Pull mode #175
Comments
Keep in mind, that this puts much harder requirements on attic with regards to security. One tiny vulnerability, and the pulling server becomes the weakest link between an attacker and full access to all backed up clients. In a push setup, on the other hand, the worst case scenario is remote code execution with the privileges of an attic-specific, otherwise powerless user account on the server. And with all remote data being encrypted, the worst case scenario is deletion of backups, which is far less bad. And there are effective mitigations available, like filesystem snapshots. |
Much better than having server ssh private keys on each machine. The possibility for malicious client to erase whole attic repository or putting some 0day malware in the shell is not the kind of security that i want. Connecting to client over ssh and running |
|
+1 for pull mode. |
|
I'd love this, too! I've a "workaround" that I've been using that I'd love comments on, if anyone has them. Basically, I have a
Then, from ssh client "attic create ~/client-repo.attic::$(date +Y-%m-%d)"
rsync --archive --compress --verbose --delete client:~/client-repo.attic/ ~/client-repo/.It definitely doesn't address all of the advantages of a pull mode, but it gets a couple. My big question: using |
|
I would be surprised if --compress helps at all since the backup is already Would something like this work? You setup a tunnel from the remote machine to back to ssh on the server. I haven't tried it, but it seems like it could work. On Wed, May 6, 2015 at 11:27 AM, David Alan Hjelle <[email protected]
|
|
Yeah, I didn't measure it, but I took out @wscott, that's an interesting idea I hadn't thought of! I'm not super familiar with the |
|
ssh -R cause a tunnel to be created so that connections to one port on the So I did the simple case of just mapping a port to the local side's ssh We could do one better and use 'nc' and a fake 'ssh' executable so that All of this would be easier if attic had some better support for this sort On Wed, May 6, 2015 at 3:21 PM, David Alan Hjelle [email protected]
|
|
+1 for some sort of pull mode. If you have a server that is exposed to the net through multiple attack surfaces (web, email, etc) then it is much more likely to be compromised that an extremely locked down backup server which just has ssh enabled on it. It would be nice if the client machines had an easy way to be set up so that an account with read only ssh privileges to just the directories to be backed up could be created. So that even if the backup server is compromised at the worst they will be able to only read the contents to be backed up. |
|
+1 I'm also for a pull mode. |
|
I would like a pull option too... |
|
+1 I would also like a pull option. |
|
after a quick review, it seems that Obnam does "pull" through |
I tried that, but occasionally it leads to a full retransmission of the data, so it's not really a bandwidth-efficient solution. |
|
@brumsoel correct. sshfs (and even more sftp, due to small and unchangeable block size) would have bad performance. In fact everything reading the data source via a (network-)fs-like thing will have bad performance as duplicate file contents will first go over the network before they reach attic (and its chunker cuts chunks which may be identified as duplicates). |
|
+1 for pull mode. mainly for jasonfharris' security reasons. |
|
What about implementing something ssh-y so you have the feature now, then fix performance issues later? It wouldn't be any worse than other systems that use ssh for backups. |
I would like to vote for a pull mode feature.
There is already 'attic serve', but it is spawned by attic with ssh.
I would like something like 'attic client' listening on a tcp port, where 'attic serve' would initialize backup from a central server. And there should be possibility for mutual certificate based authentication.
Advantages of that solution are:
And probably more.
The text was updated successfully, but these errors were encountered: