Having already outlined my reasons for using tarsnap for online backups this post will detail how exactly I'm using it.
The instructions on the tarsnap site are really very easy to follow. I was momentarily caught out by not importing the code signing key but after getting that sorted out it was fine. I did need to use sha256sum rather than sha256 as suggested. Installation went well and then I had a little play with creating, listing, deleting and recovering data from backups. It was at this point when my only real gripes with the software started to become obvious - you can't humanize the data size figures when using --list-archives and there is no shortcut for --list-archives. As gripes go these are fairly minor though and everything else works nicely.
With the tarsnap client running on my server it was time to automate my backups. I put together a small script which creates a dump of my database and then creates a new backup with the tarsnap client.
#!/bin/bash dateString=`date +%F` echo "Beginning backup for $dateString" >> /home/streety/sources/backup/tarsnap.log #dump the mysql database rm -f /home/streety/mysql-backup.sql mysqldump --user=backup -ppassword --all-databases > /home/streety/mysql-backup.sql #backup to tarsnap tarsnap -c -f linode-jscom-$dateString /home/streety /etc/apache2 echo "Backup complete for $dateString" >> /home/streety/sources/backup/tarsnap.log
That script worked fine when I ran it from the shell but cron didn't seem to be running it. I needed to specify the path to the tarsnap script. Easily enough done.
PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin MAILTOemail@example.com # m h dom mon dow command 5 0 * * * /home/streety/sources/backup/backup.sh >> /home/streety/sources/backup/output.log 2>&1
With everything working I wanted to get permissions set up. Again this was very easy.
tarsnap-keymgmt --outkeyfile /root/limited-tarsnap.key -r -w /root/tarsnap.key
The original key is then removed from the system and kept in a secure place. The new limited key should allow us to create and read from backups but not to delete them.
streety@jonathanstreet:~$ tarsnap -c -f anothertestbackup /home/streety tarsnap: fopen(/root/tarsnap.key): Permission denied tarsnap: Cannot read key file: /root/tarsnap.key streety@jonathanstreet:~$ sudo !! sudo tarsnap -c -f anothertestbackup /home/streety [sudo] password for streety: tarsnap: Removing leading '/' from member names Total size Compressed size All archives 1804387231 685263319 (unique data) 481384333 178645934 This archive 746610352 296516102 New data 721055 196300 streety@jonathanstreet:~$ tarsnap --list-archives tarsnap: fopen(/root/tarsnap.key): Permission denied tarsnap: Cannot read key file: /root/tarsnap.key streety@jonathanstreet:~$ sudo !! sudo tarsnap --list-archives testbackup anothertestbackup linode-jscom-2009-11-30 streety@jonathanstreet:~$ sudo tarsnap -d -f anothertestbackup tarsnap: The delete authorization key is required for -d but is not available
As you can see I keep forgetting to use sudo but it all works. I can create backups, list the existing backups but I can't delete them, at least not from this server. Success.
I've been running this script for a little more than a month now and so far I'm very happy with it.