BackupPC

 BackupPC

BackupPC Introduction

This documentation describes BackupPC version 1.02, released on 28 Oct 2001.

Overview

BackupPC is a high-performance, enterprise-grade system for backing up Linux and WinXX PCs and laptops to a server's disk. BackupPC is highly configurable and easy to install and maintain.

Given the ever decreasing cost of disks and raid systems, it is now practical and cost effective to backup a large number of machines onto a server's local disk or network storage. For some sites, this might be the complete backup solution. For other sites, additional permanent archives could be created by periodically backing up the server to tape.

Features include:

Backup Basics

Full Dump
A full dump is a complete dump of a share. BackupPC can be configured to do a full dump at a regular interval (often weekly). BackupPC can also be configured to keep a certain number of full backups, and to keep a smaller number of very old full backups.

Incremental Dump
An incremental dump is a dump of files that have changed (based on their modification time) since the last successful full dump. To be safe, BackupPC dumps all files that have changed since one hour prior to the start of the last successful full dump. BackupPC can also be configured to keep a certain number of incremental backups, and to keep a smaller number of very old incremental backups. (BackupPC does not support multi-level incremental dumps, although it would be easy to do so.)

BackupPC ``fills-in'' an incremental dump from the last complete dump so that it looks like a complete dump. This makes browsing and restoring backups easier.

Backup Policy
Based on your site's requirements you need to decide what your backup policy is. BackupPC is not designed to provide exact re-imaging of failed disks. See Limitations for more information.

BackupPC saves backups onto disk. Because of pooling you can relatively economically keep several weeks (perhaps months) of old backups. But BackupPC does not provide permanent storage to tape. Other Open Source applications can do this by backing up BackupPC's pool directories to tape.

At some sites the disk-based backup will be adequate, without a secondary tape backup. This system is robust to any single failure: if a client disk fails or loses files, the BackupPC server can be used to restore files. If the server disk fails, BackupPC can be restarted on a fresh file system, and create new backups from the clients. The chance of the server disk failing can be made very small by spending more money on increasingly better RAID systems.

At other sites a secondary tape backup will be required. This tape backup can be done perhaps weekly from the BackupPC pool file system.

One comment: in the US in particular, permanent backups of things like email are becoming strongly discouraged by lawyers because of discovery prior to possible litigation. Using BackupPC without tape backup allows recent file changes or losses to be restored, but without keeping a history more than a month or two old.

Resources

BackupPC home page
The BackupPC Open Source project is hosted on SourceForge. The home page can be found at: 
    http://backuppc.sourceforge.net

This page has links to the current documentation, the SourceForge project page and general information.

SourceForge project
The SourceForge project page is at: 
    http://sourceforge.net/projects/backuppc

This page has links to the current releases of BackupPC.

Mail lists
Two BackupPC mailing lists exist for announcements (backuppc-announce) and reporting information, asking questions, discussing development or any other topic relevant to BackupPC (backuppc-users).

You are encouraged to subscribe to either the backuppc-announce or backuppc-users mail list on sourceforge.net at either:

    http://lists.sourceforge.net/lists/listinfo/backuppc-announce
    http://lists.sourceforge.net/lists/listinfo/backuppc-users

The backuppc-announce list is moderated and is used only for important announcements (eg: new versions). It is low traffic. You only need to subscribe to one list: backuppc-users also receives any messages on backuppc-announce.

To post a message to the backuppc-users list, send an email to

    backuppc-users@lists.sourceforge.net

Do not send subscription requests to this address!

Other Programs of Interest
If you want to mirror linux or unix files or directories to a remote server you should look at rsync, http://rsync.samba.org.

Two popular open source packages that do tape backup are Amanda (http://www.amanda.org) and afbackup (http://sourceforge.net/projects/afbackup). Amanda can also backup WinXX machines to tape using samba. These packages can be used as backends to BackupPC to backup the BackupPC server data to tape.

Back to Top

Installing BackupPC

Requirements

BackupPC requires:

How much disk space do I need?

Here's one real example for an environment that is backing up 65 laptops. Each full backup averages 3.2GB. Each incremental backup averages about 0.2GB. Storing one full backup and two incremental backups per laptop is around 240GB of raw data. But because of the pooling of identical files, only 87GB is used. (In fact, since the incremental backups are ``filled-in'' with hard links to look like a complete backup, the server is effectively storing 195 complete backups averaging 3.2GB each, or 624GB in just 87GB of space.)

Here's a rule of thumb. Add up the C drive usage of all the machines you want to backup (210GB in the example above). This is a rough minimum space estimate that should allow a couple of full backups and at least half a dozen incremental backups per machine. Add some margin in case you add more machines or decide to keep more old backups.

Your actual mileage will depend upon the types of applications your users have and how common these applications are between machines.

For example, the Eudora email tool stores each mail folder in a separate file, and attachments are extracted as separate files. So in the sadly common case of a large attachment emailed to many recipients, Eudora will extract the attachment into a new file. When these machines are backed up, only one copy of the file will be stored on the server, even though the file appears in many different full or incremental dumps. In this sense Eudora is a ``friendly'' application from the point of view of backup storage requirements.

An example at the other end of the spectrum is Outlook. Everything (email bodies, attachments, calendar, contact lists) is stored in a single file, which often becomes huge. Any change to this file requires a separate copy of the file to be saved during backup. Outlook is even more troublesome, since it keeps this file locked all the time, so it cannot be read by smbclient whenever Outlook is running. See the Limitations section for more discussion of this problem.

Step 1: Getting BackupPC

Download the latest version from http://backuppc.sourceforge.net.

Step 2: Installing the distribution

After fetching BackupPC-1.02.tar.gz, run these commands as root:

    tar zxf BackupPC-1.02.tar.gz
    cd BackupPC-1.02
    perl configure.pl

You will be prompted for the full paths of various executables, and you will be prompted for the following information:

BackupPC user
It is best if BackupPC runs as a special user, eg backuppc, that has limited privileges. It is preferred that backuppc belongs to a system administrator group so that sys admin members can browse backuppc files, edit the configuration files and so on. Although configurable, the default settings leave group read permission on pool files, so make sure the BackupPC user's group is chosen restrictively.

