iptables -F
systemctl stop firewalld
setenforce 0
(The three commands above flush the firewall rules, stop firewalld and switch SELinux to permissive mode so that the lab is not blocked by the host's own protections. Outside the lab, leave firewalld and SELinux enabled and open only TCP port 873 to the backup clients instead.)
Configuring the rsync backup source
yum -y install rsync
rpm -q rsync
rsync-3.1.2-4.el7.x86_64
1, Create the /etc/rsyncd.conf configuration file
vim /etc/rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
address = 192.168.200.123
port = 873
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
hosts allow = 192.168.200.0/24
[wwwroot]
path = /var/www/html
comment = Document Root of www.crushlinux.com
read only = yes
dont compress = *.gz *.bz2 *.tgz *.zip *.rar *.z
auth users = backuper
secrets file = /etc/rsyncd_users.db
Explanation of the settings:
uid = nobody                        # user the daemon accesses files as
gid = nobody                        # group the daemon accesses files as
use chroot = yes                    # chroot into the module's source directory
address = 192.168.200.123           # listening address
port = 873                          # listening port
log file = /var/log/rsyncd.log      # log file location
pid file = /var/run/rsyncd.pid      # file storing the daemon's process ID
hosts allow = 192.168.200.0/24      # client networks allowed to connect
[wwwroot]                           # shared module name
path = /var/www/html                # actual source directory
comment = Document Root of www.crushlinux.com   # description
read only = yes                     # module is read-only (clients can only download)
dont compress = *.gz *.bz2 *.tgz *.zip *.rar *.z   # file types not compressed during transfer
auth users = backuper               # users allowed to use this module
secrets file = /etc/rsyncd_users.db # file holding the account information
For security, the backup source should preferably only allow read-only downstream synchronization (read only = yes). Anonymous access is also possible: if both the "auth users" and "secrets file" lines are removed, any host matched by "hosts allow" can use the module without a password, so "hosts allow" becomes the only access control left.
2, Create the account data file
vim /etc/rsyncd_users.db
backuper:pwd123
One account per line, user name and password separated by a colon. The password is stored in plain text, so the file must not be readable by anyone else: set its mode to 600 (chmod 600 /etc/rsyncd_users.db). rsyncd refuses to use a secrets file that other users can read unless "strict modes = false" is set.
The backup user backuper also needs read access to /var/www/html. backuper is only an rsync account, not a system user; the daemon reads files as nobody (the uid/gid above), so it is enough for the "other" permission bits to grant read and execute on the directory.
chmod 755 /var/www/html/
3, Start the rsync service process
rsync --daemon
Running "rsync --daemon" starts the service as a stand-alone daemon listening on port 873. To shut it down, kill the process using the PID recorded in the pid file:
kill $(cat /var/run/rsyncd.pid)
Service Script
vim /etc/init.d/rsyncd
#!/bin/bash
#chkconfig:2345 80 20
#description:rsync server
# start the daemon only if nothing is listening on 873 yet
start () {
    netstat -lnpt | grep -q :873
    [ $? -ne 0 ] && rsync --daemon
}
# stop via the PID recorded in the pid file, then remove the stale pid file
stop () {
    netstat -lnpt | grep -q :873
    [ $? -eq 0 ] && kill $(cat /var/run/rsyncd.pid) && rm -f /var/run/rsyncd.pid
}
status () {
    netstat -lnpt | grep -q :873
    [ $? -eq 0 ] && echo "Rsync Daemon is running." || echo "Rsync Daemon is stopped."
}
case $1 in
start)
    start
    ;;
stop)
    stop
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
status)
    status
    ;;
*)
    echo "Usage: $0 {start|stop|restart|reload|status}"
esac
chmod +x /etc/init.d/rsyncd
chkconfig --add rsyncd
systemctl start rsyncd
Using the rsync backup tool on 192.168.200.124
Once the backup source server is set up, the rsync tool can be used to perform remote synchronization. The following operations are performed on the client (initiator).
Local backup: the backup source and the initiator can be the same machine
rsync /etc/fstab /opt/
rsync -rl /etc/fstab /boot/grub/ /opt/
rsync command format and backup options:
Format: rsync [options]... source destination
-r: recursive mode, includes all files and subdirectories of the directory
-l: copy symbolic links as symbolic links
-p: preserve file permissions
-t: preserve file modification times
-g: preserve file group (super-user only)
-o: preserve file owner (super-user only)
-D: preserve device files and other special files
-a: archive mode, recurses and preserves attributes; equivalent to -rlptgoD
-v: show detailed (verbose) information about the synchronization process
-z: compress data during transfer
-H: preserve hard links
-A: preserve ACL information
--delete: delete files at the destination that no longer exist at the source
--checksum: decide whether to skip a file based on its checksum instead of size and modification time
Representation of the backup source:
When performing a remote synchronization task, the rsync command must specify the resource location on the backup source server. There are two ways to write an rsync daemon source:
username@host::module_name
rsync://username@host/module_name
rsync -avz backuper@192.168.200.123::wwwroot /root
rsync -avz rsync://backuper@192.168.200.123/wwwroot /root
Non-interactive authentication with the rsync backup source
1, Store the password in the RSYNC_PASSWORD environment variable. rsync reads this variable automatically when the command is executed and sends it to the server when authentication is required.
export RSYNC_PASSWORD=pwd123
rsync -avzH --delete backuper@192.168.200.123::wwwroot /myweb
2, Specify a file holding the password with the --password-file option
vim /etc/server.pass
pwd123
chmod 600 /etc/server.pass
rsync -avzH --delete --password-file=/etc/server.pass rsync://backuper@192.168.200.123/wwwroot /myweb
Of the two ways to avoid interaction with the source, storing the password in an environment variable is the less secure: the variable is inherited by every child process, can be read from the process environment, and the export line ends up in shell history. The password file is preferred; keep it mode 600 and owned by the user running the backup, and keep any script that references it under equally strict permissions to prevent disclosure. rsync itself refuses a password file that other users can read.
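The two points above (a password file that nobody else can read, and no password in the environment) are exactly what a scheduled backup job should check before it runs. The following wrapper is an added example, not code from the original tutorial: it verifies the password file the way rsync does, refuses to run when RSYNC_PASSWORD is set, and only then calls rsync. RSYNC_BIN (defaulting to rsync) and the user/module/path arguments shown in the usage are placeholders taken from the tutorial's lab values.

```shell
#!/bin/bash
# Added example: guarded rsync daemon pull for cron jobs (not from the tutorial).
# Assumption: RSYNC_BIN points at the rsync binary; it defaults to "rsync".
RSYNC_BIN="${RSYNC_BIN:-rsync}"

# check_password_file FILE
# 0 if FILE is a regular file, owned by the caller, with no group/other bits set.
# Exit codes: 1 missing, 2 wrong owner, 3 group/other-accessible.
# rsync aborts on an "other-accessible" password file anyway; checking first
# gives a clear message in the cron mail instead of a failed transfer.
check_password_file() {
    local f="$1" mode owner
    [ -f "$f" ] || { echo "$f: missing or not a regular file" >&2; return 1; }
    owner=$(stat -c '%u' "$f")
    [ "$owner" = "$(id -u)" ] || { echo "$f: not owned by uid $(id -u)" >&2; return 2; }
    mode=$(stat -c '%a' "$f")          # octal mode, e.g. 600 or 1600
    case "$mode" in                    # last two digits are the group and other bits
        *00) return 0 ;;
        *)   echo "$f: mode $mode is group/other-accessible" >&2; return 3 ;;
    esac
}

# pull_module PASSFILE SOURCE DEST [extra rsync options...]
# Runs the pull only if the password file is safe and RSYNC_PASSWORD is unset,
# so the secret never appears in the environment of rsync or its children.
pull_module() {
    local passfile="$1" src="$2" dest="$3"
    shift 3
    if [ -n "${RSYNC_PASSWORD+x}" ]; then
        echo "RSYNC_PASSWORD is set in the environment; use --password-file instead" >&2
        return 4
    fi
    check_password_file "$passfile" || return $?
    "$RSYNC_BIN" -azH --delete --password-file="$passfile" "$@" "$src" "$dest"
}
```

In a cron entry the call would be `pull_module /etc/server.pass backuper@192.168.200.123::wwwroot /myweb`; a non-zero exit with the reason on stderr is what you want mailed to you, rather than a silent nightly failure because someone ran chmod 644 on the password file.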
Configuring rsync + inotify real-time synchronization
Starting with kernel 2.6.13, Linux provides the inotify notification interface for monitoring changes in the file system, such as files being accessed, deleted, moved, or having their content or attributes modified. With this mechanism, file change alerts, incremental backups, and other timely responses to directory or file changes can be implemented.
Combining inotify with the rsync tool gives triggered backups (real-time synchronization): as soon as a file in the source location changes, an incremental backup starts immediately; otherwise the monitor waits silently. This avoids the problems of fixed-period backups, where the interval is either too long (stale copies) or too short (wasted runs).
Because inotify is provided by the Linux kernel, it monitors the local machine only. It is therefore suited to triggered upstream (push) backups, where the monitored machine pushes its own changes to the backup server.
1, Adjust the inotify kernel parameters
The Linux kernel exposes three inotify tuning parameters by default:
cat /proc/sys/fs/inotify/max_queued_events      // length of the event queue per instance (default 16384)
cat /proc/sys/fs/inotify/max_user_instances     // maximum number of inotify instances per user (default 128)
cat /proc/sys/fs/inotify/max_user_watches       // maximum number of watched files and directories per user (default 8192)
When the monitored directory contains many files or changes frequently, increase these three values:
vim /etc/sysctl.conf
fs.inotify.max_queued_events = 16384
fs.inotify.max_user_instances = 1024
fs.inotify.max_user_watches = 1048576
sysctl -p
Install inotify-tools
inotify-tools mainly provides the inotifywait and inotifywatch tools for monitoring and summarizing file system changes.
Official site: http://inotify-tools.sourceforge.net
tar xf inotify-tools-3.14.tar.gz
cd inotify-tools-3.14
./configure && make && make install
Taking the website directory /var/www/html as an example: after running the inotifywait command below, make changes under /var/www/html in another terminal and the events are printed.
mkdir -p /var/www/html
inotifywait -mrq -e modify,create,move,delete,attrib /var/www/html/
-e specifies the events to monitor
-m monitor continuously
-r recurse into the whole directory
-q simplified output
Write the trigger synchronization script
Each line of inotifywait output records a directory, the event, and the file name, so the change can be identified. For simplicity, an upstream rsync synchronization is performed whenever any change is detected.
Note: when updates are frequent, avoid running several rsync backups concurrently. Either ignore a new event while an rsync process is already running, or use the number of running rsync processes to decide whether to synchronize (depending on the actual task).
On the server 192.168.200.123, change the module to writable (read only = no) so the client can push into it:
vim /etc/rsyncd.conf
uid = nobody
gid = nobody
use chroot = yes
address = 192.168.200.123
port = 873
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid
hosts allow = 192.168.200.0/24
[wwwroot]
path = /var/www/html
comment = Document Root of www.crushlinux.com
read only = no
dont compress = *.gz *.bz2 *.tgz *.zip *.rar *.z
auth users = backuper
secrets file = /etc/rsyncd_users.db
Restart the daemon so the new configuration takes effect, and give the daemon user (nobody) write access to the module directory, since uploads are written as that user:
kill $(cat /var/run/rsyncd.pid)
rsync --daemon
chown nobody:nobody /var/www/html/
vim /opt/inotify_rsync.sh
#!/bin/bash
# Watch the web root and push every change to the rsync daemon on the backup server
INOTIFY_CMD="inotifywait -mrq -e modify,create,move,attrib,delete /var/www/html/"
RSYNC_CMD="rsync -azH --delete --password-file=/etc/server.pass /var/www/html/ backuper@192.168.200.123::wwwroot"
$INOTIFY_CMD | while read DIRECTORY EVENT FILE
do
    # ignore the event if an rsync process is already running
    if [ $(pgrep -x rsync | wc -l) -le 0 ]
    then
        $RSYNC_CMD
    fi
done
To start the watcher at boot, append it to rc.local in the background (the loop never exits, so without the trailing & rc.local would hang) and make sure rc.local is executable, which it is not by default on CentOS 7 (chmod +x /etc/rc.d/rc.local):
echo "/bin/bash /opt/inotify_rsync.sh &" >> /etc/rc.local
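The script above reacts to every event, including the swap and backup files editors create and delete within a second, and its pgrep test only works if no other rsync is ever running on the client. The following is an added example (not code from the original tutorial) of a sturdier trigger loop: it filters inotifywait lines before acting on them and serialises runs with flock(1), so a second copy of the watcher (for instance one started from rc.local and one by hand) cannot start a parallel rsync. LOCKFILE, SRC and DEST are assumed placeholders; the transient-file patterns are a reasonable starting set, not an exhaustive list.

```shell
#!/bin/bash
# Added example: filtered, lock-protected inotify trigger loop (not from the tutorial).
# Assumed placeholders: LOCKFILE, SRC (watched directory), DEST (rsync daemon module).
LOCKFILE="${LOCKFILE:-/var/run/inotify_rsync.lock}"
SRC="${SRC:-/var/www/html/}"
DEST="${DEST:-backuper@192.168.200.123::wwwroot}"

# is_transient NAME
# 0 if NAME is a scratch file an editor or upload leaves behind only briefly
# (vim swap files, backup~ files, emacs lock files, partial downloads).
is_transient() {
    case "$1" in
        .*.swp|.*.swx|*~|.#*|*.tmp|*.part) return 0 ;;
        *) return 1 ;;
    esac
}

# filter_events: read inotifywait's default "dir event file" lines on stdin and
# pass through only those worth a sync. Events on the watched directory itself
# have an empty file field and are dropped as well.
filter_events() {
    local dir event file
    while read -r dir event file; do
        [ -n "$file" ] || continue
        is_transient "$file" && continue
        printf '%s %s %s\n' "$dir" "$event" "$file"
    done
}

# sync_once COMMAND...
# Run COMMAND while holding LOCKFILE. If another run already holds the lock,
# skip this one with exit 3 instead of queueing: the same "ignore the event
# while rsync is running" policy as the tutorial, but without pgrep.
sync_once() {
    (
        flock -n 9 || { echo "sync already running, event skipped" >&2; exit 3; }
        "$@"
    ) 9>"$LOCKFILE"
}

# watch_and_sync: monitor SRC and push to DEST on every relevant event (runs until killed).
watch_and_sync() {
    inotifywait -mrq -e modify,create,move,attrib,delete "$SRC" \
        | filter_events \
        | while read -r _dir _event _file; do
              sync_once rsync -azH --delete --password-file=/etc/server.pass "$SRC" "$DEST" || true
          done
}
```

Source the file and call watch_and_sync from rc.local (again with a trailing &); because the lock is taken with -n, a burst of events during a long transfer produces a few "event skipped" lines and one more sync afterwards, rather than a pile of competing rsync processes.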
To test, modify the /var/www/html directory on the machine running the script; as soon as an update happens, rsync is triggered and the change is uploaded to /var/www/html on the server 192.168.200.123.
The verification of triggered upstream synchronization is as follows:
1, run the inotify_rsync.sh script on the local machine
bash /opt/inotify_rsync.sh
2, create, rename, and modify entries under /var/www/html on the local machine
mkdir /var/www/html/aa
mv /var/www/html/aa /var/www/html/aaa
touch /var/www/html/abc.txt
3, check the changes in /var/www/html on the server
ls /var/www/html/
aaa abc.txt bb
Configuring an SSH backup source
Advantages: the remote connection is encrypted, backup privacy is improved, and it is easy to implement
Download: in downstream synchronization the backup source provides the files at their original location, and the initiating user must have read permission on them
Upload: in upstream synchronization the backup destination receives the files, and the initiating user must have write permission there
Configuration process
a, confirm the location of the backup source folder
b, prepare the user accounts that will perform the backup operations
Case
The website directory /var/www/html on 192.168.200.123 is the backup source
User down performs downstream (download) backups
User up performs upstream (upload) backups
192.168.200.123:
yum -y install httpd rsync
useradd up
echo "123456" | passwd --stdin up
useradd down
echo "123456" | passwd --stdin down
vim /etc/ssh/sshd_config
UseDNS no    // disable UseDNS to speed up SSH logins
systemctl restart sshd
Adjust the permissions of /var/www/html: user down needs read access and user up needs write access. It is recommended to make the upload user the owner of the backup directory and to grant the account the web service runs as (apache) the extra permissions it needs through an ACL:
chown -R up:up /var/www/html/
setfacl -R -m user:apache:rwx /var/www/html/
getfacl /var/www/html/
Description of the ACL (access control list) parameters
setfacl sets ACL permissions
getfacl displays ACL permissions
-R recursive
-m modify (set) an entry
-x remove a single entry
-b remove all entries
Note: the following two lines do not need to be executed; they are shown for understanding
setfacl -R -b /var/www/html              remove all ACL entries
setfacl -R -x user:apache /var/www/html/ remove only one ACL entry
So that apache also gets rwx on files created or uploaded under /var/www/html/ in the future, set a default ACL on the directory:
setfacl -m default:user:apache:rwx /var/www/html/
getfacl /var/www/html/ | grep default
SSH backup source representation:
username@host:target_path
Access the backup source over SSH and download it to the local /opt/ directory
rsync -avz down@192.168.200.123:/var/www/html/ /opt/
SSH downstream synchronization of the backup source
Synchronize the folder /var/www/html on server A with the folder /wwwroot on B (preserving file permissions and attributes, soft and hard links, and ACLs; deleting redundant files in /wwwroot; the transfer is encrypted). -A is needed for the ACLs, -H for the hard links:
mkdir -p /wwwroot
rsync -avzAH --delete down@192.168.200.123:/var/www/html/ /wwwroot
Running the same remote synchronization task again performs an incremental update automatically; files that are unchanged are not copied again.
192.168.200.123:
cd /var/www/html/
for i in {1..10};do touch $i.txt;done
192.168.200.124:
rsync -avzAH --delete down@192.168.200.123:/var/www/html/ /wwwroot
SSH upstream synchronization of the backup source
Upload the client's anaconda-ks.cfg file to the /var/www/html directory on the backup source server. Because the user up is not root, options such as -g and -o (which set group and owner on the destination) cannot be used, so -a is replaced with -rl:
cd /root
rsync -rlvz --delete anaconda-ks.cfg up@192.168.200.123:/var/www/html
Non-interactive authentication with the SSH backup source: because the script is run by crond on a schedule, there is no user present to type a password when prompted.
Create a key pair on the 192.168.200.124 host and send the public key to the backup users on the backup server 192.168.200.123, so that logins no longer require interaction.
Create the key pair:
ssh-keygen -t rsa
Copy the public key to the server:
ssh-copy-id up@192.168.200.123
ssh-copy-id down@192.168.200.123
Connection test (no password prompt should appear):
rsync -avzAH --delete down@192.168.200.123:/var/www/html/ /wwwroot
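ssh-copy-id installs the key with no restrictions, so whoever holds the client's private key gets a full shell as up or down on the backup server. The usual hardening is to prepend a forced command to the authorized_keys line so the key can only run rsync against the backup directory; rsync ships a helper for exactly this, rrsync (support/rrsync in the rsync source, installed as /usr/bin/rrsync in newer packages). The script below is an added example, not part of the original tutorial: it generates such a restricted line (read-only for down, read-write for up) and audits an authorized_keys file for keys that lack the restrictions. The rrsync path and the key text are assumptions; adjust RRSYNC to where the helper lives on your server.

```shell
#!/bin/bash
# Added example: restrict and audit backup keys in authorized_keys (not from the tutorial).
# Assumption: rrsync is installed at RRSYNC (defaults to /usr/bin/rrsync).
RRSYNC="${RRSYNC:-/usr/bin/rrsync}"

# restricted_key_line MODE DIR PUBKEY
# Print an authorized_keys line that forces rrsync on DIR for this key.
# MODE is "ro" (download only, for user down) or "rw" (for user up).
restricted_key_line() {
    local mode="$1" dir="$2" pubkey="$3" opt
    case "$mode" in
        ro) opt="-ro " ;;
        rw) opt="" ;;
        *)  echo "mode must be ro or rw" >&2; return 2 ;;
    esac
    case "$dir" in /*) ;; *) echo "dir must be an absolute path" >&2; return 2 ;; esac
    # no-pty and the no-*-forwarding options close the remaining shell-like
    # uses of the key; the forced command replaces whatever the client asks for.
    printf 'command="%s %s%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$RRSYNC" "$opt" "$dir" "$pubkey"
}

# is_restricted LINE
# 0 if an authorized_keys line carries a forced command and all four no-* options.
is_restricted() {
    local line="$1" o
    case "$line" in command=\"*\"*) ;; *) return 1 ;; esac
    for o in no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
        case "$line" in *"$o"*) ;; *) return 1 ;; esac
    done
    return 0
}

# unrestricted_keys FILE
# Print every key line in FILE that is not restricted (comments and blank
# lines are skipped). Returns 0 only if none were found.
unrestricted_keys() {
    local line n=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! is_restricted "$line"; then
            printf '%s\n' "$line"
            n=$((n + 1))
        fi
    done < "$1"
    [ "$n" -eq 0 ]
}
```

On the backup server, replace the line ssh-copy-id added with `restricted_key_line ro /var/www/html "$(cat backup.pub)"` for down and the rw form for up, then run `unrestricted_keys ~up/.ssh/authorized_keys` as a periodic check. With rrsync in place the client's commands above keep working, because rrsync passes the rsync server invocation through and refuses everything else, including an interactive login.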