BackupPC is an awesome program for backing up your data in an efficient manner. It provides you with an easy to use web interface and some very complete documentation. Read more about it at the BackupPC SourceForge page.

For some reason, the FreeBSD ports tree still does not contain BackupPC! This guide details the configuration steps to get BackupPC running with an Apache (lighttpd also supported, though) web interface on a FreeBSD host.

Dependencies

Sadly, there is not a BackupPC port for FreeBSD so the dependencies will not be precalculated and installed automatically. To satisfy BackupPC dependencies, make sure a few ports are already installed.

Perl

For this installation, Perl and the BackupPC cgi script are set up with SUID privileges. If you would like to avoid this scenario, run the Apache webserver as the backuppc user instead of the default www user. You can edit this in /usr/local/etc/apache22/httpd.conf.

First, check to see if you have Perl installed. If you do, take note of which version it is so that you can rebuild the correction version.

1. pkg_info | grep ^perl

Now build perl with SUID support.

Change Perl version as necessary.

1. # cd /usr/ports/lang/perl5.10
2. # make config
3. 
4. # make install -DFORCE_PKG_REGISTER clean

Other Packages

• p5-Compress-Zlib
• p5-Archive-Zip
• p5-XML-RSS
• p5-File-RsyncP
• p5-libwww
• rsync
• samba-smbclient (for Windows backups)
• samba-nmblookup (for Windows backups)
• apache22

You can use the following as a template to figure out if you have a port currently installed:

1. $ pkg_info | grep package_name

Install the package if it is not found.

whereis package_name is another way to find the location of a port.

1. $ cd /usr/ports/*/package_name
2. # make install clean

User and Group

We do not want to run BackupPC as a privileged user, so we will create its own user (backuppc) and group (backuppc), which can be individually locked down later.

Your user and group name can be different, but please note what it is and change the rest of the guide accordingly!

1. # pw group add backuppc
2. # pw user add backuppc -g backuppc -m
3. # passwd backuppc

If you decide to remove this account for any reason, just use the rmuser <user> command.

Obtaining and Installing BackupPC

Now obtain the latest BackupPC archive, do a little prep work, and then install it.

1. # mkdir ~/backuppc_tmp

Download the latest BackupPC tar.gz archive from here. Place this file in the ~/backuppc_tmp directory that was just created.

1. # cd ~/backuppc_tmp
2. # tar xvzf BackupPC-3.2.0.tar.gz
3. # cd BackupPC-3.2.0

Now, we have everything in place and we can start configuring BackupPC.

I have provided everything you should need to keep a localized installation, but feel free to change these variables or even take a look at the full list by viewing perl configure.pl -help

1. # perl configure.pl \
        --batch \
        --backuppc-user=backuppc \
        --compress-level=5 \
        --install-dir     /home/backuppc \
        --config-dir      /home/backuppc/etc \
        --log-dir         /home/backuppc/log \
        --data-dir        /home/backuppc/data \
        --hostname        host.domain.tld \
        --cgi-dir         /home/backuppc/cgi-bin \
        --html-dir        /home/backuppc/htdocs \
        --html-dir-url     /bupc/htdocs
2. # chown -R backuppc:backuppc /home/backuppc
3. # chmod u=wrxs,go=rx /home/backuppc/cgi-bin/BackupPC_Admin
4. # chgrp www /home/backuppc/cgi-bin/BackupPC_Admin
5. # chgrp www /home/backuppc/etc
6. # chgrp www /home/backuppc/etc/config.pl

Starting / Stopping / Restarting BackupPC Daemon

Like any other server/daemon on FreeBSD, the easier way to facilitate start/stop/rrestarting services is via a script in /usr/local/etc/rc.d. I previously wrote one for this guide, but the newer versions of the BackupPC archives actually contain a valid script we can drop in.

Since we (most likely) want the BackupPC service to start when the machine boots, we need to add it to /etc/rc.conf.

1. # cd ~/backuppc_tmp/BackupPC-3.2.0/init.d
2. # cp freebsd-backuppc /usr/local/etc/rc.d/backuppc
3. # chmod +x /usr/local/etc/rc.d/backuppc
4. # echo 'backuppc_enable="YES"' >> /etc/rc.conf
5. # /usr/local/etc/rc.d/backuppc start
6. backuppc started

Setup BackupPC Web Interface

We need to create a htaccess password that Apache will use to authenticate users to the BackupPC web interface.

Be sure to use backuppc as the user when creating the htpasswd file. If you want to change it, use the name you would like but you must edit config.pl to reflect the change. Modify the $Conf{BackupPCUser} variable.

• # htpasswd -c /usr/local/etc/apache22/.htpasswd-backuppc backuppc

Now we need to configure Apache to publish the BackupPC web interface with the URL of http://<your hostname or IP>/bupc

1. # cd /usr/ports/www/apache22
2. # make install clean
3. # kldload accf_http
4. # echo 'accf_http_load="YES"' >> /etc/rc.conf
5. # echo 'apache22_enable="YES"' >> /etc/rc.conf

1. # vi /usr/local/etc/apache22/Includes/backuppc.conf
2. Alias /bupc/htdocs /home/backuppc/htdocs
3. ScriptAlias /bupc /home/backuppc/cgi-bin/BackupPC_Admin
4. <Directory "/home/backuppc/cgi-bin">
5.     #SSLRequireSSL
6.    
7.     Options +ExecCGI
8.     AllowOverride AuthConfig
9.     Order allow,deny
10.     #Allow from 192.168.0 192.168.5.44
11.     Allow from all
12.  
13.     AuthName "BackupPC Admin"
14.     AuthType Basic
15.     AuthUserFile /usr/local/etc/apache22/.htpasswd-backuppc
16.     Require valid-user
17. </Directory>
18.  
19. <Directory "/home/backuppc/htdocs">
20.     Order allow,deny
21.     Allow from all
22. </Directory>
23. # apachectl restart

We also have to set which user(s) (from the password dialog) have access to the functions provided by the web interface. Without setting this in config.pl, we would be provided with a minimal set of administrative links upon logging in to the web interface.

