LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue31/tag_backup.html

354 lines
13 KiB
HTML
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html><head>
<META NAME="generator" CONTENT="lgazmail v1.1pre9c">
<TITLE>The Answer Guy 31:
Remote Backups: GNU 'tar' through 'rsh'
</TITLE>
<!-- ORIGINAL SUBJECT:
Remote Backups (Yet Again)
JTD SUBTITLE:
-->
</head>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
ALINK="#FF0000">
<H4>"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H1 align="center"><A NAME="answer">
<img src="../gx/dennis/qbubble.gif" alt="" border="0" align="middle">
<a href="./index.html">The Answer Guy</a>
<img src="../gx/dennis/bbubble.gif" alt="" border="0" align="middle">
</A></H1>
<BR>
<H4 align="center">By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a>
<BR>Starshine Technical Services, <A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
<p><hr><p>
<!--endcut ========================================================= -->
<H3><img src="../gx/dennis/qbub.gif" alt="(?)"
width="50" height="28" align="left" border="0"
>Remote Backups: GNU '<tt>tar</TT>' through '<TT>rsh</tt>'</h3>
<p><strong>From Ken Plumbly on 18 Jul 1998
in the</strong>
<a href="news:comp.unix.questions">comp.unix.questions</a>
<strong>newsgroup</strong></p>
<!-- begin body -->
<p><strong>
Hi :
</strong></p>
<p><strong>
I'm sure this one will probably drive you crazy, I read your
<a href="http://www.linuxgazette.com/issue29/tag_betterbak.html">answer
in LG issue 29 for remote backups</a>, and did what the article said,
but I get the response back from the server with the tape drive:
</strong></p>
<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" lign="bottom"
>Getting things like this working for the first
time have driven me crazy in the past. So, it's
certainly possible for them to do so again.
</blockquote>
<blockquote>
(Some friends might say that "crazy" is a state they've come to expect of me).
</blockquote>
<STRONG><P><IMG SRC="../gx/dennis/qbub.gif" ALT="(?)" width="50" height="28" border="0" lign="bottom"
><code>permission denied.
<br>tar: Cannot open user@host.our.domain:/dev/st0: I/O error
</code></p></strong>
<STRONG><P>
and in the messages file on the tape host is:
</p></strong>
<STRONG><P><code>
pam_rhosts_auth[7300]: denied to root@hostname.our.domain as user:
<br>access not allowed
</code></p></strong>
<STRONG><P>
We are running redHat 4.2 with a connor 4gb tape drive.
</p></strong>
<STRONG><P>
I created a user on the tape server, and put a <tt>.rhosts</tt> file in
the <tt>~user</tt> directory but still no joy.
</p></strong>
<STRONG><P>
Any Ideas?
<br>Ken
</p></strong>
<BLOCKQUOTE><IMG SRC="../gx/dennis/bbub.gif" ALT="(!)" width="50" height="28" border="0" lign="bottom"
>Can you just run a command like:
</blockquote>
<blockquote><blockquote><code>
rsh -l operator tapehost "id; pwd; ls -l /dev/st0"
</code></blockquote></blockquote>
<blockquote>... and get the desired results?
</blockquote>
<blockquote>In my example I make some assumptions:
</blockquote>
<blockquote>I'd run this command from root on the client
and use the "<tt>-l operator</tt>" switch and argument
to specify that I want <tt>rsh</tt> to access the "<tt>operator</tt>"
account on the tapehost.
</blockquote>
<blockquote>I'd create an account named "<tt>operator</tt>" on the
tapehost machine. It would have no special
privileges except that it would be a member of
the "<tt>tape</tt>" group.
</blockquote>
<blockquote>My copy of <TT>/dev/st0</TT> on the tapehost would be
owned by <tt>root.tape</tt> (the "tape" group) and
would be mode <tt>770</tt> (writable by group).
</blockquote>
<blockquote>This should allow what you want. Until you can
use stock '<tt>rsh</tt>' commands through this context --- your
'<tt>tar</tt>' commands are doomed. (Since
<a href="http://www.gnu.org/">GNU</a> tar actually
calls '<tt>rsh</tt>' for that part of this work).
</blockquote>
<blockquote>For more security you can use '<tt>ssh</TT>' instead of
'<TT>rsh</tt>'
</blockquote>
<blockquote>Next I would not use the command as you described it.