Data Directory
You need to decide where to put the data directory, below which all the BackupPC data is stored. This needs to be a big file system.

On this installation, this is __TOPDIR__.

Install Directory
You should decide where the BackupPC scripts, libraries and documentation should be installed, eg: /opt/local/backuppc.

On this installation, this is __INSTALLDIR__.

Step 3: Setting up config.pl

After running configure.pl, browse through the config file, __INSTALLDIR__/conf/config.pl, and make sure all the default settings are correct. In particular, you will need to set the smb share password, backup policies and check the email message headers and bodies.

BackupPC needs to know the smb share user name and password for each PC. The user name is specified in $Conf{SmbShareUserName}. There are four ways to tell BackupPC the smb share password:

Placement and protection of the smb share password is a possible security risk, so please double-check the file and directory permissions. In a future version there will probably be support for encryption of this password, but a private key will still have to be stored in a protected place. Suggestions are welcome.

Step 4: Setting up the hosts file

The file __TOPDIR__/conf/hosts contains the list of hosts to backup.

Each line in the hosts file contains three fields, separated by white space:

Host name
If this host is a static IP address this must the machine's IP host name (ie: something that can be looked up using nslookup or DSN). If this is a DHCP host then the host name must be the netbios name of the machine. The host name should be in lower case.

DHCP flag
Set to 0 if this is a static IP address host. Otherwise, set to 1 for DHCP hosts.

User name
This should be the unix login/email name of the user who ``owns'' or uses this machine. This is the user who will be sent email about this machine, and this user will have permission to stop/start/browse/restore backups for this host.

The first non-comment line of the hosts file is special: it contains the names of the columns and should not be edited.

Here's a simple example of a hosts file:

    host        dhcp    user
    farside     0       craig
    larson      1       gary

The range of DHCP addresses to search is specified in $Conf{DHCPAddressRanges}.

Step 5: Running BackupPC

The installation contains an init.d backuppc script that can be copied to /etc/init.d so that BackupPC can auto-start on boot. See init.d/README for further instructions.

BackupPC should be ready to start. If you installed the init.d script, then you should be able to run BackupPC with:

    /etc/init.d/BackupPC start

Otherwise, just run

     __INSTALLDIR__/bin/BackupPC -d

as user __BACKUPPCUSER__. The -d option tells BackupPC to run as a daemon (ie: it does an additional fork).

Any immediate errors will be printed to stderr and BackupPC will quit. Otherwise, look in __TOPDIR__/log/LOG and verify that BackupPC reports it has started and all is ok.

Step 6: Talking to BackupPC

You should telnet to BackupPC to make sure it is listening. On linux, telnet tries to negotiate various things that BackupPC doesn't understand. The -K option appears to turn this off:

    telnet -K ServerHost ServerPort

eg:

    telnet -K farside 2359

where $Conf{ServerHost} and $Conf{ServerPort} are set in the configuration file. On Solaris a plain telnet should be fine.

You can request status information and start and stop backups using this interface. This interface is mainly provided for the CGI interface (and some of the BackupPC sub-programs use it too). But right now we just want to make sure BackupPC is happy. Each of these commands should produce some status output:

    status info
    status jobs
    status hosts

The returned values will be some hashes printed with Data::Dumper. The jobs status should initially show just BackupPC_trashClean. The hosts status should produce a list of every host you have listed in __TOPDIR__/conf/hosts.

You can also request that all hosts be queued:

    backup all

You can logout with:

    quit

Note that this socket interface is not secure: anyone can run this telnet command. The set of commands you can issue is restricted. In future versions there might be an authentication handshake using a shared private key. Comments are welcome.

At this point you should make sure the CGI interface works since it will be much easier to see what is going on. That's our next subject.

CGI interface

The CGI interface script is a powerful and flexible way to see and control what BackupPC is doing. It is written for an Apache server.

The CGI interface should have been installed by the configure.pl script in __CGIDIR__/BackupPC_Admin. BackupPC_Admin should have been installed as setuid to the BackupPC user, in addition to user and group execute permission. You should be very careful about permissions on BackupPC_Admin and directory __CGIDIR__: it is important that normal users cannot directly execute or change BackupPC_Admin, otherwise they can access backup files from any PC. You might need to change the group ownership of BackupPC_Admin to a group that Apache belongs to so that Apache can execute it (don't add ``other'' execute permission!).

BackupPC_Admin requires that users are authenticated by Apache. Specifically, it expects that Apache sets the REMOTE_USER environment variable when it runs. To do this you should create a .htaccess file in the cgi-bin directory that looks like:

    AuthGroupFile /etc/httpd/conf/group    # <--- change path as needed
    AuthUserFile /etc/http/conf/passwd     # <--- change path as needed
    AuthType basic
    AuthName "access"
    require valid-user

You will also need ``AllowOverride Indexes AuthConfig'' in the Apache httpd.conf file to enable the .htaccess file. Alternatively, everything can go in the Apache httpd.conf file inside a Location directive. The list of users and password file above can be extracted from the NIS passwd file.

Debugging Installation Problems

This section will probably grow based on the types of questions on the BackupPC mail list.

Assuming BackupPC can start correctly you should inspect __TOPDIR__/log/LOG for any errors. Assuming backups for a particular host start, you should be able to look in __TOPDIR__/pc/$host/LOG for error messages specific to that host.

The most likely problems will relate to connecting to the smb shares on each host. On each failed backup, a file __TOPDIR__/pc/$host/SmbERR will be created. This is the stderr output from smbclient. The first line will show the full smbclient command that was run. Based on the error messages you should figure out what is wrong. Possible errors on the server side are invalid host, invalid share name, bad username or password. Possible errors on the client side are misconfiguration of the share, username or password.

