354 lines
13 KiB
HTML
354 lines
13 KiB
HTML
<!--startcut ======================================================= -->
|
||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
||
<html><head>
|
||
<META NAME="generator" CONTENT="lgazmail v1.1pre9c">
|
||
<TITLE>The Answer Guy 31:
|
||
Remote Backups: GNU 'tar' through 'rsh'
|
||
</TITLE>
|
||
<!-- ORIGINAL SUBJECT:
|
||
Remote Backups (Yet Again)
|
||
JTD SUBTITLE:
|
||
|
||
-->
|
||
</head>
|
||
|
||
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
|
||
ALINK="#FF0000">
|
||
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
||
</H4>
|
||
<P> <hr> <P>
|
||
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
||
<H1 align="center"><A NAME="answer">
|
||
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
|
||
<a href="./index.html">The Answer Guy</a>
|
||
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
|
||
</A></H1>
|
||
<BR>
|
||
<H4 align="center">By James T. Dennis,
|
||
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
|
||
<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
|
||
</H4>
|
||
<p><hr><p>
|
||
<!--endcut ========================================================= -->
|
||
<H3><img src="../gx/dennis/qbub.gif" alt="(?)"
|
||
width="50" height="28" align="left" border="0"
|
||
>Remote Backups: GNU '<tt>tar</TT>' through '<TT>rsh</tt>'</h3>
|
||
<p><strong>From Ken Plumbly on 18 Jul 1998
|
||
in the</strong>
|
||
<a href="news:comp.unix.questions">comp.unix.questions</a>
|
||
<strong>newsgroup</strong></p>
|
||
|
||
<!-- begin body -->
|
||
|
||
<p><strong>
|
||
Hi :
|
||
</strong></p>
|
||
|
||
|
||
<p><strong>
|
||
I'm sure this one will probably drive you crazy, I read your
|
||
<a href="http://www.linuxgazette.com/issue29/tag_betterbak.html">answer
|
||
in LG issue 29 for remote backups</a>, and did what the article said,
|
||
but I get the response back from the server with the tape drive:
|
||
</strong></p>
|
||
|
||
|
||
<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" lign="bottom"
|
||
>Getting things like this working for the first
|
||
time have driven me crazy in the past. So, it's
|
||
certainly possible for them to do so again.
|
||
</blockquote>
|
||
|
||
|
||
<blockquote>
|
||
(Some friends might say that "crazy" is a state they've come to expect of me).
|
||
</blockquote>
|
||
|
||
|
||
<STRONG><P><IMG SRC="../gx/dennis/qbub.gif" ALT="(?)" width="50" height="28" border="0" lign="bottom"
|
||
><code>permission denied.
|
||
<br>tar: Cannot open user@host.our.domain:/dev/st0: I/O error
|
||
</code></p></strong>
|
||
|
||
|
||
<STRONG><P>
|
||
and in the messages file on the tape host is:
|
||
</p></strong>
|
||
|
||
|
||
<STRONG><P><code>
|
||
pam_rhosts_auth[7300]: denied to root@hostname.our.domain as user:
|
||
<br>access not allowed
|
||
</code></p></strong>
|
||
|
||
|
||
<STRONG><P>
|
||
We are running redHat 4.2 with a connor 4gb tape drive.
|
||
</p></strong>
|
||
|
||
|
||
<STRONG><P>
|
||
I created a user on the tape server, and put a <tt>.rhosts</tt> file in
|
||
the <tt>~user</tt> directory but still no joy.
|
||
</p></strong>
|
||
|
||
|
||
<STRONG><P>
|
||
Any Ideas?
|
||
<br>Ken
|
||
</p></strong>
|
||
|
||
|
||
<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" lign="bottom"
|
||
>Can you just run a command like:
|
||
</blockquote>
|
||
|
||
|
||
<blockquote><blockquote><code>
|
||
rsh -l operator tapehost "id; pwd; ls -l /dev/st0"
|
||
</code></blockquote></blockquote>
|
||
|
||
<blockquote>... and get the desired results?
