Use btrbk for remote backup solution with btrfs
Introduction
In this “simple” post I’ll show you how to configure btrbk to send a subvolume to a remote Linux box in order to back up your data. I’ll also show you how to limit btrbk’s permissions using sudo and the ssh_filter_btrbk.sh script.
btrbk uses the btrfs send / receive feature, but it simplifies the management of subvolumes and handles sending them from your source box and receiving them on your target box over ssh.
Requirements
You will need:
- Your source Linux box must use btrfs subvolumes; in this post I’ll use the @home subvolume to back up / send to the remote box, but you can adapt this to your needs and use another btrfs subvolume;
- Your destination Linux box must have one btrfs device / file system;
- Ability to install btrbk on your preferred Linux distro, on both source and destination Linux boxes;
- Ability to create a dedicated user for backup, on both source and destination Linux boxes, in this post I’ll use backupuser;
- Ability to configure sudo permissions on both source and destination Linux boxes.
Install btrbk
Install btrbk on both the source and destination hosts, using the package manager of your preferred distro. On the destination host we’ll use only the provided ssh_filter_btrbk.sh script, which is why btrbk is installed there too.
On Gentoo:
# emerge --ask app-backup/btrbk
On Fedora:
# dnf install btrbk
After the installation, identify where your distro installs the ssh_filter_btrbk.sh script. On Gentoo and Fedora it is located at /usr/share/btrbk/scripts/ssh_filter_btrbk.sh
Configure your source box to backup
Mount btrfs volume
Mount your primary btrfs volume under the directory /mnt/btrbk_pool; this way you’ll be able to back up all subvolumes.
Create the directory:
# mkdir -p /mnt/btrbk_pool
Identify your btrfs UUID; in my case it is a000eea9-d97c-4107-ae39-602049a6acaa:
# blkid | egrep 'TYPE=\"btrfs\"' | sed -E 's/.+\s+UUID=\"([0-9a-z\-]+)\"\s+.+/\1/g'
a000eea9-d97c-4107-ae39-602049a6acaa
Now edit your /etc/fstab in order to mount your btrfs volume under /mnt/btrbk_pool:
# vi /etc/fstab
# grep btrbk_pool /etc/fstab
UUID=a000eea9-d97c-4107-ae39-602049a6acaa /mnt/btrbk_pool btrfs noatime,relatime,compress=no,ssd,space_cache,discard=async 0 0
NOTE 1: remove ssd option if you’re using rotational disks
NOTE 2: remove discard=async if you’re using a kernel < 5.6
Mount the volume and check if the subvolume @home is present:
# mount -a
# btrfs subvolume list /mnt/btrbk_pool | egrep -E '\@home$'
ID 257 gen 84832 top level 5 path @home
Create backupuser
Now you can create on your source box the new user backupuser:
# useradd backupuser
Add sudo permission for backupuser by creating a new file /etc/sudoers.d/backupuser:
# cat /etc/sudoers.d/backupuser
%backupuser ALL=(ALL) NOPASSWD: /sbin/btrfs, /bin/readlink, /usr/bin/readlink
Create ssh Key
Create a new ssh key, which will be trusted on the destination box:
# mkdir /etc/btrbk/ssh
# chown backupuser: /etc/btrbk/ssh/
# chmod 0700 /etc/btrbk/ssh
# su - backupuser
backupuser@sourcebox ~ $ ssh-keygen -t rsa -b 4096 -f /etc/btrbk/ssh/id_rsa -C backuser@$(hostname) -N ""
Configure /etc/btrbk/btrbk.conf
In this example, I’ll backup and send to the remote Linux box only the @home subvolume, but you can adapt it based on your needs.
# cat /etc/btrbk/btrbk.conf
timestamp_format long
ssh_identity /etc/btrbk/ssh/id_rsa
ssh_user backupuser
backend_remote btrfs-progs-sudo
backend btrfs-progs-sudo
snapshot_preserve_min 2d
snapshot_preserve 14d
target_preserve_min no
target_preserve 20d 10w *m
volume /mnt/btrbk_pool
subvolume @home
target ssh://<FQDN>/ssddata/backup/lapdog
Replace <FQDN> with the IP address or FQDN of your target box.
Configure your target box to receive backup
Now we can configure the target box in order to receive the btrfs subvolume coming from our source box.
Create a new @backup subvolume
Identify your btrfs volume and create a new @backup subvolume. Personally I’ve been using a LUKS device named “ssddata”, but you could use, for example, one or more HDD disks such as /dev/sdX1.
Create a new subvolume:
# mount /dev/mapper/ssddata /mnt/ssddata
# cd /mnt/ssddata
# btrfs subvolume create @backup
Update your /etc/fstab with an entry for the @backup subvolume, mounting it under /ssddata/backup:
# mkdir -p /ssddata/backup
# vi /etc/fstab
# grep backup /etc/fstab
UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /ssddata/backup btrfs noatime,relatime,compress=lzo,ssd,space_cache,discard=async,subvol=@backup 0 0
Mount the subvolume:
# mount -a
Then create the lapdog directory (if you want to change the name, remember to change it in btrbk.conf on the source box as well):
# mkdir -p /ssddata/backup/lapdog
Create backupuser
Now you can create the new user backupuser on your target box (the same as we did on the source box):
# useradd backupuser
Add sudo permission for backupuser by creating a new file /etc/sudoers.d/backupuser:
# cat /etc/sudoers.d/backupuser
%backupuser ALL=(ALL) NOPASSWD: /sbin/btrfs, /bin/readlink, /usr/bin/readlink
Trust ssh key
Copy the content of the ssh pub file from your source box:
# cat /etc/btrbk/ssh/id_rsa.pub
Put the content of the file /etc/btrbk/ssh/id_rsa.pub in your clipboard and then go to your target box and run:
# su - backupuser
$ mkdir -p ~/.ssh
$ chmod 0700 ~/.ssh
Then edit the file ~/.ssh/authorized_keys of backupuser (for example with vim): add first command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh -l --sudo --target --delete --info" and then, on the same line and separated from it by a single space, the content of id_rsa.pub from your source box.
Below is an example of the ~/.ssh/authorized_keys file:
$ cat /home/backupuser/.ssh/authorized_keys
command="/usr/share/btrbk/scripts/ssh_filter_btrbk.sh -l --sudo --target --delete --info" ssh-rsa <PUBLIC_KEY_DATA> backuser@lapdog
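The forced command above limits what this key can run, but per sshd(8) a client may still request TCP or X11 forwarding unless that is prohibited, for example with the restrict key option. The check below is an added example, not part of the original post or of btrbk: it flags keys that are not pinned to ssh_filter_btrbk.sh or that lack restrict. The function names and the sample key material are constructed, and options are matched textually rather than fully parsed.

```shell
# Added example: audit authorized_keys entries for the btrbk backup user.
# FILTER is the script path this post gives for Gentoo and Fedora.
FILTER=/usr/share/btrbk/scripts/ssh_filter_btrbk.sh

# classify_key LINE prints one verdict for an authorized_keys line:
#   skip        blank line or comment
#   unpinned    no options, or the forced command is not the btrbk filter
#   forwarding  pinned to the filter but without "restrict" (forwarding allowed)
#   ok          pinned to the filter and carrying "restrict"
classify_key() {
    case $1 in
        ''|'#'*) echo skip; return ;;
        ssh-*|ecdsa-*|sk-*) echo unpinned; return ;;  # starts with key type
    esac
    case $1 in
        "command=\"$FILTER "*|*",command=\"$FILTER "*) ;;
        "command=\"$FILTER\""*|*",command=\"$FILTER\""*) ;;
        *) echo unpinned; return ;;
    esac
    case $1 in
        restrict,*|*,restrict,*|*,restrict\ *) echo ok ;;
        *) echo forwarding ;;
    esac
}

# audit_keys reads authorized_keys on stdin; returns 1 if any key is not ok.
audit_keys() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        verdict=$(classify_key "$line")
        case $verdict in
            skip|ok) ;;
            *) echo "line $n: $verdict"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample; the key material is a placeholder, not a real key.
sample_keys() {
    cat <<EOF
command="$FILTER -l --sudo --target --delete --info" ssh-rsa AAAAplaceholder1 backuser@lapdog
restrict,command="$FILTER -l --sudo --target --delete --info" ssh-rsa AAAAplaceholder2 backuser@lapdog
ssh-rsa AAAAplaceholder3 admin@laptop
EOF
}

sample_keys | audit_keys || echo "review the lines listed above"
```

On the target box, run it against the real file with audit_keys < /home/backupuser/.ssh/authorized_keys.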
Run your first backup and send it via ssh to target box
Now you can run the first backup using btrbk, and it will automagically send the btrfs subvolumes through ssh to the target box.
On your source box, switch to backupuser and run it:
# su - backupuser
$ btrbk -c /etc/btrbk/btrbk.conf -v run
After it ends, you can run the list all command to see all backups:
# su - backupuser
$ btrbk -c /etc/btrbk/btrbk.conf -n list all