You should run smbclient manually and verify that you can connect to the host in interactive mode, eg:

    smbclient '\\hostName\shareName' -U userName

shareName should match the $Conf{SmbShareName} setting and userName should match the the $Conf{SmbShareUserName} setting.

You will be prompted for the password. You should then see this prompt:

    smb: \>

Verify that ``ls'' works and then type ``quit'' to exit.

Secondly, you should also verify that nmblookup correctly returns the netbios name. This is essential for DHCP hosts, and depending upon the setting of $Conf{FixedIPNetBiosNameCheck} might also be required for fixed IP address hosts too. Run this command:

    nmblookup -A hostName

Verify that the host name is printed. The output might look like:

    received 7 names
            DELLLS13        <00> -         P <ACTIVE> 
            DOMAINNAME      <00> - <GROUP> P <ACTIVE> 
            DELLLS13        <20> -         P <ACTIVE> 
            DOMAINNAME      <1e> - <GROUP> P <ACTIVE> 
            DELLLS13        <03> -         P <ACTIVE> 
            DELLLS13$       <03> -         P <ACTIVE> 
            CRAIG           <03> -         P <ACTIVE>

The first name, converted to lower case, is used for the host name.

Back to Top

BackupPC Design

Some Design Issues

Pooling common files
To quickly see if a file is already in the pool, an MD5 digest of the file length and contents is used as the file name in the pool. This can't guarantee a file is identical: it just reduces the search to often a single file or handful of files. A complete file comparison is always done to verify if two files are really the same.

Identical files on multiples backups are replaced by hard links. Hardlinks are used so that identical files all refer to the same physical file on the server's disk. Also, hard links maintain reference counts so that BackupPC knows when to deleted unused files from the pool.

The pooling system used by BackupPC is just a chained hash table stored on a (big) file system.

The hashing function
There is a tradeoff between how much of file is used for the MD5 digest and the time taken comparing all the files that have the same hash.

Using the file length and just the first 4096 bytes of the file for the MD5 digest produces some repetitions. One example: with 900,000 unique files in the pool, this hash gives about 7,000 repeated files, and in the worse case 500 files have the same hash. That's not bad: we only have to do a single file compare 99.2% of the time. But in the worse case we have to compare as many as 500 files checking for a match.

With a modest increase in CPU time, if we use the file length and the first 256K of the file we now only have 500 repeated files and in the worse case around 20 files have the same hash. Furthermore, if we instead use the first and last 128K of the file (more specifically, the first and eighth 128K chunks for files larger than 1MB) we get only 300 repeated files and in the worse case around 20 files have the same hash.

Based on this experimentation, this is the hash function used by BackupPC. It is important that you don't change the hash function after files are already in the pool. Otherwise your pool will grow to twice the size until all the old backups (and all the old files with old hashes) eventually expire.

To Compress or not?
Currently BackupPC saves disk space by pooling identical files among multiple backups. BackupPC does not compress files. The reason is the excessive CPU load. Each backup generates data at around 0.5-1MB/sec. Doing a decent job compressing this data stream takes 20-50% of the CPU time (eg, on my desktop machine), so running several parallel backups is not possible except on very fast machines.

On the other hand, uncompressing is often a factor of ten or so faster than compression. Since most of the time a newly backed up file is not unique (it is likely already in the pool), the pool comparison can be done by comparing the uncompressed pool file to the new file, rather than comparing the compressed new file to the pool. This is how BackupPC will efficiently implement compression. Compression should provide an additional 40% saving in pool size, at the expense of more CPU time (but a lot less CPU time than other backup systems that compress all incoming data).

As of version 1.02 most of the code is in place to support compression, so you should expect it soon.

BackupPC Operation

BackupPC reads the configuration information from __TOPDIR__/conf/config.pl. It then runs and manages all the backup activity. It maintains queues of pending backup requests, user backup requests and administrative commands. Based on the configuration various requests will be executed simultaneously.

As specified by $Conf{WakeupSchedule}, BackupPC wakes up periodically to queue backups on all the PCs. This is a four step process:

  1. BackupPC_queueAll is forked, and in the background it tells BackupPC all the PCs that should be backed up. It does this by reading the hosts file in __TOPDIR__/conf/hosts and writing the list of PCs to stdout. It also lists all the DHCP addresses.

  2. For each PC, BackupPC_dump is forked. Several of these may be run in parallel, based on the configuration. First a ping is done to see if the machine is alive. If this is a DHCP address, nmblookup is run to get the netbios name, which is used as the host name. The file __TOPDIR__/pc/$host/backups is read to decide whether a full or incremental backup needs to be run. If no backup is scheduled, or the ping to $host fails, then BackupPC_dump exits.

    The backup is done using samba's smbclient piped into BackupPC_tarExtract, extracting the dump into __TOPDIR__/pc/$host/new. The smbclient output is put into __TOPDIR__/pc/$host/SmbLOG.

    As BackupPC_tarExtract extracts the files from smbclient, it checks each file in the backup to see if it is identical to an existing file from any previous backup of any PC. It does this without needed to write the file to disk. If the file matches an existing file, a hardlink is created to the existing file in the pool. If the file does not match any existing files, the file is written to disk and the file name is saved in __TOPDIR__/pc/$host/NewFileList for later processing by BackupPC_link. BackupPC_tarExtract can handle arbitrarily large files and multiple candidate matching files without needing to write the file to disk in the case of a match. This significantly reduces disk writes (and also reads, since the pool file comparison is done disk to memory, rather than disk to disk).

    Based on the configuration settings, BackupPC_dump checks each old backup to see if any should be removed. Any expired backups are moved to __TOPDIR__/trash for later removal by BackupPC_trashClean.

  3. For each complete, good, backup, BackupPC_link is run. To avoid race conditions as new files are linked into the pool area, only a single BackupPC_link program runs at a time and the rest are queued.

    BackupPC_link reads the NewFileList written by BackupPC_dump and inspects each new file in the backup. It re-checks if there is a matching file in the pool (another BackupPC_link could have added the file since BackupPC_dump checked). If so, the file is removed and replaced by a hard link to the existing file. If the file is new, a hard link to the file is made in the pool area, so that this file is available for checking against each new file and new backup.

