This module contains the following backup related defined types:

puppet_infrastructure::sync : Implements synchronization between a remote directory and a local directory after a successful SSH key exchange.

puppet_infrastructure::backup : Implements backups for a local directory and stores them in N daily compressed tarballs.

puppet_infrastructure::backup_rsnapshot : Implements backups of a local directory into N snapshots - created with rsnapshot - making use of rsync and hard links for efficient space usage.

These defined types are usually instantiated at a backups server that will fetch data from remote machines and preserve N local daily copies.

This defined type is used for syncing between a remote and local directory. The details of the directories, users, and time of syncing can be specified. Files deleted on remote directories are deleted during the synchronization - making sure that access to deleted data is possible is the job of the backup and backup_rsnapshot defined types.

Note: The ssh connection to the remote host is automatically accepted even if the remote fingerprint changes. Make sure you are connecting to the right host and receiving the right data.

• localdir: The local directory that needs to be synchronized with the remote directory.
• remotedir: The directory on the remote server to synchronize with the local directory.
• localuser: The user on the local machine.
• remoteuser: The user on the remote server.
• hour: The hour at which the sync should occur.
• minute: The minute at which the sync should occur.
• hostlist: The list of hosts to sync from.
• suffix: A suffix to avoid name collision if needed.
• bwlimit_mbitps: Bandwidth limit in megabits per second.

This defined type is used for creating daily backups of a local directory. The backups are stored as compressed tarballs.

• basedir: The directory that needs to be backed up.
• prefix: A prefix to differentiate between different backups.
• backdir: The directory where the backups will be stored.
• ndays: The number of days to keep the backups.
• bindir: The directory where the backup scripts are stored.
• user: The user who will be running the backup. Defaults to 'root'.
• hour, minute, and monthday: The time at which the backup should be performed.
• compression: A Boolean flag indicating whether compression should be used.

This class is used for creating daily backups of a local directory. The backups are stored as snapshots created with rsnapshot.

• basedir: The directory that needs to be backed up.
• prefix: A prefix to differentiate between different backups.
• backdir: The directory where the backups will be stored.
• ndays: The number of days to keep the backups.
• bindir: The directory where the backup scripts are stored.
• user: The user who will be running the backup. Defaults to 'root'.
• hour and minute: The time at which the backup should be performed.

For consistency and organization, it's a common practice to perform backups across your infrastructure using a dedicated backup user. Our puppet_infrastructure::sync class requires an SSH key exchange to function, hence, at the puppet master, we'll create a backups user, generate its SSH key, and declare the user within Puppet's environment configuration. In this way the backups user is provisioned across every node associated with the Puppet master.

Here is the step-by-step process to be executed at the Puppet master:

1. Generate the ssh key pair for the backups user

ssh-keygen -f /tmp/backups_key -N ""

2. Create and manage the backups user with Hashman

# create the user
sudo /opt/puppet-infrastructure/bin/pp_auth.sh useradd "backups" "[email protected]" "Backups User" "Company Name" SILENT

# unlock user
sudo /opt/puppet-infrastructure/bin/pp_auth.sh unlock "backups" "Create Backups User"

# change password - please use letters, symbols and numbers
sudo /opt/puppet-infrastructure/bin/pp_auth.sh setpwint "backups"

# print the public key you created to the terminal and Copy the middle part of the key
cat /tmp/backups_key.pub

# add pubkey
sudo /opt/puppet-infrastructure/bin/pp_auth.sh setpubkey "backups" "MIDDLE_PART_OF_THE_PUBLIC_KEY"

# create directory under extra_files to store the private key
sudo mkdir -p /etc/puppetlabs/puppet/extra_files/backups/ssh

# move the private key to the correct directory
sudo mv /tmp/backups_key /etc/puppetlabs/puppet/extra_files/backups/ssh/backups_key
sudo chown puppet:puppet /etc/puppetlabs/puppet/extra_files/backups/ssh/backups_key

3. edit the /etc/puppetlabs/code/environments/production/manifests/nodes/passwd/generic.pp file and add the following classes at the end of the file:

class passwd_backups {

  # the backups user necessary for remote backups
  puppet_infrastructure::user { 'backups': myname => $::backups_cname, myhash => $::backups_pwd_hash, mykey => $::backups_ssh_key }

}

class passwd_backups_srv {

  # the backups user necessary for remote backups
  puppet_infrastructure::user { 'backups': myname => $::backups_cname, myhash => $::backups_pwd_hash, mykey => $::backups_ssh_key }

  file { '/home/backups/.ssh/id_rsa':
    mode   => '0600',
    owner  => 'backups',
    group  => 'backups',
    source => 'puppet:///extra_files/backups/ssh/backups_key',
    require => Puppet_infrastructure::User[ 'backups' ],
  }

}

4. In the node declaration of the nodes you wish to backup, instantiate the passwd_backups class:

[...]
include passwd_backups
[...]

