Research and Development Network

h1. AFS Backups

h2. Software and instructions

* BackupAFS at UNC

** http://www.physics.unc.edu/~stephen/BackupAFS/

h2.  Installation at DevNet

Based upon directions at http://www.physics.unc.edu/~stephen/BackupAFS/

# Open up firewall on SSL and normal web ports on eir.dev.ru.is

# Become root

<pre> sudo su -</pre>

# Install the openafs client

<pre>apt-get -y install krb5-auth-dialog krb5-user krb5-clients libpam-ccreds libpam-krb5 build-essential dkms linux-headers-`uname -r` openafs-modules-dkms openafs-{client,krb5}</pre>

# Diable AFS backups (bos)

## TODO

# Install prerequisites

<pre>sudo apt-get install apache2 libapache2-mod-auth-kerb postfix pigz libxml-rss-perl</pre>

# Stop apache

<pre>service apache2 stop</pre>

# Create a backup user and give (foley) remote access to it

<pre>adduser --home /home/backupafs --shell /bin/bash backupafs

echo foley@DEV.RU.IS > /home/backupafs/.k5login</pre>

# Create a location for the backups (or mount a drive here if you already have one)

<pre>mkdir -p /srv/backupafs

chown backupafs:backupafs /srv/backupafs

chmod 700 /srv/backupafs</pre>

# Grab the backupafs package  http://www.sourceforge.net/projects/backupafs.  Alternatively, copy it from/afs/dev.ru.is/service/backupafs/SVN/src/BackupAFS-1.0.0

<pre>cp -rp /afs/dev.ru.is/service/backupafs/SVN/src/BackupAFS-1.0.0 /home/backupafs/

cd /home/backupafs/BackupAFS-1.0.0</pre>

# Run the install script

<pre>perl configure.pl</pre>

** Install directory: @/usr/local@

** Data directory: @/srv/backupafs@

** CGI-bin @/var/www/vhosts/backupafs/cgi-bin@

** Apache image directory @/var/www/vhosts/backupafs/htdocs/images@

** URL for image directory @/images@

** Ignore the gentoo warning, unless you are running gentoo.

# copy the site script (and adjust) into the apache configs and enable it

<pre>cp /afs/dev.ru.is/service/backupafs/SVN/conf/001-backupafs  /etc/apache2/sites-available/.

a2ensite 001-backupafs</pre>

# Create a HTTP keytab for kerberized access.  This example assumes your hostname is @bor.dev.ru.is@

<pre>admin

Authenticating as principal foley/admin@DEV.RU.IS with password.

Password for foley/admin@DEV.RU.IS: 

kadmin:  ank -randkey HTTP/bor.dev.ru.is

WARNING: no policy specified for HTTP/bor.dev.ru.is@DEV.RU.IS; defaulting to no policy

Principal "HTTP/bor.dev.ru.is@DEV.RU.IS" created.

kadmin:  ktadd -k /etc/BackupAFS/krb5.keytab HTTP/bor.dev.ru.is

Entry for principal HTTP/bor.dev.ru.is with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/BackupAFS/krb5.keytab.

Entry for principal HTTP/bor.dev.ru.is with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/BackupAFS/krb5.keytab.

Entry for principal HTTP/bor.dev.ru.is with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/BackupAFS/krb5.keytab.

Entry for principal HTTP/bor.dev.ru.is with kvno 2, encryption type des-cbc-crc added to keytab WRFILE:/etc/BackupAFS/krb5.keytab.

kadmin:  quit

</pre>

# Fix owner and permissions on keytab

<pre>cd /etc/BackupAFS/

/etc/BackupAFS# chown backupafs:backupafs krb5.keytab

/etc/BackupAFS# chmod 600 krb5.keytab </pre>

# Set administrator users yb adding them to the $Conf{CgiAdminUsers} variable in /etc/BackupAFS/config.pl. Separate multiple users with spaces.

<pre>$Conf{CgiAdminUsers} = 'foley@DEV.RU.IS';</pre>

# Turn on SSL

<pre>a2enmod ssl</pre>

# Set the apache server to run as backupafs instead of www-data.  Look for @APACHE_RUN_USER@ and @APACHE_RUN_GROUP@ in

@/etc/apache2/envvars@

emacs /etc/apache2/envvars

</pre>

** export APACHE_RUN_USER=backupafs

**export APACHE_RUN_GROUP=backupafs

# start up the webserver

<pre>service apache2 start</pre>

# setup the init scripts and start the daemon.  Set the script to be executable for convenince

<pre>cp /home/backupafs/BackupAFS-1.0.0/init.d/debian-backupafs /etc/init.d/backupafs

update-rc.d backupafs defaults

/bin/sh /etc/init.d/backupafs start

chmod 755 /etc/init.d/backupafs</pre>

# setup the AFS keys.  Keep these keys secure!

<pre>mkdir -p /etc/openafs/server

chmod 700 /etc/openafs/server

cd /etc/openafs

cp -r root@afsfs1.dev.ru.is:/etc/openafs/server /etc/openafs

cd server

chown -R backupafs:backupafs .

chmod 700 KeyFile

</pre>

h2. Emails and notifications

# Become backupafs

<pre> su backupafs</pre>

# Test all the command line options

<pre>/usr/local/bin/BackupAFS_serverMesg status info

/usr/local/bin/BackupAFS_serverMesg jobs

/usr/local/bin/BackupAFS_serverMesg volsets

</pre>

# Check email delivery

<pre>BackupAFS_sendEmail -u MYNAME@MYDOMAIN.COM</pre>

## Check the list delivery

<pre>BackupAFS_sendEmail -u devnet-backup@list.ru.is</pre>

# Setup a nightly check to see if the script is still running

**<pre>crontab -e</pre>

** Add these lines

<pre># This checks if the backupafs script is running and sends email if not

59 23 * * * /usr/local/bin//BackupAFS_sendEmail -c</pre>

h2. Tweaks

h3. Fixing the logo

# Grab the DevNet logo from @/afs/dev.ru.is/project/devnet/Public/logo@  There is a convenience link in the backupafs area.

<pre>cp /afs/dev.ru.is/service/backupafs/logo/devnet

</pre>

h2. Migrating from old backup server

* Rsync the old backups

<pre>sudo su -

rsync -avux root@backupafs.dev.ru.is:/srv/backupafs /srv

</pre>

* Grab the config and the Vollist from @/etc/BackupAFS@.  Alternatively grab the ones from AFS in @/afs/dev.ru.is/service/software/backupafs/svn/config@

h2. Reference

* http://linuxbox.com/drupal/files/downloads/afs_backup_afsbp2005.pdf