astrails-safe 0.1.3 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.markdown +160 -0
- data/VERSION.yml +1 -1
- metadata +3 -3
- data/README.rdoc +0 -132
data/README.markdown
ADDED
|
@@ -0,0 +1,160 @@
|
|
|
1
|
+
astrails-safe
|
|
2
|
+
=============
|
|
3
|
+
|
|
4
|
+
Simple mysql and filesystem backups with S3 support (with optional encryption)
|
|
5
|
+
|
|
6
|
+
Motivation
|
|
7
|
+
----------
|
|
8
|
+
|
|
9
|
+
We needed a backup solution that will satisfy the following requirements:
|
|
10
|
+
|
|
11
|
+
* opensource
|
|
12
|
+
* simple to install and configure
|
|
13
|
+
* support for simple ‘tar’ backups of directories (with includes/excludes)
|
|
14
|
+
* support for simple mysqldump of mysql databases
|
|
15
|
+
* support for symmetric or public key encryption
|
|
16
|
+
* support for local filesystem and Amazon S3 for storage
|
|
17
|
+
* support for backup rotation. we don’t want backups filling all the diskspace or cost a fortune on S3
|
|
18
|
+
|
|
19
|
+
And since we didn't find any, we wrote our own :)
|
|
20
|
+
|
|
21
|
+
Usage
|
|
22
|
+
-----
|
|
23
|
+
|
|
24
|
+
Usage:
|
|
25
|
+
astrails-safe [OPTIONS] CONFIG_FILE
|
|
26
|
+
Options:
|
|
27
|
+
-h, --help This help screen
|
|
28
|
+
-v, --verbose be verbose, duh!
|
|
29
|
+
-n, --dry-run just pretend, don't do anything.
|
|
30
|
+
-L, --local skip S3
|
|
31
|
+
|
|
32
|
+
Note: CONFIG_FILE will be created from template if missing
|
|
33
|
+
|
|
34
|
+
Encryption
|
|
35
|
+
----------
|
|
36
|
+
|
|
37
|
+
If you want to encrypt your backups you have 2 options:
|
|
38
|
+
* use simple password encryption
|
|
39
|
+
* use GPG public key encryption
|
|
40
|
+
|
|
41
|
+
For simple password, just add password entry in gpg section.
|
|
42
|
+
For public key encryption you will need to create a public/secret keypair.
|
|
43
|
+
|
|
44
|
+
We recommend to create your GPG keys only on your local machine and then
|
|
45
|
+
transfer your public key to the server that will do the backups.
|
|
46
|
+
|
|
47
|
+
This way the server will only know how to encrypt the backups but only you
|
|
48
|
+
will be able to decrypt them using the secret key you have locally. Of course
|
|
49
|
+
you MUST backup your backup encryption key :)
|
|
50
|
+
We recommend also pringing the hard paper copy of your GPG key 'just in case'.
|
|
51
|
+
|
|
52
|
+
The procedure to create and transfer the key is as follows:
|
|
53
|
+
|
|
54
|
+
1. run 'gpg --gen-gen' on your local machine and follow onscreen instructions to create the key
|
|
55
|
+
(you can accept all the defaults).
|
|
56
|
+
|
|
57
|
+
2. extract your public key into a file (assuming you used test@example.com as your key email):
|
|
58
|
+
gpg -a --export test@example.com > test@example.com.pub
|
|
59
|
+
|
|
60
|
+
3. transfer public key to the server
|
|
61
|
+
scp backup@example.com root@example.com:
|
|
62
|
+
|
|
63
|
+
4. import public key on the remote system:
|
|
64
|
+
<pre>
|
|
65
|
+
$ gpg --import test@example.com.pub
|
|
66
|
+
gpg: key 45CA9403: public key "Test Backup <test@example.com>" imported
|
|
67
|
+
gpg: Total number processed: 1
|
|
68
|
+
gpg: imported: 1
|
|
69
|
+
</pre>
|
|
70
|
+
|
|
71
|
+
5. since we don't keep the secret part of the key on the remote server, gpg has
|
|
72
|
+
no way to know its yours and can be trusted.
|
|
73
|
+
To fix that we can sign it with other trusted key, or just directly modify its
|
|
74
|
+
trust level in gpg (use level 5):
|
|
75
|
+
|
|
76
|
+
<pre>
|
|
77
|
+
$ gpg --edit-key test@example.com
|
|
78
|
+
...
|
|
79
|
+
Command> trust
|
|
80
|
+
...
|
|
81
|
+
1 = I don't know or won't say
|
|
82
|
+
2 = I do NOT trust
|
|
83
|
+
3 = I trust marginally
|
|
84
|
+
4 = I trust fully
|
|
85
|
+
5 = I trust ultimately
|
|
86
|
+
m = back to the main menu
|
|
87
|
+
|
|
88
|
+
Your decision? 5
|
|
89
|
+
...
