borgbackup

Last updated: 2023-04-10

Table of Contents

  • Usage
  • File Comparison
  • Checkpoint
  • Routine Maintenance
  • SSH Settings

Introduction

Borg is a fork of Attic, maintained by "The Borg collective".

  • deduplicating backup (chunk-based, by id_hash value)
  • compressing backup (lz4, zstd, zlib, lzma)
  • authenticated encryption (HMAC-SHA256 + AES256)
  • local & client/server mode (ssh + borg serve)
  • Borg supports resuming backups (<archive-name>.checkpoint @ 30 min)
  • Mountable backups with FUSE

HomePage: https://www.borgbackup.org/

Drawbacks

  • It pushes backups to remote repositories accessed via ssh
    (the client uses SSH as a transport to talk to the remote agent, borg serve)
  • Single-threaded
    (a multi-core CPU does not speed up compression or encryption)
  • Borg 1.2.4: Python >= 3.8
  • Compression: lz4, zstd, zlib, lzma or none
  • Mountable backups with FUSE

 


Installation

 

Install by Package

apt-get install borgbackup

Or

Install by Source (Get latest version)

  1. apt-get install python3-dev python3-virtualenv
  2. virtualenv --python=python3 borg-env
  3. source borg-env/bin/activate
  4. pip install -U pip setuptools wheel
  5. pip install pkgconfig
  6. pip install borgbackup

P.S.

# When using FUSE (llfuse, pyfuse3), llfuse must be installed

pip install llfuse

Check Version

borg --version

borg 1.2.0

 


Usage

 

Step 1: Create the repo (folder) that stores the backups

# --make-parent-dirs          # create the parent directories if they are missing
# --storage-quota QUOTA       # set the quota the storage may use. Default: no quota.
# --encryption | -e MODE      # repokey | none | keyfile | authenticated
                              # repokey-blake2 | keyfile-blake2 | authenticated-blake2

borg init --encryption=repokey --storage-quota 450G /path/to/repo

 * For remote backups the encryption is done locally

 * You need both the repo key AND the passphrase to access this repo!

 => Encrypt the key with your passphrase (or use the BORG_PASSPHRASE environment variable)

repokey & keyfile: encryption and authentication

  • AES-CTR-256 for encryption and
  • HMAC-SHA256 for authentication
  • in an encrypt-then-MAC (EtM) construction

repokey (-e repokey)

Store the encrypted borg key inside the repository directory (in the repo/config)

[repository]
...
id = ...
key = ...

The key can be exported with "borg key export"

keyfile (-e keyfile)

~/.config/borg/keys/backup_borg

BORG_KEY ID
... KEY ...

authenticated mode

uses no encryption, but authenticates repository contents through the same HMAC-SHA256

Notes

Step 2: Back up into the repo

# --stats                                            # statistics
# --comment COMMENT
# -C | --compression COMPRESSION    # Default: lz4. Options: none | zlib,6 | lzma,6 # 0~9

borg create [--stats] /path/to/repo::Monday ~/Data ~/Doc

* pathnames recorded in files cache are always absolute,
   even if you specify source directories with relative pathname
   (~/Data -> /root/Data)

* If the directory where you mount a filesystem is different every time,
   Borg assumes they are different files.
    (/root/Data X /home/Data)

Opts

  • --numeric-ids               # only store numeric user and group identifiers
  • -n, --dry-run

# Backup the root filesystem into an archive named "root-YYYY-MM-DD"

... /path/to/repo::root-{now:%Y-%m-%d}

# Exclude pyc files

... --exclude '*.pyc'

# Backup a raw device

# 4194304 = 4M

... --read-special --chunker-params fixed,4194304

--read-special

open and read block and char device files

--chunker-params PARAMS            # Default: buzhash,19,23,21,4095

ALGO, CHUNK_MIN_EXP, CHUNK_MAX_EXP, HASH_MASK_BITS, HASH_WINDOW_SIZE

# Backup a sparse disk image (detect sparse holes in input, supported only by fixed chunker)

... --sparse --chunker-params fixed,4194304

P.S.

--upload-ratelimit RATE

 

Step 3: 查看 Backup

borg list /path/to/repo

borg list /path/to/repo::Monday

borg info /path/to/repo::Monday        # information about the specified archive or repository

 

Step 4: Restoring File

borg extract

i.e.

borg extract /path/to/repo::Monday

borg mount               # FUSE mount

-f, --foreground     stay in foreground, do not daemonize

 

Step 5: Delete old backups

deletes an archive from the repository

 * When deleting archives, repository disk space is not freed until you run borg compact

i.e.

# -n, --dry-run     do not change repository

borg delete /path/to/repo::Monday

GLOB

# -a GLOB, --glob-archives GLOB        only consider archive names matching the glob.

... --glob-archives '*-2023-03-*' ...

 

Other Opts

-n, --dry-run     do not change repository

--cache-only     delete only the local cache for the given repository

 


File Comparison

 

This comparison can operate in different modes as given by --files-cache:

  • ctime,size,inode    (default)
  • mtime,size,inode  (default behaviour of borg versions older than 1.1.0rc4)
  • rechunk,ctime      (all files are considered modified - rechunk, cache ctime)
  • rechunk,mtime     (all files are considered modified - rechunk, cache mtime)
  • disabled               (disable the files cache, all files considered modified - rechunk)

* inode number: better safety, but often unstable on network filesystems

ctime vs. mtime

ctime: it can't be set from userspace

mtime: it can be arbitrarily set from userspace
(e.g. to set mtime back to the same value it had before a content change happened)
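The difference between the two modes, as an added example (not code from the Borg project): cache_key is a simplified model of the (timestamp, size, inode) comparison listed above, the sample file is constructed, and POSIX ctime semantics are assumed.

```python
import os
import tempfile
import time

def cache_key(path, mode):
    """Simplified model of a files-cache entry: (timestamp, size, inode)."""
    st = os.stat(path)
    ts = st.st_ctime_ns if mode == "ctime" else st.st_mtime_ns
    return (ts, st.st_size, st.st_ino)

def looks_unchanged_after_edit():
    """Edit a file in place, restore its mtime, report what each mode sees."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data.bin")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"A" * 4096)
        old = os.stat(path)
        before = {m: cache_key(path, m) for m in ("ctime", "mtime")}

        time.sleep(1.1)  # step past even 1-second timestamp granularity
        with open(path, "r+b") as f:  # same inode, same size, new content
            f.write(b"B" * 4096)
        # mtime is restorable from userspace; the kernel stamps ctime itself
        os.utime(path, ns=(old.st_atime_ns, old.st_mtime_ns))

        after = {m: cache_key(path, m) for m in ("ctime", "mtime")}
        return {m: before[m] == after[m] for m in before}

if __name__ == "__main__":
    for mode, same in looks_unchanged_after_edit().items():
        verdict = "treated as unchanged" if same else "detected as modified"
        print(f"--files-cache {mode},size,inode: file {verdict}")
```

With the mtime-based key the changed file compares equal to its cached entry; with the default ctime-based key it does not.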

 


Checkpoint

 

<archive-name>.checkpoint (Default: once every 30 minutes)

This checkpoint archive is a valid archive, but it is only a partial backup.
The checkpointing mechanism creates hidden, partial files in an archive,
so that checkpoints even work while a big file is being processed.

<filename>.borg_part_<N>

 


Routine Maintenance

 

Check

# --verify-data     perform a full integrity verification (decrypting and decompressing) of data
#                         (as opposed to checking the CRC32 of the segment)

borg check [--verify-data] [REPOSITORY_OR_ARCHIVE]

 * If checking a remote repo via ssh:, the repo check is executed on the server without causing significant network traffic

# To set a default for the repo URL

export BORG_REPO='ssh://user@host:port/path/to/repo'

Compacting & prune

compact - compacting the segment files in the repo

 * compact does not need a key (invoke it from the client / server)

# A segment is compacted if the amount of saved space is above the % value
# --threshold 10 (Default)

borg compact [--progress] /path/to/repo

prune - deleting all archives not matching any of the specified retention options

 * space is not freed until you run borg compact

# --keep-within INTERVAL     to keep all archives within this time interval

borg prune --keep-within 7d REPO

# --keep-daily D                   to keep the latest backup on each day

borg prune --keep-daily 7 REPO

 * recommended to always run prune -v --list --dry-run ... first

 * The default of prune is to apply to all archives in the repository

config

# reserve some space in Borg itself (recommended)

borg config /path/to/repo additional_free_space 2G

Key

borg key change-passphrase [REPOSITORY]

borg key export [--paper | --qr-html] /path/to/repo > encrypted-key-backup

import

* For repositories using the repokey encryption the key is saved in the repository in the config file.

borg key import [REPOSITORY] [PATH]

If the BORG_KEY_FILE environment variable is set and non-empty, borg key import creates or overwrites that file

 * If a key file is found in $BORG_KEYS_DIR, borg key import overwrites it.

 


SSH Settings

 

Key Settings

.ssh/authorized_keys

command="borg serve ...",restrict ssh-rsa <key used for backup management> <key host>
command="borg serve --restrict-to-repository /home/<user>/repository",restrict ssh-rsa <key> <key host>
command="borg serve --append-only ...",restrict ssh-rsa <key used for not-always-trustable backup clients> <key host>
command="export BORG_XXX=value; borg serve [...]",restrict ssh-rsa ...

--restrict-to-path PATH

to allow the client access to several directories.

Can be specified multiple times

Access to all sub-directories is granted implicitly

PATH doesn't need to directly point to a repository

--restrict-to-repository PATH

Restrict repository access. Only the repository located at PATH is accessible.

Can be specified multiple times

--append-only

Append-only mode => forbid compaction

Borg will never overwrite or delete committed data

borg config /path/to/repo append_only 1

--storage-quota QUOTA

Default: 0 (disable the quota)
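A check for the authorized_keys entries described above, as an added example (not part of Borg or OpenSSH): it parses the options field and reports keys that are not pinned to a restricted borg serve. The function names, the sample paths and the placeholder key strings are assumptions made for the example.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)"|=([^\s,"]*))?')

def parse_line(line):
    """Return (options dict, remaining fields) for one authorized_keys line."""
    opts, pos = {}, 0
    if not line.startswith(KEY_TYPES):  # the line begins with an options field
        while (m := OPTION.match(line, pos)) and m.end() > pos:
            opts[m.group(1).lower()] = m.group(2) or m.group(3) or ""
            pos = m.end()
            if line[pos:pos + 1] != ",":
                break
            pos += 1
    return opts, line[pos:].split()

def audit(text):
    """List (line number, issues) for entries that are not locked to borg serve."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = parse_line(line)
        cmd, issues = opts.get("command", ""), []
        if "restrict" not in opts:
            issues.append("no 'restrict' option")
        if not re.search(r"\bborg serve\b", cmd):
            issues.append("no forced 'borg serve' command")
        else:
            if not re.search(r"--restrict-to-(path|repository)\b", cmd):
                issues.append("not confined to a path or repository")
            if "--append-only" not in cmd:
                issues.append("no --append-only")
        if issues:
            findings.append((n, issues))
    return findings

# Constructed sample; key material is placeholder text, not real keys.
SAMPLE = '''\
command="borg serve --append-only --restrict-to-repository /srv/borg/web1",restrict ssh-ed25519 AAAAplaceholder1 web1
command="borg serve --restrict-to-path /srv/borg",restrict ssh-ed25519 AAAAplaceholder2 admin
command="borg serve" ssh-ed25519 AAAAplaceholder3 db1
ssh-ed25519 AAAAplaceholder4 laptop
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A missing --append-only is expected for the backup-management key; treat it as a finding only for clients that are not always trustable.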

SSH Config Settings

~/.ssh/config                       # Client

Host X.X.X
    ServerAliveInterval 10
    ServerAliveCountMax 6

/etc/ssh/sshd_config            # Server

ClientAliveInterval 10
ClientAliveCountMax 6

 


 