    Then, for incremental backups, hard links are made in the new backup to all files that were not extracted during the incremental backups. The means the incremental dump looks like a complete image of the PC (with the exception that files that were removed on the PC since the last full dump will still appear in the backup directory tree).

  4. BackupPC_trashClean is always run in the background to remove any expired backups. Every 5 minutes it wakes up and removes all the files in __TOPDIR__/trash.

    Also, once each night, BackupPC_nightly is run to complete some additional administrative tasks, such as cleaning the pool. This involves removing any files in the pool that only have a single hard link (meaning no backups are using that file). Again, to avoid race conditions, BackupPC_nightly is only run when there are no BackupPC_dump or BackupPC_link processes running.

BackupPC also listens for tcp connections on $Conf{ServerPort}, which is used by the CGI script BackupPC_Admin for status reporting and user-initiated backup or backup cancel requests.

Storage layout

BackupPC resides in three directories:

__INSTALLDIR__
Perl scripts comprising BackupPC reside in __INSTALLDIR__/bin, libraries are in __INSTALLDIR__/lib and documentation is in __INSTALLDIR__/doc.

__CGIDIR__
The CGI script BackupPC_Admin resides in this cgi binary directory.

__TOPDIR__
All of BackupPC's data (PC backup images, logs, configuration information) is stored below this directory.

Below __TOPDIR__ are several directories:

__TOPDIR__/conf
The directory __TOPDIR__/conf contains:
config.pl
Configuration file. See Configuration file below for more details.

hosts
Hosts file, which lists all the PCs to backup.

__TOPDIR__/log
The directory __TOPDIR__/log contains:
LOG
Current (today's) log file output from BackupPC.

LOG.0
Yesterday's log file output. Log files are aged daily, and old LOG files are deleted.

BackupPC.pid
Contains BackupPC's process id.

status.pl
A summary of BackupPC's status written periodically by BackupPC so that certain state information can be maintained if BackupPC is restarted. Should not be edited.

UserEmailInfo.pl
A summary of what email was last sent to each user, and when the last email was sent. Should not be edited.

__TOPDIR__/trash
Any directories and files below this directory are periodically deleted whenever BackupPC_trashClean checks. When a dump is aborted or when an old dump expires, BackupPC_dump simply moves the directory to __TOPDIR__/trash for later removal by BackupPC_trashClean.

__TOPDIR__/pool
All files from PC backups are stored below __TOPDIR__/pool. Each file's name is based an the MD5 hex digest of the file contents. Specifically, for files less than 256K, the file length and the entire file is used. For files up to 1MB, the file length and the first and last 128K are used. Finally, for files longer than 1MB, the file length, and the first and eighth 128K chunks for the file are used.

Each file is stored in a subdirectory X/Y/Z, where X, Y, Z are the first 3 hex digits of the MD5 digest.

For example, if a file has an MD5 digest of 123456789abcdef0, so the file is stored in __TOPDIR__/pool/1/2/3/123456789abcdef0.

The MD5 digest might not be unique (especially since not all the file's contents are used for files bigger than 256K). Different files that have the same MD5 digest are stored with a trailing suffix ``_n'' where n is an incrementing number starting at 0. So, for example, if two additional files were identical to the first, except the last byte was different, and assuming the file was larger than 1MB (so the MD5 digests are the same but the files are actually different), the three files would be stored as:

        __TOPDIR__/pool/1/2/3/123456789abcdef0
        __TOPDIR__/pool/1/2/3/123456789abcdef0_0
        __TOPDIR__/pool/1/2/3/123456789abcdef0_1

Both BackupPC_dump (actually, BackupPC_tarExtract) and BackupPC_link are responsible for checking newly backed up files against the pool. For each file, the MD5 digest is used to generate a file name in the pool directory. If the file exists in the pool, the contents are compared. If there is no match, additional files ending in ``_n'' are checked. (Actually, BackupPC_tarExtract compares multiple candidate files in parallel.) If the file contents exactly match, the file is created by simply making a hard link to the pool file (this is done by BackupPC_tarExtract as the dump proceeds). Otherwise, BackupPC_tarExtract writes the new file to disk and a new hard link is made in the pool to the file (this is done later by BackupPC_link).

Therefore, every file in the pool will have at least 2 hard links (one for the pool file and one for the backup file below __TOPDIR__/pc). Identical files from different backups or PCs will all be linked to the same file. When old backups are deleted, some files in the pool might only have one link. BackupPC_nighly checks the entire pool and removes all files that have only a single link, thereby recovering the storage for that file.

One other issue: zero length files are not pooled, since there are a lot of these files and on most file systems it doesn't save any disk space to turn these files into hard links.

__TOPDIR__/pc/$host
For each PC $host, all the backups for that PC are stored below the directory __TOPDIR__/pc/$host. This directory contains the following files:
LOG
Current log file for this PC from BackupPC_dump.

LOG.0
Last month's log file. Log files are aged monthly, and old LOG files are deleted.

SmbERR
Output from smbclient for the most recent failed backup.

new
Subdirectory in which the current backup is stored. This directory is renamed if the backup succeeds.

SmgLOG
Output from smbclient for the current backup.

nnn (an integer)
Successful backups are in directories numbered sequentially starting at 0.

SmbLOG.nnn
Output file from smbclient corresponding to backup number nnn.

backups
A tab-delimited ascii table listing information about each successful backup, one per row. The columns are:
num
The backup number, an integer that starts at 0 and increments for each successive backup. The corresponding backup is stored in the directory num (eg: __TOPDIR__/pc/$host/5).

type
Set to ``full'' or ``incr'' for full or incremental backup.

startTime
Start time of the backup in unix seconds.

endTime
Stop time of the backup in unix seconds.

nFiles
Number of files backed up (as reported by smbclient).

size
Total file size backed up (as reported by smbclient).

nFilesExist
Number of files that were already in the pool (as determined by BackupPC_dump and BackupPC_link).

sizeExist
Total size of files that were already in the pool (as determined by BackupPC_dump and BackupPC_link).

nFilesNew
Number of files that were not in the pool (as determined by BackupPC_link).

sizeNew
Total size of files that were not in the pool (as determined by BackupPC_link).

smbErrs
Number of errors or warnings from smclient.

smbBadFile
Number of errors from smclient that were bad file errors.

smbBadShare
Number of errors from smclient that were bad share errors.

