My configuration files for the btrbk backup tool. This configuration utilizes Btrfs to take hourly snapshots and incremental backups of specific subvolumes.
This repository contains the btrbk configuration files for my various systems. Devices that take snapshots of subvolumes, dubbed target devices, do so hourly via their configurations. Backups are handled from an isolated, remote system via a pull strategy over an SSH connection. The setup and configuration vary according to whether the device is a remote backup device or a system taking local snapshots of the important data. The instructions here describe how to configure everything to get this working for both the target and backup roles. It’s recommended that the backup systems be configured first, as this will produce the SSH public keys required to configure the target systems.
-
Install btrbk.
sudo rpm-ostree install btrbk
-
Reboot.
sudo systemctl reboot
-
Create the necessary subvolumes and directories.
- Backup
-
-
Create the target directories where the backups will reside.
sudo mkdir --parents /run/media/system/jwillikers_Backup_02/{meerkat,rockpro64}.jwillikers.io
-
- Target
-
-
Configure any Btrfs filesystems as necessary. The argument following the
volumes
directive denotes root of the particular Btrfs filesystem. In many cases, this might just be/
if the root filesystem is Btrfs. My configurations for target devices have the home directory on its own disk and therefore its own Btrfs filesystem, which results involume /var/home
. Get this part sorted out first by orchestrating the underlying disks, partitions, and filesystems as they should be. -
Ensure that any subvolumes mentioned in the configuration file exist. Either create new subvolumes or migrate any existing directories to be subvolumes. The following command creates the subvolume
/var/home/core/container-volumes
.sudo btrfs subvolume create /var/home/core/container-volumes
-
Correct ownership of the subvolume as needed.
sudo chown --recursive core:core /var/home/core/container-volumes
-
Create the necessary
.snapshots
subvolumes where the snapshots will be stored. Each volume in the configuration must contain its own.snapshots
subvolume owned by the root user. For instance, when backing up a subvolume that is under the volume/run/media/system/JWillikers_Data
create the/run/media/system/JWillikers_Data/.snapshots
subvolume.sudo btrfs subvolume create /run/media/system/JWillikers_Data/.snapshots
-
-
Configure SSH.
- Backup
-
-
Create a directory for storing the SSH key that will be used to access the target machine for creating backups.
sudo mkdir --parents /etc/backup/ssh
-
Generate the backup SSH key.
sudo ssh-keygen -t rsa -b 4096 -f /etc/backup/ssh/id_rsa -C $USER@(hostname) -N ""
-
Note the public key just created. This key will be placed in the
authorized_keys
file of thebackup
user.sudo cat /etc/backup/ssh/id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDU9d2LjH01...3dmTrNfJavtZ7Q62GqxnL0D6cjNNrxew== [email protected]
-
Add the host keys of the target machine to the user’s
known_hosts
file on the machine carrying out the backups.sudo --user root ssh -i /etc/backup/ssh/id_rsa rockpro64.jwillikers.io
-
- Target
-
-
Create a dedicated
backup
group for thebackup
user.sudo groupadd --gid 801 --system backup
-
Create a dedicated
backup
user account to allow Btrbk to login.sudo useradd \ --btrfs-subvolume-home \ --comment "Account used for remote backups." \ --create-home \ --gid backup \ --shell /usr/bin/bash \ --system \ --uid 801 \ backup
-
Create a new sudoers policy file for the
backup
user.sudoedit /etc/sudoers.d/99-backup
-
Allow the backup user to run the necessary commands as root to manipulate Btrfs snapshots.
/etc/sudoers.d/99-backupCmnd_Alias BTRBK_BACKUP = /usr/sbin/btrfs, /usr/bin/readlink backup rockpro64.jwillikers.io=NOPASSWD:BTRBK_BACKUP
ℹ️Ensure that
btrfs
is at the correct location, i.e./usr/sbin/btrfs
, if using a different installation method. -
Create the
backup
user’s SSH directory.sudo --user backup mkdir --parents /home/backup/.ssh
-
Configure Btrbk’s SSH command filter so that only the relevant Btrfs commands can be executed from the backup machine. Replace the sample key used here with the public SSH key generated on the backup machine.
/home/backup/.ssh/authorized_keyscommand="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh --sudo --source --target --delete --info --send --receive --restrict-path /run/media/system/JWillikers_Data" ssh-rsa AAAAB3NzaC1...hwumXFRQBL [email protected]
This uses the
--restrict-path
option to restrict commands to operating only on paths at or below/btrfs_pool
. Be sure to configure this appropriately so that access is only allowed for the necessary volumes in the system’s configuration. -
Make sure that the
backup
user’s.ssh
directory and included files have the correct ownership.sudo chown --recursive backup:backup /home/backup/.ssh
-
-
Make a
~/Projects
directory in which to clone the repository.mkdir --parents ~/Projects
-
Clone this repository.
git -C ~/Projects clone [email protected]:jwillikers/btrbk-config.git
-
Change to the repository directory.
cd btrbk-config
-
Copy the relevant config file to the
/etc/btrbk/
directory asbtrbk.conf
.sudo cp btrbk.rockpro64.conf /etc/btrbk/btrbk.conf
-
Edit the
btrbk.timer
systemd unit to fire as often as you want.sudo systemctl edit btrbk.timer
I switch my timer to run hourly instead of daily using the configuration below.
/etc/systemd/system/btrbk.timer.d/override.conf[Unit] Description=btrbk hourly backup [Timer] OnCalendar=hourly
-
Enable and start the systemd timer.
sudo systemctl enable --now btrbk.timer
-
Start a tmux session in case the first sync takes a while to complete.
tmux
-
Manually run the
btrbk.service
service.sudo systemctl start btrbk.service
Please refer to the project’s Code of Conduct.