Zfs Remote Backup

28 Feb 2015

Since no one bought my N54L NAS I need to do something with it. So my first guess was a remote backup, and thats exactly what I did.

So thats why I visited @ronyspitzer this weekend (well some weekend in the past (ages ago), since I failed to finish this). So I grab my hardware and thats how it looks:

hardware relocation

Maybe I should do finally my driving licence, or stop transporting so much stuff from A to B.

But lets talk about the setup. The N54L is loaded with 3 x 2TB drives and 1 TB for the system. So the first step was to install FreeBSD with root on zfs which is really easy with the FreeBSD 10 installer. With the other drives I build a raidz.

zpool create -O utf8only=on -O normalization=formD -O casesensitivity=mixed -O aclinherit=passthrough tank raidz ada0 ada1 ada2

This is basically the same setup like my Dell T20. And a very usefull hint for me was the sysctl for geom debugflags, becaue I used disks with old partition tables on it and I got allways a error like "Device Busy" so you can force to create a zfs volume anyway with sysctl kern.geom.debugflags=16.

With the pool in place, I enable ssh on my NAS with a passwordless key login. Maybe I write a blog post about that to. (Probably not, but you can find how that is done on teh interwebz)

remote server

After all this is done, I can finally use my 'master' backup scripts. Well you probably don't have a user to receive. But ZFS is nice so there is a nice way for this:

sudo zfs allow -u l33tname create,receive,mount,userprop,destroy,send,hold,compression,aclinherit tank

This allow everything which is necessary to receive snapshots on tank. You can check your config with zfs allow tank.

DATE=`date "+%Y-%m-%d_%H-%M-%S"` #snap teh shot .__. zfs snapshot -r tank@$DATE #send it zfs send -R tank@$DATE | ssh -c arcfour travos "zfs receive -F tank" echo "THE end"

Because you probably won't send everytime the entire dataset you can use the incremental script. That's what I do. Every night with cron.

30 2 * * * /root/backup/backup_incremental >> /root/backup/backup.log

#!/usr/local/bin/zsh PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin DATE=$(date "+%Y-%m-%d_%H-%M-%S") SCRIPTNAME=$(basename $0) PIDFILE=/var/run/${SCRIPTNAME}.pid if [ -f ${PIDFILE} ]; then #verify if the process is actually still running under this pid OLDPID=$(cat ${PIDFILE}) RESULT=$(ps A | grep ${OLDPID} | grep ${SCRIPTNAME}) if [ -n "${RESULT}" ]; then echo "${DATE}: Script already running (PID: ${OLDPID})! Exiting" exit 255 fi fi #grab pid of this process and update the pid file with it PID=$$ echo ${PID} > ${PIDFILE} echo "${DATE}: start incremetal backup" LASTSNAPSHOT=`ssh travos "zfs list -t snapshot -o name -s creation -r tank | awk 'END{print}'"` echo "${DATE}: the last snapshot was: $LASTSNAPSHOT" #snap teh shot .__. zfs snapshot -r tank@$DATE echo "${DATE}: the new snapshot is: tank@$DATE" START=$(date +%s) #send it zfs send -R -i $LASTSNAPSHOT tank@$DATE | ssh -C -c blowfish-cbc,arcfour travos "zfs receive -F tank" END=$(date +%s) TIME=$(( $END - $START )) echo "${DATE}: It took ${TIME} seconds to send the snapshot" if [ -f ${PIDFILE} ]; then rm ${PIDFILE} fi

~~The only thing what I can thought off is missing in my scripts is the case when you run a backup while a backup process is still running. I will probably fix this for the future version.~~

Actually I did this before I blog about it.

Balance Your Btrfs

14 Nov 2014

When your ` btrfs fi df` show much unused space, but your programms crash because they can't write. It's probably that your drive is full anyway.

If your filesystem looks like this:

# btrfs fi show /
Label: 'fedora_XXXXX'  uuid: ff4be388-XXXX-XXXX-XXXX-e5b02d8ac312
	Total devices 2 FS bytes used 61.55GiB
	devid    1 size 103.40GiB used 103.40GiB path /dev/mapper/luks-bf4bdc39-XXXX-XXXX-XXX-4fb5e13c5056

As you can see your disk use 103.40GiB of 103.40GiB which means full. In this state you can do probably not much. So first add more space to your btrfs volume.

btrfs device add -f /dev/sdc /

A 1 GB usb stick should be enough, but make sure there are no data on it.

Now you can balance it with:

btrfs balance start -dusage=80 /

Right, there is no space between -d and usage. You can change the usage parameter, more in this case means it use more time but free more space.

