I've been contemplating improving my backup strategies lately.
Last year, I signed up with Backblaze to back up my MacBook to the cloud. There are a few players in this arena, another is Carbonite.
But off-site backup is only one leg of the backup stool. The wisest course for backup is a 3, 2, 1 strategy. That is to have three copies of your data, on two media (i.e. at least one of the copies should be on a different medium than the others), and one of the three should be offsite.
I consider on-line backup (a la Backblaze) to be a different medium, where rather than the medium just being a hard disk it's the whole off-line backup company's infrastructure.
Offline/offsite backup is really targeted for disaster recovery, if the building housing my on-site backups was destroyed by fire, or some other calamity, along with those backups I could recover the data from backblaze, but it would take a while to get it, either by downloading or getting them to ship me an external hard disk.
And for certain important data, I also use DropBox which can not only save data to the cloud, but sync that data between multiple machines. To make sure I've got a copy of the contents of this blog, I have a cron job on the Linux server where it runs which does a sql dump of the database to a dropbox folder, along with any new files (images, documents, etc) used by the blog. This runs in the wee-dark hours, and every morning, my MacBook informs me that DropBox has copied that data down to my MacBook.
But I've been feeling a gnawing need for better on-site backup, with faster access for either full recovery, or to get back a mistakenly deleted, or corrupted file.
One requirement is that the backups be done automatically. I've got too many other things on my mind than to remember to backup frequently, that's what I have computers for. Also I want the backups of my Macbook to work anywhere it can access the LAN. I tend to use my MBP in various areas of the house, upstairs in my office, where it's next to the server, and can be jacked into the same ethernet switch as the server, but also in the family room and even the bedroom, where it's connected by wi-fi.
TimeMachine
I've been wanting to use Apple's TimeMachine for a while, but haven't had the necessary hardware. I'd been thinking about buying a TimeCapsule, but I've been just a little leery since several of my friends have had their TimeCapsules die within a year.
I did a bit of research, and came up with the idea of looking at using my Linux server to hold a TimeMachine backup. The box has several available drive bays, and I could get a 2TB WD SATA drive for $120. With the cable and tax it came to just around $150.
But first I wanted to make sure that it would really work.
Existing How-Tos
I asked my friend Google about TimeMachine and Ubuntu and the first hit was a detailed how-to on kremaliscious.. Unfortunately that how-to is about two years old. Fortunately it still pretty much applies, but things have been simplified a bit.
That how-to, which was last updated when the latest Ubuntu was 8.04, "Hardy Heron" and the latest OS X was still 10.5.x, "Leopard", describes building a custom debian package for netatalk to add support for ssh connections. Netatalk is an open source implementation of Apple's AppleTalk Protocol Suite. I also encountered a much more succinct article by my old OTI friend Andrew "Roo" Low, which did the same.
For context, I'm running Ubuntu 10.04, "Lucid Lynx", on the Linux box, and OS X 10.6.4, "Snow Leopard" on the MBP.
A comment near the end of a long string of comments in that first article indicated that a custom netatalk package was no longer necessary, since the standard debian/ubuntu netatalk package now has ssh support. But following the rest of the instructions got me to the state where my Mac could see the shared volumes on the server, but when I tried to connect to them, I couldn't authenticate.
Figuring that I really did have to build a custom netatalk package, I followe Roo's article and built one. But it ended up in the same place.
It turned out that the crucial bit was a change to the configuration of netatalk's afp configuration.
The article gives the following configuration line in /etc/netatalk/afpd.conf
- - transall -uamlist uams_randnum.so,uams_dhx.so -nosavepassword -advertise_ssh
But with the current netatalk this needs to be changed to:
- - transall -uamlist uams_randnum.so,uams_dhx2.so -nosavepassword -advertise_ssh
This is actually mentioned in comment 330 (of 670!) but I missed it.
After making that change, I could connect to the shares. So I removed my custom netatalk package and installed the standard one, and it still works.
Avahi setup
Netatalk is one half of what's needed to have a Linux box participate in an Apple friendly network. The other half is Avahi which is an open source implementation of the Zeroconf standard or what Apple calls Bonjour. Bonjour/Zeroconf is how Macs find services on the local network.
