Difference between revisions of "Quick Notes"
Jump to navigation
Jump to search
(→rDNS) |
|||
| (53 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Sections here are really just placeholders with enough information to get started on building actual articles... | |||
= rDNS = | |||
This is gonna get interesting... | |||
What does it take to make rDNS work from outside the network? | |||
== Local Mail Service == | |||
(This will depend on whether rDNS works out...) | |||
= Better Permissions Handling = | = Better Permissions Handling = | ||
{{{!}} class="wikitable" style="float: right; width: 322px;" border="2" | |||
{{!}}+ Proven on: | |||
{{!}}- --="" debian="" | |||
{{!}} style="text-align: center; width: 60px;" {{!}} [[File:Logo Debian.png{{!}}60px{{!}}link=https://www.debian.org/{{!}}center{{!}}middle{{!}}frameless]] | |||
{{!}} style="text-align: center; width: 40px;" {{!}} 12 (bookworm) | |||
{{!}} <br> | |||
{{!}}} | |||
* <code>sudo apt install acl</code> | * <code>sudo apt install acl</code> | ||
* <code>sudo mkdir /FOOBAR</code> | * <code>sudo mkdir /FOOBAR</code> | ||
* <code>sudo chown :users /FOOBAR</code> | * <code>sudo chown -R :users /FOOBAR</code> | ||
* <code>sudo chmod g+ws /FOOBAR</code> | * <code>sudo chmod -R g+ws /FOOBAR</code> | ||
* <code>sudo setfacl - | * <code>sudo setfacl -R -m g:users:rwx /FOOBAR</code> | ||
Now, the directory '''/FOOBAR''' is writeable by anyone in the '''users''' group. | Now, the directory '''/FOOBAR''' is writeable by anyone in the '''users''' group. | ||
Do keep in mind that '''users''' is a default group that all accounts are a member of. You could also create specific groups and add each user to specific groups for finer granularity. | |||
== Some Links == | |||
* [https://en.wikipedia.org/wiki/Setuid Wikipedia : setuid] | |||
* [https://en.wikipedia.org/wiki/Access-control_list Wikipedia : Access-control list] | |||
* [https://unix.stackexchange.com/questions/115631/getting-new-files-to-inherit-group-permissions-on-linux/115632#115632 StackExchange : Getting new files to inherit group permissions on Linux] | |||
* [https://unix.stackexchange.com/questions/93868/using-setfacl-to-create-recursive-permissions-for-apache-with-rsync/93871#93871 StackExchange : Using setfacl to create recursive permissions for Apache with rsync] | |||
= Linux USERs and GROUPs = | |||
Eventually to be an article about how granular access control works on Linux... | |||
= Development Testing for a Backup Server = | |||
{{{!}} class="wikitable" style="float: right; width: 322px;" border="2" | |||
{{!}}+ Proven on: | |||
{{!}}- --="" debian="" | |||
{{!}} style="text-align: center; width: 60px;" {{!}} [[File:Logo Debian.png{{!}}60px{{!}}link=https://www.debian.org/{{!}}center{{!}}middle{{!}}frameless]] | |||
{{!}} style="text-align: center; width: 40px;" {{!}} 12 (bookworm) | |||
{{!}} <br> | |||
{{!}}} | |||
This will eventually be fully fleshed out as instructions for building proper backup servers on separate machines including off-site backups. | |||
Currently testing on a pair of LXCs, both configured as priveledged containers (tho this may not be needed). | |||
<span style="color: rgb(132, 63, 161);">'''Interesting side-quest:''' Apparently, unpriviledged containers do a bit of weirdness with bind-mount ownerships. There are </span>[https://pve.proxmox.com/wiki/Unprivileged_LXC_containers instructions]<span style="color: rgb(132, 63, 161);"> to work around this, but I have yet to work through this... For the moment, I'm using priviledged containers to work around it.</span> | |||
* VMID 999001: storage | |||
* VMID 999002: backup | |||
I've created a user named '''draal''' with specific responsibility for handling backups.(because remote access by '''''root''''' is stupid...) | |||
