From: Christopher Neufeld <neufeld@physics.utoronto.ca>
Earlier I posed the question on the Net, how does one back up a Linux
machine to a Colorado Jumbo 250 tape drive on an MS-DOS machine. From the
email I received, it seems that this is a frequently pondered problem.
Now that I've figured it out, I'm posting the method. If anybody wants to
massage this into a HOWTO document, let me know. I should thank Jim Nance
(jlnance@isscad.com) for pointing out that an MS-DOS machine need not
always be an MS-DOS machine. This technique should also work for any
other tape drive supported by the ftape module.
The criteria I set were that the resulting setup should be as secure
as possible and should be fairly simple, and take up little or no space
on the MS-DOS machine's hard drive. It should also be capable of
recovering from the worst system corruptions, up to and including the
theft of the hard disk, requiring a restore to a bare Linux file system.
The technique described here uses no hard drive space on the MS-DOS
machine, though it requires that that machine be assigned an IP#. You
will need three formatted, blank 1.44MB diskettes.
Throughout this description I will refer to two machines as "msdos"
and "linux". "msdos" is the name of the machine which has the tape drive
and is usually running MS-DOS. "linux" is the Linux machine whose disk
you are trying to back up or restore to the tape drive. For simplicity I
will refer to the first machine as "msdos" even when it is booted into
and running Linux. Further, all path names in this document should be
considered to be relative to the Linux machine with the Search-And-Rescue
(SAR) disks mounted somewhere on the system. That means that the file
/etc/passwd is the password file for your Linux machine's hard drive,
while, for instance, /tape144/etc/passwd is the corresponding file on the
floppy disk.
I am using Karel Kubat's backup scripts, version 1.03, available at
ftp://sunsite.enc.edu:/pub/Linux/system/Backup/backup-1.03.tar.gz.
Throughout this document I will refer to these simply as "the backup
scripts". You do not have to use these scripts for your own backups to
tape. I like these scripts as they form an uncompressed archive of
compressed files, rather than a compressed archive of uncompressed files.
The former is much safer if there is a media read error during the
restore.
First of all, obtain the ftape module. It is available at:
ftp://sunsite.unc.edu/pub/Linux/kernel/tapes/ftape-1.14d.tar.gz
Next, get a Slackware boot disk (I got the net disk, but it doesn't make
much difference) and the tape144 root disk, and put the images onto 3"1/2
floppies.
The ftape module will only work if it is installed in the kernel which
was running when you compiled it. I could not get it to work with the
ftape.o module on the tape144 root disk, I think because that module has
been stripped of symbols and won't install. So, you now have to make a
new kernel with network and ftape support, and then a new ftape.o. Read
the directions which ship with the ftape archive for directions at this
stage. Remember that the kernel you compile must support the Ethernet
cards on both the Linux machine and the MS-DOS machine.
Copy the newly created kernel image over top of the one on the Net
boot disk. Write protect the boot disk, and label it: SAR#1.
Now, mount the tape144 root disk. I'll assume that the mount point is
/tape144, to avoid confusion in file names. We need to free some space
on it, so delete the following files:
/tape144/bin/dialog
/tape144/bin/elvis
/tape144/bin/vi
/tape144/boot/ftape.o
Now, create a new file:
/tape144/etc/exports
which contains the following line:
/mnt msdos(ro)
Where "msdos" should be replaced with the name or IP# of the MS-DOS
machine which has the tape drive installed.
Next, so that you don't have to rely on a name server, add lines to
the file /tape144/etc/hosts with the names and IP numbers of the Linux
and MS-DOS machines. For instance, mine contains the following two lines:
128.100.75.114 caliban.physics.utoronto.ca caliban caliban.physics
128.100.75.111 ariel.physics.utoronto.ca ariel ariel.physics
Now, there's some sort of problem with the inetd configuration. We
have to put the full path name of the rsh daemon in it. Change line 19
of /tape144/etc/inetd.conf to read:
shell stream tcp nowait root /usr/etc/tcpd /usr/etc/in.rshd
Add local net routing information to /tape144/etc/rc.d/rc.inet1 to
enable the MS-DOS machine to use the network. The format of this depends
on your network configuration, you can just copy the appropriate format
out of your Linux /etc/rc.d/rc.inet1. For my network, the lines that
have to be added are:
/etc/ifconfig eth0 128.100.75.111 broadcast 128.100.75.0 netmask 255.255.255.0
/etc/route add -net 128.100.75.0 netmask 255.255.255.0
The IP# in the ifconfig entry is that of the MS-DOS machine.
Now, copy this file into /tape144/etc/rc.d/rc.inet1-l, and change the
IP# in the new file to reflect that of the Linux machine rather than the
MS-DOS machine.
Next, clip out lines 3 to 11 of /tape144/etc/rc.local. That's an if
statement which executes the rc.inet* files. We don't want this to
happen during the bootup.