|
||
</blockquote>
|
||
|
||
<blockquote>In my example I make some assumptions:
|
||
</blockquote>
|
||
|
||
<blockquote>I'd run this command from root on the client
|
||
and use the "<tt>-l operator</tt>" switch and argument
|
||
to specify that I want <tt>rsh</tt> to access the "<tt>operator</tt>"
|
||
account on the tapehost.
|
||
</blockquote>
|
||
|
||
<blockquote>I'd create an account named "<tt>operator</tt>" on the
|
||
tapehost machine. It would have no special
|
||
privileges except that it would be a member of
|
||
the "<tt>tape</tt>" group.
|
||
</blockquote>
|
||
|
||
<blockquote>My copy of <TT>/dev/st0</TT> on the tapehost would be
|
||
owned by <tt>root.tape</tt> (the "tape" group) and
|
||
would be mode <tt>770</tt> (writable by group).
|
||
</blockquote>
|
||
|
||
<blockquote>This should allow what you want. Until you can
|
||
use stock '<tt>rsh</tt>' commands through this context --- your
|
||
'<tt>tar</tt>' commands are doomed. (Since
|
||
<a href="http://www.gnu.org/">GNU</a> tar actually
|
||
calls '<tt>rsh</tt>' for that part of this work).
|
||
</blockquote>
|
||
|
||
<blockquote>For more security you can use '<tt>ssh</TT>' instead of
|
||
'<TT>rsh</tt>'
|
||
</blockquote>
|
||
|
||
<blockquote>Next I would not use the command as you described it.
|
||
</blockquote>
|
||
|
||
<blockquote>Tape drives are very sensitive to inconsistent latency (caused
|
||
by transport of the data over a network and by any compression
|
||
you attempt to do). If the data is not fed to the interface
|
||
fast enough <tt>and at an even rate</tt> then the drive will have to
|
||
stop, rewind a bit, and restart to get back to the right speed
|
||
and tape position to continue writing.
|
||
</blockquote>
|
||
|
||
<blockquote>This is called "shoeshining."
|
||
</blockquote>
|
||
|
||
<blockquote>To prevent shoeshining we run a program called 'buffer' (Lee
|
||
McLoughlin) on the "tapehost" (the machine that recieves the
|
||
data over the network and writes it to the tape drive).
|
||
</blockquote>
|
||
|
||
<blockquote>So that command would look like:
|
||
</blockquote>
|
||
|
||
|
||
<blockquote><blockquote><code>
|
||
# tar czSf - .... | rsh -l operator tapehost
|
||
"buffer -o <TT>/dev/st0</TT>"
|
||
</code></blockquote></blockquote>
|
||
|
||
<blockquote>Note the <tt>-S</tt> switch that we use to preserve "sparsity"
|
||
in files --- that is to detect cases where the data
|
||
blocks have not be continously allocated to the file
|
||
--- where there are "holes" in the allocation map for
|
||
the "empty" parts of the file's data. These sorts of
|
||
files are commonly created with dbm libraries and
|
||
other "hashing" algorithms that use file seek offsets
|
||
as "indexes" into a file --- your <TT>/etc/aliases.pag</TT>
|
||
file might be one of them. If you don't understand
|
||
"holes" and "sparse" files (which are features of the
|
||
Unix filesystem that aren't supported in some others
|
||
--- though I know that Netware had them) --- don't
|
||
worry about it. Just add the <tt>-S</tt> and it won't hurt
|
||
anything even if there are no such files in the
|
||
data set that you're working with.
|
||
</blockquote>
|
||
|
||
<blockquote>Note that I use the <tt>c</tt> (create), <tt>z</tt> (compress)
|
||
and <tt>f</tt> (file target) flags, and that the file target I specify
|
||
is "<tt>-</tt>" (a dash). In Unix this usually indicates that
|
||
the "standard output" device should be used. In other
|
||
words, "<tt>-</tt>" (dash) is an idiom in a number of Unix/Linux
|
||
commands. So, this command will write all of the
|
||
tar file into the pipe.
|
||
</blockquote>
|
||
|
||
<blockquote>On the recieving side of the pipe we have a local copy
|
||
of '<tt>rsh</tt>' that will try to connect to the "tapehost" as the
|
||
user named "operator" and thereon try to run a command
|
||
named "buffer" with the <tt>-o</tt> (output) of that pointed
|
||
to the tape device.
