readme.md added
@@ -0,0 +1,180 @@
# BorgBackup Pull-Backup: Raspberry Pi ← Docker-Host

## Konzept

```
Docker-Host (Quelle) Raspberry Pi (Backup-Ziel)
───────────────────── ──────────────────────────
borgbackup-User (SSH) ←───── sshfs mount (read-only)
/var/lib/docker/volumes borg create → lokales Repo
/etc, /opt, /home Systemd-Timer (02:30 Uhr)
```

Der Pi **zieht** die Daten – der Docker-Host hat **keinen** Zugriff
auf das Borg-Repository. Ransomware oder Kompromittierung des
Docker-Hosts kann die Backups nicht zerstören.

---

## Schritt-für-Schritt Einrichtung

### Schritt 1: Docker-Host vorbereiten

```bash
# Als root auf dem Docker-Host:
bash setup-docker-host.sh

# Alternativ mit direkter Key-Übergabe:
bash setup-docker-host.sh "ssh-ed25519 AAAA... pi@raspberry"
```

Das Skript legt den User `borgbackup` an und trägt den SSH-Key
mit Einschränkungen ein (kein Port-Forwarding, kein PTY).

### Schritt 2: Pi einrichten

```bash
# Als root auf dem Pi:
bash setup-pi.sh 192.168.1.100 # IP des Docker-Hosts

# Das Skript:
# - Installiert borgbackup, sshfs, fuse
# - Erzeugt SSH-Key /home/pi/.ssh/borg_pull
# - Initialisiert das Borg-Repository
# - Installiert das Backup-Skript
```

### Schritt 3: Backup-Skript anpassen

```bash
nano /usr/local/bin/borg-pull-backup.sh
```

Wichtige Variablen:
| Variable | Bedeutung |
|---|---|
| `REMOTE_HOST` | IP/Hostname des Docker-Hosts |
| `REMOTE_USER` | SSH-User (borgbackup) |
| `SSH_KEY` | Pfad zum SSH-Key auf dem Pi |
| `BORG_REPO` | Lokaler Pfad zum Repository |
| `BORG_PASSPHRASE` | Verschlüsselungspasswort |
| `BACKUP_PATHS` | Welche Pfade gesichert werden |
| `KEEP_DAILY/WEEKLY/MONTHLY` | Aufbewahrungsrichtlinie |

### Schritt 4: Systemd-Timer aktivieren

```bash
# Dateien kopieren
cp borg-pull-backup.service /etc/systemd/system/
cp borg-pull-backup.timer /etc/systemd/system/

# Aktivieren
systemctl daemon-reload
systemctl enable --now borg-pull-backup.timer

# Status prüfen
systemctl status borg-pull-backup.timer
systemctl list-timers borg-pull-backup.timer
```

### Schritt 5: Testlauf

```bash
# Backup manuell starten
/usr/local/bin/borg-pull-backup.sh

# Oder via Systemd
systemctl start borg-pull-backup.service

# Log verfolgen
journalctl -fu borg-pull-backup.service
tail -f /var/log/borg-pull-backup.log
```

---

## Wiederherstellung

```bash
export BORG_PASSPHRASE="dein-passwort"
REPO="/media/backup/borg/docker-host"

# Archive auflisten
borg list "$REPO"

# Einzelne Datei / Verzeichnis wiederherstellen
cd /tmp/restore
borg extract "$REPO::docker-host-2024-01-15T02-30-00" \
var/lib/docker/volumes/mein-volume

# Komplettes Archiv wiederherstellen
borg extract --list "$REPO::docker-host-2024-01-15T02-30-00"

# Archiv-Inhalt durchsuchen ohne zu extrahieren
borg list "$REPO::docker-host-2024-01-15T02-30-00" | grep "volumes"
```

---

## Wichtige Hinweise

### Repokey sichern!
```bash
# Einmalig nach der Initialisierung:
borg key export /media/backup/borg/docker-host \
/media/backup/borg-key-docker-host.txt

# Diesen Key getrennt aufbewahren (USB-Stick, Passwortmanager)
# Ohne Key + Passwort sind die Backups WERTLOS
```

### Docker Volumes konsistent sichern

Für Datenbanken entweder:

**Option A: Container kurz stoppen**
```bash
# Im Backup-Skript vor borg create:
ssh borgbackup@docker-host \
"docker compose -f /opt/myapp/docker-compose.yml stop"
# ... backup ...
ssh borgbackup@docker-host \
"docker compose -f /opt/myapp/docker-compose.yml start"
```

**Option B: Dump vorher erstellen**
```bash
# PostgreSQL
ssh borgbackup@docker-host \
"docker exec postgres pg_dumpall -U postgres > /opt/backup/pg_dump.sql"

# MySQL/MariaDB
ssh borgbackup@docker-host \
"docker exec mysql mysqldump -u root -p... --all-databases > /opt/backup/mysql_dump.sql"
```

### Mehrere Docker-Hosts

Das Skript ist pro Host ausgelegt. Für mehrere Hosts:

```bash
# Kopie für jeden Host
cp /usr/local/bin/borg-pull-backup.sh \
/usr/local/bin/borg-pull-backup-host2.sh

# Separate Timer/Services anlegen
cp /etc/systemd/system/borg-pull-backup.{service,timer} \
/etc/systemd/system/borg-pull-backup-host2.{service,timer}
```

---

## Troubleshooting

| Problem | Lösung |
|---|---|
| `sshfs: connection failed` | SSH-Key prüfen, User `borgbackup` vorhanden? |
| `Permission denied` auf `/var/lib/docker` | borgbackup-User braucht Lesezugriff |
| Mount hängt nach Fehler | `fusermount -u /mnt/borg-pull/docker-host` |
| Backup sehr langsam | Compression auf `zstd` ändern statt `lz4` |
| `Repository already locked` | `borg break-lock /media/backup/borg/docker-host` |
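Review bot: Option A and Option B in "Docker Volumes konsistent sichern" (the `ssh borgbackup@docker-host "docker compose ... stop/start"` and `docker exec ... pg_dumpall` / `mysqldump` lines) undermine the hardening described in Schritt 1, where `setup-docker-host.sh` installs the Pi's key for `borgbackup` with restrictions (no port forwarding, no PTY) and the user only needs read access to `/var/lib/docker/volumes`, `/etc`, `/opt` and `/home`. Running `docker compose` or `docker exec` as that user requires access to the Docker socket, which is root-equivalent on the host, so a compromised Pi or a leaked `/home/pi/.ssh/borg_pull` key would give full control of the Docker host; the Konzept section only argues the opposite direction (host cannot reach the repo). Please either document that trade-off next to the two options, or restrict this to a forced command or a narrow `sudo` rule that permits exactly the stop/start and dump commands and nothing else. Two smaller points: the `borg key export` example writes the key to `/media/backup/borg-key-docker-host.txt`, on the same disk as the repository under `/media/backup/borg/`, while the comment two lines later says to keep it separately (USB stick, password manager); point the command at a removable path or add the move step. And the `borg break-lock` row in the Troubleshooting table should say to check first that no `borg-pull-backup.service` run is still active (`systemctl status borg-pull-backup.service`), because breaking the lock while a `borg create` is writing can damage the repository.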