5. run the agent at every node that you wish to backup

sudo puppet agent -t

6. When writing the node declaration for you backups server machine, instantiate the passwd_backups_srv class:

[...]
include passwd_backups_srv
[...]

7. Because the backups user is an unprivileged user, to be able to ssh into the desired machine(s), you will need to edit the /etc/puppetlabs/code/environments/production/data/common.yaml file and and the following line(s):

REMOTE_MACHINE01_NODENAME::ssh::othergroups: 'backups'
REMOTE_MACHINE02_NODENAME::ssh::othergroups: 'backups'
...

Upon completing these steps, your dedicated backups user is fully configured and prepared to perform secure data transfers across your diverse nodes.

node 'backups01' {

  # Basic declarations
  class { 'puppet_infrastructure::node_base':
    filesystem_security => false, # the unprivileged user 'backups' needs to execute the ssh command
  }
  include passwd_common
  include passwd_backups_srv
  include puppet_infrastructure::backup_rsnapshot_pre

  $bindir = lookup('filesystem::bindir')

  # defaults for the classes below
  # can be overrriden
  $mydir      = '/home/backups/in'
  $myuser     = 'backups'
  $snapdir    = '/home/backups/snapshots'
  $tarballdir = '/home/backups/tarballs'
  $mynode1    = 'hostname.domain.xxx'

  file { [ $mydir, $snapdir, $tarballdir ]:
    ensure  => directory,
    mode    => '0644',
    owner   => $myuser,
    group   => $myuser,
  }

  # fetches data from a remote directory
  puppet_infrastructure::sync { "${mynode01}_folders":
    localdir       => $mydir,
    localuser      => $myuser,
    remotedir      => '/directory/to/backup',
    remoteuser     => $myuser,
    hour           => '15',
    minute         => '00',
    hostlist       => "${mynode1}:22",
    bwlimit_mbitps => 80,
  }

  # performs backups of a local directory keeping 7 days of tarball copies
  puppet_infrastructure::backup { "${mynode01}_backups" :
    basedir  => "${mydir}/${mynode01}",
    prefix   => '',
    backdir  => "${tarballdir}/${mynode01}",
    ndays    => 7,
    bindir   => $bindir,
  }

  # performs backups of a local directory, keeping 30 days of rsnapshots copies
  puppet_infrastructure::backup_rsnapshot { "${mynode1}":
    basedir => "${mydir}/${mynode01}",
    prefix  => '',
    backdir => "${snapdir}/${mynode01}",
    user    => $myuser,
    hour    => '03',
    minute  => '0',
    ndays   => 30,
  }

}

In certain scenarios, your infrastructure may include machines not managed by Puppet or ones with a more complex architecture, making the deployment of the backups user infeasible. In these instances, the sync process might have to be done with a user other than backups. You will need to manually establish a secure connection using SSH, implement the key exchange and ensure that the backups server machine is granted firewall access.

1. Copy Public Key to Target Machine Copy the public key of the backups user to the target machine(s) that aren't managed by Puppet. You can get it via

sudo /usr/local/AS/bin/pp_auth.sh printpubkey backups

This key should be appended to the ~/.ssh/authorized_keys file of the user from which you want to pull backups in the form:

ssh-rsa the-output-of-print-pub-key backups@remote

This ensures that the backup machine can securely connect to the target machine without requiring a password.

2. Adjust the firewall settings Ensure that your firewall settings on both the backup and target machines allow traffic on the required ports. For an SSH connection, the default port is 22, but it could be different if you have customized it. Update your firewall rules to allow inbound connections on this port.

3. Test the connection Finally, verify the setup by attempting to SSH from the backup machine to the target machine without supplying a password. If everything is set up correctly, this should be successful.

By following these steps, you can manually set up an SSH connection for backup purposes, even on machines not managed by Puppet. Remember to always maintain the security of your keys and update your firewall rules as necessary to protect your data.