Authored by Colin Densem

Rsnapshot - secure & multihost?

Aim: To create a secure backup via rsnapshot of multiple servers without root!

This isn't a complete copy & paste guide!

Some steps are opinionated and some details are left out on purpose, so that you learn what you're setting up rather than blindly copying.

Google and community knowledge are your friends, so just ask, and please, please offer suggestions or tweaks...

Rsnapshot is a great tool, leveraging rsync which is fantastic.

This approach allows/encourages different non-blocking schedules.

Under a normal 'default' config, if one job is delayed or very lengthy, all the others wait.

This can, and often will, have a knock-on impact on the next scheduled run.

What we'd like, then, is multiple hosts, each with an independent schedule and exclusions, ideally without using passwordless root access.

Before we begin, treat your backup servers like your production servers. There is no reason for them to have any port or service exposed. Consider even placing ssh behind a bastion jump host.

Also check your backups work. Try restoring to a test server occasionally.

Shall we backup?

Introducing our cast

For the purposes of ease, the following servers/actors appear in this guide:

  • Earth: The backup server where all your backup data will be held.
  • Mars: A lifeless server? Infrequent changes, it requires a daily backup.
  • Venus: A very special server; of course, and it requires an hourly backup.
  • rbackup: our intrepid backupstranaut.

Comms Check - Connectivity

Ensure you can access both servers remotely and obtain a root session. Ensure your firewall permits traffic from Earth to Mars & Venus. Ensure you can also SSH from Earth to Mars & Venus as root initially.

Earth Preparations

Generate a specific key for this task.

ssh-keygen -t rsa -b 4096 -C rbackup@Earth

Give the key a different name to the default, perhaps /root/.ssh/id_rsa_rbackup. Doing this means you need to set up some ssh config to supply this identity file. For this key & task, don't supply a passphrase when prompted.

On Earth, in /root/.ssh/config (repeat the Mars section for each target):

Host mars
  User rbackup
  IdentityFile /root/.ssh/id_rsa_rbackup

  # Only if SSH isn't on port 22
  Port 322
  # This needs to be routable! IP address works too.
  Hostname mars.fqdn

Mission Prep Work

On Mars & Venus, create a new user rbackup. This will be used by Earth to perform the backup tasks via the passwordless ssh key.

Add the public key from Earth to the rbackup users on Mars and Venus. Now check you can access Mars & Venus from Earth via ssh mars & ssh venus.

You should find yourself on Mars & Venus as rbackup.

Mars & Venus Base

Before you can make the backup trips to Mars or Venus you need to send root to make a suitable & secure base. * Avast, space pyrats *

As root, create a new file in the home directory of rbackup on Mars & Venus.

vim ~/

Use the following contents for, src:

FAIL_MESSAGE="Connection Closed"
    echo "$FAIL_MESSAGE"
    echo "$FAIL_MESSAGE"
    echo "$FAIL_MESSAGE"
    echo "$FAIL_MESSAGE"
    echo "$FAIL_MESSAGE"
    echo "$FAIL_MESSAGE"
    echo "$FAIL_MESSAGE"
    echo true
    echo "$FAIL_MESSAGE"

Ensure validate_rsync has the right permissions and is executable:

chmod 550

As root, alter the sudoers file with visudo and add the rbackup rights to the bottom of the file:

rbackup ALL=NOPASSWD:/usr/bin/rsync

As root, create an rsync wrapper script at /usr/local/bin/ with the content:

#!/bin/sh
/usr/bin/sudo /usr/bin/rsync "$@"

Then set owner and permissions:

chown rbackup:root /usr/local/bin/
chmod 550 /usr/local/bin/

For additional security, you can set the login shell of rbackup to the script.

sudo chsh rbackup

When prompted for a shell, enter /home/rbackup/

Amend authorized_keys on Mars & Venus to apply a from filter and a command filter, like this:

from="20.01.Earth.ip",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/home/rbackup/" ssh-rsa AAABBB...key... rbackup@Earth


You want to avoid space madness right? Feel free to do more, it's your ride!

From Earth, if you attempt to ssh to Mars, you should see your Connection Closed from #2.

From Earth try

ssh -v mars true > out.dat

With luck, out.dat should have true in it. This might just work!
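The behaviour tested above (a bare login is refused, `true` is answered, rsync through the wrapper is passed on) can be produced by a forced-command script like the one below. It is an added example, not the author's validate_rsync; the wrapper path and the `--enforce` argument are assumptions, and it goes one step further by requiring `--sender`, so the key can only pull data from the host.

```sh
#!/bin/sh
# Added example, not the author's validate_rsync script.
# WRAPPER is a hypothetical path: use the sudo rsync wrapper you created.
WRAPPER="/usr/local/bin/rsync_wrapper_example"
FAIL_MESSAGE="Connection Closed"
NL='
'

# classify_command CMD: prints "true", "rsync" or "reject" for the command
# string that sshd passes in SSH_ORIGINAL_COMMAND.
classify_command() {
    case "$1" in
        "")
            echo reject ;;      # bare login, no command requested
        *\&*|*\;*|*\|*|*\<*|*\>*|*\(*|*\)*|*\{*|*\}*|*\$*|*\`*|*\\*|*"$NL"*)
            echo reject ;;      # shell metacharacters: chaining, redirects, expansion
        true)
            echo true ;;        # the connectivity probe: ssh mars true
        "$WRAPPER --server --sender "*)
            echo rsync ;;       # rsync pulling data from this host (read only)
        *)
            echo reject ;;      # everything else, including rsync pushes
    esac
}

# enforce: act on the verdict; only the rsync case runs the client's command.
enforce() {
    case "$(classify_command "${SSH_ORIGINAL_COMMAND:-}")" in
        true)
            echo true ;;
        rsync)
            set -f              # split into words but never expand globs
            exec $SSH_ORIGINAL_COMMAND ;;
        *)
            echo "$FAIL_MESSAGE"
            exit 1 ;;
    esac
}

# Assumed invocation from authorized_keys: command="<this script> --enforce"
if [ "${1:-}" = "--enforce" ]; then
    enforce
fi
```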

Test the rsync basics: from Earth, we want to back up, say, the tools directory in root to our /tmp folder.

rsync -ae ssh --rsync-path='' mars:/root/tools /tmp/

You should have a copy of tools in tmp. * Test Probe Made It *

If you get other errors, check Google; you might just have to figure it out.

rSnapshot setup & configuration

The goal here is to use Earth to back up from multiple hosts, Mars & Venus. The majority of this section is built on the work of Derek Simkowiak, adapted for CentOS/Centmin. Please read it; I'm going to skip over a lot of his text.


Install rsnapshot via yum.

yum install -y rsnapshot

What follows is for a custom install/config. Proceed at your own risk.

Back up the original rsnapshot config:

cp -af /etc/rsnapshot.conf /etc/rsnapshot.conf-dist

Create the local common rsnapshot config:

mv /etc/rsnapshot.conf /etc/rsnapshot-common.conf

Edit /etc/rsnapshot-common.conf. Only use TABS.

  • Uncomment cmd_cp /bin/cp
  • Uncomment cmd_ssh /usr/bin/ssh circa #55
  • Comment out the retain alpha, beta etc circa #86
  • Change verbose 2 to verbose 3 circa #103
  • Comment out lockfile circa #120
  • Uncomment sync_first 0 and change it to 1, circa #175
  • Comment out backup /home etc circa #226

Each host ~ mars/venus will get a rsnapshot.conf file with the specific schedule and exclusions.

Mission Configuration

To create a new backup there are a number of steps to perform. Save the following to a suitable script /root/tools/

# Make the directory to hold the backups.
# Notice that in this example, everything is under $BACKUP_PATH:
mkdir -p "$BACKUP_PATH/$HOST/.sync"
# Here we create the unique Rsnapshot config file for the new host.
# The first line includes the global defaults in /etc/rsnapshot-common.conf.
# You may want to tweak these settings, as by default it runs every hour
# and retains incrementals for up to ten years.
# Also notice that each host gets its own .log and .pid file,
# and also an "exclude_file.txt" that lists which files to ignore.
# (Note: The -e option to echo makes \t work as a tab)
echo -e "






" >> $BACKUP_PATH/$HOST/rsnapshot.conf

# Here we create the "exclude" file for this host.
# This is in the rsync format for exclude files, which is a
# little tricky and not easy to understand.
echo "- /bin
- /boot
- /dev
- /lib
- /lib64
- /media
- /mnt
- /opt
- /proc
- /run
- /sbin
- /srv
- /svr-setup
- /sys
- /tmp
- /usr
- /var/lock
- /var/run
+ /*
" >> $BACKUP_PATH/$HOST/exclude_file.txt

# Next, we add this host to crontab.

# Note that this is not the only way to set up cron.  Another
# example would be to use cron's run-parts to manage the hourly,
# daily, and weekly runs separately.  My preference is to keep each
# backup host's cron entries all together in one file, as in this example,
# but it is not required.  (Thanks to Nico Kadel-Garcia for pointing this out.)
# You'll probably want to edit this for hourly or daily:
echo "
# m h  dom mon dow user command
00 * * * *  root rsnapshot -c $BACKUP_PATH/$HOST/rsnapshot.conf sync && rsnapshot -c $BACKUP_PATH/$HOST/rsnapshot.conf hourly
00 04 * * * root rsnapshot -c $BACKUP_PATH/$HOST/rsnapshot.conf daily
00 02 * * 0 root rsnapshot -c $BACKUP_PATH/$HOST/rsnapshot.conf weekly
00 00 1 * * root rsnapshot -c $BACKUP_PATH/$HOST/rsnapshot.conf monthly
" >> /etc/cron.d/rsnapshot.$HOST

Let's run the config script and check...

# First, specify the hostname (used in the config files).  
# This hostname must actually work.
export HOST="mars"
# Secondly, specify the path (used in the config files).  
# This path must exist.
export BACKUP_PATH="/backups"

Now run /root/tools/

Go for rSnapshot?

and check

  • /etc/cron.d for a rsnapshot.HOST
  • /backups for a HOST directory
  • /backups/HOST/ for exclude, rsnapshot config.

All looking good and clean? * Go for rSnapshot. *

5, 4, 3, 2, 1

Let's launch this. Grab a drink and run the hourly entry from cron.d/rsnapshot.HOST, e.g.

rsnapshot -c /backups/mars/rsnapshot.conf sync && rsnapshot -c /backups/mars/rsnapshot.conf hourly

rsnapshot encountered an error! * oh snap * ...a coupling has come loose. The oddity of your mission means all config files for rsnapshot need tabs. You didn't think this was going to be ordinary? Check and re-run if needed.
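Because every rsnapshot directive must be tab-separated, writing the per-host file with printf and counting directive lines that contain no tab catches this error before cron does. This is an added example, not the author's script; the retain counts, the log and pid file names, and the wrapper path passed as the third argument are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. Retain counts, file names and the
# wrapper path are assumptions; adjust them to your own setup.

# make_host_conf HOST BACKUP_PATH WRAPPER: print a per-host rsnapshot.conf.
# printf writes every separator as a real tab, whatever the editor settings.
make_host_conf() {
    host=$1 root=$2 wrapper=$3
    printf 'include_conf\t/etc/rsnapshot-common.conf\n'
    printf 'snapshot_root\t%s/%s/\n' "$root" "$host"
    printf 'retain\thourly\t24\n'
    printf 'retain\tdaily\t7\n'
    printf 'retain\tweekly\t4\n'
    printf 'retain\tmonthly\t12\n'
    printf 'logfile\t%s/%s/rsnapshot.log\n' "$root" "$host"
    printf 'lockfile\t%s/%s/rsnapshot.pid\n' "$root" "$host"
    printf 'exclude_file\t%s/%s/exclude_file.txt\n' "$root" "$host"
    # rsnapshot's default long args plus the remote sudo wrapper
    printf 'rsync_long_args\t--delete --numeric-ids --relative --delete-excluded --rsync-path=%s\n' "$wrapper"
    printf 'backup\t%s:/\t./\n' "$host"
}

# untabbed_lines FILE: count directive lines (not blank, not comments) that
# contain no tab at all, the usual cause of the rsnapshot config error.
untabbed_lines() {
    awk '!/^[ \t]*(#|$)/ && !/\t/ { n++ } END { print n + 0 }' "$1"
}
```

A non-zero count from `untabbed_lines /backups/mars/rsnapshot.conf` points at space-separated directives; rsnapshot's own `configtest` subcommand (`rsnapshot -c /backups/mars/rsnapshot.conf configtest`) checks the rest of the syntax.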


Hopefully you make it to Mars and back with all your data bits included. Check the backups path on Earth.

That was a long trip. You should go again:

rsnapshot -c /backups/mars/rsnapshot.conf sync && rsnapshot -c /backups/mars/rsnapshot.conf hourly

The keen-eyed will notice this is the schedule from the hourly backup for Mars. It's just timing; alter the cron timings to suit, depending on the size of the initial jobs. For daily I'd run the hourly once a day at 00 00 * * *

All good? Time to try Venus? Then beyond!

Intrepid Explorer

All things are finite. Earth will be gone one day. There is good reason to find a second host for your data. Moon is a good offsite start, and the hard work on Mars and Venus is done. Grab that space slushy...

