Differenze tra le versioni di "Server/horror/Technical documentation"
Jump to navigation
Jump to search
m (horror) |
(more info) |
||
| Riga 1: | Riga 1: | ||
{{Server|horror}} | {{Server|horror}} | ||
| − | + | This page is the public technical documentation for the server {{Server link|horror}}, dedicated to ''off-site'' backups, useful for a [[#Disaster recovery]]. | |
| − | == | + | == Authorization == |
| − | Server administrators | + | Server administrators must be authorized before being able to do a [[#Server login]] in the {{Server link|horror}} backup server. To be authorized: |
| − | ; You need: | + | ; You need: |
| + | |||
| + | # a good reason | ||
| + | #: for example [[#Add a project under the backup umbrella]] | ||
| + | #: for example [[#Disaster recovery]]) | ||
| + | # Unix-like sysadmin experience | ||
; Instructions | ; Instructions | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Request access policy: | Request access policy: | ||
| Riga 20: | Riga 19: | ||
* https://wiki.wikimedia.it/wiki/Infrastruttura | * https://wiki.wikimedia.it/wiki/Infrastruttura | ||
| − | == | + | == Server login == |
| − | + | Access to the backup server is exclusively via SSH login. There are <u>no</u> other forms of access, since SSH is the most secure method possible. To do it: | |
| + | |||
| + | ; You need | ||
| − | + | # [[#Authorization]] | |
| + | # SSH experience | ||
; Instructions | ; Instructions | ||
| − | All recent backups are here: | + | Just login via SSH using the username we assigned to you in your [[#Authorization]] process: |
| + | |||
| + | ssh ''name-surname''@horror.wikimedia.it | ||
| + | |||
| + | If it doesn't work, stop <u>immediately</u> and repeat [[#Authorization]]. | ||
| + | |||
| + | Do not try random attempts or you can be blocked, notified, fired or even sued. | ||
| + | |||
| + | == Filesystem overview == | ||
| + | |||
| + | You can explore the filesystem only after [[#Server login]]. All recent backups are here: | ||
/var/backups/wmi | /var/backups/wmi | ||
| Riga 45: | Riga 57: | ||
/var/backups/wmi.3/lessema.wikimedia.it | /var/backups/wmi.3/lessema.wikimedia.it | ||
| − | So to get | + | So to get the most recent backup of your project just do something like this: |
| + | |||
| + | rsync ''lessema''@horror.wikimedia.it:/var/backups/wmi/''lessema.wikimedia.it'' ./my-destination/ | ||
| + | |||
| + | Or to download the 3-days-old backup do something like this: | ||
| − | rsync lessema@horror.wikimedia.it:/var/backups/wmi/lessema.wikimedia.it . | + | rsync ''lessema''@horror.wikimedia.it:/var/backups/wmi.3/''lessema.wikimedia.it'' ./my-destination/ |
| − | + | Etc. | |
== Filesystem policies == | == Filesystem policies == | ||
| − | Here is a summary of the main filesystem pathnames | + | The filesystem rule is the standard one in Unix-like systems: give as <u>few</u> privileges as possible. |
| + | |||
| + | Here is a summary of the main filesystem pathnames: | ||
{| class="wikitable" | {| class="wikitable" | ||
| Riga 61: | Riga 79: | ||
! Description | ! Description | ||
|- | |- | ||
| − | | /var/backups/wmi | + | | /var/backups/wmi*/ |
| root:root | | root:root | ||
| 755 | | 755 | ||
| Everyone should be allowed to list its sub-directories to list the available latest backups. | | Everyone should be allowed to list its sub-directories to list the available latest backups. | ||
| − | + | Note: You may be allowed to list sub-directories but you must be not allowed to access them as default. | |
|- | |- | ||
| − | | /var/backups/wmi | + | | /var/backups/wmi*/''project'' |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| ''project'':''project'' | | ''project'':''project'' | ||
| 750 | | 750 | ||
| The user ''project'' must be the only one allowed to access in its sub-directory. | | The user ''project'' must be the only one allowed to access in its sub-directory. | ||
|} | |} | ||
| + | |||
| + | Note: the location <code>/var/backups/wmi</code> is automatically rotated in <code>/var/backups/wmi.1</code> etc. and the oldest is automatically deleted. Permissions are just kept. | ||
== Add a project under the backup umbrella == | == Add a project under the backup umbrella == | ||
| Riga 85: | Riga 98: | ||
; You need | ; You need | ||
| − | + | # a good understanding about what data need to be saved | |
| − | + | # a good understanding about how to transfer that data (e.g. ''rsync + SSH'') | |
| − | + | # [[#Server login]] | |
| − | |||
| − | |||
; Instructions | ; Instructions | ||
| Riga 107: | Riga 118: | ||
</pre> | </pre> | ||
| − | The final purpose is to execute this command daily <u>from you server ''foo''</u>: | + | The final purpose is to execute this command daily <u>from you server ''foo''</u> to <u>push</u> your backups on server horror: |
rsync /my/important/pathname foo@horror.wikimedia.it:/var/backups/wmi/foo.wikimedia.it | rsync /my/important/pathname foo@horror.wikimedia.it:/var/backups/wmi/foo.wikimedia.it | ||
| − | + | You can also execute a daily command <u>from server ''horror''</u> to <u>pull</u> your backups from server ''foo''. It's up to you. | |
| + | |||
| + | === Available backup tools === | ||
| + | |||
| + | * rsync | ||
| + | * rclone | ||
| + | * mysqldump | ||
| + | * https://gitpull.it/source/micro-backup-script/ (just a stupid script that encapsulates those above) | ||
| + | * ... | ||
| + | |||
| + | == Disaster recovery == | ||
| − | + | ; You need | |
| − | + | # a good understanding of what data is to be recovered and from what date | |
| + | # check if the provider has native backup/snapshots (if yes, try to use them - they may be more simple to be recovered) | ||
| + | # check if there are on-site backups (if yes, try to use them - they may be more up to date) | ||
| + | # [[#Server login]] | ||
| − | + | ; Instructions | |
| − | + | ||
| + | # please create a public Task in [[phabricator:tag/wmit-infrastructure/]] to describe the incident shortly, and notify [[Infrastruttura]] | ||
| + | # using [[#Server login]], verify the interested backup location and the required privileges | ||
| + | #: Example: | ||
| + | #:: <code>ls -l /var/backups/wmi</code> | ||
| + | # set a strong password to that user | ||
| + | #: Example: | ||
| + | #:: <code>passwd ''interested-user''</code> | ||
| + | # from your already-existing device, download the needed data | ||
| + | #: Example: | ||
| + | #:: <code>rsync ''interested-user''@horror.wikimedia.it:/var/backups/wmi/''interested-project'' ./my-destination/ | ||
| + | # when you have concluded, disable the password to that user | ||
| + | #: Example: | ||
| + | #: <code>passwd --delete ''interested-user''</code> | ||
[[Categoria:Documentazione tecnica|horror]] | [[Categoria:Documentazione tecnica|horror]] | ||
Versione delle 10:34, 15 mar 2022
_(4).jpg)
Pagina legata al server
⚙️ horrorThis page is the public technical documentation for the server ⚙️ horror, dedicated to off-site backups, useful for a #Disaster recovery.
