ansible-role-backups
Sample Playbook
- name: Setup backup scripts
  hosts: backups
  become: true
  roles:
    - role: backups
      tags:
        - backups
Backup Servers
Backup Servers are defined as a dict, which allows for multiple servers each with a separate configuration. By default this has no value and must be defined by the consuming playbook.
backup_servers:
  - name: ohgnetworks
    address: backup0.int.ohgnetworks.com
    aliases: backup0 backup0.int
    path: /v0/ohgservers
    user: backup
    key: id_rsa_backup
    # retention: 3M
  - name: boxcar
    address: box0.lan.boxcar.sh
    aliases: box0
    path: /srv/backups
    user: jon
    key: id_rsa_backup
Access to a backup server is controlled by an ssh key, which should be secured with ansible-vault and included in the consuming playbook under files/backups. These keys will automatically get decrypted and placed on the backup target hosts.
Example of encrypting an arbitrary file with ansible-vault
ansible-vault encrypt files/backups/id_rsa_backup
Backup Targets
The backup-targets template creates a file for each defined backup server under /etc/backup.d. This file in turn contains backup commands for each defined target path.
Target paths are provided as a list defined globally, per ansible group, or for an individual host. The default value only targets /etc.
Note: it is recommended to delete any old pre-ansible backup scripts in /etc/backup.d if upgrading a legacy host.
Example of multiple target paths
backup_targets:
  - target: /etc
  - target: /opt
  - target: /var/log
Example output for /etc/backup.d/backup-targets-ohgnetworks
This is outdated, as the commands are now wrapped in shell scripts to allow for different local versions, snapshot backups of LVM volumes, and better error handling to suppress a few warnings about versions and the lack of expiring files if none are older than the expire time. It does reflect the basic backup commands used.
The scripts will skip snapshots if they don't detect LVM volumes, and will proceed with a normal backup of the live volume. If the snapshot fails, they will log an error and proceed with a normal backup of the live volume.
# /etc
rdiff-backup -v2 --create-full-path /etc backup@backup0.int.ohgnetworks.com::/v0/ohgservers/stovepipe.ch2.mgmt/etc
rdiff-backup -v2 --remove-older-than 3M --force backup@backup0.int.ohgnetworks.com::/v0/ohgservers/stovepipe.ch2.mgmt/etc
# /opt
rdiff-backup -v2 --create-full-path /opt backup@backup0.int.ohgnetworks.com::/v0/ohgservers/stovepipe.ch2.mgmt/opt
rdiff-backup -v2 --remove-older-than 3M --force backup@backup0.int.ohgnetworks.com::/v0/ohgservers/stovepipe.ch2.mgmt/opt
# /var/log
rdiff-backup -v2 --create-full-path /var/log backup@backup0.int.ohgnetworks.com::/v0/ohgservers/stovepipe.ch2.mgmt/var/log
rdiff-backup -v2 --remove-older-than 3M --force backup@backup0.int.ohgnetworks.com::/v0/ohgservers/stovepipe.ch2.mgmt/var/log
SSH Config
The role creates an ssh config with host entries for each defined backup server. This file is critical for the automation of the backup tasks via cron.
host backup0.int.ohgnetworks.com backup0 backup0.int
    hostname backup0.int.ohgnetworks.com
    user backup
    identityfile /root/.ssh/id_rsa_backup
    compression no
    protocol 2
    StrictHostKeyChecking no
    ForwardX11 no
    ForwardAgent no
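The generated entry above sets StrictHostKeyChecking no, so ssh does not verify the backup server's host key before the cron job connects. The following is an added example, not part of this role, that lists the Host blocks in an ssh config where that setting is effectively "no" or "off"; the function names, the temp file and the second and third sample entries are constructed for illustration, and Match blocks are not handled.

```shell
#!/usr/bin/env bash
# Added example, not part of the role: list Host blocks in an ssh_config-style
# file whose effective StrictHostKeyChecking value is "no" or "off".

weak_hostkey_blocks() {
    # $1: path to the ssh config to inspect. Prints the first pattern of each
    # affected Host block, one per line.
    awk '
        function emit() { if (weak) print host }
        BEGIN { host = "*" }            # options before any Host line are reported as "*"
        {
            sub(/^[ \t]+/, "")          # drop leading indentation
            sub(/[ \t]*=[ \t]*/, " ")   # accept "key=value" as well as "key value"
            key = tolower($1)           # ssh_config keywords are case-insensitive
        }
        key == "" || key ~ /^#/ { next }
        key == "host" { emit(); host = $2; seen = 0; weak = 0; next }
        # ssh keeps the first value it obtains for a keyword, so only the
        # first occurrence inside a block is evaluated.
        key == "stricthostkeychecking" && !seen {
            seen = 1
            v = tolower($2)
            weak = (v == "no" || v == "off")
        }
        END { emit() }
    ' "$1"
}

# Constructed sample: the first entry mirrors the one shown above; the other
# two are made up to exercise first-value-wins and the key=value form.
write_sample_config() {
    cat > "$1" <<'EOF'
host backup0.int.ohgnetworks.com backup0 backup0.int
    hostname backup0.int.ohgnetworks.com
    user backup
    StrictHostKeyChecking no
host box0.lan.boxcar.sh box0
    user jon
    StrictHostKeyChecking accept-new
    StrictHostKeyChecking no
host legacy.example.invalid
    stricthostkeychecking=off
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
weak_hostkey_blocks "$sample"
rm -f "$sample"
```

On a deployed host the function can be pointed at the ssh config the role wrote for root.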
Crontab
Finally, the role creates a cron job in /etc/cron.d/backups that calls a wrapper script, /usr/sbin/run-backups.sh, which simply runs all commands under /etc/backup.d. The exact timing is randomized from 0000 to 0600 each time the role is deployed. The cron file is also seeded with a time zone variable that defaults to the local machine's tz setting, but it can be overridden with the backup_run_timezone variable so that your jobs run in the local overnight if you want.
backup_run_timezone: CST6CDT
TODO
- Further integration is planned for database and command history backups with existing scripts dbump.sh and historybak.sh.