Full encrypted Backup server to (r)sync with the primary server

I promised to write more about my project, and here I am. First I needed to set up the primary server; you can read how in this article: Setup FreeBSD Server with full HDD encryption. Then I had to add a second power supply, as described in the article: Use a Compaq 200 Watt Power Supply (PSU) as a second power source to power 9 hard disks in my system (5x IDE and 4x Sata).

Now I am finally ready to set up my beast!

Note: The following sequence will destroy all the files on your hard disk. Take extreme care with anything that might destroy data. You have been warned!!

1. Connect all the harddrives and a CD-ROM drive

Connect all the hard drives and a CD-ROM drive to your system, start the system and boot from the FreeBSD 8.1 DVD.

2. Choose standard

Choose a standard installation, and then choose User from the menu.

3. Configure your Boot Harddisk

Configure your BOOT hard drive; its name is usually ad0. Make a slice of 12 GB. If your boot hard disk is over 40 GB you can use a higher value, but don't use all the space in one slice.

4. Quit and make the mount points

Choose {Q}uit and choose OK to make the mount points. An example:

ad0s1a - / - 2000MB - UFS2 - Y
ad0s1b - swap - 1000MB - SWAP -
ad0s1d - /var - 2000MB - UFS2+S - Y
ad0s1e - /tmp - 1000MB - UFS2+S - Y
ad0s1f - /usr - Rest - UFS2+S - Y

If you have a bigger HDD, use the following:

ad0s1a - / - 5000MB - UFS2 - Y
ad0s1b - swap - 2000MB - SWAP -
ad0s1d - /var - 5000MB - UFS2+S - Y
ad0s1e - /tmp - 1000MB - UFS2+S - Y
ad0s1f - /usr - Rest - UFS2+S - Y

5. Choose BootMgr

Choose {Q}uit and choose Boot Manager (anything else gave me errors).

Choose {OK}

6. Ports Collection

Say yes if FreeBSD asks to install the ports collection, and choose to install from the CD/DVD you inserted in your CD-ROM drive.

[Picture: my monster of Loch Ness with 5x IDE and 4x SATA HDDs]

7. Sure to write partitions?

FreeBSD will ask if you are sure you want to write all the configured file systems. Answer {Yes}!

Please wait until the installation is finished!

8. Congratulations! You now have FreeBSD

Congratulations! You now have FreeBSD installed on your system, choose {OK}

9. Configure Ethernet...

Configure Ethernet or SLIP/PPP network devices? Answer: {Yes}

On my machine I use a separate network card; onboard network devices always seem to give me headaches. I choose fxp1.

10. A Few Network questions

IPv6 -> Answer: No
DHCP -> Answer: No.

Separate screen to enter the LAN credentials.

Host: BSD02
Domain: wayward.nl
IPv4 Gateway: 10.30.0.100 (my router address)
Name Server: 10.30.0.100 (my router address; if you have a domain controller that provides DNS you can enter it here)
IPv4 Address: 10.30.0.3

Would you like to bring the fxp1 interface up right now?: {Yes}

Function as a network gateway?: {No}
Configure inetd and the network services that it provides? {No}

Would you like to enable SSH login? {Yes}

Do you want to have anonymous FTP access to this machine? {No}

Configure NFS Server {No}

This machine NFS client {No}

Customize your system console settings? {No}

Time Zone: {Yes}
Select local or UTC... {No}
Time Zone Selector: {8} Europe
Countries in Europe: {34} Netherlands
CEST look reasonable? {Yes}

PS/2, serial or bus Mouse? {No} (FreeBSD picks it up along the way)

FreeBSD package collection, Browse the collection now? {No}

Additional accounts to the system? {No} (A user created in the install routine does not get a home directory, which can be a pain.)

Set Root Password: {Ok}

Enter a password twice, and keep this password different from the one you are going to use for the encrypted part.

Chance to Set any last options? {No}

Exit the installation.

Remove the media: {Ok}

System will reboot.

11. Create an encrypted part on the boot HDD

Type:
sysinstall

Choose: Configure --> Fdisk

In my case the boot HDD is ad0, so I choose ad0 (place an X and then {OK}).

If you are asked about the geometry, I choose {Yes}.

In Fdisk, press {C} and use up the rest of the HDD, press {W},
Choose BootMgr and then press {Q} to leave.

There is an {X} in front of ad0, choose {OK}

Press {X}, and {Exit Install}  to Exit sysinstall.

12. Shutdown the Backup server

My backup server has a problem with the RocketRaid card: the computer always starts up again, even when I tell it to power down. Instead I use the following command:
shutdown -h NOW

When the system is halted, I pull out the power cord and then switch off the secondary power supply.


Preparing temporary HDD

13. Start from the secondary HDD

In the BIOS of my primary server I could select which IDE drive the system starts from; unfortunately the Compaq has no such option. So we need to disconnect the primary HDD and connect a hard disk configured as slave on the IDE controller. Start the system and insert the FreeBSD DVD in the CD-ROM drive.

14. Secondary Installation Steps

Start the system from the CDrom and choose:
Standard installation.

A program to partition your hard disk will be started; select {OK}.

15. Create a slice

You will be asked which hard disk you wish to work on; in my case the HDD is called ad1, so I choose {ad1}.

Delete any existing Slices with the {D} key.

Create a New Slice and use the full HDD.

Press {Q} to leave this program.

16. Choose Boot Manager

Since the Compaq BIOS has no option for selecting the hard drive we need the boot manager, so I choose {BootMgr}.

17. Make partitions

An {X} is still in front of ad1, select {OK}

Some instructions will be given, select {OK}

Choose {A} and the partitions will be filled in. For the temporary HDD a well-proportioned layout is not very important, since you are going to use it only once.

Press {Q} to leave.

18. Choose the installation

Choose: {User} Binaries and doc only.

You will be asked in which language you want documentation. Choose the correct one and then {OK}

Install the ports collection? {No}

Choose {OK}

Install from FreeBSD CD/DVD.

A warning appears that everything will be overwritten; choose {Yes}.

The installation is started, please wait....

19. Answer some questions

Configure Ethernet or SLIP/PPP network devices? {NO}

Function as a network gateway? {NO}

Configure inetd and the network services that it provides? {NO}

Would you like to enable SSH login? {YES}

Do you want anonymous FTP access? {NO}

NFS Server? {NO}

NFS Client {NO}

Customize your system console settings? {NO}

Time Zone? {YES}

CMOS clock set to UTC… {NO}, choose: 8. Europe, Netherlands

CET reasonable? {YES}

PS/2, serial or BUS mouse? {NO}

FreeBSD package collection? {NO}

Additional accounts to the system? {YES} --> Add a user, then use {X} Exit.

20. Enter the root password

Keep this password different from the encrypted part of the HDD.

Visit the general configuration menu for a chance to set any last options? {NO}

{X} Exit Install

Are you sure? {Yes}

Be sure to remove the media from the drive {OK}

21. Turn off system when the BIOS screen is visible

Turn off the system when the BIOS screen is visible.


Creating the encrypted part of the HDD

22. Connect both hard disk drives to the system

Connect both hard disk drives to the primary IDE cable, so that there is a master drive (the one you are going to use in the future) and a slave drive (the temporary HDD) on the primary IDE cable.

23. Choose F5 (Other drive)

At boot-up you will be presented with the choice of which HDD to boot from:
F1 Start FreeBSD
F5 Drive 1

Choose F5 to switch from the primary HDD to the secondary HDD (on the primary IDE cable), then choose F1 to actually boot (or wait a few seconds).

24. Check the available devices

Login as root

Go to the devices directory:
cd /dev

and get the directory listing on your screen:
ls

Look for a drive with s2 at the end.  On my machine, the drive is called: ad0s2.

25. Create Encrypted Part of HDD

To encrypt the second slice of the boot hard drive, type (-b marks the provider for decryption at boot, -s 4096 sets the sector size and -l 256 the key length):
geli init -b -s 4096 -l 256 /dev/ad0s2

You will be asked to enter a passphrase, enter this twice.

Note: My passphrase is the same as on the head server and has 7 words in it; make it hard for others to crack and easy for you to remember. Be sure to use both uppercase and lowercase characters.

26. Attach encrypted Slice

Type:
geli attach /dev/ad0s2

This message will appear:
GEOM_ELI: Device ad0s2.eli created
GEOM_ELI: Encryption: AES-CBC 256
GEOM_ELI:      Crypto: software

27. Create Partitions on the encrypted drive

To make the necessary partitions (labels) on the encrypted part we use bsdlabel:

bsdlabel -w /dev/ad0s2.eli
bsdlabel -e /dev/ad0s2.eli

After the last line you will be presented with an editor; make the label look like this:
# /dev/ad0s2.eli:
8 partitions:
#   size       offset   fstype     [fsize  bsize   bps/cpg]
a:  125000          0   4.2BSD     0       0
b:  118164     125000   swap       0       0
c:  1418759         0   unused     0       0       # don't edit
d:  309082     243164   4.2BSD     0       0
e:  125000     552246   4.2BSD     0       0
f:  *          677246   4.2BSD     0       0


In the editor: i = insert, ESC = end insert, x = remove a character.
Do not change the letter c!

I use this setup, because my HDD is 100 GB:
# /dev/ad0s2.eli:
8 partitions:
#     size       offset     fstype   [fsize  bsize    bps/cpg]
a:    500000          0     4.2BSD     0        0
b:    472656     500000       swap     0        0
c:    ??????          0     unused     0        0    # don't edit
d:    618164     972656     4.2BSD     0        0
e:    250000    1590820     4.2BSD     0        0
f:         *    1840820     4.2BSD     0        0

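Before saving a label like the ones above, it is worth checking that the offsets actually line up; a wrong offset is written to the .eli provider silently. The following shell function is an added example of mine, not from the original article: it reads a bsdlabel in the editor's format and verifies that the partitions are contiguous, do not overlap and fit inside c. The sample label is the 1418759-sector one from step 27, embedded as constructed input.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check a bsdlabel(8)
# layout before it is written. Sizes and offsets are in sectors of the
# provider (4096 bytes here, because of "geli init -s 4096").

# Constructed sample input: the label from step 27 above.
SAMPLE_LABEL='# /dev/ad0s2.eli:
8 partitions:
#   size       offset   fstype     [fsize  bsize   bps/cpg]
a:  125000          0   4.2BSD     0       0
b:  118164     125000   swap       0       0
c:  1418759         0   unused     0       0       # dont edit
d:  309082     243164   4.2BSD     0       0
e:  125000     552246   4.2BSD     0       0
f:  *          677246   4.2BSD     0       0'

# The same label with d moved 1000 sectors too early, so it overlaps b.
BROKEN_LABEL=$(printf '%s\n' "$SAMPLE_LABEL" | sed 's/243164/242164/')

# check_label: reads a label on stdin. Prints one line per partition with its
# resolved size (the "*" of the last partition is filled in from c), then
# "OK" or "ERROR: ..." lines. Returns 0 only when no error was found.
check_label() {
    awk '
    /^[a-h]:/ {
        sub(":", "", $1)
        size[$1] = $2; off[$1] = $3; order[++n] = $1
    }
    END {
        if (!("c" in size)) { print "ERROR: no c partition"; exit 1 }
        total = size["c"] + 0
        expect = 0; errors = 0
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (p == "c") continue              # c covers the whole provider
            if (size[p] == "*") size[p] = total - off[p]
            if (off[p] + 0 != expect) {
                printf("ERROR: %s starts at %d, expected %d\n", p, off[p], expect)
                errors++
            }
            if (off[p] + size[p] > total) {
                printf("ERROR: %s ends past c (%d > %d)\n", p, off[p] + size[p], total)
                errors++
            }
            printf("%s: %d sectors at %d\n", p, size[p], off[p])
            expect = off[p] + size[p]
        }
        if (expect < total) printf("WARNING: %d sectors unused at the end\n", total - expect)
        if (errors) exit 1
        print "OK"
    }'
}

echo "== label from step 27 =="
printf '%s\n' "$SAMPLE_LABEL" | check_label
echo "== same label with d overlapping b =="
printf '%s\n' "$BROKEN_LABEL" | check_label || echo "rejected"
```

The same check works for the 100 GB label once the ?????? of c is replaced by the real sector count of the .eli provider.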

28. Save the labels

Press once on {ESC}, then type :w {ENTER}, and leave :q {ENTER}

29. Check if the new (encrypted) devices are created

cd /dev
ls

Are there any .eli devices? If Yes, Go ON!

30. Format the encrypted partitions/labels

newfs -i 1024 /dev/ad0s2.elia

Note: The -i parameter (bytes per inode) makes it possible to write a lot of small files on this partition.
We don't need to format the swap partition, so we go on to:
newfs /dev/ad0s2.elid
newfs /dev/ad0s2.elie

Since this label will be mounted as /usr, it is important to be able to write a lot of small files:
newfs -i 1024 /dev/ad0s2.elif

31. Create the directory for the root mount point

mkdir /fixed

Then mount it:
mount /dev/ad0s2.elia /fixed

32. Create the other directories needed by the FreeBSD OS

mkdir /fixed/var
mkdir /fixed/tmp
mkdir /fixed/usr

33. Mount the encrypted slices

mount /dev/ad0s2.elid /fixed/var
mount /dev/ad0s2.elie /fixed/tmp
mount /dev/ad0s2.elif /fixed/usr

34. Copy the FreeBSD OS to the encrypted part of the drive

Prepare the destination location (the encrypted part):
/bin/sh
export DESTDIR=/fixed/
/bin/csh

Mount the CD-ROM drive:
mount /cdrom

Change to the correct directory and run the installer:
cd /cdrom/8.1-RELEASE/base
./install.sh

You are asked: "You are about to extract the base distribution into /fixed/ - are you SURE you want to do this over your installed system (y/n)?" If /fixed/ is mentioned, press {y}.

35. Install the kernel

cd /cdrom/8.1-RELEASE/kernels
./install.sh GENERIC

36. Install the help pages

cd /cdrom/8.1-RELEASE/manpages
./install.sh
cd /cdrom/8.1-RELEASE/catpages
./install.sh

37. Copy the boot directory to the future boot drive

First we need to mount the future boot drive:
mount /dev/ad0s1 /mnt

Copy the boot directory to the boot drive:
cp -Rpv /fixed/boot /mnt

38. Speed up the boot process

To speed up the boot process we compress a few files:
cd /mnt/boot/kernel
gzip kernel geom_eli.ko acpi.ko

39. Make FreeBSD startup from the encrypted part

To let FreeBSD boot from the unencrypted part of the HDD and continue the startup from the encrypted part, we change the fstab file:
vi /mnt/etc/fstab

Make the fstab file look like this:
# Device		Mountpoint	Fstype		Options	Dump	Pass#
/dev/ad0s2.elib		none		swap		sw		0	0
/dev/ad0s2.elia		/		ufs		rw		1	1
/dev/ad0s2.elie		/tmp		ufs		rw		2	2
/dev/ad0s2.elif		/usr		ufs		rw		2	2
/dev/ad0s2.elid		/var		ufs		rw		2	2
/dev/acd0			/cdrom		cd9660	ro,noauto	0	0

Save the file and exit.

40. Create the necessary directories


If you have a floppy drive:
mkdir /fdd
mkdir /mnt/fdd
mkdir /fixed/fdd

For the CD-ROM drive:
mkdir /cdrom
mkdir /mnt/cdrom
mkdir /fixed/cdrom

41. Copy fstab to encrypted part

We also need to copy the fstab file from the unencrypted part to the encrypted part:
cp /mnt/etc/fstab /fixed/etc

42. Let FreeBSD ask for the passphrase at bootup

echo geom_eli_load=\"YES\" >> /mnt/boot/loader.conf

43. Copy Unencrypted boot to encrypted part

Since we are going to use FreeBSD's striping we need some files that the install we did on the encrypted part does not have. We need to copy the unencrypted boot directory back to the encrypted boot directory (the -n option only copies files that do not exist yet at the destination):

cp -Rpnv /mnt/boot /fixed

Wait for all the files to be copied.

44. ALL STEPS DONE!!!!???

Are you sure that you have done all the above steps??

shutdown -h NOW

45. Disconnect the slave HDD

Power down the server, disconnect all power from the machine and disconnect the slave HDD from the IDE cable.


Test the FreeBSD encrypted version

45. See if you can login without a password

If everything went well, you will be asked for the passphrase you typed in the steps before. If you then log in as root, you will not be asked for a password. If this happens, you know you are on the encrypted part of the HDD.

Since the installation is basic, you need to configure everything by hand before it will work. A warning about a name server will also pop up; that is because the network device is not configured yet.

46. (optional) Connect your Harddisk drives to your Raid Controller

shutdown -h NOW

When the machine says the system is halted, turn off your system and disconnect the power cables.

When you are using an HPT374 like me, note that the Seagate ST3500630A (Barracuda) does not work together with Hitachi Deskstar IDE HDDs on the RocketRAID 454. I could not make a RAID 0/JBOD or mirror, so I chose to do this the software way.

Also, sometimes a LED stays on when the machine is started in FreeBSD, and then the ad6 HDD is not present in the /dev directory.
shutdown -r NOW

I have to restart it until all the LEDs are off; otherwise a device is not detected.
(Can anyone tell me what this is? It happens after I type in my passphrase.)
It seems to me that this happens when I wait too long before typing the correct passphrase??!!

47. Enable networking

Type:
sysinstall

Select: Configure --> Networking --> Interfaces
In my case I select: {fxp1}

IPv6: {No}
DHCP {No}

I type in my credentials.

Bring the interface up now? {Yes}

{X} Exit
{X} Exit
{X} Exit Install

Reboot:
shutdown -r NOW

48. Enable SSH

To work faster and from every PC I enable SSH login. Type:
sysinstall

Choose: Configure --> Networking --> (Scroll down with arrow keys) sshd, choose {Ok}

{X} Exit --> {X} Exit Install

49. Check rc.conf for ssh

Sysinstall is nice and easy, but you should know what it does, so we check /etc/rc.conf for ssh:

vi /etc/rc.conf

Check if you see the line sshd_enable="YES". If so, ssh will be enabled at the next boot.

shutdown -r NOW

50. (optional) A little detour

Yes! I did a little detour on this one: I tried to connect four IDE hard drives to one controller and four SATA drives to a SATA controller. The sad thing is that it was not stable. I have left this piece in this manual so you can learn from it. I bought two SATA drives of 2 terabytes and now I am using 4 x 2 TB SATA drives as one big volume.


Make a stripe set (RAID0) with FreeBSD
If you are using one controller card with 4 IDE drives and another controller card with 4 SATA drives and you want one big volume, you can use FreeBSD's GEOM software to stripe them.

Enable the striping driver
vi /boot/defaults/loader.conf

Search for geom_stripe (the geom_stripe_load line) and type "YES" instead of "NO".

Save the file with ":w!" (the ! is needed to write a read-only file, only possible as root).

Do the same for the unencrypted part
First mount the unencrypted part of the HDD:
mount /dev/ad0s1a /mnt
vi /mnt/boot/defaults/loader.conf

Search for geom_stripe (the geom_stripe_load line) and type "YES" instead of "NO".

Save the file with ":w!"

Reboot to activate striping
shutdown -r NOW


And YES! it is native!

Create the first striping set
I explained the problem between the Seagate and the Hitachi drives above, so I solve this the software way. We are going to create a striping set from ad4, ad6, ad8 and ad10 (the names may be different on your system; check the /dev directory).

gstripe label -v ide0 /dev/ad4 /dev/ad6 /dev/ad8 /dev/ad10

This will create a striping set with the name ide0. It will give some warnings that it will not use a drive's entire capacity, but that is normal with RAID 0 sets: all members must be exactly the same size.

Check your striping set
You can check your striping set by listing the stripe directory:
cd /dev/stripe
ls

and searching for ide0.

Stripe over stripe
Striping over striping... It's unbelievable that this is possible. In Windows I would be afraid of what will happen to the data, but on my FreeBSD box... I am confident!

My other RocketRAID (model 1740) has created 3 striping sets, so we have 4 times 2 TB of striping sets. Create a second striping set:
gstripe label -v big0 /dev/stripe/ide0 /dev/da0 /dev/da1 /dev/da2


/dev/daX is the most common name for a hardware striping set; I have seen this in FreeBSD 8.x and in a virtual machine environment with iSCSI. Once I have seen arX in FreeBSD 6.2.

Make the stripe (big0) encrypted
And yes, we want to encrypt this too! Formatting the big0 volume is somewhat slow, but the only thing this system has to do is duplicate data and share it when disaster strikes, so I don't care.
geli init -b -s 4096 -l 256 /dev/stripe/big0


Type your secret passphrase twice.

Attach the big0 array
geli attach /dev/stripe/big0

Type the passphrase and the usual confirmation will be shown.

Label the striped encrypted drive
bsdlabel -w /dev/stripe/big0.eli
bsdlabel -e /dev/stripe/big0.eli


[x] to delete characters, press {i} to edit/insert, change unused behind a: to 4.2BSD, [ESC], :w, :q

Format the encrypted .elia drive
newfs /dev/stripe/big0.elia

When I look at the drives I see the LEDs going disco, so I know all drives are being used to stripe!

When working with older stuff it helps to connect all the LEDs; for 20 euros you get 10 of them with a wire and a little connector.

Mount it and check it
mount /dev/stripe/big0.elia /encrypt_a
df -h

A list of the mounted drives will be presented; check if the size checks out.

Mount at startup
vi /etc/fstab

Add the following line at the end of the file:
/dev/stripe/big0.elia	/encrypt_a	ufs	rw	2	2

Save the file and exit vi.

Copy the new fstab to the unencrypted part
mount /dev/ad0s1a /mnt
cp /etc/fstab /mnt/etc/fstab


Install Rsync on your FreeBSD machine

51. Encrypt the big volume

My big volume, 4 SATA hard disks on one SATA controller, is called /dev/da0; the name of your array could be different, so check the name first:
cd /dev
ls


Search for da0 (or da1, da2, etc.) or ar0 (ar1, ar2, etc.) and use this device name to encrypt the big volume.

Encrypt the big volume with:
geli init -b -s 4096 -l 256 /dev/da0

Enter the passphrase twice.

52. Attach and format the big volume (da0)

First we need to attach the encrypted device:
geli attach /dev/da0

Enter the passphrase you defined in the last step.

Make a label for the attached device:
bsdlabel -w /dev/da0.eli
bsdlabel -e /dev/da0.eli

[x] to delete characters, press {i} to edit/insert, change unused behind a: to 4.2BSD, [ESC], :w, :q

It needs to look like this:
# /dev/da0.eli
8 partitions:
#	size		offset	fstype	[fsize	bsize	bps/cpg]
  a:	1953431549	2	4.2BSD	0	0	0
  c:	1953431549	0	unused	0	0		#"raw" part, don't edit


The numbers will be different on your system; they reflect the size of your volume.

Don't forget to save the file and then exit.

Check if there are new devices in your /dev directory:
cd /dev
ls

You should see devices like da0.elia or ar0.elia.
Format the new device (use the name you found above):
newfs /dev/da0.elia

This may take a while, please wait!

53. Mount the encrypted volume

First make a directory where you can mount the volume:
mkdir /encrypt_a

Mount the big device:
mount /dev/da0.elia /encrypt_a


Check the size with the df command:
df -h


Result:
Filesystem	size	Used	Avail	Capacity	Mounted on
/dev/ad0s2.elia	1.8G	315M	1.3G	19%		/
devfs		1.0K	1.0K	0B	100%		/dev
/dev/ad0s2.elie	961M	24K	884M	0%		/tmp
/dev/ad0s2.elif	64G	1.7G	47G	3%		/usr
/dev/ad0s2.elid	2.3G	834M	1.3G	38%		/var
/dev/da0.elia	7.2T	2.6T	4.0T	40%		/encrypt_a


Your figures will probably be different, but this is a good way to check whether all the sizes are correct.

54. Mount the new device at bootup

Edit fstab:
vi /etc/fstab

Add the following line at the bottom:
/dev/da0.elia	/encrypt_a	ufs	rw	2	2


55. Install rsync

Now that we have a device where we can put all the data from the primary server, we need to sync it to the backup server.

You need to have rsync installed on the primary server, read here how you can do it!

To install rsync we start sysinstall:
sysinstall

Select Configure --> Packages --> CD/DVD --> net --> rsync-3.x.x

Select {OK} --> {Install}

You will be shown what you have selected, select {OK}

Installation will commence.

{X} Exit

{X} Exit Install

Take out FreeBSD CD/DVD

56. Setup rsyncd

vi /usr/local/etc/rsyncd.conf

Remove the # before "uid" and "gid" and change "nobody" to "rsync"; the file will look like this:
# rsyncd.conf - Example file, see rsyncd.conf(5)
#

# Set this if you want to stop rsync daemon with rc.d scripts
pid file = /var/run/rsyncd.pid

# Edit this file before running rsync daemon!!

uid = rsync
gid = rsync
#use chroot = no
#max connections = 4
#syslog facility = local5

#[ftp]
#	path = /var/ftp/pub
#	comment = whole ftp area (approx 6.1 GB)

#[sambaftp]
#	path = /var/ftp/pub/samba
#	comment = Samba ftp area (approx 300 MB)

#[rsyncftp]
#	path = /var/ftp/pub/rsync
#	comment = rsync ftp area (approx 6 MB)

#[sambawww]
#	path = /public_html/samba
#	comment = Samba WWW pages (approx 240 MB)

#[cvs]
#	path = /data/cvs
#	comment = CVS repository (requires authentication)
#	auth users = tridge, susan
#	secrets file = /usr/local/etc/rsyncd.secrets


On the other side (the primary server), the file will look like this:
# rsyncd.conf - Example file, see rsyncd.conf(5)
#

# Set this if you want to stop rsync daemon with rc.d scripts
pid file = /var/run/rsyncd.pid

# Edit this file before running rsync daemon!!

uid = rsync
gid = rsync
use chroot = no
max connections = 4
syslog facility = local5
pid file = /var/run/rsyncd.pid
auth users = roland, speciaal, copycop
secrets file = /usr/local/etc/rsyncd.secrets

[test]
	path = /encrypt_a/tmp/
	comment = Test to sync the samba tmp directory

[encrypt_a]
	path = /encrypt_a/
	comment = Shared Directory Tree

#[ftp]
#	path = /var/ftp/pub
#	comment = whole ftp area (approx 6.1 GB)

#[sambaftp]
#	path = /var/ftp/pub/samba
#	comment = Samba ftp area (approx 300 MB)

#[rsyncftp]
#	path = /var/ftp/pub/rsync
#	comment = rsync ftp area (approx 6 MB)

#[sambawww]
#	path = /public_html/samba
#	comment = Samba WWW pages (approx 240 MB)

#[cvs]
#	path = /data/cvs
#	comment = CVS repository (requires authentication)
#	auth users = tridge, susan
#	secrets file = /usr/local/etc/rsyncd.secrets


57. Create user rsync

adduser

Fill in all the credentials.

58. Create a batch file on the backup server

vi /usr/local/bin/rsyncd.bat

It must contain:
#!/bin/sh
/usr/local/bin/rsync -avz --stats --delete copycop@10.30.0.4::encrypt_a /encrypt_a --password-file /usr/local/etc/copycop.rsyncd


59. Make the batch file startable

chmod 0760 /usr/local/bin/rsyncd.bat

60. Create the password file

Now create the password file for copycop:
vi /usr/local/etc/copycop.rsyncd

Type the password in the file and save it!

61. Change the rights

Change the rights of the files so that not everybody can read them:
chmod 0640 /usr/local/etc/copycop.rsyncd
chmod 0640 /usr/local/etc/rsyncd.conf

62. Start Rsync to test syncing the data

/usr/local/bin/rsyncd.bat

You should see:
receiving file list ...

and then a lot of files popping up on your screen! (And of course the LEDs playing disco; as a matter of fact I feel disco! Wheee!!!)
If you get an error like "rsync error: error starting client-server protocol (code 5)", check the password you have used in the password file on the primary and backup server. Also check on the primary server whether "hosts allow" contains the correct IP address.

63. More pointers about errors with rsync

If you get the following errors:
rsync error: some files/attrs were not transferred (see previous errors) (code 23)
    at main.c(1508) [generator=3.0.7]

Scroll back and see which directories you don't have access to. Change the rights of those directories on the primary server.
You should see an error in the copied file tree like this: send_files failed to open "dir/ectory/" (in encrypt_a): Permission denied (13)

64. Setting up NTP for time sync

Open rc.conf:
vi /etc/rc.conf

Add the following two lines at the bottom:
ntpdate_enable="YES"
ntpdate_hosts="10.30.0.4"

The IP address is that of your head server, so all systems in your network are synced together!



Installation of Samba
===================

What is the use of a backup server when you cannot access it from Windows? I will set up Samba so that you can only read from it!

65. Install Samba from the ports

Insert your FreeBSD 8.1 install CD/DVD in your CD drive and type:
sysinstall

Wait for FreeBSD to complete the operation.

66. Edit smb.conf to configure samba

vi /usr/local/etc/smb.conf

Here is an example of smb.conf file:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba, 
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the 
# Samba-Guide which is generated daily and can be downloaded from: 
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
   workgroup = Wayward 

# server string is the equivalent of the NT Description field
   server string = BSD02 Samba Server 

## Samba Time Server?
#
   time server = yes

## getpeername failed. Error was socket is not connected, solution:
#
smb ports = 139

# Security mode. Defines in which mode Samba will operate. Possible 
# values are share, user, server, domain and ads. Most people will want 
# user level security. See the Samba-HOWTO-Collection for details.
   security = user

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 10.30.0. 127. 

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = no 

# you may wish to override the location of the printcap file
   printcap name = /dev/null 

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, cups, sysv, plp, lprng, aix, hpux, qnx
   printing = bsd 

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba34/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
;   realm = MY_REALM

# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
;   passdb backend = tdbsam

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
#       this line.  The included file is read at that point.
;   include = /usr/local/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
# You may want to add the following on a Linux system:
;   socket options = SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24 

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes 

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for 
# Windows95 workstations. 
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#    Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one    WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
   dns proxy = no 

# Charset settings
;   display charset = koi8-r
;   unix charset = koi8-r
;   dos charset = cp866

# Use extended attributes to store file modes
;    store dos attributes = yes
;    map hidden = no
;    map system = no
;    map archive = no

# Use inherited ACLs for directories
;    nt acl support = yes
;    inherit acls = yes
;    map acl inherit = yes 

# These scripts are used on a domain controller or stand-alone 
# machine to add or delete corresponding unix accounts
;  add user script = /usr/sbin/useradd %u
;  add group script = /usr/sbin/groupadd %g
;  add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;  delete user script = /usr/sbin/userdel %u
;  delete user from group script = /usr/sbin/deluser %u %g
;  delete group script = /usr/sbin/groupdel %g


#============================ Share Definitions ==============================
# The stock file ships [homes] with writable = yes; on a read-only backup
# server it has to be no as well, otherwise every Samba user can write to
# his home directory over the network.
[homes]
   comment = Home Directories
   browseable = no
   writable = no

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /usr/local/samba/lib/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /usr/local/samba/profiles
;    browseable = no
;    guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to 
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba34
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
;   comment = Public Stuff
;   path = /home/samba
;   public = yes
;   writable = yes
;   printable = no
;   write list = @staff

# Other examples. 
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765

#-=-=-=-=-=-=-=-=-= My Shares =-=-=-=-=-=-=-=-=-=-
#################################################
# All drives on the backup server are read only
#

# This one is useful for people to share files
[tmp]
   comment = Temporary file space
   path = /encrypt_a/tmp
   writeable = no
   public = yes

# Log share
# NOTE: public = yes means anyone on the allowed networks can read these
# logs without a password; they contain user names, client addresses and
# rsync output, so consider public = no and a valid users list here.
[log]
   comment = Log files of BSD03
   path = /var/log  
   public = yes
   writeable = no
   browseable = no

# Private drives
#
[private]
   comment = Own private directory on the server
   path = /encrypt_a/Private/%U
   public = no
   writeable = no
   browseable = no

# Appz drive
#
[appz]
   comment = Programs, games and the like.
   path = /encrypt_a/Appz
   public = no
   writeable = no
   browseable = no
   force create mode = 0775
   force directory mode = 0775

# Special drive
#
[special]
   comment = Special drives for: FTP, Images, Sound, Apache 
   path = /encrypt_a/Special
   public = no
   writeable = no
   browseable = no
   force create mode = 0775
   force directory mode = 0775

# Media
#
[media]
   comment = Media Audio, Video, Multimedia
   path = /encrypt_a/Media
   public = no
   writeable = no
   browseable = no
   force create mode = 0775
   force directory mode = 0775

# Ons (ours)
#
[ons]
   comment = Shared disk
   path = /encrypt_a/Ons
   public = no
   writeable = no
   browseable = no
   force create mode = 0770
   force directory mode = 0770

# Startup with batch files for connecting to BSD03
#
[startup]
   comment = Batch files to connect to the BSD03 FreeBSD Server
   path = /encrypt_a/Startup
   public = yes
   writeable = no
   browseable = yes

# Share to dump all the Ghost images from DOS
[image]
   comment = Drive to dump all the Ghost images to 
   path = /encrypt_a/Images
   public = no
   writeable = no
   browseable = yes 
   force create mode = 0775
   force directory mode = 0775

# Shares for the Media Center
# 
[video]
  comment = Video files for the media center
  path = /encrypt_a/Media/movies
  writeable = no
  browseable = yes
  force create mode = 0775
  force directory mode = 0775

[TV]
  comment = All the TV programs we like to keep
  path = /encrypt_a/Media/TV
  writeable = no
  browseable = yes
  force create mode = 0775
  force directory mode = 0775

[pictures]
  comment = All our pictures
  path = /encrypt_a/Media/pictures
  writeable = no
  browseable = yes
  force create mode = 0775
  force directory mode = 0775

[audio]
  comment = All our available audio
  path = /encrypt_a/Media/audio
  writeable = no
  browseable = yes
  force create mode = 0775
  force directory mode = 0775



On the backup server I have set writable = no on every share: this is a backup server, not a working server! Check that this really covers every section, including [homes], which the stock smb.conf ships with writable = yes, and keep in mind that Samba accepts writable, writeable, write ok and read only = no as equivalent spellings, and that a write list grants write access on a read-only share for the users named in it. Note also that public = yes (an alias for guest ok = yes) lets any host in hosts allow read a share without a password, which for the [log] share means the server's log files.
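Because Samba spells "writable" four different ways and the stock [homes] section is writable by default, "every share is read-only" is a claim worth checking mechanically. The following is an added example, not code from the article: a POSIX shell function that scans an smb.conf and prints every share that still allows writes, either through writable/writeable/write ok = yes, read only = no, or a non-empty write list. It assumes only awk and the path to the file; the output of testparm -s can be fed to it in the same way.

```shell
#!/bin/sh
# Added example (not from the original article): list the shares in an
# smb.conf that still permit writes, so the "read-only backup server"
# intent can be verified after every edit.
#
# Usage: writable_shares /usr/local/etc/smb.conf
# Output: one line per writable share; shares that are read only but carry
# a write list are printed as "<name> (write list)".

writable_shares() {
    # $1: path to smb.conf. Comment lines (# or ;) are ignored. For each
    # section the last writable/writeable/write ok/read only setting wins,
    # which is how Samba itself resolves duplicated parameters.
    awk '
        function flush() {
            if (share == "" || tolower(share) == "global") return
            if (w) print share
            else if (wl) print share " (write list)"
        }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # new [section]
            flush()
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            share = s; w = 0; wl = 0
            next
        }
        /=/ {                                        # key = value
            key = tolower($0); sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = tolower($0); sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "writable" || key == "writeable" || key == "write ok")
                w = (val == "yes" || val == "true" || val == "1")
            else if (key == "read only")
                w = (val == "no" || val == "false" || val == "0")
            else if (key == "write list")
                wl = (val != "")
        }
        END { flush() }
    ' "$1"
}

# When run as a script with a file argument, report on that file.
if [ "$#" -gt 0 ]; then
    writable_shares "$1"
fi
```

An empty result is what you want on the backup server; anything printed is a share to fix before the Windows clients get to see it.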

67. Enable Samba at startup

Edit the /etc/rc.conf file and enable Samba:
vi /etc/rc.conf

Add the following lines at the bottom of rc.conf:
nmbd_enable="YES"
smbd_enable="YES"

Before starting the daemons, run testparm to check smb.conf for syntax errors; it also prints the share definitions the way Samba parsed them, which is the quickest way to confirm that no share ended up writable.

If you get errors like "nttrans.c:2119(call_nt_transact_ioctl)" in the Samba logs, you can add the following two lines to every share in /usr/local/etc/smb.conf:
   oplocks = false
   level2 oplocks = false

68. Edit welcome message

vi /etc/motd

Put the following lines into the editor:
FreeBSD 8.1-RELEASE (BSD02) - 2010 /Node:3 (Original file:/etc/motd.bak)

Running:
- Apache2, Php 5, Mysql 5
- Pure-FTPd, SSH
- Samba 3
- NFS

IP: 10.30.0.4 / Gateway: 10.30.0.100

- FreeBSD Handbook: http://www.FreeBSD.org
- Use sysinstall to install additional Packages

Save the message with :wq and exit.

69. Restart the machine and check Samba

shutdown -r now

After the reboot, confirm that both daemons are listening before you try a client:
sockstat -4l | grep -E 'smbd|nmbd'

70. Add the users you want to access Samba

Before the Windows clients can access the Samba shares, you have to add each of them as a Samba user:
smbpasswd -a username

Enter the password twice and do this for every user who should be able to access Samba. With security = user the account must already exist as a UNIX user on the backup server (create it with adduser first if it does not): smbpasswd -a only stores the Samba password hash in the passdb, it does not create the system account. Use the same username on the Windows side, and note that the [private] share maps to /encrypt_a/Private/%U, so a directory named after the user must exist for that share to work.

71. Try to connect with a Windows client

Start the machine, enter the passphrases to mount the encrypted partitions and wait until nmbd and smbd are loaded, then start a Windows client and enter the name of your server in Windows Explorer:
\\bsd02\

You should be able to open the shares and read from them, but not write to them. If a share still accepts writes, check its writable/writeable and read only settings in smb.conf, and remember that a non-empty write list grants write access even on a read-only share.

72. Create a cronjob for rsync

If you are going to use rsync, do it on a regular basis! We add a cronjob.

Login as root

Type:
crontab -e

Add the following line:
00 3 * * * /usr/local/bin/rsyncd.bat

Save the file and exit; you should see the line:
crontab: installing new crontab

...then you know the crontab is installed and the script will run every night at 03:00. Make sure the script is owned by root and not writable by anyone else (chmod 700 /usr/local/bin/rsyncd.bat): a job in root's crontab executes as root, so whoever can edit that file can run commands as root.
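The cron line only decides when the job runs; what the job does decides whether the backup survives a bad day on the primary. A plain rsync --delete mirror copies a deletion, or a file rewritten by malware, straight over the only copy. The script below is an added example and not the article's /usr/local/bin/rsyncd.bat: a pull from the primary into one dated directory per run, hard-linking unchanged files against the previous run with --link-dest so only the changed files cost space, with a lock so two runs cannot overlap, and a pruning step that keeps the newest 30 days. The head server address 10.30.0.4 and the /encrypt_a tree come from the article; the account name, the key path, the lock path and the snapshot root are assumptions.

```shell
#!/bin/sh
# Added example, not the article's rsyncd.bat. Pulls a dated snapshot of the
# primary server's tree over SSH and keeps the previous snapshots, so a bad
# change on the primary does not overwrite the only backup.
# Assumptions: an unprivileged "backup" account on the head server with a
# restricted key, and the paths below.

PRIMARY="backup@10.30.0.4"         # assumption: account on the head server
SRC="/encrypt_a/"                  # assumption: tree to pull (trailing slash matters)
KEY="/root/.ssh/backup_ed25519"    # assumption: key, restricted to rsync on the primary
LOCK="${LOCK:-/var/run/rsync-backup.lock}"
RSYNC="${RSYNC:-rsync}"            # overridable so the logic can be exercised without rsync

# mkdir is atomic, so a second cron run (or a hung one) cannot start a
# parallel copy into the same snapshot root. Returns 0 when the lock is ours.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1" 2>/dev/null; }

# Newest snapshot directory name (YYYY-MM-DD) under $1, or empty if none.
# The glob expands in sorted order, so the last match is the newest date.
latest_snapshot() {
    last=""
    for d in "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]; do
        if [ -d "$d" ]; then last=${d##*/}; fi
    done
    printf '%s' "$last"
}

# Pull one snapshot into $1/<today>. Returns rsync's status, or 75 if locked.
run_backup() {
    root=$1
    today=$(date +%Y-%m-%d)
    if ! acquire_lock "$LOCK"; then
        echo "backup already running (lock $LOCK)" >&2
        return 75
    fi
    mkdir -p "$root"
    prev=$(latest_snapshot "$root")
    set -- -aH --numeric-ids --delete --delete-excluded --exclude=tmp/ \
        -e "ssh -i $KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"
    # A rerun on the same day resumes into today's directory; otherwise link
    # unchanged files to the previous snapshot so only the deltas use space.
    if [ -n "$prev" ] && [ "$prev" != "$today" ]; then
        set -- "$@" --link-dest="$root/$prev"
    fi
    "$RSYNC" "$@" "$PRIMARY:$SRC" "$root/$today/"
    rc=$?
    release_lock "$LOCK"
    return $rc
}

# Keep the newest $2 snapshots under $1 and remove the rest.
prune_snapshots() {
    n=0
    for d in $(ls -1d "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] 2>/dev/null | sort -r); do
        n=$((n + 1))
        if [ "$n" -gt "$2" ]; then rm -rf "$d"; fi
    done
    return 0
}

# Cron entry in root's crontab, same slot as the article's:
#   00 3 * * * /usr/local/bin/rsync-backup.sh /encrypt_a/backup >> /var/log/rsync-backup.log 2>&1
if [ "$#" -gt 0 ]; then
    run_backup "$1" && prune_snapshots "$1" 30
fi
```

The backup server pulls with its own key rather than letting the primary push: the primary then needs no credentials for the backup machine, so compromising it does not also give write access to the backups. On the primary, restrict that key in authorized_keys to the single rsync command it is allowed to run.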

73. Enter a password for the root account

A very important step for security: give the root account a password. Type:
passwd root

Enter the password twice. Pick a strong one; this machine holds a complete copy of the primary server's data and, according to the motd above, runs sshd.

74. Done!

Your backup server is ready!

Comments (1)

Author

Commented:
I had several errors:
Mar 12 11:57:21 BSD03 kernel: xl0: transmission error: 90
Mar 12 11:57:21 BSD03 kernel: xl0: tx underrun, increasing tx start threshold to 120 bytes

After that my system rebooted. After fiddling around with drivers, it appeared to be an IRQ problem. I solved this problem by swapping the VGA card and the NIC between PCI slots.