Most current linux distributions include Avahi, as does Ubuntu 10.04, so it was just a matter of configuring it. The instructions in the kremaliscious article are fine. However, while I was at it, I also configured Avahi to publish a VNC server which allows me to easily start a graphic login to the server from the Mac finder. Bonjour uses the service type rfb (remote frame buffer) for the VNC server. To get this working I followed this article. I combined the configuration of both the afpd and rfb services into a single configuration file in /etc/avahi/services/multi.service
Here's that file:
<?xml version="1.0" standalone='no'?><!--*-nxml-*--> <!DOCTYPE service-group SYSTEM "avahi-service.dtd"> <service-group> <name replace-wildcards="yes">%h</name> <service> <type>_rfb._tcp</type> <port>5901</port> </service> <service> <type>_afpovertcp._tcp</type> <port>548</port> </service> <service> <type>_device-info._tcp</type> <port>0</port> <txt-record>model=Xserve</txt-record> </service> </service-group>
File Server Setup
First I configured netatalk to give me a test 'drive' by publishing a directory in my own home directory on the linux box. Once I'd proved to myself that TimeMachine could in fact connect to this, it was time to buy that drive and hook it up.
I make it a standard procedure to install disks on Linux under control of LVM. Here's a pretty good and succinct guide on getting started with LVM on Ubuntu.
So I installed the drive, and set it up as an LVM Physical Volume called FileServer, I then added a couple of logical volumes to the group:
sudo lvdisplay --- Logical volume --- LV Name /dev/FileServer/TimeMachine VG Name FileServer LV UUID VIdN7y-0gDa-1Azr-0oYB-MRj3-Woxt-Utyef8 LV Write Access read/write LV Status available # open 1 LV Size 1.50 TiB Current LE 393216 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 251:3 --- Logical volume --- LV Name /dev/FileServer/MunimulaClone VG Name FileServer LV UUID Y36agh-Tgnk-1dcf-34tw-AJLm-1Mc2-jcqsuk LV Write Access read/write LV Status available # open 0 LV Size 320.00 GiB Current LE 81920 Segments 1 Allocation inherit Read ahead sectors auto - currently set to 256 Block device 251:4
I gave TimeMachine 1.5 terabytes to play with, and reserved enough to hold a snapshot of my laptop drive in MunimulaClone. Munimula is the name I gave my MacBook pro, inspired by it's construction and a childhood memory. I then installed an ext3 filesystem in both of these logical volumes.
I set up /etc/fstab to mount these in to mount points in the /var directory
/dev/FileServer/TimeMachine /var/TimeMachine ext3 /dev/FileServer/MunimulaClone /var/MunimulaClone ext3
Following Roo's suggestion I created an empty file “/var/TimeMachine/.com.apple.timemachine.supported” with the touch command, and on the Mac I executed the command:
defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1
Then I added the following two lines at the end of /etc/netatalk/AppleVolumes.default to publish the two network volumes:
/var/TimeMachine TimeMachine allow:rick cnidscheme:cdb options:usedots,upriv /var/MunimulaClone MunimulaClone allow:rick cnidscheme:cdb options:usedots,upriv
I did run into the problem encountered by others of TimeMachine giving an error that it couldn't create the backup disk image, but IIRC this only happened once, it created a file called munimula.tmp.sparsebundle, and removing the .tmp from the file name seemed to allow TimeMachine to proceed.
Results
With the MBP connected via an ethernet cable through a switch to the linux box, the first backup (about 290GB) took around 11-12 hours. It had just finished when I checked this morning. The second 'hourly' backup took just a few minutes. I then disconnected the hard-wired connection and brought the laptop downstairs.
It didn't seem to automatically start a new backup cycle over wifi when it should have, but getting it started by holding the mouse down over the TimeMachine icon in the dock until the menu appeared and then selecting "Back up now" got things kicked off, and it's been taking hourly backups wirelessly all day so far. The hourly backups take a bit longer, may 10-15 minutes. I'm not sure if that's because of lower bandwidth over wifi, or just because I've been using the laptop, and there's more delta data than there was first thing in the morning.