Create a new file: /tape144/root/.rhosts containing the line:
linux root
where, again, "linux" is replaced with the full machine name (including
domain) or the IP# of the Linux machine.
Fill in the password field in /tape144/etc/passwd for the root login
to keep people from logging onto the MS-DOS machine while you're doing
the backup. You can do this by copying the corresponding field from your
Linux machine's /etc/passwd file.
Copy /usr/bin/rsh into /tape144/usr/bin.
Copy the following files from /usr/etc into /tape144/usr/etc:
in.rshd
rpc.mountd
rpc.nfsd
rpc.portmap
services
tcpd
Create a new script, /tape144/bin/tapesetup, which consists of the
following: (change "linux" to reflect your Linux machine name).
=== BEGIN /tape144/bin/tapesetup ===
#! /bin/sh
/bin/sh /etc/rc.d/rc.inet1
/bin/sh /etc/rc.d/rc.inet2
/bin/mount linux:/nfs /mnt
/bin/insmod /mnt/ftape.o
=== END /tape144/bin/tapesetup ===
Next, create another new script, /tape144/bin/msdosset, as follows:
(change "linux" to reflect your Linux machine name).
=== BEGIN /tape144/bin/msdosset ===
#! /bin/sh
/bin/sh /etc/rc.d/rc.inet1
/bin/sh /etc/rc.d/rc.inet2
mount linux:/mnt /mnt
/bin/insmod /mnt/ftape.o
=== END /tape144/bin/msdosset ===
Create a readable file, /tape144/root/notes which contains this
helpful information for use in full recovery:
=== BEGIN /tape144/root/notes ===
For a full recovery to a trashed hard disk, boot the Linux machine with
the SAR disks #1 and #2 then type the following:
/bin/sh /etc/rc.d/rc.inet1-l
/bin/sh /etc/rc.d/rc.inet2
/usr/etc/rpc.portmap
/usr/etc/rpc.mountd
/usr/etc/rpc.nfsd
Next, insert SAR disk #3 and type:
mount /dev/fd0 /mnt
Create a new mount point, with:
mkdir /mnt2
and mount your Linux hard disk partition on this point. You may have to
reformat the partition first, if so, follow the directions in the Linux
Installation HOWTO. The SAR disks contain all the files necessary to do
the reformat.
Finally, use disks SAR#1 and SAR#2 to boot up the MS-DOS machine and run
the /bin/msdosset script on that machine. It will take about a minute to
run that script because it is getting an NSF file from a floppy drive, so
be patient. Now, recover the tape to /mnt2 on the Linux machine.
=== END /tape144/root/notes ===
If you are using the backup scripts you will need to copy /bin/su
into the /tape144/bin subdirectory. Copy the backup scripts from your
Linux machine into the corresponding position on /tape144. You do not
need to copy the subdirectories 'lists', 'misc', 'stamps', or 'volumes'
from the /usr/local/etc/backup directory. You will need the other
contents of /usr/local/etc/backup, and also the following files from
/usr/local/bin: 'afio', 'backup', 'backup.bim', 'icm-comp', 'icm-exec',
'icm-pp', 'icmake', 'netbackup', 'netbackup.bim'. Put these into
/tape144/usr/local/bin.
I was unable to use the backup scripts as they come shipped. The
tape archive appears to build cleanly, but it is unrecoverable. I found
that removing the block size and conversion statements fixed it. Here is
the patch to the "netbackup" script. Apply this patch to the Linux
machine's hard disk copy of 'netbackup' as well as to the copy on the SAR
disks.
=== BEGIN /tape144/netbackup.patch ===
*** netbackup.orig Mon Jan 9 17:22:32 1995
--- netbackup Mon Jan 9 17:23:25 1995
***************
*** 35,41 ****
"'mknod", devname, "p'");
exec ("su -", USERNAME, "-c",
"'rsh ", REMOTE_HOST,
! "\"dd", "of=" REMOTE_DEVICE, "obs=20k", "conv=sync\"",
"<", devname,
"'&"
);
--- 35,41 ----
"'mknod", devname, "p'");
exec ("su -", USERNAME, "-c",
"'rsh ", REMOTE_HOST,
! "\"dd", "of=" REMOTE_DEVICE, "\"",
"<", devname,
"'&"
);
***************
*** 50,56 ****
"'mknod", devname, "p'");
exec ("su", USERNAME, "-c",
"'rsh ", REMOTE_HOST,
! "\"dd", "if=" REMOTE_DEVICE, "ibs=20k", "conv=sync\"",
">", devname,
"'&"
);
--- 50,56 ----
"'mknod", devname, "p'");
exec ("su", USERNAME, "-c",
"'rsh ", REMOTE_HOST,
! "\"dd", "if=" REMOTE_DEVICE, "\"",
">", devname,
"'&"
);
=== END /tape144/netbackup.patch ===
You have now finished your SAR disk #2. Write protect it.