Limitations

BackupPC isn't perfect. Here are some limitations of BackupPC:

Non-unix file attributes not backed up
smbclient doesn't extract the WinXX ACLs, so file attributes other than the minimal unix attributes are not backed up.

Unix file modification times are not preserved
Since identical files are pooled, modification times of files are not preserved. If a file is unique then the modification time will be correct.

Locked files are not backed up
Under WinXX a locked file cannot be read by smbclient. Such files will not be backed up.

This is especially troublesome for Outlook, which stores all its data in a single large file and keeps it locked whenever it is running. Since many users keep Outlook running all the time their machine is up their Outlook file will not be backed up. Sadly, this file is the most important file to backup. How do commercial backup systems solve this problem?

So far, the best that BackupPC can do is send warning emails to the user saying that their outlook files haven't been backed up in X days. (X is configurable.) The message invites the user to exit Outlook and gives a URL to manually start a backup.

I suspect there is a way of mirroring the outlook.pst file so that at least the mirror copy can be backed up. Or perhaps a manual copy can be started at login. Does some WinXX expert know how to do this?

Don't expect to reconstruct a complete drive
The conclusion from the last few items is that BackupPC is not intended to allow a complete disk to be re-imaged from the backup. Our approach to system restore in the event of catastrophic failure is to re-image a new disk from a generic master, and then use the BackupPC archive to restore user files.

Some tape backup systems aren't smart about hard links
If you backup the BackupPC pool to tape you need to make sure that the tape backup system is smart about hard links. For example, if you simply try to tar the BackupPC pool to tape you will backup a lot more data than is necessary.

Using the example at the start of the installation section, 65 hosts are backed up with each full backup averaging 3.2GB. Storing one full backup and two incremental backups per laptop is around 240GB of raw data. But because of the pooling of identical files, only 87GB is used. However, since the incremental backups are ``filled-in'' with hard links to look like a complete backup, the server is effectively storing 195 complete backups averaging 3.2GB each, or 624GB in just 87GB of space. If you run du or tar on the data directory, there will appear to be 624GB of data.

If your tape backup system is not smart about hard links an alternative is to periodically dump just the last successful dump for each host to tape. Supporting more efficient tape backup is an area for further development.

Incremental dumps might included deleted files
To make browsing and restoring backups easier, incremental dumps are ``filled-in'' from the last complete dump by adding hard links for all files that were not backed up during the incremental dump. This doesn't take much more disk space.

However, if a file was deleted by a user after the last full dump, that file will still appear in the ``filled-in'' incremental dump. This is not really a specific problem with BackupPC, rather it is a general issue with the full/incremental dump paradigm. This minor problem could be solved by having smblient list all files when it does the incremental dump. Volunteers anyone?

Comments or suggestions on these issues are welcome.

Security Issues

Please read this section and consider each of the issues carefully.

Smb share password
An important security risk is the manner in which the smb share passwords are stored. They are in plain text. As described in Step 3: Setting up config.pl there are four ways to tell BackupPC the smb share password (manually setting an environment variable, setting the environment variable in /etc/init.d/backuppc, putting the password in __TOPDIR__/conf/config.pl, or putting the password in __TOPDIR__/pc/$host/config.pl). In the latter 3 cases the smb share password appears in plain text in a file.

If you use any of the latter three methods please make sure that the file's permission is appropriately restricted. If you also use RCS or CVS, double check the file permissions of the config.pl,v file.

In future versions there will probably be support for encryption of the smb share password, but a private key will still have to be stored in a protected place. Comments and suggestions are welcome.

BackupPC socket server
Currently anyone can connect to BackupPC via port $Conf{ServerPort} on $Conf{ServerHost}. The commands that can be executed should all be benign. However, any user can start or stop a backup on any machine and put bogus messages in the log file through this interface.

A denial-of-service type attack is possible here. Someone could simply connect many times to this port, until BackupPC had exhausted all its file descriptors, and this would cause new backups and the CGI interface to fail.

In future versions there might be an authentication handshake using a shared private key. Comments and suggestions are welcome.

Installation permissions
It is important to check that the BackupPC scripts in __INSTALLDIR__/bin and __INSTALLDIR__/lib cannot be edited by normal users. Check the directory permissions too.

Pool permissions
It is important to check that the data files in __TOPDIR__/pool, __TOPDIR__/pc and __TOPDIR__/trash cannot be read by normal users. Normal users should not be able to see anything below __TOPDIR__.

Host shares
Enabling shares on hosts carries security risks. If you are on a private network and you generally trust your users then there should not be a problem. But if you have a laptop that is sometimes on public networks (eg: broadband or even dialup) you should be concerned. A conservative approach is to use firewall software, and only enable the netbios and smb ports (add these TBD) on connections from the host running BackupPC.

CGI interface
The CGI interface, __CGIDIR__/BackupPC_Admin, needs access to the pool files so it is installed setuid to __BACKUPPCUSER__. The permissions of this file need to checked carefully. It should be owned by __BACKUPPCUSER__ and have user and group (but not other) execute permission. To allow apache/httpd to execute it, the group ownership should be something that apache/httpd belongs to.

The Apache configuration should be setup for AuthConfig style, using a .htaccess file so that the user's name is passed into the script as $ENV{REMOTE_USER}.

If normal users could directly run BackupPC_Admin then there is a serious security hole: since it is setuid to __BACKUPPCUSER__ any user can browse and restore any backups. Be aware that anyone who is allowed to edit or create cgi scripts on your server can execute BackupPC_Admin as any user! They simply write a cgi script that sets $ENV{REMOTE_USER} and then execs BackupPC_Admin. The exec succeeds since httpd runs the first script as user httpd/apache, which in turn has group permission to execute BackupPC_Admin.