So far I'm pretty happy with the setup, I'll update this article should any surprises occur, good or bad.
Today was the day to upgrade the server running this blog to Ubuntu 9.10 "Karmic Koala".
Late in the upgrade, during the process of installing and configuring the Debian packages, the upgrade hung. I had just tried to stop bind9 and given an series of error messages indicating that rndc was unable to communicate with bind9.
After waiting a while I hit control-c and was warned that this might leave the system in an inconsistent state, but I figured I had little to lose, so I clicked ok. The upgrade continued, but didn't reboot, saying that there had been a problem
I tried to start bind9 manually, both with rndc start, and /etc/init.d/bind9 start but only got bad news.
So I then tried to start it while tailing the syslog, and noticed that I was getting an error about a failure to open /etc/ssl/openssl.cnf for read. This was strange since the permissions on that file allowed reading by anyone.
A little googling eventually revealed that I was running afoul of AppArmor, something I hadn't encountered before. It turns out that Ubuntu doesn't automatically include an AppArmor profile for bind9, not sure why.
The solution seems to have been to manually install the apparmor-profile package with apt-get.
After verifying that I could manually start bind9 and talk to it with rndc, I rebooted, and as they say "so far so good."
I'm speaking about the "RiCal experience" tomorrow evening 20 October 2009, at the October meeting of the Raleigh Ruby Brigade. As usual the meeting is at Red Hat HQ in Raleigh and starts at 7:00 pm.
I plan to talk about calendars, time, time zones, camels, icalendar, Ruby implementation of complex "stuff", among other things.
I hope to see you there!
After a few weeks of maturation on github, setting up a bug tracker, and a google group for project discussions, the bug reports died down to the point where I felt comfortable putting a more "official" release out on rubyforge.
Thanks to my most active 'beta-testers', Adam Williams who really drove the calendar generation DSL, and Paul Scott-Murphy, and Bruno Duyé gave a much needed workout to occurrence enumeration.
With folks from Australia and France providing input, it felt a bit like the old OTI days
About a week ago, Pat Eyler, who writes the "On Ruby" blog contacted me to ask if I would be willing to participate in one of his "Questions Five Ways" theme articles.
Pat picks five people who he thinks would make an interesting mix, throws a question at them to start a discussion, then sits back and lets the exchanges fly, then weaves them into an article.
So I had a very enjoyable several days discussing the topic with Steve Yegge, James Edward Gray II,, Diomedis Spinellis, and Don Stewart.
The result can be seen here.
Yesterday, I wrote about the crash project to resurrect this blog after a hardware failure. I'm now running it on an upgraded version of Typo (5.2 instead of 4.1), using Passenger on Ubuntu 8.10 (instead of a cobbled up stack of Apache, Pen, and Mongrel::Cluster on Ubuntu Dapper), and deployed from my MacBook using Capistrano with git as the source repository. I've been wanting to do a lot of this for a while, but never seemed to have the time. The crash gave me the motivation, and the necessity.
This article is to let me capture what I can remember while it's still fairly fresh in my memory, and hopefully provide help to others with similar goals.
Installing Passenger on Ubuntu 8.10
A bit of help from my friend google, led me to this how-to which I followed. I'm not entirely happy with the approach, since it installs Ruby using the debian package, and I generally prefer to install it from source. I also thought that it installed Rubygems from a package, but looking at it now it seems to have installed it from source, but installed in in /usr/bin which may not be the wisest place on a debian system, it really should be in /usr/local/bin or somewhere else that dpkg/apt-get doesn't muck with. I might need to straighten that out.
I had to hack his scripts a bit as well. They assume that the current directory is on the path, which is something I don't like to do, so I went through and added './' where necessary.
Finally, his script for upgrading to enterprise Ruby for improved performance didn't work, so that's a job for later.
I posted a few comments on the article about this, but as of now they are waiting for moderation.
Typo Upgrade
For those who haven't used it typo comes a a gem which provides a typo command, you use it to either install typo
typo install typo_dir
Either installs the latest version of typo, which is really just a rails app, in typo_dir, or upgrade an existng version.