Next, mount a clean, formatted disk (create it with fdformat and
mkfs). Copy the ftape.o file onto it, and label it SAR#3. For some
reason things go badly if you write protect this disk, so leave it
write-enabled. If you are using the backup scripts, copy /bin/tcsh onto
this disk as well. The backup scripts don't like to run from the version
of bash on the tape144 disk.
On the Linux machine, create a new directory for NFS file serving. I
made a directory:
/nfs
Put the ftape.o (unstripped, about 500+ kB) into this subdirectory.
Create an entry in your Linux's exports file /etc/exports:
/nfs msdos(ro)
Note that all files in your NFS directory and it's subdirectories are not
secure. Somebody else could boot the MS-DOS machine into Linux with his
own boot disks and mount this directory, so be certain that you don't put
anything sensitive in your NFS subdirectory.
Restart your NFS daemons, rpc.mountd and rpc.nfsd. They don't seem to
take kindly to a SIGHUP restart, so kill them and reinvoke them. If
you're not activating these daemons in your /etc/rc.d/rc.inet2 you might
want to do so now.
OK, now we're all set to back up and recover. To make a full backup
from the Linux machine, boot the MS-DOS machine with SAR#1. When
prompted for the second disk, load SAR#2. Log in as root, and execute
the script: /bin/tapesetup. Log out of the MS-DOS machine. If you're
using the backup scripts, the netbackup command will now work. You can
also use the "-f msdos:/dev/ftape" switch on GNU tar, cpio, or mt, and
make your backup this way. If you have a backup program which is only
capable of writing to a local file, do the following. Assume that the
backup program is called "localbackup" and writes to the file
represented by its command line argument:
mknod /tmp/tapepipe p
rsh msdos dd of=/dev/ftape < /tmp/tapepipe &
localbackup /tmp/tapepipe
when it's done, delete /tmp/tapepipe.
Recovering to a live Linux machine: the netbackup script, tar, cpio,
and so on will all work without special actions on the part of the
operator. If you have a local recovery program which recovers from a
file, do this:
mknod /tmp/tapepipe p
rsh -n msdos dd if=/dev/ftape >> /tmp/tapepipe &
localrecovery /tmp/tapepipe
and delete /tmp/tapepipe when you're done.
Notice that I'm using 'rsh' to the root user on the MS-DOS machine.
This works with a correct .rhosts entry. The configuration on the
'tape144' disk allows rsh to root, but does not allow telnet or rlogin to
root, logins are restricted to the console. This is good for security.
Finally, the directions for a complete recovery to a trashed hard
disk. This assumes that the Linux partition is completely unrecoverable.
If necessary, reformat that partition as described in the Linux
Installation HOWTO. Boot the Linux machine from SAR disk #1. When
prompted, insert disk #2. Now, follow the directions in the file
/root/notes (this was /tape144/root/notes when it was mounted on your
Linux machine). Once both machines have been booted up, run the recovery
routine you need. If you are running the backup scripts you have to do it
from tcsh, so type "/mnt/tcsh" before you use the "netbackup -restore \*"
function. Remember to change the working directory to the mount point of
the hard disk before running netbackup.
Notes:
The commands listed in the /tape144/root/notes file could be run from
a script. When I tried, I got rpc setup errors. I suspect it was just
that the commands were run too quickly, and the portmapper hadn't
properly installed itself. I found that typing the sequence in manually
worked fine, so I've recommended that.
I think this setup is secure. Note that somebody can still get access
to all your files if they go to the tape drive and pull the tape out
before you get there, then then read the tape themselves. People with very
sensitive data might consider encrypting the stream from the archiver.
Archive to standard output and pipe the output to the encrypter, and
redirect the output of the encrypter to append to the named pipe
/tmp/tapepipe as described above.
The rc.inet1 directions I've included will allow only communication
with the local network, not the rest of the world through a gateway.
During a full recovery to a blank hard disk the SAR disk #3 provides
ftape.o to the MS-DOS machine through NFS. This is because some old
versions of the ftape module can't control some tape drives when there is
a disk mounted in the floppy drive.
This is very important. ***TEST*** the SAR recovery procedure. I did,
but don't leave anything to chance. Make sure that you can recover at
least one file from your tape to the Linux machine using only the SAR
disks (ie. without mounting the hard disk). If you can't reboot the Linux
machine without inconveniencing a lot of users, change the setup
information on the SAR disks to assign the "linux" identity to another
MS-DOS machine and then boot the two MS-DOS machines into Linux to make
sure everything works. Then, change the "linux" identity back again so
that you have usable SAR disks.
Copyright Jan 10, 1995 by Christopher Neufeld (neufeld@physics.utoronto.ca)
--
Christopher Neufeld....Just a graduate student neufeld@physics.utoronto.ca
Home page: http://caliban.physics.utoronto.ca/neufeld/Intro.html
"Don't edit reality for the sake of simplicity"