Using OVH PCA with backupninja
Motivation
OVH offers cheap long-term storage for backup data, the Public Cloud Archive (PCA). PCA is a cold store for write-once data: objects are sealed after upload and have to be retrieved (unsealed) before they can be read again, which takes time. Incremental backups, however, have to read the manifest and signature files of the previous runs every time they run, so these small metadata files belong in a somewhat more expensive hot object store while the bulk volume data goes to PCA. duplicity supports exactly this split through its multi backend, and backupninja provides a standardized configuration for duplicity and runs it automatically on a schedule.
Prerequisites
On system to backup
- Enable sending of the backup status mails by installing an MTA.
- Install system dependencies
apt install librsync-dev gpg backupninja
- Make sure that every file containing secrets lives on an encrypted filesystem, e.g. LUKS or gocryptfs.
GPG
- Create a new secret key and note its passphrase. Keep the key private and on encrypted filesystems only! KEY_ID is the id of the key just generated.
gpg --quick-generate-key cloud@freedomhost.de
gpg --export-secret-key KEY_ID > private.key
- Make sure that the ~/.gnupg folder is on an encrypted filesystem on the server
- Copy the key to the server
scp private.key server:
- Import it into the local keyring on the server, then delete the exported copy (e.g. with shred -u), since it contains the unprotected secret key
gpg --allow-secret-key-import --import private.key
- Raise the trust level of the imported key to ultimate; otherwise gpg refuses to encrypt to it non-interactively:
# gpg --edit-key KEY_ID
> trust
> 5
> quit
On OVH
- Create new Public Cloud project
- Create a new user under Public Cloud → Project Management → Users & Roles
- Give the user the role ObjectStore operator
- Note username and password
- Get the tenant ID: click the three dots at the right of the user's row and choose Download OpenStack's RC file. Here you can select the region in which the PCA should be set up
- Note the value of OS_TENANT_ID in that file
Install python modules
- To get current releases, install the Python modules with pip rather than from the distribution packages:
pip3 install duplicity python-swiftclient python-keystoneclient fasteners
Configuration
- 3 files are used for this:
- /etc/backupninja.conf: here you set the time of day at which the backup runs and whom to send the status mails to. This file is pre-installed and quite self-explanatory
- /etc/ovh-config.json: holds the OVH credentials
- /etc/backup.d/20_ovh_pca.dup: configures duplicity for use by backupninja and contains the GnuPG passphrase
/etc/backup.d/20_ovh_pca.dup
- There is a full example for the duplicity configuration in /usr/share/doc/backupninja/examples/example.dup. Find a slightly pre-configured version here
- The most important options are:
options = --archive-dir /tmp --file-prefix-manifest 'hot_' --file-prefix-signature 'hot_' --file-prefix-archive 'cold_'
testconnect = no
[gpg]
sign = yes
encryptkey = GPGKEY
password = GPGKEYPASSWORD
[source]
include = SOMEDIR
include = SOMEOTHERDIR
[dest]
desturl = 'multi:///etc/ovh-config.json?mode=mirror&onfail=abort'
- The file-prefix options tag every manifest and signature file with hot_ and every data volume with cold_; the prefixes lists in /etc/ovh-config.json route each file to its store by these tags, so the two files must agree. mode=mirror with onfail=abort makes duplicity fail the run as soon as one of the two stores cannot be written.
- --archive-dir /tmp keeps duplicity's local cache of manifests and signatures in a world-writable directory whose contents may not survive a reboot or tmp cleanup; a root-only directory such as /var/cache/duplicity is the safer choice.
- As this file contains the key passphrase, it must be owned by root with mode 600 (backupninja checks the permissions of the files in /etc/backup.d).
/etc/ovh-config.json
- This is the credentials file for OVH: a JSON list with one entry per store (the Cloud Archive for the cold_ files and an Object Storage container for the hot_ files) as read by duplicity's multi backend. Get this template
- adapt the url keys to something meaningful, e.g. backedupserver1_cold and backedupserver2_hot. These will be the names of the Cloud Archive resp. Object Storage containers
- change PCA_TENANTID and SWIFT_TENANTID to the noted OS_TENANT_ID
- change PCA_USERNAME and SWIFT_USERNAME to the noted username
- do the same for the password and the region name
- make sure the file has minimal access rights, i.e. is readable by root only:
chmod 600 /etc/ovh-config.json
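The two configuration files have to agree with each other: the --file-prefix-* options in the .dup file decide which files carry the hot_ and cold_ tags, and the prefixes list of each backend in /etc/ovh-config.json decides which store receives them. As an added example that is not code from the original page, from backupninja or from duplicity, the Python script below builds the JSON from the values of the downloaded OpenStack RC file, writes it with mode 600 and cross-checks it against the options line of the .dup file. The RC contents and the credentials in it are constructed; the JSON keys description/url/env/prefixes of duplicity's multi backend and the PCA_AUTHURL, PCA_AUTHVERSION, SWIFT_AUTHURL and SWIFT_AUTHVERSION variable names are taken from the duplicity manual and are assumptions as far as this page is concerned.

```python
"""Build and sanity-check the duplicity multi-backend JSON for OVH PCA (cold)
and OVH Swift object storage (hot) used by the .dup file on this page.
Added example, not code from backupninja, duplicity or OVH. Assumed here
rather than taken from the page: duplicity's multi backend JSON keys
(description/url/env/prefixes) and the *_AUTHURL / *_AUTHVERSION variables."""
import json
import os
import shlex
import stat
import tempfile

# Constructed sample of an OpenStack RC file from the OVH panel; values are made up.
SAMPLE_RC = """#!/usr/bin/env bash
export OS_AUTH_URL=https://auth.cloud.ovh.net/v3/
export OS_IDENTITY_API_VERSION=3
export OS_USER_DOMAIN_NAME=${OS_USER_DOMAIN_NAME:-"Default"}
export OS_TENANT_ID=0123456789abcdef0123456789abcdef
export OS_USERNAME="user-AbCdEfGhIjKl"
export OS_REGION_NAME="GRA"
"""
# The options line of the .dup file on this page.
DUP_OPTIONS = ("--archive-dir /tmp --file-prefix-manifest 'hot_' "
               "--file-prefix-signature 'hot_' --file-prefix-archive 'cold_'")

def parse_rc(text):
    """Return the `export NAME=value` lines as a dict; ${VAR:-default} -> default."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export "):
            continue
        name, _, value = line[len("export "):].partition("=")
        if value.startswith("${") and ":-" in value and value.endswith("}"):
            value = value[value.index(":-") + 2:-1]
        env[name.strip()] = value.strip().strip("\"'")
    return env

def file_prefixes(options):
    """Map manifest/signature/archive to their --file-prefix-* values."""
    argv = shlex.split(options)
    found = {}
    for i, arg in enumerate(argv):
        if arg.startswith("--file-prefix-"):
            key, sep, value = arg[len("--file-prefix-"):].partition("=")
            found[key] = value if sep else (argv[i + 1] if i + 1 < len(argv) else "")
    return found

def build_config(rc, password, cold_container, hot_container):
    """Backend list: volumes (cold_) to pca://, metadata (hot_) to swift://."""
    def env(var):  # same credentials, different variable names per backend
        return [{"name": f"{var}_USERNAME", "value": rc["OS_USERNAME"]},
                {"name": f"{var}_PASSWORD", "value": password},
                {"name": f"{var}_AUTHURL", "value": rc["OS_AUTH_URL"]},
                {"name": f"{var}_AUTHVERSION", "value": rc.get("OS_IDENTITY_API_VERSION", "3")},
                {"name": f"{var}_TENANTID", "value": rc["OS_TENANT_ID"]},
                {"name": f"{var}_REGIONNAME", "value": rc["OS_REGION_NAME"]}]
    return [{"description": "OVH PCA, cold: backup volumes only",
             "url": f"pca://{cold_container}", "env": env("PCA"), "prefixes": ["cold_"]},
            {"description": "OVH object storage, hot: manifests and signatures",
             "url": f"swift://{hot_container}", "env": env("SWIFT"), "prefixes": ["hot_"]}]

def check_config(config, options):
    """Return routing problems (empty list = prefixes and backends agree).
    With mode=mirror a file goes to every backend whose prefixes match it, so each
    file type must hit exactly one store, each store must get something, and the
    files duplicity reads on every run (manifest, signature) must not be sealed in PCA."""
    problems, prefixes = [], file_prefixes(options)
    for kind in ("manifest", "signature", "archive"):
        if kind not in prefixes:
            problems.append(f"--file-prefix-{kind} not set")
            continue
        hits = [b["url"] for b in config if prefixes[kind] in b.get("prefixes", [])]
        if len(hits) != 1:
            problems.append(f"{kind} files go to {len(hits)} backends")
    for b in config:
        pfx = b.get("prefixes", [])
        if not any(v in pfx for v in prefixes.values()):
            problems.append(f"{b['url']} receives no files")
        if b["url"].startswith("pca://"):
            for kind in ("manifest", "signature"):
                if prefixes.get(kind) in pfx:
                    problems.append(f"{kind} files on cold store {b['url']}")
    return problems

def write_config(config, path):
    """Create the file root-only (0600) and refuse to overwrite an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo(password="made-up-password"):
    """Whole flow into a temporary directory; returns (file mode, problems)."""
    config = build_config(parse_rc(SAMPLE_RC), password, "backedupserver1_cold", "backedupserver1_hot")
    path = os.path.join(tempfile.mkdtemp(), "ovh-config.json")
    return write_config(config, path), check_config(config, DUP_OPTIONS)
```

On the server, feed the real RC file and password into build_config() and write to /etc/ovh-config.json instead of the temporary directory. A non-empty problem list means the backup would either mirror files into both stores or put manifests into PCA, where every incremental run would have to wait for an unseal; fix the prefixes before the first run rather than after the first full backup has been uploaded.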
backup
- do a test run with debug output (-d) immediately (-n) and check the output and the status mail:
backupninja -d -n
- afterwards backupninja starts the backup every day at the time configured in /etc/backupninja.conf
restore
- create an ovh-config.json file with the credentials, as for the backup
- run (preferably as root, so that file ownership can also be restored):
duplicity --file-prefix-manifest 'hot_' \
  --file-prefix-signature 'hot_' \
  --file-prefix-archive 'cold_' \
  --encrypt-key EXAMPLEKEYID \
  --sign-key EXAMPLEKEYID \
  --path-to-restore PATH/IN/BACKUP \
  restore 'multi:///PATH/TO/ovh-config.json?mode=mirror&onfail=abort' LOCAL/SUBFOLDER
- the file prefixes must be the same as at backup time, otherwise duplicity looks for the files in the wrong store. The secret key has to be in the keyring of the user running the restore, and duplicity asks for its passphrase (or reads it from the PASSPHRASE environment variable). The volumes come from the cold store, so the restore has to wait for PCA to unseal them and takes considerably longer than a backup run.