|
|
90
|
+
Command> quit
|
|
91
|
+
</pre>
|
|
92
|
+
|
|
93
|
+
6. export your secret key for backup
|
|
94
|
+
(we recommend to print it on paper and burn to a CD/DVD and store in a safe place):
|
|
95
|
+
|
|
96
|
+
> gpg -a --export-secret-key test@example.com > test@example.com.key
|
|
97
|
+
|
|
98
|
+
|
|
99
|
+
Example configuration
|
|
100
|
+
---------------------
|
|
101
|
+
<pre>
|
|
102
|
+
safe do
|
|
103
|
+
local :path => "/backup/:kind/:id"
|
|
104
|
+
|
|
105
|
+
s3 do
|
|
106
|
+
key "...................."
|
|
107
|
+
secret "........................................"
|
|
108
|
+
bucket "backup.astrails.com"
|
|
109
|
+
path "servers/alpha/:kind/:id"
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
gpg do
|
|
113
|
+
# symmetric encryption key
|
|
114
|
+
# password "qwe"
|
|
115
|
+
|
|
116
|
+
# public GPG key (must be known to GPG, i.e. be on the keyring)
|
|
117
|
+
key "backup@astrails.com"
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
keep do
|
|
121
|
+
local 2
|
|
122
|
+
s3 2
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
mysqldump do
|
|
126
|
+
options "-ceKq --single-transaction --create-options"
|
|
127
|
+
|
|
128
|
+
user "root"
|
|
129
|
+
password "............"
|
|
130
|
+
socket "/var/run/mysqld/mysqld.sock"
|
|
131
|
+
|
|
132
|
+
database :blog
|
|
133
|
+
database :servershape
|
|
134
|
+
database :astrails_com
|
|
135
|
+
database :secret_project_com
|
|
136
|
+
|
|
137
|
+
end
|
|
138
|
+
|
|
139
|
+
tar do
|
|
140
|
+
archive "git-repositories", :files => "/home/git/repositories"
|
|
141
|
+
archive "dot-configs", :files => "/home/*/.[^.]*"
|
|
142
|
+
archive "etc", :files => "/etc", :exclude => "/etc/puppet/other"
|
|
143
|
+
|
|
144
|
+
archive "blog-astrails-com" do
|
|
145
|
+
files "/var/www/blog.astrails.com/"
|
|
146
|
+
exclude ["/var/www/blog.astrails.com/log", "/var/www/blog.astrails.com/tmp"]
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
archive "astrails-com" do
|
|
150
|
+
files "/var/www/astrails.com/"
|
|
151
|
+
exclude ["/var/www/astrails.com/log", "/var/www/astrails.com/tmp"]
|
|
152
|
+
end
|
|
153
|
+
end
|
|
154
|
+
end
|
|
155
|
+
</pre>
|
|
156
|
+
|
|
157
|
+
Copyright
|
|
158
|
+
---------
|
|
159
|
+
|
|
160
|
+
Copyright (c) 2009 Astrails Ltd. See LICENSE for details.
|
data/VERSION.yml
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: astrails-safe
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Astrails Ltd.
|
|
@@ -30,10 +30,10 @@ extensions: []
|
|
|
30
30
|
|
|
31
31
|
extra_rdoc_files:
|
|
32
32
|
- LICENSE
|
|
33
|
-
- README.
|
|
33
|
+
- README.markdown
|
|
34
34
|
files:
|
|
35
35
|
- LICENSE
|
|
36
|
-
- README.
|
|
36
|
+
- README.markdown
|
|
37
37
|
- Rakefile
|
|
38
38
|
- VERSION.yml
|
|
39
39
|
- bin/astrails-safe
|
data/README.rdoc
DELETED
|
@@ -1,132 +0,0 @@
|
|
|
1
|
-
= astrails-safe
|
|
2
|
-
|
|
3
|
-
Simple mysql and filesystem backups with S3 support (with optional encryption)
|
|
4
|
-
|
|
5
|
-
Usage:
|
|
6
|
-
astrails-safe [OPTIONS] CONFIG_FILE
|
|
7
|
-
Options:
|
|
8
|
-
-h, --help This help screen
|
|
9
|
-
-v, --verbose be verbose, duh!
|
|
10
|
-
-n, --dry-run just pretend, don't do anything.
|
|
11
|
-
-L, --local skip S3
|
|
12
|
-
|
|
13
|
-
Note: CONFIG_FILE will be created from template if missing
|
|
14
|
-
|
|
15
|
-
If you want to encrypt your backups you have 2 options:
|
|
16
|
-
* use simple password encryption
|
|
17
|
-
* use GPG public key encryption
|
|
18
|
-
|
|
19
|
-
For simple password, just add password entry in gpg section.
|
|
20
|
-
For public key encryption you will need to create a public/secret keypair.
|
|
21
|
-
|
|
22
|
-
We recommend to create your GPG keys only on your local machine and then
|
|
23
|
-
transfer your public key to the server that will do the backups.
|
|
24
|
-
|
|
25
|
-
This way the server will only know how to encrypt the backups but only you
|
|
26
|
-
will be able to decrypt them using the secret key you have locally. Of course
|
|
27
|
-
you MUST backup your backup encryption key :)
|
|
28
|
-
We recommend also pringing the hard paper copy of your GPG key 'just in case'.