'''draal''' has an equivalent account on ALL involved machines and is set up with ssh keys to avoid the use of password-based access. | |||
== On the PVE Server: == | |||
(setting up the storage for the test LXCs...) | |||
* <code>mkdir /mnt/Storage-0</code> | |||
* <code>mkdir /mnt/Storage-1</code> | |||
* <code>mount -L Storage-0 /mnt/Storage-0</code> | |||
* <code>mount -L Storage-1 /mnt/Storage-1</code> | |||
* <code>vi /etc/fstab</code> | |||
LABEL=Storage-0 /mnt/Storage-0 ext4 defaults 0 0 | |||
LABEL=Storage-1 /mnt/Storage-1 ext4 defaults 0 0 | |||
* <code>pct set 999001 -mp0 /mnt/Storage-0,mp=/mnt/Storage # storage</code> | |||
* <code>pct set 999002 -mp0 /mnt/Storage-1,mp=/mnt/Storage # backup</code> | |||
== On "storage" == | |||
(logged in as '''draal''') | |||
* <code>ssh-keygen</code> | |||
* <code>ssh-copy-id '''''draal'''''@backup</code> | |||
* <code>sudo apt install acl rsync</code> | |||
* <code>sudo setfacl -R -m u:'''''draal''''':rwx /mnt/Storage</code> | |||
== On "backup" == | |||
(logged in as '''draal''') | |||
* <code>ssh-keygen</code> | |||
* <code>ssh-copy-id '''''draal'''''@storage</code> | |||
* <code>sudo apt install acl rsync</code> | |||
* <code>sudo setfacl -R -m u:'''''draal''''':rwx /mnt/Storage</code> | |||
== Testing '''rsync''' commands == | |||
In order to test things, I've basically dumped a copy of my Documents folder into '''/mnt/Storage''' on the '''storage''' LXC. This is around 25GB of incredibley mixed & sloppy crap varying from zero-length placeholders to USB binaries... | |||
Everything from here on is done while logged in to '''storage''' as '''draal'''. | |||
* <code>cd /mnt/Storage</code> | |||
* <code>rsync -Aaiz * backup:/mnt/Storage</code> | |||
** copies all files to the backup machine | |||
*** Took about 7 minutes... (measured by wrapping the command in a '''time''' command) | |||
** (& if you run it again, only copies NEW or CHANGED files) | |||
*** Every change I made took substantially under 1 second... | |||
* <code>rsync -Aaiz --delete * backup:/mnt/Storage</code> | |||
** Will actually synchronize. (i.e. It will '''DELETE''' any files from the destination that have been removed on the source.) | |||
** <span style="color: rgb(186, 55, 42);">'''DANGER...DANGER...DANGER'''</span> | |||
*** This may NOT be exactly what you want to do in a backup situation. | |||
*** (But it might... Your choice...) | |||
= Custom LXC Templates = | |||
* Create an LXC | |||
** My example is an NFS capable LXC with VMID 666... | |||
* Configure it | |||
** Install your preferred standard set of apps & such... | |||
== From the PVE command line: == | |||
* remove the network interface | |||
** <code>pct set 666 --delete net0</code> | |||
* Do a backup (Gonna need a bunch of available space) | |||
** <code>vzdump 666 --mode stop --compress zstd --dumpdir .</code> | |||
* Rename the backup to a more useful name | |||
** <code>mv vzdump-lxc-666-2025_02_04-14_19_43.tar.zst Deb-12-NFS.tar.zst</code> | |||
* Copy it to someplace you can access it from the PVE UI | |||
** Option 1: For direct '''Upload''' (Some oddities happen... More research needed) | |||
*** <code>scp Deb-12-NFS.tar.zst '''''user''''''''@''mydesktopmachine''''':~</code> | |||
** Option 2: For '''Download from URL''' | |||
*** <code>scp Deb-12-NFS.tar.zst '''''user''''''''@''mywebserver''''':/var/www/html/LXCtemplates/</code> | |||
Now you can add it to your '''CT Templates''' storage on any PVE server you're working on. | |||
Latest revision as of 14:30, 20 April 2025
Sections here are really just placeholders with enough information to get started on building actual articles...
rDNS
This is gonna get interesting...
What does it take to make rDNS work from outside the network?
Local Mail Service
(This will depend on whether rDNS works out...)
