Re: [rdiff-backup-users] Post-setup questions

[Maarten Bezemer]

On Sun, 14 Aug 2011, Grant wrote:

> That sounds like a great idea.  I'll set up openvpn and switch from
> pushing to pulling.  BTW, is the read-only restriction on the public
> SSH keys the only advantage of pulling vs. pushing?  Are there any
> drawbacks?  In a pull arrangement, if the private keys on the backup
> server are stolen, the thief would have root read-access on each
> system?

If someone steals the private keys on the backup server, they already have 
access to all your files. Although I admit there is a subtle difference 
between 'all your base are belong to us' and actually using those keys to 
plant malware on your laptop, but you will be screwed either way.
That's the reason why I keep my backup server unreachable from the outside 
world.. not running any services on public IP address.


> Would it be safe to reserve zero space for root on the USB hard drive?
> Maybe that reserved space is only necessary on a disk containing an
> OS?

0% would be 'safe', if rdiff-backup would be the only process writing to 
the USB drive. Reserved space is primarily meant for OS disks such that 
root still has the ability to login and move stuff around when non-root 
users/processes made a mess and filled the entire disk.

However, it is still good to reserve some 2 or 3 % of your 1TB drive. Or 
even go with the default which is usually 5%. If you are running out of 
space and need to regress a failed backup due to "no disk space", you can 
use tune2fs or other filesystem's relatives to create some more room to do 
a proper cleanup.
(Reserved space is live-tunable on most file systems. If it is not, you 
could set it to 0% and simply create a large "placeholder" file, and 
deleting the placeholder file in case you need more space to regress.)



> Would you use rsync or would you have the remote system described
> above act as a second rdiff-backup server and run the entire backup
> process a second time?

Using rdiff-backup to copy an rdiff-backup repository wouldn't be a good 
idea. Using rdiff-backup against the original system (your laptop, etc) 
might also not be what you want. So, I think using rsync to keep a copy of 
the rdiff-backup tree would be the best way to go.


As for you other email:
> You're saying openvpn with UDP would be best, then SSH -R, then 
> openvpn with TCP?

Yes. With openvpn/udp I usually get the most reliable and fast results. 
Using ssh with a -R tunnel or using openvpn/tcp shouldn't be much of a 
difference wrt performance, but ssh is usually considered to be easier to 
setup.
Especially because you only need 1 connection to be tunneled, and you 
don't need the advanced networking and routing stuff.
But, in the end, it's your call... it's all free software ;-)


--
Maarten