How to create a read-only view of files to back up with e.g. rsync

Published Mar 06, 2016 12:20 by admin (last modified Sep 05, 2016 11:24)

On Linux, it is possible with bindfs to create a read-only view of a part of the file system, so that a separate backup user (e.g. named "backup_user") can read the files for backup purposes, but not alter them.

If you use rsync to copy the files over, you need to adjust the directory permissions rsync applies (--chmod=Do+w); see the second part of this article for details. With rsync you may also restrict the shell of user backup_user so that it can only run rsync commands.

How to create a read-only view of a part of your file system

The machine getting backed up is referred to as the workstation henceforth.

Make a mount point that backup_user should read from

sudo mkdir /mnt/files-to-backup

Install bindfs

sudo apt-get install bindfs

Edit /etc/fstab to contain a line similar to this example. In the example, "/home/auser/files" is the part of the hard disk you want to back up, and "/mnt/files-to-backup" is a read-only view of "/home/auser/files" on the workstation that is readable only by the user "backup_user":

/home/auser/files /mnt/files-to-backup fuse.bindfs perms=0000:u=rD,force-user=backup_user,force-group=nogroup 0 0

Restart the workstation or just mount it with e.g.

sudo mount -a
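
A check you can run after mounting, added here as an example (not part of the original article): it confirms that the view presents files as 0400 and directories as 0500, which is what perms=0000:u=rD implies. The script name audit-view.sh and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the modes the bindfs view presents.
# Assumed from the article: view at /mnt/files-to-backup, mounted with
# perms=0000:u=rD, so files should appear as 0400 and directories as 0500.
# Run on the workstation as root or as backup_user.

# Entries carrying any write bit. Symlinks are skipped because on Linux
# lstat() always reports them as 0777.
writable_entries() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Entries with any group/other permission bit set.
exposed_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when nothing under the view is writable or group/other-accessible.
audit_view() {
    bad=$( { writable_entries "$1"; exposed_entries "$1"; } | sort -u )
    if [ -n "$bad" ]; then
        printf 'unexpected permissions under %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: sh audit-view.sh /mnt/files-to-backup
if [ "$#" -gt 0 ]; then
    # If the mount failed, the path is only the empty directory made with
    # mkdir, and a --delete mirror would copy that emptiness.
    mountpoint -q "$1" || { echo "$1 is not mounted" >&2; exit 2; }
    audit_view "$1"
fi
```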

How to configure rsync to pull over the files to the server

Limit backup_user to only be able to use rsync commands

sudo apt-get install rssh

Edit /etc/rssh.conf to allow rsync

Set the shell of "backup_user" to rssh.

sudo chsh -s /usr/bin/rssh backup_user

Schedule the server to pull rsync transfers from the workstation

On the server:

Let's rsync from the server.

Put this in crontab with "crontab -e" (select "nano" if it asks you) to run it every hour at 42 minutes into the hour:

42 *  *   *   *    /usr/bin/rsync -r --delete --relative --progress  --chmod=Do+w backup_user@workstation.ip.address:/mnt/files-to-backup/ /mnt/volume1/synced_files/

A little about the switches used for rsync:

-r
Recursive transfer

--delete
Delete files at the target that no longer exist at the source. Use this if you want a mirror.

--relative
Makes it easier to use exclude filters

--progress
Not strictly necessary, but useful for debugging the whole command line

--chmod=Do+w
Do+w tells rsync to add write permissions to directories. We are reading from a read-only image of the file system, and if we keep those permissions for directories, rsync cannot place anything inside the top level directories.

You can also use an exclude file, which you pass on the crontab command line like so:

--exclude-from=/path/to/excludes.txt

Example contents of excludes.txt:

- /mnt/files-to-backup/.npm
- /mnt/files-to-backup/.mozilla
- /mnt/files-to-backup/Downloads
- /mnt/files-to-backup/.wine
- /mnt/files-to-backup/.cache
- node_modules/
- .git/
- .svn/