5 \h'-\w'\fB\\$1\ \fP'u'\fB\\$1\ \fP\c
7 .TH rsync-backup 8 "7 October 2012" rsync-backup
16 script is a backup program of the currently popular
21 ability to create hardlinks from (apparently) similar existing local
22 trees to make incremental dumps efficient, even from remote sources.
23 Restoring files is easy because the backups created are just directories
24 full of files, exactly as they were on the source \(en and this is
29 The script does more than just running
31 It is also responsible for creating and removing snapshots of volumes to
32 be backed up, and expiring old dumps according to a user-specified
37 script should be installed and run on a central backup server with local
38 access to the backup volumes.
40 The script should be run with full (root) privileges, so that it can
41 correctly record file ownership information. The server should also be
44 to the client machines, and run processes there as root. (This is not a
45 security disaster. Remember that the backup server is, in the end,
46 responsible for the integrity of the backup data. A dishonest backup
47 server can easily compromise a client which is being restored from
49 .SS Command-line options
50 Most of the behaviour of
52 is controlled by a configuration file, described starting with the
54 .B Configuration commands
56 But a few features are controlled by command-line options.
59 Show a brief help message for the program, and exit successfully.
64 version number and some choice pieces of build-time configuration, and
70 instead of the default configuration file (shown as
77 Don't actually take a backup, or write proper logs: instead, write a
78 description of what would be done to standard error.
81 Produce verbose progress information on standard output while the backup
82 is running. This keeps one amused while running a backup
83 interactively. In any event,
85 will report failures to standard error, and otherwise run silently, so
86 it doesn't annoy unnecessarily if run by
89 Backing up a filesystem works as follows.
91 Make a snapshot of the filesystem on the client, and ensure that the
92 snapshot is mounted. There are some `trivial' snapshot types which use
93 the existing mounted filesystem, and either prevent processes writing to
94 it during the backup, or just hope for the best. Other snapshot types
95 require the snapshot to be mounted somewhere distinct from the main
96 filesystem, so that the latter can continue being used.
100 to copy the snapshot to the backup volume \(en specifically, to
101 .IB host / fs / new \fR.
102 If this directory already exists, then it's presumed to be debris from a
103 previous attempt to dump this filesystem:
105 will update it appropriately, by adding, deleting or modifying the
106 files. This means that retrying a failed dump \(en after fixing whatever
107 caused it to go wrong, obviously! \(en is usually fairly quick.
111 on the client to generate a `digest' describing the contents of the
112 filesystem, and send this to the server as
113 .IB host / fs / new .fshash \fR.
115 Release the snapshot: we don't need it any more.
119 over the new backup; specifically, to
120 .BI tmp/fshash. host . fs . date \fR.
121 This gives us a digest for what the backup volume actually stored.
125 digests. If they differ then dump the differences to the log file and
126 report a backup failure. (Backups aren't any good if they don't
127 actually back up the right thing. And you stand a better chance of
128 fixing them if you know that they're going wrong.)
130 Commit the backup, by renaming the dump directory to
135 .IB host / fs / date .fshash \fR.
137 The backup is now complete.
138 .SS Configuration commands
139 The configuration file is simply a Bash shell fragment: configuration
140 commands are shell functions.
142 .BI "backup " "fs\fR[:\fIfsarg\fR] ..."
143 Back up the named filesystems. The corresponding
145 may be required by the snapshot type.
150 commands will back up filesystems on the named
152 To back up filesystems on the backup server itself, use its hostname:
154 will avoid inefficient and pointless messing about
157 This command clears the
159 list, and resets the retention policy to its default (i.e., the to
160 policy defined prior to the first
164 .BI "like " "host\fR ..."
165 Declare that subsequent filesystems are `similar' to like-named
166 filesystems on the named
170 should use those trees as potential sources of hardlinkable files. Be
171 careful when using this option without
174 option: an erroneous hardlink will cause the backup to fail. (The
175 backup won't be left silently incorrect.)
177 .BI "retain " frequency " " duration
178 Define part a backup retention policy: backup trees of the
180 should be kept for the
192 which means the same); the
200 Expiry considers each existing dump against the policy lines in order:
201 the last applicable line determines the dump's fate \(en so you should
202 probably write the lines in decreasing order of duration.
210 commands collectively define a retention policy. Once a policy is
213 operations use the policy. The first
219 command clears the policy and starts defining a new one. The policy
220 defined before the first
224 policy: at the start of each
226 stanza, the policy is reset to the default.
231 snapshot type (see below) doesn't prevent a filesystem from being
232 modified while it's being backed up. If this happens, the
234 pass will detect the difference and fail. If the filesystem in question
235 is relatively quiescent, then maybe retrying the backup will result in a
236 successful consistent copy. Following this command, a backup which
239 mismatch will be retried up to
241 times before being declared a failure.