One of the first things the upgrade does is to backup the database to a yml file. For a blog like mine with a lot of content, this took forever. As I sat there waiting, it occurred to me that I already had a mysql backup, which I'd already used to recreate the database, so I killed the upgrade and hacked the rails-app-installer gem (which typo uses) to skip the backup.
The next hurdle was a gem version problem. I got to the point where the upgrade script was trying to migrate the database, but Rake was failing
Migrating Typo's database to newest release rake aborted! RubyGem version error: actionpack(1.13.3 not = 1.13.6)
This was particularly strange since Typo 5.2 runs on Rails 2.2. Somebody was loading the wrong version of rails, and then complaining about the wrong version of actionpack. And the 1.13.6 version of the actionpack gem doesn't seem to be around anymore, probably left behind when Rails moved to github.
So I asked on the typo mailing list, and my former co-worker Ben Burdick gave me the solution:
sudo gem install datanoise-actionwebservice --source http://gems.github.com
This got me up to the point where I could run the blog on the MacBook. I used the very nice Passenger pane, you just drag the folder containing your rails project into the pane, and restart, and your app is running! Since I wanted to urls to match up. I told passenger pane to use a url of talklikeaduck.denhaven2.com instead of something.local, and put an entry into /etc/hosts to point that name to local host.
Once I was there, it was a matter of recreating the articles which had been lost since the last backup. Mark Imbriacco emailed me what he had cached for each article in his RSS reader. It turned out to be a pretty simple job of cutting and pasting, and telling Typo to publish the articles on their original dates which could be determined by the permalink urls. I didn't worry about the exact time.
I then did a mysqldump of the database, shipped it over to the server with scp, and recreated the database on the server.
Capistrano Deployment
Now the task was setting up Capistrano and having it get the code from git. For the time being I set up a git repository in my home directory on the server, and pushed the code to it from the MacBook over ssh.
The next step was to allow the apache user (which is www-data on debian based systems) to access the repo. This was a matter of generating a public/private key pair in the www-data users home directory, adding the public key part in the .ssh/authorized_keys file in MY home directory, and a
sudo su - www-data ssh rick@localhost # answer yes to the prompt to add the host being connected to exit
I then upgraded my capistrano gem and capified my typo project. Then I edited the config/deploy.rb based on a couple of blog posts and some trial and error.
set :application, "talklikeaduck" set :repository, "ssh://rick@aaa.bbb.ccc.ddd/home/rick/git/tlad.git" set :scm, :git set :branch, "master" set :deploy_via, :remote_cache set :user, "www-data" set :runner, "www-data" set :deploy_to, "/var/www/rails/#{application}" role :app, "aaa.bbb.ccc.ddd" role :web, "aaa.bbb.ccc.ddd" role :db, "aaa.bbb.ccc.ddd", :primary => true namespace :deploy do desc "Restarting mod_rails with restart.txt" task :restart, :roles => :app, :except => { :no_release => true } do run "touch #{current_path}/tmp/restart.txt" end [:start, :stop].each do |t| desc "#{t} task is a no-op with mod_rails" task t, :roles => :app do ; end end end desc "Link in the production database.yml" task :after_update_code do run "ln -nfs #{deploy_to}/#{shared_dir}/config/database.yml #{release_path}/config/database.yml" end
Note that I've replaced the lan address of the server with aaa.bbb.ccc.ddd, it probably wouldn't be a security exposure to show the real address behind the nat, but paranoia is paranoia. Normally I'd use a local dns server name, but I haven't gotten around to setting that back up.
Getting this working was a matter of trying cap deploy:check until I ironed out permissions issues, usually by sshing into the server creating files using sudo, then chowning them to www-data.www-data, since www-data doesn't have sudo privileges.
Then I worked on getting cap deploy:cold to work. More sshing, mkdiring, and chowning to set up the current, releases and shared subdirectories. I'd scratched my head a bit about what to do with config/database.yml which I'd gitignored as usual. Ben pointed me to a blog article which added a post setup task to upload it to the shared directory, but it turned out to be easier to just do it via scp and ssh.
