsync /usr/local/bin/
mkdir -p /usr/local/man/man1
gzip -c bdsync.1 > /usr/local/man/man1/bdsync.1.gz
Disk layout
The disk layout needs to be planned carefully in order to allow encryption and snapshots.
Simple layout (imperfect)
The following layout meets all of the requirements above except point-in-time consistency (the blockdevice may change during the transfer).
/dev/sda
  Grub-Boot-Partition
  Raid /dev/md0
    /boot
  Raid /dev/md1
    PV: lvm-crypto
      LV: lvm-crypto/root
      LV: lvm-crypto/swap
      LV: lvm-crypto/home
Complex layout (perfect)
The following layout allows consistent synchronization: the encrypted blockdevice is an LVM volume (snapshots are possible).
/dev/sda
  Grub-Boot-Partition
  Raid /dev/md0
    PV: lvm-plain
      LV: lvm-plain/boot
      LV: lvm-plain/crypto-pv
        PV: lvm-crypto
          LV: lvm-crypto/root
          LV: lvm-crypto/swap
          LV: lvm-crypto/home
Workflow
Initialization
copy the blockdevice to a remote location:
dd if=/dev/lvm-plain/crypto-pv | pv | ssh root@target "dd of=/dev/target"
Synchronization
create a snapshot of the encrypted blockdevice:
lvcreate --size 10G --snapshot --name backup-snapshot lvm-plain/crypto-pv
create a bdsync patch between this snapshot and the current remote backup:
bdsync "ssh root@target bdsync --server" /dev/lvm-plain/backup-snapshot /dev/target >bdsync.patch
copy the bdsync patch to the remote location:
scp bdsync.patch root@target:
rm bdsync.patch
apply the bdsync patch remotely and remove it afterwards:
ssh root@target "bdsync --patch=/dev/target < bdsync.patch && rm bdsync.patch"
remove the snapshot blockdevice:
lvremove lvm-plain/backup-snapshot
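
The synchronization steps above combined into one function, as an added example that is not part of the original page. It refuses to send a volume that is not encrypted and removes the snapshot even when a transfer step fails. It assumes the encrypted volume is a LUKS container; the function name sync_to_remote and its return codes are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Names follow the page; the
# function name and return codes are illustrative assumptions.

sync_to_remote() {
    src=$1          # VG/LV holding the ciphertext, e.g. lvm-plain/crypto-pv
    remote=$2       # ssh login of the untrusted target, e.g. root@target
    remote_dev=$3   # backup device or file on the target, e.g. /dev/target
    vg=${src%%/*}
    snap=backup-snapshot

    # Assumption: the volume is a LUKS container. Refuse to ship anything
    # else, so the untrusted remote only ever receives ciphertext.
    cryptsetup isLuks "/dev/$src" || {
        echo "refusing: /dev/$src is not a LUKS container" >&2
        return 2
    }

    patch=$(mktemp) || return 1
    lvcreate --size 10G --snapshot --name "$snap" "$src" || {
        rm -f "$patch"; return 3
    }

    # Chain the transfer steps; a failure skips the rest but still falls
    # through to the cleanup below.
    rc=0
    {
        bdsync "ssh $remote bdsync --server" "/dev/$vg/$snap" "$remote_dev" > "$patch" &&
        scp "$patch" "$remote:bdsync.patch" &&
        ssh "$remote" "bdsync --patch=$remote_dev < bdsync.patch && rm bdsync.patch"
    } || rc=$?

    # Always drop the local patch and the snapshot, even after a failure,
    # so a broken run does not leave a snapshot filling up.
    rm -f "$patch"
    lvremove --yes "$vg/$snap" || return 4
    [ "$rc" -eq 0 ] || return 5
}

# Run only when called with the three arguments, e.g.
#   sh sync.sh lvm-plain/crypto-pv root@target /dev/target
if [ "$#" -eq 3 ]; then
    sync_to_remote "$@"
fi
```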