1

We are configuring a Linux backup server at work that all of our other servers (also mostly Linux) will send backups to. The backups are hundreds of gigabytes in size, and have thousands of files, 99% of which don't change from day to day.

Normally, this is the perfect use case for rsync. Unfortunately, one of our requirements is that the backup server be write-only, so that servers can upload backups to it, but nothing can have access to those backups remotely, in case any of those servers get compromised. We currently have vsftpd setup to work in write-only mode, which works great, except for the fact that hundreds of gigabytes of data needs to go through the network every night.

As far as I know, because rsync does a comparison of the remote files with local files, it needs both read and write access on the remote server.

My question is this: is there any mode that rsync can run in where the backup server can reveal the checksums, and filenames of the files on it, but not the actual data? That means it would still be a write-only server, but we could do differential backups instead of full backups.

Improve this question
4
  • I doubt it. But why don't you just do it the Linux way, and create a separate user on the backup server for each server-client? Then each server-client only has access to its own backups. Commented Mar 3, 2018 at 7:23
  • So the clients may not even read their own backup? Commented Mar 3, 2018 at 8:21
  • 1
    use btrfs and transfer only the differences between snapshots. btrfs.wiki.kernel.org/index.php/Manpage/btrfs-send Commented Mar 3, 2018 at 9:14
  • 1
    Note, rsync only reads file contents when it has found a mismatch in the size or timestamp etc (depending on your options), and wants to optimise the network copy of the changes. You can stop this with --whole-file and the whole new file will be copied over. Commented Mar 3, 2018 at 16:49

2 Answers 2

Reset to default
2

If you are just trying to reduce network traffic, but don't mind wasting local disk space, a novel solution is to "mirror" the backup locally, then use rsync's batch mode to send the differences to the remote.

Loosely, you would do local backups with

rsync --write-batch=foo -a /src/dir/ /localcopy/dir/

This creates a file foo with all the changes to make, and a one-line script in foo.sh to run on the remote to interpret the contents. Copy both to the remote, then run the script on the remote:

scp foo foo.sh remote:
ssh remote ./foo.sh /dir/

or if you prefer:

ssh remote rsync --read-batch=- -a /dir/ <foo

You might also look at duplicity for rsync which encrypts the data on the remote, so you would also need to steal the encryption key to exploit the data.

Improve this answer
2

There is a write only mode in rsync version 2.6.3 or later (for implementation details see commit 7a92ded39a). It behaves as you described in your question.

Configuration in rsyncd.conf:

write only

This parameter determines whether clients will be able to download files or not. If "write only" is true then any attempted downloads will fail. If "write only" is false then downloads will be possible if file permissions on the daemon side allow them. The default is for this parameter to be disabled.

[module]
path = /some/path
read only = no
write only = yes
...

If you try to receive files from a write only repo you will get an error:

$ rsync rsync_host::module .
ERROR: module is write only
rsync error: syntax or usage error (code 1) at main.c(804) [sender=3.1.2]
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.