
== Hardening security ==
Security can be hardened by allowing the remote user to run nothing but rsync.

=== Key generation ===
{{{
[root@desthost ~]# ssh-keygen -f rsynckey -t rsa -b 4096 -C "youname@hoge.com"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rsynckey.
Your public key has been saved in rsynckey.pub.
The key fingerprint is:
SHA256:UEcdnGoXW4E6jyjBkm71U1bbyx2mVj1T6q4tCkal7eo youname@hoge.com
The key's randomart image is:
+---[RSA 4096]----+
| ..oo.+.. |
| . . B . .|
| o. .+ * .o|
| o +. +B + o*.|
| . o oS=.= o+o+|
| o ..+.. .o+ .|
| . .o.. .. |
| . o ... |
| .E ...o. |
+----[SHA256]-----+
[root@desthost ~]# ls
anaconda-ks.cfg rsynckey rsynckey.pub
}}}

== Place the key on the backup source ==

Set things up so that the user can log in over SSH.
{{{
[root@srchost ~]# adduser rsync-user
[root@srchost ~]# cd /home/rsync-user/
[root@srchost rsync-user]# mkdir .ssh
[root@srchost rsync-user]# chmod 700 .ssh/
[root@srchost rsync-user]# mv /root/rsynckey.pub .ssh/authorized_keys
[root@srchost rsync-user]# chown rsync-user.rsync-user -R .ssh/
[root@srchost rsync-user]# restorecon -R .ssh/
}}}

== On the backup destination ==

Confirm that you can log in with key authentication.

{{{
[root@desthost ~]# ssh -i rsynckey rsync-user@192.168.1.155
[rsync-user@srchost ~]$
}}}

== Confirm that rsync works with key authentication ==
{{{
[root@desthost ~]# rsync -vvv -PSavz --delete --bwlimit=500 -e "ssh -i /root/rsynckey" rsync-user@srchost:/var/www/html/mariadb /var/www/html
opening connection using: ssh -i rsynckey -l rsync-user srchost rsync --server --sender -vvvlogDtprSze.iLsf --bwlimit=500 . /var/www/html/mariadb
receiving incremental file list
server_sender starting pid=1439
[sender] make_file(mariadb,*,0)
recv_file_name(mariadb)
received 1 names
...
generate_files finished

sent 92 bytes received 6075 bytes 12334.00 bytes/sec
total size is 206849027 speedup is 33541.27
[generator] _exit_cleanup(code=0, file=main.c, line=1518): about to call exit(0)

}}}

== Restrict the key to running rsync only ==
From a security standpoint, letting the key run arbitrary commands over ssh is undesirable. To restrict the ssh connection to just this command, use the command line shown in the output of the rsync run above.

opening connection using: ssh -i rsynckey -l rsync-user srchost **rsync --server --sender -vvvlogDtprSze.iLsf --bwlimit=500 . /var/www/html/mariadb**
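The usual way to apply that output is a forced command in authorized_keys. The snippet below is an added example, not from the original page: it extracts the server-side command from the `opening connection using:` line and builds the authorized_keys entry for rsync-user. It assumes OpenSSH 7.2 or later for the `restrict` option, and the public key string is a placeholder for the contents of rsynckey.pub.

```shell
# Added example: build a forced-command authorized_keys entry for the
# rsync-user key from the "opening connection using:" line that rsync -vvv
# prints. The sample log line is constructed from the page's own output.
LOG_LINE='opening connection using: ssh -i rsynckey -l rsync-user srchost rsync --server --sender -vvvlogDtprSze.iLsf --bwlimit=500 . /var/www/html/mariadb'

# Extract everything from "rsync --server" onward: the command the client
# asks the remote sshd to run. Prints nothing if the line does not match.
server_command() {
    printf '%s\n' "$1" | sed -n 's/^opening connection using: .* \(rsync --server .*\)$/\1/p'
}

# Emit the authorized_keys line: the key may only run that one command, and
# "restrict" disables pty allocation and port/agent/X11 forwarding
# (OpenSSH 7.2+). Fails if no server command could be extracted.
authorized_keys_line() {
    cmd=$(server_command "$1")
    [ -n "$cmd" ] || return 1
    printf 'command="%s",restrict %s\n' "$cmd" "$2"
}

# Placeholder for the contents of rsynckey.pub; substitute the real key.
PUBKEY='ssh-rsa AAAA...PLACEHOLDER... youname@hoge.com'

# Typical use on srchost: replace the plain key line installed earlier.
# authorized_keys_line "$LOG_LINE" "$PUBKEY" > /home/rsync-user/.ssh/authorized_keys
```

sshd runs the forced command no matter what the client asks for, so invoke the client with the same options (the `-vvvlogDtprSze.iLsf` string encodes them) or the two sides will disagree about the transfer.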

== Error handling ==
The exit codes (echo $?) seen when errors occur are as follows.

* Network disconnection during transfer: 12
* Crash of the server-side rsync process: 22
* ssh cannot connect: 255

=== Network disconnection ===
{{{
[root@desthost ~]# rsync --timeout 60 -vv -PSavz --delete --bwlimit=500 -e "ssh -i rsynckey" rsync-user@srchost:/var/www/html/mariadb /var/www/html
....

[receiver] io timeout after 60 seconds -- exiting
set uid of mariadb/rpms/.MariaDB-10.1.29-centos7-x86_64-backup.rpm.NPdON0 from 0 to 48
set gid of mariadb/rpms/.MariaDB-10.1.29-centos7-x86_64-backup.rpm.NPdON0 from 0 to 48
renaming mariadb/rpms/.MariaDB-10.1.29-centos7-x86_64-backup.rpm.NPdON0 to mariadb/rpms/MariaDB-10.1.29-centos7-x86_64-backup.rpm
rsync error: timeout in data send/receive (code 30) at io.c(140) [receiver=3.0.9]
[receiver] _exit_cleanup(code=30, file=io.c, line=140): about to call exit(30)
rsync: connection unexpectedly closed (82 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [generator=3.0.9]
[generator] _exit_cleanup(code=12, file=io.c, line=605): about to call exit(12)
[root@localhost ~]# echo $?
12
}}}

=== ssh unreachable ===
{{{
[root@localhost ~]# rsync --timeout 60 -vv -PSavz --delete --bwlimit=500 -e "ssh -i rsynckey" rsync-user@srchost:/var/www/html/mariadb /var/www/html
opening connection using: ssh -i rsynckey -l rsync-user srchost rsync --server --sender -vvvlogDtprSze.iLsf --timeout=60 --bwlimit=500 . /var/www/html/mariadb
ssh: connect to host srchost port 22: No route to host
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(605) [Receiver=3.0.9]
[Receiver] _exit_cleanup(code=12, file=io.c, line=605): about to call exit(255)
[root@localhost ~]# echo $?
255
}}}

=== Death of the rsync process ===
{{{
rsync: connection unexpectedly closed (9162874 bytes received so far) [receiver]
set uid of mariadb/rpms/.MariaDB-10.1.29-centos7-x86_64-backup.rpm.ipt9fC from 0 to 48
set gid of mariadb/rpms/.MariaDB-10.1.29-centos7-x86_64-backup.rpm.ipt9fC from 0 to 48
renaming mariadb/rpms/.MariaDB-10.1.29-centos7-x86_64-backup.rpm.ipt9fC to mariadb/rpms/MariaDB-10.1.29-centos7-x86_64-backup.rpm
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [receiver=3.0.9]
[receiver] _exit_cleanup(code=12, file=io.c, line=605): about to call exit(12)
rsync: connection unexpectedly closed (82 bytes received so far) [generator]
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at io.c(605) [generator=3.0.9]
[generator] _exit_cleanup(code=12, file=io.c, line=605): about to call exit(20)
[root@localhost ~]# echo $?
20
}}}
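As an added example, not from the original page: a wrapper that uses these exit codes to decide whether a failed backup run is worth retrying. The classification follows the transcripts above (12 and 30 for a dropped stream or io timeout, 255 for an unreachable ssh; 20 or 22 for a remote rsync process that died is not retried); the attempt count and RETRY_DELAY are assumptions.

```shell
# Added example: retry the backup only when rsync fails for a transient
# reason. Exit codes taken from this page: 12 (protocol stream error after a
# network drop), 30 (io timeout), 255 (ssh could not connect). 20/22 (remote
# rsync process died) and anything else are reported without a retry.
RETRY_DELAY=${RETRY_DELAY:-30}   # seconds between attempts (assumption)

# Map an rsync exit status to an action: ok, retry, or fail.
classify_rsync_status() {
    case "$1" in
        0)          echo ok ;;
        12|30|255)  echo retry ;;
        *)          echo fail ;;
    esac
}

# Run the given command up to $1 times. Returns 0 on success, otherwise the
# last rsync exit status so that cron or monitoring still sees the real code.
run_with_retry() {
    max=$1; shift
    attempt=1
    while :; do
        "$@" && status=0 || status=$?
        case "$(classify_rsync_status "$status")" in
            ok)    return 0 ;;
            fail)  return "$status" ;;
        esac
        [ "$attempt" -lt "$max" ] || return "$status"
        echo "rsync exited with $status, retry $attempt/$max in ${RETRY_DELAY}s" >&2
        attempt=$((attempt + 1))
        sleep "$RETRY_DELAY"
    done
}

# Usage with the page's backup command (paths as on the page):
# run_with_retry 3 rsync --timeout 60 -PSavz --delete --bwlimit=500 \
#     -e "ssh -i /root/rsynckey" rsync-user@srchost:/var/www/html/mariadb /var/www/html
```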