|
||
</blockquote>
|
||
|
||
<blockquote>How much difference does 'buffer' make? About an order of
|
||
magnitude. Yes. You read that right --- on my network
|
||
(which was completely idle at the time) I ran experiements
|
||
with and without buffer (and with and without compression)
|
||
and it would take <em>10 times longer</em> to write the tape
|
||
without '<tt>buffer</tt>'. On top of all of that the tapes created
|
||
without '<tt>buffer</tt>' are <em>much</em> less reliable. So, failing to
|
||
use that can be harmful to your data, and add immense amounts
|
||
of wear and tear to the drive (shortening its useful life).
|
||
</blockquote>
|
||
|
||
<blockquote>The '<tt>buffer</tt>' command came with my copies of
|
||
<A HREF="http://www.suse.com/">S.u.S.E.</A> and
|
||
might come with your copy of RH 5.x (although I don't think
|
||
4.2 had it). You can find that at:
|
||
</blockquote>
|
||
|
||
|
||
<blockquote><blockquote><code>
|
||
<A HREF="http://src.doc.ic.ac.uk/public/public/packages/buffer"
|
||
>http://src.doc.ic.ac.uk/public/public/packages/buffer</A>
|
||
</code></blockquote></blockquote>
|
||
|
||
<blockquote>Imperial College, U.K./Great Britain where Lee McLoughlin is a
|
||
a system manager, and programmer.
|
||
</blockquote>
|
||
|
||
<blockquote>Lee McLoughlin is also known for an FTP mirror package he
|
||
wrote and maintained in PERL a few years ago. He maintains a web page
|
||
(<A HREF="http://www.doc.ic.ac.uk/~lmjm/">http://www.doc.ic.ac.uk/~lmjm/</A>)
|
||
which doesn't mention this or the '<tt>buffer</tt>' program but highlights
|
||
some of his other work.
|
||
</blockquote>
|
||
|
||
<blockquote>With RH 4.2 you might also be suffering from some
|
||
confusion with your PAM configuration. You might have to
|
||
change that around a bit or upgrade it to a new version.
|
||
</blockquote>
|
||
|
||
<blockquote>If you were trying to access the root or any "root equivalent"
|
||
account -- that is anyone with a UID of 0 (zero) you might
|
||
have been bumping into the "<tt>/etc/securettys</tt>" problem. This
|
||
is one of the other reasons why I configure my systems with
|
||
an "<tt>operator</tt>" account and give that account access to the
|
||
'<tt>buffer</tt>' program and to the <TT>/dev/st0</TT> node.
|
||
</blockquote>
|
||
|
||
<blockquote>If you did tests with '<tt>rlogin</tt>' that seemed successful
|
||
(you were able to '<tt>rlogin</tt>' to the account but not to
|
||
run '<tt>rsh</tt>' commands, keep in mind that these are separately
|
||
configurable services in PAM.
|
||
</blockquote>
|
||
|
||
<blockquote>Another constraint that is a bit more subtle: you
|
||
cannot access '<tt>rsh</TT>' and '<TT>rlogin</tt>' commands through IP
|
||
Masquerading. This is because the source IP port for an
|
||
<tt>rsh</tt> or <tt>rlogin</tt> connection must be set to specific values
|
||
</blockquote>
|
||
|
||
<blockquote>It's a <em>very</em> weak form of "authentication" on the part of
|
||
the protocol, it was intended to ensure that the
|
||
process on the client side of the machine was running
|
||
with 'root's authority --- that it wasn't a random
|
||
user's process just claiming to be anybody. That was
|
||
almost reasonably 20 years ago before people had
|
||
TCP/IP capable workstation on their desktops --- back when
|
||
all of the "computers" were locking in server rooms and
|
||
you wanted to create loosely coupled computing clusters
|
||
within your domain. It is <em>wholly</em> inadequate and
|
||
inappropriate on today's networks. That's why we have
|
||
'i<tt>ssh</tt>' and why I spend all night <em>last</em> night playing
|
||
with the "Linux Free S/WAN" project (just search Yahoo!