Better Permissions Handling
 |
12 (bookworm) |
sudo apt install aclsudo mkdir /FOOBARsudo chown -R :users /FOOBARsudo chmod -R g+ws /FOOBARsudo setfacl -R -m g:users:rwx /FOOBAR
Now, the directory /FOOBAR is writeable by anyone in the users group.
Do keep in mind that users is a default group that all accounts are a member of. You could also create specific groups and add each user to specific groups for finer granularity.
Some Links
- Wikipedia : setuid
- Wikipedia : Access-control list
- StackExchange : Getting new files to inherit group permissions on Linux
- StackExchange : Using setfacl to create recursive permissions for Apache with rsync
Linux USERs and GROUPs
Eventually to be an article about how granular access control works on Linux...
Development Testing for a Backup Server
|
12 (bookworm) |
This will eventually be fully fleshed out as instructions for building proper backup servers on separate machines including off-site backups.
Currently testing on a pair of LXCs, both configured as priveledged containers (tho this may not be needed).
Interesting side-quest: Apparently, unpriviledged containers do a bit of weirdness with bind-mount ownerships. There are instructions to work around this, but I have yet to work through this... For the moment, I'm using priviledged containers to work around it.
- VMID 999001: storage
- VMID 999002: backup
I've created a user named draal with specific responsibility for handling backups.(because remote access by root is stupid...)
draal has an equivalent account on ALL involved machines and is set up with ssh keys to avoid the use of password-based access.
On the PVE Server:
(setting up the storage for the test LXCs...)
mkdir /mnt/Storage-0mkdir /mnt/Storage-1mount -L Storage-0 /mnt/Storage-0mount -L Storage-1 /mnt/Storage-1vi /etc/fstab
LABEL=Storage-0 /mnt/Storage-0 ext4 defaults 0 0 LABEL=Storage-1 /mnt/Storage-1 ext4 defaults 0 0
pct set 999001 -mp0 /mnt/Storage-0,mp=/mnt/Storage # storagepct set 999002 -mp0 /mnt/Storage-1,mp=/mnt/Storage # backup
On "storage"
(logged in as draal)
ssh-keygenssh-copy-id draal@backupsudo apt install acl rsyncsudo setfacl -R -m u:draal:rwx /mnt/Storage
On "backup"
(logged in as draal)
ssh-keygenssh-copy-id draal@storagesudo apt install acl rsyncsudo setfacl -R -m u:draal:rwx /mnt/Storage
Testing rsync commands
In order to test things, I've basically dumped a copy of my Documents folder into /mnt/Storage on the storage LXC. This is around 25GB of incredibley mixed & sloppy crap varying from zero-length placeholders to USB binaries...
Everything from here on is done while logged in to storage as draal.
cd /mnt/Storagersync -Aaiz * backup:/mnt/Storage- copies all files to the backup machine
- Took about 7 minutes... (measured by wrapping the command in a time command)
- (& if you run it again, only copies NEW or CHANGED files)
- Every change I made took substantially under 1 second...
- copies all files to the backup machine
rsync -Aaiz --delete * backup:/mnt/Storage- Will actually synchronize. (i.e. It will DELETE any files from the destination that have been removed on the source.)
- DANGER...DANGER...DANGER
- This may NOT be exactly what you want to do in a backup situation.
- (But it might... Your choice...)
Custom LXC Templates
- Create an LXC
- My example is an NFS capable LXC with VMID 666...
- Configure it
- Install your preferred standard set of apps & such...
From the PVE command line:
- remove the network interface
pct set 666 --delete net0
- Do a backup (Gonna need a bunch of available space)
vzdump 666 --mode stop --compress zstd --dumpdir .
- Rename the backup to a more useful name
mv vzdump-lxc-666-2025_02_04-14_19_43.tar.zst Deb-12-NFS.tar.zst
- Copy it to someplace you can access it from the PVE UI
- Option 1: For direct Upload (Some oddities happen... More research needed)
scp Deb-12-NFS.tar.zst user'''@mydesktopmachine:~
- Option 2: For Download from URL
scp Deb-12-NFS.tar.zst user'''@mywebserver:/var/www/html/LXCtemplates/
- Option 1: For direct Upload (Some oddities happen... More research needed)
Now you can add it to your CT Templates storage on any PVE server you're working on.