If I recall correctly, the next hurdle was familiar, cap:deploy cold was failing for the same reasons as on the Mac, the gem version problem killing Rake. The solution here was to rake gems:push, git a
rake gems:unpack git add vendor/gems git commit git push origin cap deploy:cold
Now I ran into a problem because I'd missed a bit of code in the deploy.rb from the article I was using a model. It was this piece:
[:start, :stop].each do |t| desc "#{t} task is a no-op with mod_rails" task t, :roles => :app do ; end end
Without this capistrano was trying to get the www-data user to sudo to run script/spinner. Before I noticed the omission I was considering writing scripts to stop the server by disabling the virtual host, and reloading apache, and starting in in a similar manner, and giving www-data limited sudo privileges to run those scripts. It turns out that this is unnecessary using Passenger, so it was just a matter of overriding the default capistrano tasks to do nothing.
So now there was joy in Mudville. The cap deploy:cold worked. At this point I created a vhost configuration in /etc/apache2/sites-available, used a2ensite to enable it, and reloaded apache. Now to check it out.
One Last Wafer Thin Mint
Back on the MacBook, I edited /etc/hosts to now point to the servers lan address. I still wasn't ready to expose port 80 of the server to the internets.
I cranked up my browser and reloaded the url. Everything was working! But being the suspicious type, I wanted to make sure. Tailing the log on the server showed no acivity, hmmmm?
I pinged talklikeaduck.denhaven2.com on the MacBook, and it was pinging 127.0.0.1. I knew that I'd changed /etc/hosts. Ben told me over ichat to try dscacheutil -flushcache, which seemed to have no effect. So I rebooted the MacBook, and it was still resolving talklikeaduck.denhaven2.com to localhost.
At that point I tried:
$ dscacheutil -q host 127.0.0.1
Which produced:
name: talklikeaduck.denhaven2.com ip_address: 127.0.0.1 name: localhost ip_address: 127.0.0.1 name: talklikeaduck.denhaven2.com ip_address: aaa.bbb.ccc.ddd
So there were two cache entries, and the local host one was winning.
I finally got a clue when I grepped /etc for references to talklikeaduck, and found one in /etc/hosts, but also one in /etc/apache2/sites-available/tlad which was the vhost configuration generated by Passenger pane. When I removed the blog project directory from the Passenger pane, and hit restart, then did the dscacheutil -flushcache, the name was now resolving to the server.
Now I was hitting the server, and I did a little more prodding to make sure things were working, including writing my resurrection announcement.
Now I was finally ready to unblock port 80 on the router.
Hopefully someone will find something useful in this post, at least I've captured the lessons I learned from the exercise.
What a long strange trip it's been
Sometime on Wednesday March 11, the server running this blog died a horrible death.
I'd been happily working on a consulting sub-contract when I returned home late at night to the realization that things weren't right. I couldn't get on the internet, but thought it was an ISP problem. In the morning, I discovered that it was the server, which besides running the blog and a few other web apps, was also running a dns server for local lan addresss, a dhcp server and other vital services here at denhaven2.
When I found time to investigate, I discovered that one of the disks was acting badly. I rebooted, and it took quite a while, but eventually I could snoop around, but when I tried rebooting again, it wouldn't.
My good friend, Mark Imbriacco, who is one of the two sys admins at 37signals, and who lives in the neighborhood, came by to help me diagnose things. The more we snooped around, the more it looked like it was actually the IDE controller on the mother board which had gone flakey.
Mark, bless his heart, offered up a machine he was no longer using, and the process of rebuilding began.
Luckily, I had put a graphics card in the old system, did I tell you that it wasn't just a server? I used to use it as a development workstation as well. This was lucky because Mark had used the new system as a gaming machine, and it had a nice gamer's graphics card installed, whose on board fan was hanging limply from it's attachment. I invested in a 500GM SATA drive for the install, I wanted to bring the system up before touching the drives from the old server.
I'd been holding off updating the system, which was running on Ubuntu 6.06 "Dapper Drake" for nearly 3 years. I'd fallen for the "Long Term Support" pitch, which had the effect of leaving me behind on things like Apache. So this seemed like the right time to take the step up. I decided to just use the latest Ubuntu 8.10 release.