|
||
on that phrase).
|
||
</blockquote>
|
||
|
||
<blockquote>(Free S/WAN is a project to implement secure, network level IP
|
||
--- so that we can use transparent cryptography to protect
|
||
applications layer protocols like <tt>rsh</tt>, and so many others.
|
||
It's being developed internationally --- so that it will
|
||
have to be <em>imported</em> into the U.S. --- this is because
|
||
we're a "free nation" except when it comes to the practical
|
||
application of advanced mathematics as a medium of expression).
|
||
</blockquote>
|
||
|
||
<blockquote>In any event --- I really doubt that you're trying to
|
||
access your tapehost through a masquerading router --- but
|
||
if you are, you can expect that to fail.
|
||
</blockquote>
|
||
|
||
<blockquote>From the error messages you show it looks like you do have the
|
||
appropriate <TT>/etc/services</TT> entry and the appropriate entries in
|
||
the <TT>/etc/inetd.conf</TT>. It also looks like you are not having
|
||
a TCP wrappers problem in this case (since that would have
|
||
given a different error message in the tapehost's syslog).
|
||
</blockquote>
|
||
<!-- end body -->
|
||
|
||
<!--================================================================-->
|
||
<P> <hr> <P>
|
||
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
||
>Copyright ©</a> 1998, James T. Dennis <BR>
|
||
Published in <I>Linux Gazette</I> Issue 31 August 1998</H5>
|
||
<P> <hr> <P>
|
||
<!--================================================================-->
|
||
<table width="98%"><tr valign="center" align="center">
|
||
<td rowspan="3"><A HREF="./lg_answer31.html"><IMG
|
||
SRC="../gx/dennis/answernew.gif"
|
||
ALT="[ Answer Guy Index ]"></A></td>
|
||
<td><A HREF="tag_backup.html">backup</A></td>
|
||
<td><A HREF="tag_uidgid.html">uidgid</A></td>
|
||
<td><A HREF="tag_connect.html">connect</A></td>
|
||
<td><A HREF="tag_95slow.html">95slow</A></td>
|
||
<td><A HREF="tag_badblock.html">badblock</A></td>
|
||
<td><A HREF="tag_trident.html">trident</A></td>
|
||
<td><A HREF="tag_sound.html">sound</A></td>
|
||
|
||
</tr><tr valign="center" align="center">
|
||
<td><A HREF="tag_kernel.html">kernel</A></td>
|
||
<td><A HREF="tag_solprint.html">solprint</A></td>
|
||
<td><A HREF="tag_idescsi.html">idescsi</A></td>
|
||
<td><A HREF="tag_distrib.html">distrib</A></td>
|
||
<td><A HREF="tag_modem.html">modem</A></td>
|
||
<td><A HREF="tag_NDS.html">NDS</a></td>
|
||
<td><A HREF="tag_rpm.html">rpm</A></td>
|
||
|
||
</tr><tr valign="center" align="center">
|
||
<td><A HREF="tag_guy.html">guy</A></td>
|
||
<td><A HREF="tag_maildns.html">maildns</A></td>
|
||
<td><A HREF="tag_memleak.html">memleak</a></td>
|
||
<td><A HREF="tag_multihead.html">multihead</A></td>
|
||
<td><A HREF="tag_cdr.html">cdr</A></td>
|
||
</tr></table>
|
||
<P> <hr> <P>
|
||
<!--================================================================-->
|
||
<A HREF="./index.html"><IMG SRC="../gx/indexnew.gif"
|
||
ALT="[ Table Of Contents ]"></A>
|
||
<A HREF="../index.html"><IMG SRC="../gx/homenew.gif"
|
||
ALT="[ Front Page ]"></A>
|
||
<A HREF="lg_bytes31.html"><IMG SRC="../gx/back2.gif"
|
||
ALT="[ Previous Section ]"></A>
|
||
<A HREF="./searls.html"><IMG SRC="../gx/fwd.gif"
|
||
ALT="[ Next Section ]"></A>
|
||
<!--startcut ======================================================= -->
|
||
</body>
|
||
</html>
|
||
<!--endcut ========================================================= -->
|
||
|
||
|