|
|
29
|
-
|
|
30
|
-
The procedure to create and transfer the key is as follows:
|
|
31
|
-
|
|
32
|
-
1. run 'gpg --gen-gen' on your local machine and follow onscreen instructions to create the key
|
|
33
|
-
(you can accept all the defaults).
|
|
34
|
-
|
|
35
|
-
2. extract your public key into a file (assuming you used test@example.com as your key email):
|
|
36
|
-
gpg -a --export test@example.com > test@example.com.pub
|
|
37
|
-
|
|
38
|
-
3. transfer public key to the server
|
|
39
|
-
scp backup@example.com root@example.com:
|
|
40
|
-
|
|
41
|
-
4. import public key on the remote system:
|
|
42
|
-
$ gpg --import test@example.com.pub
|
|
43
|
-
gpg: key 45CA9403: public key "Test Backup <test@example.com>" imported
|
|
44
|
-
gpg: Total number processed: 1
|
|
45
|
-
gpg: imported: 1
|
|
46
|
-
|
|
47
|
-
5. since we don't keep the secret part of the key on the remote server, gpg has
|
|
48
|
-
no way to know its yours and can be trusted.
|
|
49
|
-
To fix that we can sign it with other trusted key, or just directly modify its
|
|
50
|
-
trust level in gpg (use level 5):
|
|
51
|
-
|
|
52
|
-
$ gpg --edit-key test@example.com
|
|
53
|
-
...
|
|
54
|
-
Command> trust
|
|
55
|
-
...
|
|
56
|
-
1 = I don't know or won't say
|
|
57
|
-
2 = I do NOT trust
|
|
58
|
-
3 = I trust marginally
|
|
59
|
-
4 = I trust fully
|
|
60
|
-
5 = I trust ultimately
|
|
61
|
-
m = back to the main menu
|
|
62
|
-
|
|
63
|
-
Your decision? 5
|
|
64
|
-
...
|
|
65
|
-
Command> quit
|
|
66
|
-
|
|
67
|
-
6. export your secret key for backup
|
|
68
|
-
(we recommend to print it on paper and burn to a CD/DVD and store in a safe place):
|
|
69
|
-
|
|
70
|
-
gpg -a --export-secret-key test@example.com > test@example.com.key
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
Example configuration:
|
|
74
|
-
|
|
75
|
-
safe do
|
|
76
|
-
local :path => "/backup/:kind/:id"
|
|
77
|
-
|
|
78
|
-
s3 do
|
|
79
|
-
key "...................."
|
|
80
|
-
secret "........................................"
|
|
81
|
-
bucket "backup.astrails.com"
|
|
82
|
-
path "servers/alpha/:kind/:id"
|
|
83
|
-
end
|
|
84
|
-
|
|
85
|
-
gpg do
|
|
86
|
-
# symmetric encryption key
|
|
87
|
-
# password "qwe"
|
|
88
|
-
|
|
89
|
-
# public GPG key (must be known to GPG, i.e. be on the keyring)
|
|
90
|
-
key "backup@astrails.com"
|
|
91
|
-
end
|
|
92
|
-
|
|
93
|
-
keep do
|
|
94
|
-
local 2
|
|
95
|
-
s3 2
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
mysqldump do
|
|
99
|
-
options "-ceKq --single-transaction --create-options"
|
|
100
|
-
|
|
101
|
-
user "root"
|
|
102
|
-
password "............"
|
|
103
|
-
socket "/var/run/mysqld/mysqld.sock"
|
|
104
|
-
|
|
105
|
-
database :blog
|
|
106
|
-
database :servershape
|
|
107
|
-
database :astrails_com
|
|
108
|
-
database :secret_project_com
|
|
109
|
-
|
|
110
|
-
end
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
tar do
|
|
114
|
-
archive "git-repositories", :files => "/home/git/repositories"
|
|
115
|
-
archive "dot-configs", :files => "/home/*/.[^.]*"
|
|
116
|
-
archive "etc", :files => "/etc", :exclude => "/etc/puppet/other"
|
|
117
|
-
|
|
118
|
-
archive "blog-astrails-com" do
|
|
119
|
-
files "/var/www/blog.astrails.com/"
|
|
120
|
-
exclude ["/var/www/blog.astrails.com/log", "/var/www/blog.astrails.com/tmp"]
|
|
121
|
-
end
|
|
122
|
-
|
|
123
|
-
archive "astrails-com" do
|
|
124
|
-
files "/var/www/astrails.com/"
|
|
125
|
-
exclude ["/var/www/astrails.com/log", "/var/www/astrails.com/tmp"]
|
|
126
|
-
end
|
|
127
|
-
end
|
|
128
|
-
end
|
|
129
|
-
|
|
130
|
-
== Copyright
|
|
131
|
-
|
|
132
|
-
Copyright (c) 2009 Astrails Ltd. See LICENSE for details.
|