While this setup should be safe, a more conservative approach is to run a dedicated Apache as user __BACKUPPCUSER__ on a different port. Then BackupPC_Admin no longer needs to be setuid, and the cgi directories can be locked down from normal users.

Comments and suggestions are welcome.

Back to Top

Configuration File

The BackupPC configuration file resides in __TOPDIR__/conf/config.pl. Optional per-PC configuration files reside in __TOPDIR__/pc/$host/config.pl. This file can be used to override settings just for a particular PC.

Modifying the main configuration file

The configuration file is a perl script that is executed by BackupPC, so you should be careful to preserve the file syntax (punctuation, quotes etc) when you edit it. It is recommended that you use CVS, RCS or some other method of source control for changing config.pl.

BackupPC reads or re-reads the main configuration file in three cases:

Whenever you change the configuration file you can either do a kill -HUP BackupPC_pid or simply wait until the next regular wakeup period.

Each time the configuration file is re-read a message is reported in the LOG file, so you can tail it (or view it via the CGI interface) to make sure your kill -HUP worked. Errors in parsing the configuration file are also reported in the LOG file.

The optional per-PC configuration file (__TOPDIR__/pc/$host/config.pl) is read whenever it is needed by BackupPC_dump, BackupPC_link and others.

Back to Top

Configuration parameters

The configuration parameters are divided into four general groups. The first group (general server configuration) provides general configuration for BackupPC. The next two groups describe what to backup, when to do it, and how long to keep it. The fourth group are settings for the CGI interface.

All configuration settings in the second, third and fourth groups can be overridden by the per-PC config.pl file.

General server configuration

$Conf{ServerHost} = ``'';
Host name on which the BackupPC server is running.

$Conf{ServerPort} = 2359;
TCP port number on which the BackupPC server listens for and accepts connections.

$Conf{MyPath} = ``/bin:/usr/sbin:/usr/bin:/usr/local/bin'';
PATH setting for BackupPC. An explicit value is necessary for taint mode. Value shouldn't matter too much since all execs use explicit paths.

$Conf{UmaskMode} = 027;
Permission mask for directories and files created by BackupPC. Default value prevents any access from group other, and prevents group write.

$Conf{WakeupSchedule} = [1..23];
Times at which we wake up, check all the PCs, and schedule necessary backups. Times are measured in hours since midnight. Can be fractional if necessary (eg: 4.25 means 4:15am).

If the hosts you are backing up are always connected to the network you might have only one or two wakeups each night. This will keep the backup activity after hours. On the other hand, if you are backing up laptops that are only intermittently connected to the network you will want to have frequent wakeups (eg: hourly) to maximized the chance that each laptop is backed up.

Examples:

    $Conf{WakeupSchedule} = [22.5];         # once per day at 10:30 pm.
    $Conf{WakeupSchedule} = [1..23];        # every hour except midnight
    $Conf{WakeupSchedule} = [2,4,6,8,10,12,14,16,18,20,22];  # every 2 hours

$Conf{MaxBackups} = 4;
Maximum number of simultaneous backups to run. If there are no user backup requests then this is the maximum number of simultaneous backups.

$Conf{MaxUserBackups} = 4;
Additional number of simultaneous backups that users can run. As many as $Conf{MaxBackups} + $Conf{MaxUserBackups} requests can run at the same time.

$Conf{MaxPendingCmds} = 10;
Maximum number of pending link commands. New backups will only be started if there are no more than $Conf{MaxPendingCmds} plus $Conf{MaxBackups} number of pending link commands, plus running jobs. This limit is to make sure BackupPC doesn't fall too far behind in running BackupPC_link commands.

$Conf{MaxOldLogFiles} = 14;
Maximum number of log files we keep around in log directory. These files are aged nightly. A setting of 14 means the log directory will contain about 2 weeks of old log files, in particular at most the files LOG, LOG.0, LOG.1, ... LOG.13.

If you decrease this number after BackupPC has been running for a while you will have to manually remove the older log files.

$Conf{DfPath} = ``/bin/df'';
Full path to the df command. Security caution: normal users should not allowed to write to this file or directory.

$Conf{DfMaxUsagePct} = 95;
Maximum threshold for disk utilization on the __TOPDIR__ filesystem. If the output from $Conf{DfPath} reports a percentage larger than this number then no new regularly scheduled backups will be run. However, user requested backups (which are incremental backups and tend to be small) are still performed, independent of disk usage. Also, currently running backups will not be terminated when the disk usage exceeds this number.

$Conf{TrashCleanSleepSec} = 300;
How long BackupPC_trashClean sleeps in seconds between each check of the trash directory. Once every 5 minutes should be reasonable.

$Conf{DHCPAddressRanges} = [];
List of DHCP address ranges we search looking for PCs to backup. This is an array of hashes for each class C address range.

Examples:

   # to specify 192.10.10.20 to 192.10.10.250 as the DHCP address pool
   $Conf{DHCPAddressRanges} = [
       {
           ipAddrBase => "192.10.10",
           first => 20,
           last  => 250,
       },
   ];
   # to specify two pools (192.10.10.20-250 and 192.10.11.10-50)
   $Conf{DHCPAddressRanges} = [
       {
           ipAddrBase => "192.10.10",
           first => 20,
           last  => 250,
       },
       {
           ipAddrBase => "192.10.11",
           first => 10,
           last  => 50,
       },
   ];

$Conf{BackupPCUser} = ``'';
$Conf{CgiDir} = ``'';
$Conf{InstallDir} = ``'';
These configuration settings aren't used by BackupPC, but simply remember a few settings used by configure.pl during installation. These are used by configure.pl when upgrading to new versions of BackupPC.

What to backup and when to do it

$Conf{SmbShareName} = ``c'';
Name of the PC share that is backed up. This can be a string or an array of strings (eg: [``c'', ``d'']) if there are multiple shares per host.