</blockquote>
<blockquote>Tape drives are very sensitive to inconsistent latency (caused
by transport of the data over a network and by any compression
you attempt to do). If the data is not fed to the interface
fast enough <tt>and at an even rate</tt> then the drive will have to
stop, rewind a bit, and restart to get back to the right speed
and tape position to continue writing.
</blockquote>
<blockquote>This is called "shoeshining."
</blockquote>
<blockquote>To prevent shoeshining we run a program called 'buffer' (Lee
McLoughlin) on the "tapehost" (the machine that recieves the
data over the network and writes it to the tape drive).
</blockquote>
<blockquote>So that command would look like:
</blockquote>
<blockquote><blockquote><code>
# tar czSf - .... | rsh -l operator tapehost
"buffer -o <TT>/dev/st0</TT>"
</code></blockquote></blockquote>
<blockquote>Note the <tt>-S</tt> switch that we use to preserve "sparsity"
in files --- that is to detect cases where the data
blocks have not be continously allocated to the file
--- where there are "holes" in the allocation map for
the "empty" parts of the file's data. These sorts of
files are commonly created with dbm libraries and
other "hashing" algorithms that use file seek offsets
as "indexes" into a file --- your <TT>/etc/aliases.pag</TT>
file might be one of them. If you don't understand
"holes" and "sparse" files (which are features of the
Unix filesystem that aren't supported in some others
--- though I know that Netware had them) --- don't
worry about it. Just add the <tt>-S</tt> and it won't hurt
anything even if there are no such files in the
data set that you're working with.
</blockquote>
<blockquote>Note that I use the <tt>c</tt> (create), <tt>z</tt> (compress)
and <tt>f</tt> (file target) flags, and that the file target I specify
is "<tt>-</tt>" (a dash). In Unix this usually indicates that
the "standard output" device should be used. In other
words, "<tt>-</tt>" (dash) is an idiom in a number of Unix/Linux
commands. So, this command will write all of the
tar file into the pipe.
</blockquote>
<blockquote>On the recieving side of the pipe we have a local copy
of '<tt>rsh</tt>' that will try to connect to the "tapehost" as the
user named "operator" and thereon try to run a command
named "buffer" with the <tt>-o</tt> (output) of that pointed
to the tape device.
</blockquote>
<blockquote>How much difference does 'buffer' make? About an order of
magnitude. Yes. You read that right --- on my network
(which was completely idle at the time) I ran experiements
with and without buffer (and with and without compression)
and it would take <em>10 times longer</em> to write the tape
without '<tt>buffer</tt>'. On top of all of that the tapes created
without '<tt>buffer</tt>' are <em>much</em> less reliable. So, failing to
use that can be harmful to your data, and add immense amounts
of wear and tear to the drive (shortening its useful life).
</blockquote>
<blockquote>The '<tt>buffer</tt>' command came with my copies of
<A HREF="http://www.suse.com/">S.u.S.E.</A> and
might come with your copy of RH 5.x (although I don't think
4.2 had it). You can find that at:
</blockquote>
<blockquote><blockquote><code>
<A HREF="http://src.doc.ic.ac.uk/public/public/packages/buffer"
>http://src.doc.ic.ac.uk/public/public/packages/buffer</A>
</code></blockquote></blockquote>
<blockquote>Imperial College, U.K./Great Britain where Lee McLoughlin is a
a system manager, and programmer.
</blockquote>
<blockquote>Lee McLoughlin is also known for an FTP mirror package he
wrote and maintained in PERL a few years ago. He maintains a web page
(<A HREF="http://www.doc.ic.ac.uk/~lmjm/">http://www.doc.ic.ac.uk/~lmjm/</A>)
which doesn't mention this or the '<tt>buffer</tt>' program but highlights
some of his other work.
</blockquote>
<blockquote>With RH 4.2 you might also be suffering from some
confusion with your PAM configuration. You might have to
change that around a bit or upgrade it to a new version.
</blockquote>
<blockquote>If you were trying to access the root or any "root equivalent"
account -- that is anyone with a UID of 0 (zero) you might
have been bumping into the "<tt>/etc/securettys</tt>" problem. This
is one of the other reasons why I configure my systems with
an "<tt>operator</tt>" account and give that account access to the
'<tt>buffer</tt>' program and to the <TT>/dev/st0</TT> node.
</blockquote>
<blockquote>If you did tests with '<tt>rlogin</tt>' that seemed successful
(you were able to '<tt>rlogin</tt>' to the account but not to
run '<tt>rsh</tt>' commands, keep in mind that these are separately
configurable services in PAM.
