Good article on converting from using the rsyncd server daemon to a pop-up daemon behind ssh. Essentially:

A special rsyncd.conf file on the host to be backed up that provides a read-only view of the filesystem, with optional includes/excludes (see the rsync man page for details). Example:

    # /root/rsyncd.conf
    uid = root
    gid = root
    log file = /var/log/rsyncd.backup.log

    [home]
        path = /home/
        read only = true
        exclude = lost+found/

A key that is restricted to running rsync in daemon mode with the above config file:

    # /root/.ssh/authorized_keys
    command="rsync --config=/root/rsyncd.conf --server --daemon .",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ...

And to restrict the ssh access of the root user to forced commands only:

    # /etc/sshd_config
    [...]
    PermitRootLogin forced-commands-only
    [...]

On the host doing the backup, we trigger daemon mode over ssh by using rsync daemon notation for the source combined with the --rsh=ssh option, as described in the rsync man page:

    # rsync -av --rsh=ssh remote_host::home destination/

When using rsnapshot, the correct backup line for /etc/rsnapshot.conf is:

    backup	remote_host::home	destination/home/	+rsync_long_args=--rsh=ssh

Note that you have to specify the directory name again on the destination side, and of course use tabs to separate everything.

When using swiftbackup, the format for the backup option is:

    backup = remote_host::home --rsh=ssh

What happens now is that rsync connects via ssh to the remote host, where the forced command starts an rsync daemon for the lifetime of the ssh connection that does not listen on a TCP port and only talks to the rsync process on the local side. We won't have to change the authorized_keys file if we change rsync options on the client, and as an added bonus the rsync access is read-only.
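
As an added example (not code from the article, rsync or OpenSSH), a small Python audit of the two files described above: it checks that an authorized_keys line carries the forced rsync daemon command plus the no-* restrictions, and that no rsyncd.conf module is effectively writable. The function names and the sample key line are this example's own; the key material is a constructed placeholder.

```python
import re
import shlex

# Restrictions carried by the page's authorized_keys entry (names lowercased).
REQUIRED = {"no-agent-forwarding", "no-port-forwarding", "no-pty",
            "no-user-rc", "no-x11-forwarding"}
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')
# Constructed sample line: placeholder key material, two restrictions only.
SAMPLE_KEY = ('command="rsync --config=/root/rsyncd.conf --server --daemon .",'
              'no-pty,no-port-forwarding ssh-rsa AAAAconstructed backup@example')

def key_options(line):
    """Parse the comma-separated option list that precedes the key type."""
    opts, pos = {}, 0
    if line.startswith(("ssh-", "ecdsa-", "sk-")):  # bare key, no options
        return opts
    while (m := OPTION.match(line, pos)):
        opts[m.group(1).lower()] = m.group(2)
        pos = m.end()
        if line[pos:pos + 1] != ",":  # whitespace ends the option list
            break
        pos += 1
    return opts

def audit_key(line, config="/root/rsyncd.conf"):
    """List what is missing for a key meant only to start the rsync daemon."""
    opts, findings = key_options(line.strip()), []
    argv = shlex.split(opts.get("command") or "")
    wanted = {"--server", "--daemon", f"--config={config}"}
    if not argv:
        findings.append("no forced command")
    elif argv[0].rsplit("/", 1)[-1] != "rsync" or not wanted <= set(argv):
        findings.append("forced command is not the rsync daemon with " + config)
    if "restrict" not in opts:  # OpenSSH's 'restrict' turns all of these on
        findings += [f"missing {o}" for o in sorted(REQUIRED - set(opts))]
    return findings

def writable_modules(conf_text):
    """Return rsyncd.conf modules whose effective 'read only' is false."""
    section, settings = None, {None: "true"}  # rsync defaults to read only
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            settings[section] = settings[None]  # inherit the global value
        elif "=" in line and not line.startswith("#"):
            name, value = (p.strip().lower() for p in line.split("=", 1))
            if "".join(name.split()) == "readonly":
                settings[section] = value
    return sorted(m for m, v in settings.items() if m and v in ("false", "no", "0"))
```

Run audit_key over each non-comment line of /root/.ssh/authorized_keys and writable_modules over the contents of /root/rsyncd.conf; an empty list from both means the setup matches what is described above.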