243 .BI "snap " type " " \fR[\fIargs\fR...]
246 for subsequent backups. Some snapshot types require additional
247 arguments, which may be supplied here. This command clears the
250 .SS Configuration variables
251 The following shell variables may be overridden by the configuration
255 The number of log files to be kept for each filesystem. Old logfiles
256 are deleted to keep the total number below this bound. The default
260 Command-line options to pass to
262 in addition to the basic set:
269 .B \-\-one-file-system
271 .BR "\-\-filter=""dir-merge .rsync-backup""" .
278 snapshots are mounted on subdirectories below the
280 .IR "on backup clients" .
285 is the backup mount directory configured at build time.
288 The volume size option to pass to
290 when creating a snapshot. The default is
292 which seems to work fairly well.
295 Where the actual backup trees should be stored. See the section on
302 is the backup mount directory configured at build time.
305 The hash function to use for verifying archive integrity. This is
310 so it must name one of the hash functions supported by your Python's
312 module. The default is
315 The configuration file may define shell functions to perform custom
316 actions at various points in the backup process.
318 .BI "backup_precommit_hook " host " " fs " " date
319 Called after a backup has been verified complete and about to be
320 committed. The backup tree is in
322 in the current directory, and the
326 A typical action would be to create a digital signature on the
329 .BI "backup_commit_hook " host " " fs " " date
330 Called during the commit procedure. The backup tree and manifest have
331 been renamed into their proper places. Typically one would use this
332 hook to rename files created by the
333 .B backup_precommit_hook
336 .BR "whine " [ \-n ] " " \fItext\fR...
337 Called to report `interesting' events when the
339 option is in force. The default action is to echo the
341 to (what was initially) standard output, followed by a newline unless
345 The following snapshot types are available.
348 A trivial snapshot type: attempts to back up a live filesystem. How
349 well this works depends on how active the filesystem is. If files
350 change while the dump is in progress then the
352 verification will likely fail. Backups using this snapshot type must
353 specify the filesystem mount point as the
357 A slightly less trivial snapshot type: make the filesystem read-only
358 while the dump is in progress. Backups using this snapshot type must
359 specify the filesystem mount point as the
363 Create snapshots using LVM. The snapshot argument is interpreted as the
364 relevant volume group. The filesystem name is interpreted as the origin
365 volume name; the snapshot will be called
368 .IB SNAPDIR / fs \fR;
369 space will be allocated to it according to the
373 .BI "rfreezefs " client " " vg
374 This gets complicated. Suppose that a server has an LVM volume group,
375 and exports (somehow) a logical volume to a client. Examples are a host
376 providing a virtual disk to a guest, or a server providing
377 network-attached storage to a client. The server can create a snapshot
378 of the volume using LVM, but must synchronize with the client to ensure
379 that the filesystem image captured in the snapshot is clean. The
381 program should be installed on the client to perform this rather
382 delicate synchronization. Declare the server using the
384 command as usual; pass the client's name as the
387 server's volume group name as the
389 snapshot arguments. Finally, backups using this snapshot type must
390 specify the filesystem mount point (or, actually, any file in the
391 filesystem) on the client, as the
394 Additional snapshot types can be defined in the configuration file. A
395 snapshot type requires two shell functions.
397 .BI snap_ type " " snapargs " " fs " " fsarg
398 Create the snapshot, and write the mountpoint (on the client host) to
399 standard output, in a form suitable as an argument to
402 .BI unsnap_ type " " snapargs " " fs " " fsarg
405 There are a number of utility functions which can be used by snapshot
406 type handlers: please see the script for details. Please send the
407 author interesting snapshot handlers for inclusion in the main
409 .SS Archive structure
410 Backup trees are stored in a fairly straightforward directory tree.
412 At the top level is one directory for each client host. There are also
413 some special entries:
415 .B \&.rsync-backup-store
416 This file must be present in order to indicate that a backup volume is
417 present (and not just an empty mount point).
420 The cache database used for improving performance of local file
421 hashing. There may be other
423 files used by SQLite for its own purposes.
426 Part of the filesystem used on the backup volume. You don't want to
430 Used to store temporary files during the backup process. (Some of them
431 want to be on the same filesystem as the rest of the backup.) When
432 things go wrong, files are left behind in the hope that they might help
433 someone debug the mess. It's always safe to delete the files in here
434 when no backup is running.
436 So don't use those names for your hosts.
438 The next layer down contains a directory for each filesystem on the given host.
440 The bottom layer contains a directory for each dump of that filesystem,
441 named with the date at which the dump was started (in ISO8601
442 .IB yyyy \(en mm \(en dd
443 format), together with associated files named
452 Mark Wooding, <mdw@distorted.org.uk>