</blockquote>
<blockquote>Another constraint that is a bit more subtle: you
cannot access '<tt>rsh</TT>' and '<TT>rlogin</tt>' commands through IP
Masquerading. This is because the source IP port for an
<tt>rsh</tt> or <tt>rlogin</tt> connection must be set to specific values
</blockquote>
<blockquote>It's a <em>very</em> weak form of "authentication" on the part of
the protocol, it was intended to ensure that the
process on the client side of the machine was running
with 'root's authority --- that it wasn't a random
user's process just claiming to be anybody. That was
almost reasonably 20 years ago before people had
TCP/IP capable workstation on their desktops --- back when
all of the "computers" were locking in server rooms and
you wanted to create loosely coupled computing clusters
within your domain. It is <em>wholly</em> inadequate and
inappropriate on today's networks. That's why we have
'i<tt>ssh</tt>' and why I spend all night <em>last</em> night playing
with the "Linux Free S/WAN" project (just search Yahoo!
on that phrase).
</blockquote>
<blockquote>(Free S/WAN is a project to implement secure, network level IP
--- so that we can use transparent cryptography to protect
applications layer protocols like <tt>rsh</tt>, and so many others.
It's being developed internationally --- so that it will
have to be <em>imported</em> into the U.S. --- this is because
we're a "free nation" except when it comes to the practical
application of advanced mathematics as a medium of expression).
</blockquote>
<blockquote>In any event --- I really doubt that you're trying to
access your tapehost through a masquerading router --- but
if you are, you can expect that to fail.
</blockquote>
<blockquote>From the error messages you show it looks like you do have the
appropriate <TT>/etc/services</TT> entry and the appropriate entries in
the <TT>/etc/inetd.conf</TT>. It also looks like you are not having
a TCP wrappers problem in this case (since that would have
given a different error message in the tapehost's syslog).
</blockquote>
<!-- end body -->
<!--================================================================-->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 1998, James T. Dennis <BR>
Published in <I>Linux Gazette</I> Issue 31 August 1998</H5>
<P> <hr> <P>
<!--================================================================-->
<table width="98%"><tr valign="center" align="center">
<td rowspan="3"><A HREF="./lg_answer31.html"><IMG
SRC="../gx/dennis/answernew.gif"
ALT="[ Answer Guy Index ]"></A></td>
<td><A HREF="tag_backup.html">backup</A></td>
<td><A HREF="tag_uidgid.html">uidgid</A></td>
<td><A HREF="tag_connect.html">connect</A></td>
<td><A HREF="tag_95slow.html">95slow</A></td>
<td><A HREF="tag_badblock.html">badblock</A></td>
<td><A HREF="tag_trident.html">trident</A></td>
<td><A HREF="tag_sound.html">sound</A></td>
</tr><tr valign="center" align="center">
<td><A HREF="tag_kernel.html">kernel</A></td>
<td><A HREF="tag_solprint.html">solprint</A></td>
<td><A HREF="tag_idescsi.html">idescsi</A></td>
<td><A HREF="tag_distrib.html">distrib</A></td>
<td><A HREF="tag_modem.html">modem</A></td>
<td><A HREF="tag_NDS.html">NDS</a></td>
<td><A HREF="tag_rpm.html">rpm</A></td>
</tr><tr valign="center" align="center">
<td><A HREF="tag_guy.html">guy</A></td>
<td><A HREF="tag_maildns.html">maildns</A></td>
<td><A HREF="tag_memleak.html">memleak</a></td>
<td><A HREF="tag_multihead.html">multihead</A></td>
<td><A HREF="tag_cdr.html">cdr</A></td>
</tr></table>
<P> <hr> <P>
<!--================================================================-->
<A HREF="./index.html"><IMG SRC="../gx/indexnew.gif"
ALT="[ Table Of Contents ]"></A>
<A HREF="../index.html"><IMG SRC="../gx/homenew.gif"
ALT="[ Front Page ]"></A>
<A HREF="lg_bytes31.html"><IMG SRC="../gx/back2.gif"
ALT="[ Previous Section ]"></A>
<A HREF="./searls.html"><IMG SRC="../gx/fwd.gif"
ALT="[ Next Section ]"></A>
<!--startcut ======================================================= -->
</body>
</html>
<!--endcut ========================================================= -->
Reference in New Issue View Git Blame Copy Permalink