1. # su backuppc
2. $ vim ~/etc/config.pl
3. ... ... snip ... snip ... ...
4. $Conf{CgiAdminUsers}    = 'backuppc';
5. ... ... snip ... snip ... ...

Now open up your web browser and go to http://<local ip or hostname>/bupc and you should see the htaccess password dialog box. Enter the authentication you configured earlier. You should eventually be greeted with a page similar to the following:

Edit config.pl

I, personally, like to run the BackupPC client process (on the client!) as the user bupc and I lock it down so it can execute rsync with root privileges. Since I do this, I usually change the default arguments for the command that gets piped to the client to initiate the backup.

1. # su backuppc
2. $ vi /home/backuppc/etc/config.pl
3. ... ... snip ... snip ... ...
4. $Conf{RsyncClientCmd} = '$sshPath -q -x -l bupc $host sudo $rsyncPath $argList+'
5. ... ... snip ... snip ... ...
6. $Conf{RsyncClientRestoreCmd} = '$sshPath -q -x -l bupc $host sudo $rsyncPath $argList+';
7. ... ... snip ... snip ... ...

As I plan to mostly backup Linux/BSD boxes, I want to make rsync the default backup choice when I go to setup a new host.

1. # su backuppc
2. $ vi /home/backuppc/etc/config.pl
3. ... ... snip ... snip ... ...
4. $Conf{XferMethod} = 'rsync';
5. ... ... snip ... snip ... ...

Changes to config.pl are instantaneous, as it is loaded on every page hit.

BackupPC Client Config

As mentioned earlier, I use a SSH authorized key authentication and sudo combination. I also have setup BackupPC to run rsync by default, as most of my hosts I plan to setup are *nix boxes. Now we just have to do a little prep work on our client.

We use SSH key authentication because BackupPC is unable to "login" traditionally by manually supplying a username and password. Instead, it will use the keys we will set up and only allow a specific username/host combination have direct access

Create bupc User

First, we need to create the user that BackupPC logs into the clients with. I plan to create the bupc user on the system we plan to backup.

I prefer to assign the /bin/sh shell until I get done with configuring the user...then I change it to a shell with no environment (/usr/sbin/nologin).

The following is for creating users on another FreeBSD box. You can use utilities such as adduser and useradd on Linux.

1. # pw user add bupc -s /bin/sh -m
2. # passwd bupc

Install sudo and Enable SSH

sudo is needed to run rsync with temporary root privileges

FreeBSD Example

1. # cd /usr/ports/security/sudo
2. # make install clean
3. # rehash
4. # echo 'sshd_enable="YES"' >> /etc/rc.conf
5. # /etc/rc.d/sshd start

apt-get based system (Debian, Ubuntu, etc) Example

1. # apt-get install ssh sudo

yum based system (RedHat, CentOS, Fedora, etc) Example

1. # yum install ssh sudo

Now, all we have left is to edit the sudoers file so the bupc user can access rsync with root privileges (it will have Permission Denied errors for many file, otherwise).

1. # visudo
2. ... ... snip ... snip ... ...
3. bupc    ALL=(ALL) NOPASSWD: /usr/local/bin/rsync

Now a quick test to make sure that we can execute rsync with root privileges.

1. # su bupc
2. $ sudo rsync
3. <some rsync output>

If you get prompted for a password, check your steps because something is wrong.

Setup Authorized Keys on Client

Now we need to do a few things to enable the BackupPC server to talk to clients without dealing with login prompts (when issuing commands on remote boxes via ssh). SSH Key-Authentication works perfectly for this. The server and client know are set up in such a way that they establish a connection based on an encrypted key file swapped between the two.

Client

1. # su bupc
2. $ ssh-keygen -t rsa

Server

1. # su backuppc
2. $ ssh-keygen -t rsa
3. $ scp ~/.ssh/id_rsa.pub bupc@CLIENT_HOST:~/.ssh/BackupPC.pub

Client

In my case, my authorized keyfile is ~/.ssh/authorized_keys but yours could be different! Check out your sshd_config file. You can find it by running find / -name sshd_config

1. # su bupc
2. $ cd ~/.ssh
3. $ ls
4. id_rsa
5. id_rsa.pub
6. BackupPC.pub
7. $ cat BackupPC.pub >> authorized_keys

Server

Now test that we can login to our client using authorized keys from the backuppc user on the BackupPC server.

1. # su backuppc
2. $ ssh bupc@CLIENT_HOST

... and we should be in with no password!

Finally, just test a remote sudo execution of rsync to make sure everything is working correctly.

1. # su backuppc
2. $ ssh bupc@CLIENT_HOST sudo rsync

Again, you should get get some generic rsync usage information and not be prompted for a password.

If all is well, you are ready to configure clients to be backed up. Visit the web interface we previously setup and start adding hosts!

Adding Clients