$Conf{SmbShareUserName} = ``'';
Smbclient share user name. This is passed to smbclient's -U argument.

$Conf{SmbSharePasswd} = ``'';
Smbclient share password. This is passed to smbclient via the PASSWD environment variable. There are several ways you can tell BackupPC the smb share password. In each case you should be very careful about security. If you put the password here, make sure that this file is not readable by regular users! See the ``Setting up config.pl'' section in the documentation for more information.

$Conf{FullPeriod} = 6.97;
Minimum period in days between full backups. A full dump will only be done if at least this much time has elapsed since the last full dump, and at least $Conf{IncrPeriod} days has elapsed since the last successful dump.

Typically this is set slighty less than an integer number of days. The time taken for the backup, plus the granularity of $Conf{WakeupSchedule} will make the actual backup interval a bit longer.

$Conf{IncrPeriod} = 0.97;
Minimum period in days between incremental backups. (a user requested incremental backup will be done anytime on demand).

Typically this is set slighty less than an integer number of days. The time taken for the backup, plus the granularity of $Conf{WakeupSchedule} will make the actual backup interval a bit longer.

$Conf{FullKeepCnt} = 1;
Number of full backups to keep. Must be >= 1.

In the steady state, each time a full backup completes successfully the oldest one is removed. If this number is decreased, the extra old backups will be removed.

$Conf{FullKeepCntMin} = 1;
$Conf{FullAgeMax} = 60;
Very old full backups are removed after $Conf{FullAgeMax} days. However, we keep at least $Conf{FullKeepCntMin} full backups no matter how old they are.

$Conf{IncrKeepCnt} = 6;
Number of incrmental backups to keep. Must be >= 1.

In the steady state, each time an incr backup completes successfully the oldest one is removed. If this number is decreased, the extra old backups will be removed.

$Conf{IncrKeepCntMin} = 1;
$Conf{IncrAgeMax} = 28;
Very old incremental backups are removed after $Conf{IncrAgeMax} days. However, we keep at least $Conf{IncrKeepCntMin} incremental backups no matter how old they are.

$Conf{BackupFilesOnly} = undef;
List of directories or files to backup. If this is defined, only these directories or files will be backed up.

Only one of $Conf{BackupFilesExclude} and $Conf{BackupFilesOnly} can be specified per share. If both are set for a particular share, then $Conf{BackupFilesOnly} takes precedence and $Conf{BackupFilesExclude} is ignored.

This can be set to a string, an array of strings, or, in the case of multiple shares, a hash of strings or arrays. A hash is used to give a list of directories or files to backup for each share (the share name is the key). If this is set to just a string or array, and $Conf{SmbShareName} contains multiple share names, then the setting is assumed to apply to only the first share name.

Examples:

   $Conf{BackupFilesOnly} = "/myFiles";
   $Conf{BackupFilesOnly} = ["/myFiles"];     # same as first example
   $Conf{BackupFilesOnly} = ["/myFiles", "/important"];
   $Conf{BackupFilesOnly} = {
      "c" => ["/myFiles", "/important"],      # these are for "c" share
      "d" => ["/moreFiles", "/archive"],      # these are for "d" share
   }

$Conf{BackupFilesExclude} = undef;
List of directories or files to exclude from the backup. Only one of $Conf{BackupFilesExclude} and $Conf{BackupFilesOnly} can be specified per share. If both are set for a particular share, then $Conf{BackupFilesOnly} takes precedence and $Conf{BackupFilesExclude} is ignored.

This can be set to a string, an array of strings, or, in the case of multiple shares, a hash of strings or arrays. A hash is used to give a list of directories or files to exclude for each share (the share name is the key). If this is set to just a string or array, and $Conf{SmbShareName} contains multiple share names, then the setting is assumed to apply to only the first share name.

Examples:

   $Conf{BackupFilesExclude} = "/temp";
   $Conf{BackupFilesExclude} = ["/temp"];     # same as first example
   $Conf{BackupFilesExclude} = ["/temp", "/winnt/tmp"];
   $Conf{BackupFilesExclude} = {
      "c" => ["/temp", "/winnt/tmp"],         # these are for "c" share
      "d" => ["/junk", "/dont_back_this_up"], # these are for "d" share
   }

$Conf{BlackoutBadPingLimit} = 3;
$Conf{BlackoutGoodCnt} = 7;
PCs that are always or often on the network can be backed up after hours, to reduce PC, network and server load during working hours. For each PC a count of consecutive good pings is maintained. Once a PC has at least $Conf{BlackoutGoodCnt} consecutive good pings it is subject to ``blackout'' and not backed up during hours and days specified by $Conf{BlackoutWeekDays}, $Conf{BlackoutHourBegin} and $Conf{BlackoutHourEnd}.

To allow for periodic rebooting of a PC or other brief periods when a PC is not on the network, a number of consecutive bad pings is allowed before the good ping count is reset. This parameter is $Conf{BlackoutBadPingLimit}.

Note that bad and good pings don't occur with the same interval. If a machine is always on the network, it will only be pinged roughly once every $Conf{IncrPeriod} (eg: once per day). So a setting for $Conf{BlackoutGoodCnt} of 7 means it will take around 7 days for a machine to be subject to blackout. On the other hand, if a ping is failed, it will be retried roughly everytime BackupPC wakes up, eg, every one or two hours. So a setting for $Conf{BlackoutBadPingLimit} of 3 means that the PC will lose its blackout status after 3-6 hours of unavailability.

To disable the blackout feature set $Conf{BlackoutGoodCnt} to a negative value. A value of 0 will make all machines subject to blackout. But if you don't want to do any backups during the day it would be easier to just set $Conf{WakeupSchedule} to a restricted schedule.

$Conf{BlackoutHourBegin} = 7.5;
$Conf{BlackoutHourEnd} = 19.0;
$Conf{BlackoutWeekDays} = [1, 2, 3, 4, 5]; # 0 -> Sun
The default settings specify the blackout period from 7:30am to 7pm local time on Mon-Fri.

