User Tools

Site Tools


rpi_backup_server:accueil

Poor man's Raspberry Pi backup server

As a geek, I always imagine worst-case scenarios. I was worried about my data I had at home. My laptop is backuped on my server, which hosts some other websites (this wiki), and family stuff (photos, mainly).

At first, I had an external hard drive that I would connect once every blue moon (I tried at least every two months), and I would then launch a bash script that would backup the server drives into the external HDD. That was great, but I needed two things:

  • The backups must be automated. As we say, if something is not automated, you'll end up not doing it.
  • Some physical security; what if someone broke into my house ?

The first point was easy, but if I left the HDD plugged in, if someone broke into my server, they just had to

 rm -rf /

to delete the backup; no good..

For the second point, sure, the server is screwed in the rack, but maybe that makes-it more valuable ? And what about floods, the house catching fire or EMPs (wink ;) ) ?

The first thought would be to assemble a simple computer, put an HDD inside it, an ask a friend to host it for me. But that's a bit dumb: for a backup box, you don't need very much “responsiveness” nor computing power: I don't want to waste energy for nothing.

So then I thought about using a Raspberry Pi: they're cheap, low power and noise-free. The final idea was to use an old 1U-rack case I had lying around: it'll be nicer, sturdier and “geekier” ;)

The installation

The enclosure

As you can see, the enclosure is quite spacy and nice

The HDD

Surprisingly, and against Murphy's law, the hard drive fit perfectly between the two holders. I just had to bend to shape 2 aluminium plates in order to secure the HDD in place. After that, I put on some shock absorbers to prevent vibration between the HDD and the case:

The Pi

As you know, the Pi is powered from a 5V supply, so that means that the box would need two PSU's from 230VAC to 12V and 5V. That's a bit dumb, so I took a simple switching supply (LM2596 based) that will step down the voltage from 12V to 5V. Also, I soldered the wires directly to the “expansion port”: that'll be more vibration proof than a USB micro connector.

I also added a red LED to make it nicer ;)

Holding the RPi to the case was challenging, but I realized that the case that Farnell gave with it's RPi's was quite good. So I glued-it to the case, and the Pi then fit really good ;)

The PSU

I didn't want to add a jack connection to the box in order to connect a wall power supply: I thought that having an IEC C13-type connector would be way cooler. So I took apart the 12V wall switching power supply and hooked-it to the connector:

Finally

It looks cool, without the front, don't you think ? ;)

Testing…

Finally, in it's temporary rack

And with some finishing touches The total power consumption is quite low (but I expected lower): 29W in full load, 9W with the disk spinning and a bit more than 2W in idle (disk “parked”).

Logical Architecture

HomeLAN - Server/Router - INTERNET - ForgeinRouter - BackupBox

BackupBox should initiate a VPN connexion to the server, which is publicly available.

Every night, the BB connects to the server ssh/rsync and retrieves the files to backup. The are night backups, two-nights old backups and week-old backups.

The server should NOT know the passphrase of the BB. Clients (aka me) sshing to the BB should use dual auth (keypair and passphase).

At each reboot, the BB sends data to the server concerning it's current network config. In case of a robbery, we still have a hope of retrieving the thing. The BB also asks for the disk-decryption key.

So we finally have:

VPN→SSH→RSYNC → HDD (ecryptfs or equivalent)

  • VPN: “plaintext” secret
  • SSH: initiated by the BB on a special backup account on the server
  • Ecryptfs password stored in RAM, and provided by the user (aka me) after each reboot

Some remarks

Compression is SLOW. Do not use-it !
With SCP (over plain ethernet, without VPN), I'm able to reach ~1.5MB/s from disk to disk on small files, which is “reasonable”. If you enable compression, you drop to 1.0MB/s (and more latency).

If you make a big file (p. eg. a TAR archive), I can achieve speeds of 3.7MB/s.

Services configurés

Postfix as a relay/null client smartd client for HDD w/ mail sending munin for logs

Bash Scripts

server_start.sh
#!/bin/bash                                                           
 
cd /root/scripts
 
./send_ip_mail.sh
./notify_ask_pwd.sh
openvpn /etc/openvpn/tunnel_to_home.conf
notify_ask_pwd.sh
#!/bin/bash
 
sleep 40
#wait for IP
 
echo -e "I need my ecryptfs password !" | mail -s "/!\\[Backup box]: Ecrpytfs pwd" MY@EMAIL.TLD
unlock-passes.sh
#!/bin/bash
 
echo -n "Entrez MDP ecryptfs: "
read ecryptfs_pwd
 
echo $ecryptfs_pwd > /dev/shm/ecryptfs_pwd
 
/mnt/DDp2/mount-ecryptfs.sh
mount-ecryptfs
#!/bin/bash
 
PASS_FILE=/dev/shm/ecryptfs_pwd
EDIR=/mnt/DDp2/.crypted
DIR=/mnt/DDp2/crypted
 
PASS=$(cat $PASS_FILE)
cd /mnt/DDp2
 
#modprobe ecryptfs
mount -t ecryptfs \
-o key=passphrase,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=no,passwd=$(echo $PASS) \
.crypted crypted
 
rm $PASS_FILE
backup_srv.sh
#!/bin/bash
set -x
 
## SSH FORWARDING STUFF: make a tunnel into the main server and to the rsync port
ssh -N -T -L 8733:localhost:873 villaro-dixon-BCK &
#NB: rsync only allows **/** copies from localhost and authentified
SSHID=$!
sleep 10
 
trap kill $SSHID
 
 
cd /mnt/DDp2/crypted/villaro-dixon.eu/
 
RS_PWD=/mnt/DDp2/crypted/rsync/password-backup-box
RS_EXCLUDE=/mnt/DDp2/crypted/villaro-dixon.exclude
 
DAY0=`date -I`
DAY1=`date -I -d "1 day ago"`
 
BCK_RO="/mnt/DDp2/crypted/villaro-dixon.eu/"
TRG="$BCK_RO$DAY0"
LNK="$BCK_RO$DAY1"
 
OPT="-avpt --delete --port 8733 --password-file $RS_PWD --exclude-from=$RS_EXCLUDE --link-dest=$LNK"
 
rsync $OPT backupbox@localhost::backup_box/ $TRG
 
 
#Now, delete old backups, to be sure...
DAY30=`date -I -d "30 days ago"`
DAY31=`date -I -d "31 days ago"`
DAY32=`date -I -d "32 days ago"`
if [ -d /backup/website/$DAY30 ]; then
        rm /backup/website/$DAY30
fi
if [ -d /backup/website/$DAY31 ]; then
        rm /backup/website/$DAY31
fi
if [ -d /backup/website/$DAY32 ]; then
        rm /backup/website/$DAY32                                                                                                                                                       
fi
 
kill $SSHID
 
exit
.ssh/config
IdentityFile /mnt/DDp2/crypted/ssh/id_rsa

Discussion

Enter your comment. Wiki syntax is allowed:
GOELG
 
rpi_backup_server/accueil.txt · Last modified: 2014/02/08 18:05 by frank