simple backup for mysql, postgresql, svn and files to s3 or local filesystem

This branch is 1 commit ahead, 63 commits behind astrails:master


astrails-safe

Simple database and filesystem backups with S3 and Rackspace Cloud Files support (with optional encryption)

Home: http://blog.astrails.com/astrails-safe

Motivation

We needed a backup solution that would satisfy the following requirements:

  • open source
  • simple to install and configure
  • support for simple ‘tar’ backups of directories (with includes/excludes)
  • support for simple mysqldump of mysql databases
  • support for symmetric or public key encryption
  • support for local filesystem, Amazon S3, and Rackspace Cloud Files for storage
  • support for backup rotation: we don’t want backups filling all the disk space or costing a fortune on S3 or Cloud Files

And since we didn't find any, we wrote our own :)

Contributions

The following functionality was contributed by astrails-safe users:

Thanks to all :)

Installation

sudo gem install astrails-safe --source http://gemcutter.org

Reporting problems

Please report problems at the Issues tracker

Usage

Usage:
   astrails-safe [OPTIONS] CONFIG_FILE
Options:
  -h, --help           This help screen
  -v, --verbose        be verbose, duh!
  -n, --dry-run        just pretend, don't do anything.
  -L, --local          skip remote storage, only do local backups

Note: CONFIG_FILE will be created from template if missing

Encryption

If you want to encrypt your backups you have 2 options:

  • use simple password encryption
  • use GPG public key encryption

For simple password encryption, just add a password entry to the gpg section. For public key encryption you will need to create a public/secret keypair.

We recommend creating your GPG keys only on your local machine and then transferring your public key to the server that will do the backups.

This way the server only knows how to encrypt the backups, and only you can decrypt them, using the secret key you keep locally. Of course you MUST back up your backup encryption key :) We also recommend printing a hard paper copy of your GPG key 'just in case'.

The procedure to create and transfer the key is as follows:

  1. run 'gpg --gen-key' on your local machine and follow onscreen instructions to create the key (you can accept all the defaults).

  2. extract your public key into a file (assuming you used test@example.com as your key email):

    $ gpg -a --export test@example.com > test@example.com.pub

  3. transfer public key to the server:

    $ scp test@example.com.pub root@example.com:

  4. import public key on the remote system:

    $ gpg --import test@example.com.pub
    gpg: key 45CA9403: public key "Test Backup " imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
  5. since we don't keep the secret part of the key on the remote server, gpg has no way to know it's yours and can be trusted. To fix that, we can sign it with another trusted key, or just directly modify its trust level in gpg (use level 5):

     $ gpg --edit-key test@example.com
     ...
     Command> trust
     ...
     1 = I don't know or won't say
     2 = I do NOT trust
     3 = I trust marginally
     4 = I trust fully
     5 = I trust ultimately
     m = back to the main menu
    
     Your decision? 5
     ...
     Command> quit
    
  6. export your secret key for backup (we recommend printing it on paper, burning it to a CD/DVD, and storing both in a safe place):

    $ gpg -a --export-secret-key test@example.com > test@example.com.key
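
A check for the result of steps 4 and 5, added here as an example (it is not part of astrails-safe): it reads the output of `gpg --list-keys --with-colons` and `gpg --list-secret-keys --with-colons` taken on the backup server and reports whether the recipient key is present, ultimately trusted, able to encrypt, and without its secret half. The function names and the sample listings are assumptions made for illustration.

```ruby
# Added example (not astrails-safe code). Field numbers follow GnuPG's
# --with-colons format: 2 = validity, 5 = key ID, 10 = user ID, 12 = capabilities.
def parse_keys(listing)
  keys = []
  listing.each_line do |line|
    f = line.chomp.split(":", -1)
    case f[0]
    when "pub", "sec"
      keys << { :id => f[4], :validity => f[1], :caps => f[11].to_s, :uids => [] }
      keys.last[:uids] << f[9] unless f[9].to_s.empty? # gpg 1.x puts the first uid here
    when "uid"
      keys.last[:uids] << f[9].to_s if keys.last
    end
  end
  keys
end

def keys_for(listing, email)
  parse_keys(listing).select { |k| k[:uids].any? { |u| u.include?("<#{email}>") } }
end

# Returns a list of problems; an empty list means the server keyring matches
# the procedure: public key imported, ultimately trusted, no secret key.
def audit_backup_key(email, public_listing, secret_listing)
  pub = keys_for(public_listing, email)
  return ["no public key for #{email}: import it first"] if pub.empty?
  problems = []
  pub.each do |k|
    problems << "#{k[:id]}: validity '#{k[:validity]}', not ultimate" unless k[:validity] == "u"
    problems << "#{k[:id]}: no usable encryption capability" unless k[:caps].include?("E")
  end
  keys_for(secret_listing, email).each { |k| problems << "#{k[:id]}: secret key is on the backup server" }
  problems
end

# Constructed sample listings (key IDs and timestamps are made up).
IMPORTED = <<EOS
tru::1:1262304000:0:3:1:5
pub:-:2048:1:0123456789ABCDEF:1262304000:::-:::scESC:
uid:-::::1262304000::::Test Backup <test@example.com>:
sub:-:2048:1:FEDCBA9876543210:1262304000::::::e:
EOS
TRUSTED = IMPORTED.gsub(":-:", ":u:")                       # after "trust" level 5
SECRET  = TRUSTED.sub(/^pub:/, "sec:").sub(/^sub:/, "ssb:") # what must NOT be on the server

p audit_backup_key("test@example.com", IMPORTED, "")
p audit_backup_key("test@example.com", TRUSTED, "")
p audit_backup_key("test@example.com", TRUSTED, SECRET)
```

On a real server, pass the two command outputs in place of the constructed strings and run the check before the first scheduled backup.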
    

Example configuration

  safe do
    local :path => "/backup/:kind/:id"

    s3 do
      key "...................."
      secret "........................................"
      bucket "backup.astrails.com"
      path "servers/alpha/:kind/:id"
    end

    cloudfiles do
      username "..........."
      api_key "................................."
      container "safe_backup"
      path ":kind/" # this is default
      service_net false
    end

    sftp do
      host "sftp.astrails.com"
      user "astrails"
      # port 8023
      password "ssh password for sftp"
    end

    gpg do
      # symmetric encryption key
      # password "qwe"

      # public GPG key (must be known to GPG, i.e. be on the keyring)
      key "backup@astrails.com"
    end

    keep do
      local 20
      s3 100
      cloudfiles 100
      sftp 100
    end

    mysqldump do
      options "-ceKq --single-transaction --create-options"

      user "root"
      password "............"
      socket "/var/run/mysqld/mysqld.sock"

      database :blog
      database :servershape
      database :astrails_com
      database :secret_project_com do
        skip_tables "foo"
        skip_tables ["bar", "baz"]
      end

    end

    svndump do
      repo :my_repo do
        repo_path "/home/svn/my_repo"
      end
    end

    pgdump do
      options "-i -x -O"   # -i => ignore version, -x => do not dump privileges (grant/revoke), -O => skip restoration of object ownership in plain text format

      user "username"
      password "............"  # shouldn't be used; set up ident instead. Current functionality exports a password env variable to the shell, which pg_dump uses - untested!

      database :blog
      database :stateofflux_com
    end

    tar do
      options "-h" # dereference symlinks
      archive "git-repositories", :files => "/home/git/repositories"
      archive "dot-configs",      :files => "/home/*/.[^.]*"
      archive "etc",              :files => "/etc", :exclude => "/etc/puppet/other"

      archive "blog-astrails-com" do
        files "/var/www/blog.astrails.com/"
        exclude "/var/www/blog.astrails.com/log"
        exclude "/var/www/blog.astrails.com/tmp"
      end

      archive "astrails-com" do
        files "/var/www/astrails.com/"
        exclude ["/var/www/astrails.com/log", "/var/www/astrails.com/tmp"]
      end
    end
  end

Reporting problems

http://github.com/astrails/safe/issues

Copyright

Copyright (c) 2009 Astrails Ltd. See LICENSE for details.
