title | description | date |
---|---|---|
Using OVH PCA with backupninja | Accessing the OVH Public cloud archive with the automated backup tool backupninja using its duplicity backend | 2022-03-03 |
Motivation
OVH provides a cheap way to store backup data long-term, the Public Cloud Archive (PCA). As this is for write-once data (cold data store), it needs to be used together with a slightly more expensive hot data store for metadata when used for sequential backups. The backup solution duplicity is capable of using such multi backends. backupninja provides a nice solution for a standardized configuration of duplicity and for running it automatically.
Prerequisites
On system
- Enable email sending for backup status mails by installing an MTA.
- Install system dependencies
apt install librsync-dev gpg backupninja
- Make sure to have disk encryption enabled for all files containing secrets, e.g. with LUKS or gocryptfs
GPG
- Create a new secret key. Note the password. Keep this private and on encrypted filesystems only!
gpg --quick-generate-key cloud@freedomhost.de
gpg --export-secret-keys KEY_ID > private.key
- Make sure that the ~/.gnupg folder is on an encrypted filesystem on the server
- Copy the key to the server
scp private.key server:
- Import it in the local keyring on server
gpg --allow-secret-key-import --import private.key
- Increase trust level:
# gpg --edit-key KEY_ID
> trust
> 5
> quit
On OVH
- Create a new user under Cloud Archive → Project Management → Users & Roles
  - Give the user the role ObjectStore operator
  - Note username and password
- Get the TenantID
  - Click the 3 dots on the right of the user's row. Click Download OpenStack's RC file. Here you can select a region where the PCA should be set up
  - Note the OS_TENANT_ID; here you can also extract OS_USERNAME and OS_REGION_NAME
Installation
- Be sure to have at least version 0.8.21 of duplicity
pip3 install 'duplicity>=0.8.21' python-swiftclient python-keystoneclient
Configuration
- 3 files are used for this:
  - /etc/backupninja.conf: Here you can set the time of day when the backup should be run, and to whom to send status emails. This file is pre-installed and quite self-explanatory
  - /etc/ovh-config.json for holding the OVH credentials
  - /etc/backup.d/20_ovh_pca.dup for configuring duplicity for backupninja usage; it contains gnupg secrets.
/etc/backup.d/20_ovh_pca.dup
- There is a full example for duplicity configuration in /usr/share/doc/backupninja/examples/example.dup; find a slightly preconfigured version here
- The most important options are:
options = --volsize 200 --archive-dir /tmp --file-prefix-manifest 'hot_' --file-prefix-signature 'hot_' --file-prefix-archive 'cold_'
testconnect = no
[gpg]
sign = yes
encryptkey = GPGKEY
password = GPGKEYPASSWORD
[source]
include = SOMEDIR
include = SOMEOTHERDIR
[dest]
desturl = 'multi:///etc/ovh-config.json?mode=mirror&onfail=abort'
/etc/ovh-config.json
- This is the credentials file for OVH. Get this template
  - adapt the url keys to something meaningful, e.g. backedupserver1_cold and backedupserver2_hot. These will be the names of the Cloud Archives resp. Object Stores
  - change PCA_TENANTID and SWIFT_TENANTID to the noted OS_TENANT_ID
  - change PCA_USERNAME and SWIFT_USERNAME to the noted OS_USERNAME
  - do the same for password and region name
- Ensure minimal access rights with chmod 600
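A pre-flight check for the credentials file described above, as an added example that is not part of the original guide or of duplicity: it verifies the 600 mode and that hot_ files go only to the object store while cold_ files go only to the PCA. The JSON layout (url, prefixes, env entries with name and value) follows duplicity's multi backend; the pca:// and swift:// URL schemes, the function names and all sample values are assumptions.

```python
import json, os, stat, tempfile

# Prefixes from the duplicity options above: manifests and signatures are "hot_",
# archive volumes are "cold_". The expected URL scheme per prefix is an assumption.
REQUIRED = {"hot_": "swift", "cold_": "pca"}

def check_multi_config(path, required=REQUIRED):
    """Return a list of problems found in a duplicity multi-backend JSON file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o}: accessible to group/other, expected 600")
    with open(path) as fh:
        backends = json.load(fh)
    routed = {}  # prefix -> set of URL schemes that receive files with it
    for b in backends:
        url = b.get("url", "")
        scheme = url.split("://", 1)[0]
        if not b.get("prefixes"):
            problems.append(f"{url}: no prefixes, so this backend receives every file")
        for p in b.get("prefixes", []):
            routed.setdefault(p, set()).add(scheme)
        for var in b.get("env", []):
            if not var.get("value"):
                problems.append(f"{url}: {var.get('name')} is empty")
    for prefix, scheme in required.items():
        got = routed.get(prefix, set())
        if got != {scheme}:
            problems.append(f"prefix {prefix} goes to {sorted(got) or 'no backend'}, expected only {scheme}")
    return problems

def write_sample(prefixes_for_pca, mode, swift_user="EXAMPLE_USER"):
    """Write a constructed sample config (all values are placeholders); return its path."""
    cfg = [
        {"url": "pca://backedupserver1_cold", "prefixes": prefixes_for_pca,
         "env": [{"name": "PCA_USERNAME", "value": "EXAMPLE_USER"}]},
        {"url": "swift://backedupserver2_hot", "prefixes": ["hot_"],
         "env": [{"name": "SWIFT_USERNAME", "value": swift_user}]},
    ]
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    for p in check_multi_config(write_sample(["cold_", "hot_"], 0o644, swift_user="")):
        print("PROBLEM:", p)
```

On a real host, call check_multi_config("/etc/ovh-config.json") as root before the first backupninja run.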
Testing
- Do a test run
backupninja -d -n