Authorization
Server administrators must be authorized before being able to do a #Server login in the ⚙️ horror backup server. To be authorized:
- You need
- a good reason
- for example #Add a project under the backup umbrella
- for example #Disaster recovery)
- Unix-like sysadmin experience
- Instructions
Request access policy:
Server login
Access to the backup server is exclusively via SSH login. There are no other forms of access, since SSH is the most secure method possible. To do it:
- You need
- #Authorization
- SSH experience
- Instructions
Just login via SSH using the username we assigned to you in your #Authorization process:
ssh name-surname@horror.wikimedia.it
If it doesn't work, stop immediately and repeat #Authorization.
Do not try random attempts or you can be blocked, notified, fired or even sued.
Filesystem overview
You can explore the filesystem only after #Server login. All recent backups are here:
/var/backups/wmi
Older copies can be obtained adding a numeric suffix. For example the 2-days-old backups are here:
/var/backups/wmi.2
Note that all sub-directories can be accessed only if you are its dedicated user.
For example all of these are owned by the user lessema:
/var/backups/wmi/lessema.wikimedia.it /var/backups/wmi.1/lessema.wikimedia.it /var/backups/wmi.2/lessema.wikimedia.it /var/backups/wmi.3/lessema.wikimedia.it
So to get the most recent backup of your project just do something like this:
rsync lessema@horror.wikimedia.it:/var/backups/wmi/lessema.wikimedia.it ./my-destination/
Or to download the 3-days-old backup do something like this:
rsync lessema@horror.wikimedia.it:/var/backups/wmi.3/lessema.wikimedia.it ./my-destination/
Etc.
Filesystem policies
The filesystem rule is the standard one in Unix-like systems: give as few privileges as possible.
Here is a summary of the main filesystem pathnames:
| Path | owner:group | Permissions | Description |
|---|---|---|---|
| /var/backups/wmi*/ | root:root | 755 | Everyone should be allowed to list its sub-directories to list the available latest backups.
Note: You may be allowed to list sub-directories but you must be not allowed to access them as default. |
| /var/backups/wmi*/project | project:project | 750 | The user project must be the only one allowed to access in its sub-directory. |
Note: the location /var/backups/wmi is automatically rotated in /var/backups/wmi.1 etc. and the oldest is automatically deleted. Permissions are just kept.
Add a project under the backup umbrella
- You need
- a good understanding about what data need to be saved
- a good understanding about how to transfer that data (e.g. rsync + SSH)
- #Server login
- Instructions
In short you just need to create a directory on server ⚙️ horror and a dedicated user able to read/write in that directory. Then, you can push backups on that directory.
Some pseudo-instructions to be executed from server ⚙️ horror to create a new project foo to be added under its backup umbrella:
USERNAME=foo PROJECT=foo.wikimedia.it sudo adduser --disabled-password $USERNAME sudo mkdir --parents /var/backups/wmi/"$PROJECT" sudo chown $USERNAME:$USERNAME /var/backups/wmi/"$PROJECT"
The final purpose is to execute this command daily from you server foo to push your backups on server horror:
rsync /my/important/pathname foo@horror.wikimedia.it:/var/backups/wmi/foo.wikimedia.it
You can also execute a daily command from server horror to pull your backups from server foo. It's up to you.
Available backup tools
- rsync
- rclone
- mysqldump
- https://gitpull.it/source/micro-backup-script/ (just a stupid script that encapsulates those above)
- ...
Disaster recovery
- You need
- a good understanding of what data is to be recovered and from what date
- check if the provider has native backup/snapshots (if yes, try to use them - they may be more simple to be recovered)
- check if there are on-site backups (if yes, try to use them - they may be more up to date)
- #Server login
- Instructions
- please create a public Task in phabricator:tag/wmit-infrastructure/ to describe the incident shortly, and notify Infrastruttura
- using #Server login, verify the interested backup location and the required privileges
- Example:
ls -l /var/backups/wmi
- Example:
- set a strong password to that user
- Example:
passwd interested-user
- Example:
- from your already-existing device, download the needed data
- Example:
rsync interested-user@horror.wikimedia.it:/var/backups/wmi/interested-project ./my-destination/
- Example:
- when you have concluded, disable the password to that user
- Example:
passwd --delete interested-user