Hi
I'm searching for a backup solution on a remote site, and I am concerned about privacy. Thanks to OMV and its Debian basis, I tried in a lab environment to connect two OMV servers and back up the first on the second. If I find a friend who wants to try it in the real world, both OMV servers will back up each other (as long as there are enough SATA interfaces to build quite large RAID arrays and logical volumes!)
Backups do not need a fast network after the first sync, but if a disaster occurs, downloading all the data will take a long time. Remember to keep the encryption key in a safe place, away from the server being backed up!
1 - LAB description
1 OMV 0.4.32 for data storage (hostname omv-filer)
1 OMV 0.4.32 for backup
A network between both OMV
1.1 - Settings
The file server's hostname is omv-filer
The backup server's hostname is omv-backup, its IP is 192.168.0.30
2 - On the omv-filer (the file server)
2.1 - Install the iscsi target
Log in to the server's OMV GUI. In System, click on Plugins. Select the plugin openmediavault-iscsitarget and click on the button Install.
Reload the web interface to apply changes.
Go to Services, iSCSI Target. Tick Enable and apply.
2.2 - Configure discovery with mutual CHAP authentication
Note: the two credential pairs below MUST be different. Choose different usernames and different passwords.
Click in Services on iSCSI Target. Click on the button Add in Discovery Authentication. In Transfer Mode choose Incoming and enter the username discoverinuser and the password discoverinpass. Click on OK.
Click again on Add. In Transfer Mode choose Outgoing and enter the username discoveroutuser and the password discoveroutpass. Click on OK.
2.3 - Create the target
Go to Services, iSCSI Target. Choose the tab Targets and click on the button Add.
Fill in the form as follows:
Identifier : backup
Open the Authentication tab and create two users for mutual authentication. These credentials will be used for opening a session on the target.
Transfer mode : Incoming
username : targetinuser
password : targetinpass
Transfer mode : Outgoing
username : targetoutuser
password : targetoutpass
In the LUN tab choose one or several devices which will be accessed through the target.
Apply your changes.
3 - On the omv-backup (the backup server)
3.1 - install the iSCSI initiator
Open a local or remote command line interface and install the package open-iscsi with the following command:
apt-get install open-iscsi
3.2 - discover the targets
Edit the file /etc/iscsi/iscsid.conf and change the following lines:
# To enable CHAP authentication for a discovery session to the target
# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
discovery.sendtargets.auth.authmethod = CHAP
# To set a discovery session CHAP username and password for the initiator
# authentication by the target(s), uncomment the following lines:
discovery.sendtargets.auth.username = discoverinuser
discovery.sendtargets.auth.password = discoverinpass
# To set a discovery session CHAP username and password for target(s)
# authentication by the initiator, uncomment the following lines:
discovery.sendtargets.auth.username_in = discoveroutuser
discovery.sendtargets.auth.password_in = discoveroutpass
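A check for the initiator-side discovery settings, added here as an example that is not part of the original post: it reads an iscsid.conf (or a constructed copy passed as a parameter) and verifies that discovery uses CHAP with two distinct credential pairs, which is what the note in section 2.2 requires. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that an iscsid.conf
# (or a constructed copy of it, passed as $1) configures discovery with
# mutual CHAP and two distinct credential pairs, as section 2.2 requires.

# Print the value of "key = value" for key $2 in file $1 (commented lines ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

check_discovery_chap() {
    f="$1"
    method=$(conf_get "$f" discovery.sendtargets.auth.authmethod)
    user=$(conf_get "$f" discovery.sendtargets.auth.username)
    pass=$(conf_get "$f" discovery.sendtargets.auth.password)
    user_in=$(conf_get "$f" discovery.sendtargets.auth.username_in)
    pass_in=$(conf_get "$f" discovery.sendtargets.auth.password_in)

    [ "$method" = "CHAP" ] || { echo "authmethod is '$method', not CHAP"; return 1; }
    for v in "$user" "$pass" "$user_in" "$pass_in"; do
        [ -n "$v" ] || { echo "a CHAP username or password is empty"; return 1; }
    done
    # (username, password) is what the target checks about the initiator;
    # (username_in, password_in) is what the initiator checks about the target.
    # Reusing one pair in both directions defeats the point of mutual CHAP,
    # which is why the target configuration above needs two different pairs.
    if [ "$user" = "$user_in" ] || [ "$pass" = "$pass_in" ]; then
        echo "incoming and outgoing CHAP credentials must differ"
        return 1
    fi
    echo "discovery CHAP settings in $f are consistent"
    return 0
}

# Constructed sample configs for a quick self-test (same names as in the how-to).
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# commented-out defaults must be ignored
#discovery.sendtargets.auth.authmethod = None
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = discoverinuser
discovery.sendtargets.auth.password = discoverinpass
discovery.sendtargets.auth.username_in = discoveroutuser
discovery.sendtargets.auth.password_in = discoveroutpass
EOF
sed 's/discoverout/discoverin/' "$good" > "$bad"   # one pair reused for both directions
check_discovery_chap "$good"
check_discovery_chap "$bad" || echo "(rejected as expected)"
```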
Try to discover the targets:
omv-filer:~# iscsiadm -m discovery -t st -p 192.168.0.30
192.168.0.30:3260,1 iqn.2013-06.fr.domain.omv-backup:backup
The initiator now knows nearly everything about the target. Edit the generated node configuration with the following commands to set the credentials for the target session (the target's Incoming pair goes into username/password, its Outgoing pair into username_in/password_in):
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.authmethod -v CHAP
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.username -v targetinuser
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.password -v targetinpass
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.username_in -v targetoutuser
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.session.auth.password_in -v targetoutpass
Try to open a session on the target:
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -l
If the command succeeded, you will see a new device:
omv-filer:~# ls -l /dev/sd*
brw-rw---- 1 root disk 8, 0 1 juil. 13:45 /dev/sda
brw-rw---- 1 root disk 8, 1 1 juil. 13:45 /dev/sda1
brw-rw---- 1 root disk 8, 2 1 juil. 13:45 /dev/sda2
brw-rw---- 1 root disk 8, 5 1 juil. 13:45 /dev/sda5
brw-rw---- 1 root disk 8, 16 1 juil. 13:45 /dev/sdb
brw-rw---- 1 root disk 8, 17 1 juil. 13:45 /dev/sdb1
brw-rw---- 1 root disk 8, 32 1 juil. 13:45 /dev/sdc
brw-rw---- 1 root disk 8, 33 1 juil. 13:45 /dev/sdc1
Now enable automatic login on this target:
omv-filer:~# iscsiadm -m node -T iqn.2013-06.fr.domain.omv-backup:backup -p 192.168.0.30 -o update -n node.startup -v automatic
3.3 - Create a volume
You may create a RAID array, a logical volume, or simply a partition. Encryption will be applied to this volume.
omv-filer:~# parted /dev/sdc
GNU Parted 2.3
Using /dev/sdc
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
Warning: The existing disk label on /dev/sdc will be destroyed and all data on
this disk will be lost. Do you want to continue?
Yes/No? yes
(parted) mkpart primary ext4 1M 100%
(parted) p
Model: IET VIRTUAL-DISK (scsi)
Disk /dev/sdc: 5369MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number Start End Size File system Name Flags
1 1049kB 5368MB 5367MB primary
(parted) q
Information: You may need to update /etc/fstab.
3.4 - Encryption configuration
Install cryptsetup:
omv-filer:~# apt-get install cryptsetup
Overwrite the full device with random data. A zeroed device weakens the encryption, because used and unused areas of the volume can then be told apart. This step will take a very long time depending on the device size and the speed of your network to the remote server; it is more efficient to do it from a command line on the backup server itself.
omv-filer:~# dd if=/dev/urandom of=/dev/sdc1 bs=1M
To follow the overwrite progress, send the USR1 signal to dd, which then prints its statistics. Replace <dd pid> with the process ID found with ps:
omv-filer:~# ps -ef | grep dd
omv-filer:~# kill -USR1 <dd pid>
Create a key to open your encrypted device. This may take some time, since /dev/random blocks until enough entropy is available.
omv-filer:~# mkdir /etc/keys
omv-filer:~# dd if=/dev/random of=/etc/keys/sdc1_key bs=1 count=42
omv-filer:~# chmod go-rwx /etc/keys/sdc1_key
Create the LUKS header on the volume with this key:
omv-filer:~# cryptsetup -c aes-xts-plain64 -s 512 -h sha512 -i 5000 luksFormat /dev/sdc1 /etc/keys/sdc1_key
WARNING!
========
Cette action écrasera définitivement les données sur /dev/sdc1.
Are you sure? (Type uppercase yes): YES
Open the encrypted volume:
omv-filer:~# cryptsetup luksOpen /dev/sdc1 backupcrypted --key-file /etc/keys/sdc1_key
Check that the encrypted volume is available:
omv-filer:~# ls /dev/mapper/
lrwxrwxrwx 1 root root 7 30 juin 19:36 backupcrypted -> ../dm-0
crw------- 1 root root 10, 59 30 juin 10:23 control
Find the UUID of the encrypted volume:
omv-filer:~# blkid
/dev/sda1: UUID="de2d538e-3929-4f46-abe1-a0cdde3abe35" TYPE="ext4"
/dev/sda5: UUID="94946e4d-11a4-411e-b667-51602afbdab6" TYPE="swap"
/dev/sdb1: LABEL="data" UUID="162efbed-45e3-40cc-87a0-28ba2966a51e" TYPE="ext4"
/dev/sdc1: UUID="ad0bca32-9393-40b4-ae1a-142ed8f374fc" TYPE="crypto_LUKS"
Edit /etc/crypttab and add a line similar to this one (mapped name, LUKS UUID, key file, type):
backupcrypted UUID=ad0bca32-9393-40b4-ae1a-142ed8f374fc /etc/keys/sdc1_key luks
3.5 - format the encrypted volume
Create a filesystem on the encrypted volume:
omv-filer:~# mkfs.ext4 /dev/mapper/backupcrypted
Mount the encrypted volume in the GUI of omv-filer.
Get the UUID of the encrypted volume :
omv-filer:~# blkid
/dev/sda1: UUID="de2d538e-3929-4f46-abe1-a0cdde3abe35" TYPE="ext4"
/dev/sda5: UUID="94946e4d-11a4-411e-b667-51602afbdab6" TYPE="swap"
/dev/sdb1: LABEL="data" UUID="162efbed-45e3-40cc-87a0-28ba2966a51e" TYPE="ext4"
/dev/sdc1: UUID="ad0bca32-9393-40b4-ae1a-142ed8f374fc" TYPE="crypto_LUKS"
/dev/mapper/backupcrypted: UUID="9aa2e503-dc13-4030-973c-f354f7c045f6" TYPE="ext4"
Edit /etc/openmediavault/config.xml and find the <mntent /> section whose <fsname> is the UUID of the filesystem on the encrypted volume. Add the options nofail and _netdev to <opts>, so that the boot does not block while the iSCSI device is still absent:
<mntent>
<uuid>01ad35b5-2680-483d-af92-ae93526e3959</uuid>
<fsname>9aa2e503-dc13-4030-973c-f354f7c045f6</fsname>
<dir>/media/9aa2e503-dc13-4030-973c-f354f7c045f6</dir>
<type>ext4</type>
<opts>defaults,acl,user_xattr,noexec,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0,nofail,_netdev</opts>
<freq>0</freq>
<passno>2</passno>
</mntent>
Open /etc/fstab and add the same options:
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# >>> [openmediavault]
UUID=9aa2e503-dc13-4030-973c-f354f7c045f6 /media/9aa2e503-dc13-4030-973c-f354f7c045f6 ext4 defaults,acl,user_xattr,noexec,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0,nofail,_netdev 0 2
# <<< [openmediavault]
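Two checks worth running before the reboot in section 3.6, added here as an example that is not part of the original post: the first confirms that the fstab entry for the filesystem carries nofail and _netdev, the second that the key file named in /etc/crypttab is readable by its owner only. File names are parameters so the functions can be run against constructed copies; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-reboot sanity checks
# for the encrypted iSCSI volume of sections 3.4 and 3.5. The fstab and
# crypttab formats are the ones shown above; file names are parameters so
# the checks can run against constructed copies.

# Succeed if the fstab line for UUID=$2 in file $1 carries both nofail and
# _netdev; without them the boot blocks while the iSCSI disk is still absent.
fstab_has_netdev_opts() {
    opts=$(awk -v id="UUID=$2" '$1 == id { print $4 }' "$1")
    [ -n "$opts" ] || { echo "no fstab entry for UUID=$2"; return 1; }
    for want in nofail _netdev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "fstab entry for UUID=$2 lacks $want"; return 1 ;;
        esac
    done
    echo "fstab entry for UUID=$2 is safe for a network disk"
    return 0
}

# Succeed if the key file that crypttab $1 names for mapping $2 exists and is
# readable by its owner only (mode 600 or stricter), as set in section 3.4.
crypttab_key_is_private() {
    key=$(awk -v name="$2" '$1 == name { print $3 }' "$1")
    [ -n "$key" ] || { echo "no crypttab entry for $2"; return 1; }
    [ -f "$key" ] || { echo "key file $key is missing"; return 1; }
    mode=$(stat -c %a "$key")   # GNU stat, as on the Debian base of OMV
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "key file $key has mode $mode; expected 600 or stricter"; return 1 ;;
    esac
}

# Constructed sample files (not the lab's real ones) for a quick self-test.
d=$(mktemp -d)
uuid=9aa2e503-dc13-4030-973c-f354f7c045f6
echo "UUID=$uuid /media/$uuid ext4 defaults,nofail,_netdev 0 2" > "$d/fstab.ok"
echo "UUID=$uuid /media/$uuid ext4 defaults,noexec 0 2" > "$d/fstab.bad"
head -c 42 /dev/urandom > "$d/sdc1_key"; chmod 600 "$d/sdc1_key"
echo "backupcrypted UUID=ad0bca32-9393-40b4-ae1a-142ed8f374fc $d/sdc1_key luks" > "$d/crypttab"
fstab_has_netdev_opts "$d/fstab.ok" "$uuid"
fstab_has_netdev_opts "$d/fstab.bad" "$uuid" || echo "(detected as expected)"
crypttab_key_is_private "$d/crypttab" backupcrypted && echo "key file permissions are fine"
```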
3.6 - automount the encrypted volume
Create the file /etc/init.d/cryptdisks-late with the following content:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          cryptdisks-late
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev mdadm-raid lvm2 open-iscsi
# Should-Stop:       udev mdadm-raid lvm2 open-iscsi
# X-Start-Before:
# X-Stop-After:
# X-Interactive:     true
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Setup late encrypted block devices.
# Description:       Open and mount LUKS volumes on iSCSI disks, which are
#                    not yet present when the regular cryptdisks script runs.
### END INIT INFO

# Space separated list of UUIDs (as printed by blkid) of the LUKS volumes on iSCSI disks
iscsiUUIDList="ad0bca32-9393-40b4-ae1a-142ed8f374fc"
# Number of one second waits for a device before giving up
maxTries=3

# Honour CRYPTDISKS_ENABLE from the cryptsetup package defaults, like /etc/init.d/cryptdisks does
[ -r /etc/default/cryptdisks ] && . /etc/default/cryptdisks

# Print the mapped name that /etc/crypttab associates with the UUID in $1
# (works with spaces or tabs as separators and skips comment lines)
crypttab_name () {
    awk -v u="$1" '$1 !~ /^#/ && $2 ~ u { print $1 }' /etc/crypttab
}

do_start () {
    local iscsiUUID stopWaiting tries iscsiUUIDFound cryptedvol
    # try to open all encrypted volumes
    if [ -f /etc/crypttab ] && [ -r /etc/crypttab ]
    then
        for iscsiUUID in $iscsiUUIDList
        do
            echo "checking /dev/disk/by-uuid/$iscsiUUID ..."
            stopWaiting=0
            tries=0
            iscsiUUIDFound=0
            while [ $stopWaiting -eq 0 ]
            do
                tries=`expr $tries + 1`
                if [ -e /dev/disk/by-uuid/$iscsiUUID ]
                then
                    stopWaiting=1
                    iscsiUUIDFound=1
                    echo "device $iscsiUUID found"
                elif [ $tries -gt $maxTries ]
                then
                    stopWaiting=1
                    echo "device $iscsiUUID not found after $maxTries tries; giving up"
                else
                    echo "Tried $tries out of $maxTries waiting a second..."
                    sleep 1s
                fi
            done
            if [ $iscsiUUIDFound -eq 1 ]
            then
                echo "finding in /etc/crypttab the mapped device name for $iscsiUUID"
                cryptedvol=$(crypttab_name $iscsiUUID)
                if [ -z "$cryptedvol" ]
                then
                    echo "no /etc/crypttab entry for $iscsiUUID"
                    continue
                fi
                # try to open the volume found in /etc/crypttab
                echo "trying to open $cryptedvol"
                if cryptdisks_start $cryptedvol
                then
                    # try to mount once, if it exists in /etc/fstab
                    echo "trying to mount the crypted volume $cryptedvol"
                    mount /dev/mapper/$cryptedvol || echo "Could not mount $cryptedvol"
                else
                    echo "Could not open encrypted volume with cryptdisks_start"
                fi
            fi
        done
    fi
}

do_stop () {
    local iscsiUUID stopWaiting tries iscsiUUIDFound cryptedvol
    # try to unmount and close all encrypted volumes
    if [ -f /etc/crypttab ] && [ -r /etc/crypttab ]
    then
        for iscsiUUID in $iscsiUUIDList
        do
            echo "checking /dev/disk/by-uuid/$iscsiUUID ..."
            stopWaiting=0
            tries=0
            iscsiUUIDFound=0
            while [ $stopWaiting -eq 0 ]
            do
                tries=`expr $tries + 1`
                if [ -e /dev/disk/by-uuid/$iscsiUUID ]
                then
                    stopWaiting=1
                    iscsiUUIDFound=1
                    echo "device $iscsiUUID found"
                elif [ $tries -gt $maxTries ]
                then
                    # bounded like do_start; otherwise the shutdown hangs forever when the iSCSI disk is gone
                    stopWaiting=1
                    echo "device $iscsiUUID not found after $maxTries tries; giving up"
                else
                    echo "Tried $tries out of $maxTries waiting a second..."
                    sleep 1s
                fi
            done
            if [ $iscsiUUIDFound -eq 1 ]
            then
                echo "finding in /etc/crypttab the mapped device name for $iscsiUUID"
                cryptedvol=$(crypttab_name $iscsiUUID)
                [ -n "$cryptedvol" ] || continue
                # try to unmount the volume found in /etc/crypttab
                echo "trying to unmount the crypted volume $cryptedvol"
                if umount /dev/mapper/$cryptedvol
                then
                    # try to close the crypted volume
                    echo "trying to close the crypted volume $cryptedvol"
                    cryptdisks_stop $cryptedvol || echo "Could not close $cryptedvol"
                else
                    echo "Could not unmount encrypted volume with umount"
                fi
            fi
        done
    fi
}

case "$CRYPTDISKS_ENABLE" in
    [Nn]*)
        exit 0
        ;;
esac

case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    restart|reload|force-reload)
        do_stop
        do_start
        ;;
    force-start)
        FORCE_START="yes"
        do_start
        ;;
    *)
        echo "Usage: cryptdisks-late {start|stop|restart|reload|force-reload|force-start}"
        exit 1
        ;;
esac
The variable iscsiUUIDList is a space-separated list of the UUIDs of the iSCSI volumes encrypted with LUKS. The script tries several times to find each iSCSI volume and, if it is found, opens it with cryptsetup; finally the encrypted volume is mounted with mount. cryptsetup uses /etc/crypttab and mount uses /etc/fstab.
Set iscsiUUIDList to the UUIDs of the iSCSI volumes as blkid shows them after a session has been opened on the iSCSI targets.
Make the script executable and set it up as a service:
omv-filer:~# chmod +x /etc/init.d/cryptdisks-late
omv-filer:~# update-rc.d cryptdisks-late defaults
Restart the system to check that the encrypted volumes are mounted automatically.
Use the backup solution of your choice to back up the local volumes onto the remote encrypted volume.