General per-PC configuration settings

$Conf{SmbClientPath} = ``/usr/bin/smbclient_pcb'';
Full path for smbclient. Security caution: normal users should not allowed to write to this file or directory.

smbclient is from the Samba distribution. smbclient is used to actually extract the incremental or full dump of the share filesystem from the PC.

$Conf{SmbClientArgs} = ``'';
Additional optional arguments to smbclient.

$Conf{NmbLookupPath} = ``/usr/bin/nmblookup'';
Full path for nmblookup. Security caution: normal users should not allowed to write to this file or directory.

nmblookup is from the Samba distribution. nmblookup is used to get the netbios name, necessary for DHCP hosts.

$Conf{FixedIPNetBiosNameCheck} = 0;
For fixed IP address hosts, BackupPC_dump can also verify the netbios name to ensure it matches the host name. An error is generated if they do not match. Typically this flag is off. But if you are going to transition a bunch of machines from fixed host addresses to DHCP, setting this flag is a great way to verify that the machines have their netbios name set correctly before turning on DCHP.

$Conf{PingPath} = ``/bin/ping'';
Full path to the ping command. Security caution: normal users should not be allowed to write to this file or directory.

$Conf{PingMaxMsec} = 20;
Maximum round-trip ping time in milliseconds. This threshold is set to avoid backing up PCs that are remotely connected through WAN or dialup connections. The output from ping -s (assuming it is supported on your system) is used to check the round-trip packet time. On your local LAN round-trip times should be much less than 20msec. On most WAN or dialup connections the round-trip time will be typically more than 20msec. Tune if necessary.

$Conf{SmbClientTimeout} = 7200;
Timeout in seconds which listening for smbclient stdout. If no output is received during this time, then it is assumed that something has wedged during a backup, and the backup is terminated.

Note that stdout buffering combined with huge files being backed up could cause longish delays in the output from smbclient that BackupPC_dump sees, so in rare cases you might want to increase this value.

$Conf{MaxOldPerPCLogFiles} = 12;
Maximum number of log files we keep around in each PC's directory (ie: pc/$host). These files are aged monthly. A setting of 12 means the adm directory will contain about 1 year of old log files, in particular at most the files LOG, LOG.0, LOG.1, ... LOG.11.

If you decrease this number after BackupPC has been running for a while you will have to manually remove the older log files.

Email reminders, status and messages

$Conf{SendmailPath} = ``/usr/sbin/sendmail'';
Full path to the sendmail command. Security caution: normal users should not allowed to write to this file or directory.

$Conf{EMailNotifyMinDays} = 2.5;
Minimum period between consecutive emails to a single user. This tries to keep annoying email to users to a reasonable level. Email checks are done nightly, so this number is effectively rounded up (ie: 2.5 means a user will never receive email more than once every 3 days).

$Conf{EMailFromUserName} = ``'';
Name to use as the ``from'' name for email

$Conf{EMailAdminUserName} = ``'';
Destination address to an administrative user who will receive a nightly email with warnings and errors. If there are no warnings or errors then no email will be sent.

$Conf{EMailNoBackupEverMesg} = ...;
This message is sent to a user if their PC has never been backed up

$Conf{EMailNotifyOldBackupDays} = 7.0;
How old the most recent backup has to be before notifying user. When there have been no backups in this number of days the user is sent an email.

$Conf{EMailNoBackupRecentMesg} = ...;
This message is sent to a user if their PC has not recently been backed up (ie: more than $Conf{EMailNotifyOldBackupDays} days ago).

$Conf{EMailNotifyOldOutlookDays} = 5.0;
How old the most recent backup of Outlook files has to be before notifying user.

$Conf{EMailOutlookBackupMesg} = ...;
This message is sent to a user if their Outlook files have not recently been backed up (ie: more than $Conf{EMailNotifyOldOutlookDays} days ago).

CGI user interface configuration settings

$Conf{CgiAdminUserGroup} = ``'';
$Conf{CgiAdminUsers} = ``'';
Normal users can only access information specific to their host. They can start/stop/browse/restore backups.

Administrative users have full access to all hosts, plus overall status and log information.

The administrative users are the union of the unix/linux group $Conf{CgiAdminUserGroup} and the manual list of users, seperated by spaces, in $Conf{CgiAdminUsers}. If you don't want a group or manual list of users set the corresponding configuration setting to undef or an empty string.

Examples:

   $Conf{CgiAdminUserGroup} = "admin";
   $Conf{CgiAdminUsers}     = "craig celia";
   --> administrative users are the union of group admin, plus
     craig and celia.
   $Conf{CgiAdminUserGroup} = "";
   $Conf{CgiAdminUsers}     = "craig celia";
   --> administrative users are only craig and celia".

$Conf{CgiUserHomePageCheck} = ``'';
$Conf{CgiUserUrlCreate} = ``'';
User names that are rendered by the CGI interface can be turned into links into their home page or other information about the user. To set this up you need to create two sprintf() strings, that each contain a single ``%s'' that will be replaced by the user name.

$Conf{CgiUserHomePageCheck} should be an absolute file path that is used to check (via ``-f'') that the user has a valid home page. Set this to undef or an empty string to turn off this check.

$Conf{CgiUserUrlCreate} should be a full URL that points to the user's home page. Set this to undef or an empty string to turn off generation of URLs for user names.

Example:

   $Conf{CgiUserHomePageCheck} = "/var/www/html/users/%s.html";
   $Conf{CgiUserUrlCreate}     = "http://myhost/users/%s.html";;
   --> if /var/www/html/users/craig.html exists, then "craig" will
     be rendered as a link to http://myhost/users/craig.html";.

Back to Top

Author

Craig Barratt <craig@arraycomm.com>

See http://backuppc.sourceforge.net.

Back to Top

Copyright

Copyright (C) 2001 Craig Barratt

Back to Top

License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License in the LICENSE file along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.

Back to Top

 BackupPC

SourceForge Logo
© Copyright 2001 Craig Barratt. BackupPC is hosted by SourceForge and distributed under a GPL license.