Once the system was installed, it was time to examine the wreckage. It turned out that one of the two 160GB drives had gone bad, or had perhaps been corrupted by the controller. One of the two drives held the home directories, and various other directories, the other was used to hold a nice rsync backup set, kind of a home-built Time Machine using techniques I'd learned at the local Linux user's group. Right after the crash, I thought that it was actually the backup drive which had gone bad, since the first time I booted, I did seem to have access to the data on the 'live drive.' But now linux couldn't find the superblocks, and all I had was the backup.
Two minor problems. The first was that I discovered that the last good backup I had was from sometime in January, so I was going to lose some data. The second was that my nice backups was full of files whose permissions were based on the /etc/passwd and /etc/groups files on the OLD system. I'd faced this problem back when I'd moved the system from Redhat/Fedora to Ubuntu. Redhat distros tend to assign fixed uid's and gid's for the users associated with server processes, while Debian based systems assign them when packages are installed. Reconciling the differences is a major pain, and most of the data is still on the backup drive waiting for me to slog through it.
What I did have were good copies of my database backups (at least until sometime in January, and my local code, like the instance of Typo running this blog. I decided to reconstruct the blog on my MacBook, upgrade it from Typo 4.1 to the latest version of typo, and make it deployable on the server using capistrano, with git for the scm, and passenger, now that I had a version of apache that was modern enough to handle it. No more of the old rube-goldberg setup of Apache talking to pen for load balancing, talking to a mongrel cluster.
I haven't done so much concentrated system admin in quite a while. I've got to thank Mark, and my other friend Ben Burdick, who used to be the sysadmin and QA guru at Near-Time and now works for RackSpace/Slicehost, who have been subject to repeated iChat sessions, when my googling skills flagged.
Mark also had my blog posts for quite a while cached in his RSS reader, and provided me with the contents of the articles I'd written since the last backup. The few image files I needed were still on my MacBook. So I think I've been able to recover everything from the blog, except for any comments made on those missing posts.
Some of the things I've learned from this episode are:
- How to get the apache user to ssh back to the same server to access git.
- How to configure capistrano using git and passenger instead of subversion and mongrel/mongrel-cluster
- That running apache/passenger using the passenger pane on os x, is cool. It let me easily check out the blog. But, I had a final head-scratching moment. I'd changed /etc/hosts on the Mac so that talklikeaduck.denhaven2.com would resolve to local host, which worked great. But when I changed it to point to the lan address of the server, the Mac stubbornly refused to resolve it to anything but 127.0.0.1. I was chatting with Ben during this episode, and he told me to use
dscacheutil --flushcache to clear out the Mac's dns cache, but this didn't work, even after a reboot . Ben just kept saying "That's wierd." I was thinking that some other configuration file must be causing this, so I tried:
grep -R talklikeaduck /etc Which revealed that the only other place the word occurred was in the VHost configuration file which the Passenger pane had generated. I tried removing the blog entry from the Passenger pane and restarting apache, and lo and behold, after clearing the cache, the host was now resolving to the server!
You'll notice that the blog has a new style. The old theme wasn't compatible with Typo 5.2, and getting the blog back up was a higher priority than porting it. Actually I like the new theme, and although I kind of miss old Ruby the Duck Dog. I suspect that he'll she will be coming back in a new form when I get the time to do it.
So having written this first article after the great crash of 2009, I think I'm ready to once again expose the server to the inter-tubes.
Better late than never
A few weeks back Jared Richardson interviewed me about the talk I gave at the inaugural RubyRX No Fluff, Just Stuff’s first foray into a Ruby oriented conference.
Although this was supposed to be published before the conference, it’s just now made it to the DZone web site. I hope you enjoy it.
I was playing around with Pixelmator today, and made a new sketch of Ruby the DuckDog whose photo graces the masthead here.
When the old dog say her picture, she told me that she wouldn’t mind sharing it, so I decided to put it on a few items which the two or three fans of this site might enjoy.
You can find them at the Talk Like A Duck Store.
Consider this post the grand opening. The small profit from any purchases will help keep Ruby in DuckDog food, and support the activites here at TalkLikeADuck HQ.