bashclub/bashclub-zfs-push-pull
1
0
Fork 0
mirror of https://github.com/bashclub/bashclub-zfs-push-pull.git synced 2025-10-31 03:22:26 +01:00
Code Issues Projects Releases Wiki Activity

ssh mode: use forced backup-zfs-shell

Browse Source 
Ensure the backup connection to the SSH server can't do anything other
than designed. Uses ssh's authorized_keys command= statement to launch
backup-zfs-shell, which then supports only the handful of operations
required to perform backups.

$destpath is no longer used, but still included in the documentation
until it can be entirely written out.
This commit is contained in:
Kevin McCormick
2017-03-09 11:55:57 -08:00
parent afb2b924ba
commit 720754a504
2 changed files with 43 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
backup-zfs
View File

@@ -148,7 +148,7 @@ if $tossh ; then
### get newest snapshot on dest - it must exist on src ### get newest snapshot on dest - it must exist on src
### ###
#last="$(ZFS "$desthost" list -d 1 -t snapshot -H -S creation -o name $destfs/$srcbase | head -n1 | cut -f2 -d@)" #last="$(ZFS "$desthost" list -d 1 -t snapshot -H -S creation -o name $destfs/$srcbase | head -n1 | cut -f2 -d@)"
last="$(ssh "$desthost" cat "$destpath/.last")" last="$(ssh "$desthost" zfslast)"
### ###
### send ### send
@@ -166,14 +166,14 @@ if $tossh ; then
if [[ -n $gpgid ]] ; then if [[ -n $gpgid ]] ; then
ZFS "$srchost" send $send_opts -R -I "$last" "$cur" \ ZFS "$srchost" send $send_opts -R -I "$last" "$cur" \
| gpg --trust-model always --encrypt --recipient "$gpgid" \ | gpg --trust-model always --encrypt --recipient "$gpgid" \
| ssh "$desthost" "cat > \"$destpath/${tag}_$date.zfssnap.gpg\"" \ | ssh "$desthost" zfswrite "${tag}_$date.zfssnap.gpg" \
|| die $? "zfs incremental send failed" || die $? "zfs incremental send failed"
ssh "$desthost" "echo \"$snap\" > \"$destpath/.last\"" ssh "$desthost" zfslast "$snap"
else else
ZFS "$srchost" send $send_opts -R -I "$last" "$cur" \ ZFS "$srchost" send $send_opts -R -I "$last" "$cur" \
| ssh "$desthost" "cat > \"$destpath/${tag}_$date.zfssnap\"" \ | ssh "$desthost" zfswrite "${tag}_$date.zfssnap" \
|| die $? "zfs incremental send failed" || die $? "zfs incremental send failed"
ssh "$desthost" "echo \"$snap\" > \"$destpath/.last\"" ssh "$desthost" zfslast "$snap"
fi fi
fi fi
@@ -201,13 +201,13 @@ elif $fromssh ; then
### ###
log "receiving incremental snapshot from $src to $dest" log "receiving incremental snapshot from $src to $dest"
#ZFS "$srchost" send $send_opts -R -I "$last" "$cur" | ZFS "$desthost" receive $recv_opts -Fue "$destfs" || die $? "zfs incremental send failed" #ZFS "$srchost" send $send_opts -R -I "$last" "$cur" | ZFS "$desthost" receive $recv_opts -Fue "$destfs" || die $? "zfs incremental send failed"
for file in $(ssh "$srchost" "find \"$srcpath\" -name \"*.zfssnap\" -o -name \"*.zfssnap.gpg\"") ; do for file in $(ssh "$srchost" zfsfind "$srcpath" | sort) ; do
if [[ $file =~ \.gpg$ ]] ; then if [[ $file =~ \.gpg$ ]] ; then
ssh "$srchost" "cat \"$file\"" | gpg | ZFS "$desthost" receive $recv_opts -Fue "$dest" \ ssh "$srchost" zfsget "$file" | gpg | ZFS "$desthost" receive $recv_opts -Fue "$dest" \
&& ssh "$srchost" "rm \"$file\"" && ssh "$srchost" rm "$file"
else else
ssh "$srchost" "cat \"$file\"" | ZFS "$desthost" receive $recv_opts -Fue "$dest" \ ssh "$srchost" zfsget "$file" | ZFS "$desthost" receive $recv_opts -Fue "$dest" \
&& ssh "$srchost" "rm \"$file\"" && ssh "$srchost" rm "$file"
fi fi
done done

33
backup-zfs-shell Executable file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
# A restricted shell for backup-zfs's SSH mode. Must be installed on the
# SSH server, and then configured with command="/path/to/backup-zfs-shell"
# in the user's authorized_keys file.
# TODO: tag & dest should support better customization
dest=zfssnap.nobackup
tag=frodo
case "$SSH_ORIGINAL_COMMAND" in
zfslast)
exec cat $dest/.last ;;
zfslast\ ${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9])
exec echo "${SSH_ORIGINAL_COMMAND/zfslast /}" > "$dest/.last" ;;
zfswrite\ ${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9].zfssnap.gpg)
exec cat > "$dest/${SSH_ORIGINAL_COMMAND/zfswrite /}" ;;
zfswrite\ ${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9].zfssnap)
exec cat > "$dest/${SSH_ORIGINAL_COMMAND/zfswrite /}" ;;
zfsget\ $dest/${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9].zfssnap.gpg)
exec cat "${SSH_ORIGINAL_COMMAND/zfsget /}" ;;
zfsget\ $dest/${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9].zfssnap)
exec cat "${SSH_ORIGINAL_COMMAND/zfsget /}" ;;
zfsfind)
exec find "$dest" -name "*.zfssnap" -o -name "*zfssnap.gpg" ;;
rm\ $dest/${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9].zfssnap.gpg)
exec rm "${SSH_ORIGINAL_COMMAND/rm /}" ;;
rm\ $dest/${tag}_20[12][0-9]-[01][0-9]-[0-3][0-9]_[012][0-9]:[0-5][0-9]:[0-5][0-9].zfssnap)
exec rm "${SSH_ORIGINAL_COMMAND/rm /}" ;;
*)
echo "Command not allowed: $SSH_ORIGINAL_COMMAND" >&2
exit 1
;;
esac