After that is done you can remove your usb stick:

btrfs device delete /dev/sdc /

And if you now check

# btrfs fi show /
Label: 'fedora_XXXXX'  uuid: ff4be388-XXXX-XXXX-XXXX-e5b02d8ac312
	Total devices 1 FS bytes used 61.55GiB
	devid    1 size 103.40GiB used 65.03GiB path /dev/mapper/luks-bf4bdc39-XXXX-XXXX-XXX-4fb5e13c5056

Source and detailed informations: Fixing Btrfs Filesystem Full Problems

Fun With Socks

11 Nov 2014

Fun with SOCKS proxy's

Sometimes you are not at home, but you want access to your local systems with DNS and everything. And guess what, it's possible. The only thing you need is a dyndns setup or a static IP or and a open port for ssh.

Additionally you need a ssh server in your network, I recommend to configure this server to key based login only or at least with 2 factor authentication.

I personally like to setup my host in the ssh config file something like this:

Host hostname
    Hostname my.dyndns.example
    Port 3333
    User myuser
    IdentityFile ~/.ssh/myprivatkey

With this in place you can now easily open a SOCKS proxy

ssh -4 -Nn -D 1080 hostname

This opens a SOCKS proxy on your localhost:1080 which tunnels your traffic through your host in your home network. To test this you can configure this in your Firefox. Options -> Advanced -> Network -> Settings... there you can set your SOCKS Host and port. Now your ready to got, just browse to a site in your local network.

Special Firefox settings

Since you proxy all your traffic through your SOCKS proxy you probably didn't want to leak your DNS query's, so just set network.proxy.socks_remote_dns to true. (you find it in about:config) I set this always on true because I run a DNS server in my home network.

AutoProxy (not working for me in latest Firefox)

But now all your traffic goes through your home network, depending on your internet connection this is maybe a bit slow.

So there are Firefox plugins which allow you to set rules when which proxy is used. On of this plugins is FoxyProxy. The problem with this is you need a paid pro version to configure rules for IP addresses. So I tried AutoProxy instead. And with AutoProxy it's simple to configure 2 rules, one for my local domain and one for my IP range.

AutoProxy settings

PAC files to the rescue

Since AutoProxy stopt working I need a new solution. And guess what it's really simple. Most browser have the ability to use PAC files.

And here is mine:

$ cat setup.pac
//alerts are in ctrl + shift + j
function FindProxyForURL(url, host)
{
  if(shExpMatch(host, "*.l33t.lan*") || shExpMatch(host, "192.168.1.*"))
  {
    return "SOCKS 127.0.0.1:1080";
  }

  // The default case
  return "DIRECT";
}

Just configure your Firefox to use it (don't forget to restart your browser). You just use the file path:

Set a PAC file

Options -> Advanced -> Network -> Settings...

Now all request for my subnet 192.168.1.0/24 and my domain l33t.lan are going through the SOCKS proxy and the rest using as before no proxy. The best from both worlds.

Binaergewitter Sticker

09 Oct 2014

Wie vermutlich die meisten von euch wissen, bin ich "Profi Podcast Hörer". Und so als Profi möchte man sich auch mal ein Sticker seines Lieblings Podcast auf den Laptop kleben.

Die Binargewitter Menschen haben zwar mal gesagt das es Sticker geben wird aber so lange kann ich nicht warten, also hab ich mich bereit erklärt Sticker zu machen.

sticker

So würden die Sticker aussehen und vermutlich 2x6 zoll gross sein. (falls sich jemand findet der was hübscheres designen kann, ~~sticker@l33t.name~~)

Wer jetzt auch so Sticker möchte, schreibt mir doch kurz eine Mail (~~sticker@l33t.name~~) wie viele und wie viel Geld ihr dafür ausgeben würdet.

Wenn etwas daraus wird werde ich sie sicher an den 31c3 mitbringen oder gegen den Aufpreis von ~5 euro in ein Couvert stecken und an euch senden.

Update

Ich hab dann einfach mal Sticker bestellt. Gibt ~100 stück am #31c3. Vielleicht gibt es sogar ein Hörertreffen. sticker II

Allow Raw Sockets Per Jail

31 Aug 2014

This is more a note for me than a blog post. I struggle a bit with allowing raw sockets on a per jail basis. But if you know how it's done, it's not really hard. At least not with ezjail where you have a per jail config file. Let's say you need raw sockets in a jail named 'examplejail' you just need to add:

export jail_examplejail_parameters="allow.raw_sockets=1"

to the config file which you find under /usr/local/etc/ezjail/examplejail.

Restart ezjail and \o/ you have access from your examplejail to the raw sockets.

Older Newer

l33tsource