rsyncd

Last updated: 2021-09-22

Contents

  • rsyncd
  • chroot
  • Configure - &include and &merge
  • Global Parameters & Module Parameters
  • Log Rotate
  • pre-xfer exec, post-xfer exec

 


rsyncd

 

rsyncd can run either as a standalone daemon or under xinetd. Running it under xinetd has two advantages:

  • Changes to rsyncd.conf take effect without a restart
  • It uses fewer resources (rsyncd does not stay running in the background)

rsyncd configuration

 

CentOS 6 rsyncd configuration

# Install:

yum install xinetd rsync

# There are 3 configuration files in total:

  • /etc/rsyncd.conf
  • /etc/rsyncd.secrets
  • /etc/xinetd.d/rsync

# /etc/rsyncd.conf

motd file=/etc/rsyncd_motd
use chroot = yes
max connections = 4
timeout = 300

pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd/rsyncd.log

# permissions on the secrets file will be checked ( The default is true )
strict modes = yes
secrets file = /etc/rsyncd.secrets

# With these settings rsync must run with root privileges;
# this allows transferred files/folders to be owned by other users
uid = root
gid = root

# default yes
list = no

# Default: 873
port = 1873

# files matching these patterns are not compressed when pulling from the daemon
# (equivalent to the client's --skip-compress)
dont compress = *.gz *.tgz *.bz2 *.zip *.z *.rpm *.deb *.iso *.jpg *.png

[module_name]
    path = /home/vmail
    
    log file = /var/log/rsyncd/module_name.log
    
    # The default is 0, which means no limit.
    max connections = 10
    
    # When not set, the default is read only
    read only = no
    
    #### User ACL ####
    # a comma and/or space-separated list of user names
    # When "auth users" is not set, anyone can connect
    # without a password (this is called "anonymous rsync") !!
    auth users = vmail backup
    
    ####  IP ACL  ####
    # "hosts allow" is checked first; a host that does not match "hosts deny" is allowed (default)
    hosts allow = 192.168.0.0/24 192.168.1.0/24
    # Deny everything else (default: empty)
    hosts deny = *
    
    timeout = 600
    
    refuse options = checksum dry-run
    
    # transfer logging = no
    # logs each downloaded and uploaded file
    # The daemon always logs the transfer at the end,
    # so if a transfer is aborted, no mention will be made in the log file.
    # log format = %t: host %h (%a) %o %f (%l bytes). Total %b bytes.

Minimal version

motd file=/etc/rsyncd_motd
use chroot = yes
max connections = 4
timeout = 300
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd/rsyncd.log
strict modes = yes
secrets file = /etc/rsyncd.secrets
uid = root
gid = root
list = no
port = 1873
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz

[module_name]
    path = /home/vmail
    log file = /var/log/rsyncd/module_name.log
    max connections = 10
    read only = no
    auth users = vmail backup
    hosts allow = 192.168.0.0/24 192.168.1.0/24
    hosts deny = *
    timeout = 600
    refuse options = checksum dry-run

ACL

IP > Auth              # if the IP ACL rejects the client, it is never asked for a password
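As an added example (not part of the original page), this Python snippet applies a module's "hosts allow" / "hosts deny" lists in the order rsyncd uses them (allow list first; with both lists set, a host on neither list is allowed, which is why the config above adds hosts deny = *) and shows that the IP decision is made before any password prompt. Only plain addresses, a.b.c.d/len networks and "*" are handled; hostname patterns are left out.

```python
import ipaddress

# Module parameters taken from the page's example config (constructed dict)
MODULE = {
    "hosts allow": "192.168.0.0/24 192.168.1.0/24",
    "hosts deny": "*",
    "auth users": "vmail backup",
}

def _matches(pattern, addr):
    """One rsyncd host pattern: "*", a CIDR network, or a single address."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def host_allowed(client_ip, hosts_allow="", hosts_deny=""):
    """Neither list: allow. Only "hosts allow": the host must match it.
    Only "hosts deny": reject on match. Both: allow match wins, then deny
    match rejects, and a host on neither list is allowed."""
    addr = ipaddress.ip_address(client_ip)
    allow = hosts_allow.replace(",", " ").split()
    deny = hosts_deny.replace(",", " ").split()
    if not allow and not deny:
        return True
    if not deny:
        return any(_matches(p, addr) for p in allow)
    if not allow:
        return not any(_matches(p, addr) for p in deny)
    if any(_matches(p, addr) for p in allow):
        return True
    return not any(_matches(p, addr) for p in deny)

def connection_stage(client_ip, module):
    """Which check stops (or admits) a client: the IP ACL runs before auth."""
    if not host_allowed(client_ip, module.get("hosts allow", ""),
                        module.get("hosts deny", "")):
        return "rejected by IP ACL (no password prompt)"
    if not module.get("auth users"):
        return "anonymous rsync: no password required"
    return "password required, auth users: " + module["auth users"]

if __name__ == "__main__":
    for ip in ("192.168.1.7", "10.0.0.5"):
        print(ip, "->", connection_stage(ip, MODULE))
```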

refuse options

# space-separated list

  • checksum
  • delete
  • dry-run
  • compress

Server log entry for a module list request:

... module-list request from UNKNOWN (x.x.x.x)

/etc/rsyncd.secrets

The file must have the correct permissions:

touch /etc/rsyncd.secrets

chmod 600 /etc/rsyncd.secrets

chown root:root /etc/rsyncd.*

Format

user:pw
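An added example (not from the page) of the check that "strict modes = yes" enforces, done ahead of time: the secrets file must be owned by the uid the daemon runs as, must not be accessible by group or others, and every entry must be user:pw. The demo file and its contents are constructed.

```python
import os
import stat
import tempfile

def check_secrets_file(path, daemon_uid=0):
    """Return the problems rsyncd's "strict modes = yes" would object to,
    plus format errors; an empty list means the file is acceptable."""
    problems = []
    st = os.stat(path)
    if st.st_uid != daemon_uid:
        problems.append(f"owner uid {st.st_uid} is not the daemon uid {daemon_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(st.st_mode & 0o777)} is accessible by group/other")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            user, sep, pw = line.partition(":")
            if not (sep and user and pw):
                problems.append(f"line {n}: expected user:pw")
    return problems

def demo(daemon_uid=None):
    """Constructed case: a secrets file created with a loose mode and one
    malformed line, then the fix shown above (chmod 600). Returns the
    problem lists before and after the fix."""
    daemon_uid = os.getuid() if daemon_uid is None else daemon_uid
    fd, path = tempfile.mkstemp(prefix="rsyncd.secrets.")
    with os.fdopen(fd, "w") as fh:
        fh.write("vmail:s3cret\nbackup\n")   # second line has no password
    try:
        os.chmod(path, 0o644)
        before = check_secrets_file(path, daemon_uid)
        os.chmod(path, 0o600)
        after = check_secrets_file(path, daemon_uid)
    finally:
        os.unlink(path)
    return before, after

if __name__ == "__main__":
    for label, found in zip(("before", "after"), demo()):
        print(label, found)
```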

 

rsyncd firewall port

-A INPUT -s client_side_ip -p tcp -m multiport --dport 1873 -j ACCEPT

/etc/xinetd.d/rsync

service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
}

Test

telnet localhost 873

Escape character is '^]'.
@RSYNCD: 30.0

# Doc

man 5 rsyncd.conf

 


Rocky 8

 

dnf install rsync-daemon

Config

  • /etc/sysconfig/rsyncd
  • /etc/rsyncd.conf

Help

man rsyncd.conf

Service

  1. systemctl start rsyncd
  2. systemctl enable rsyncd

/etc/rsyncd.conf

uid = root
gid = root
pid file = /var/run/rsyncd.pid
exclude = lost+found/
# Log
transfer logging = yes
log file = /var/log/rsyncd/rsyncd.log
# Net
address = 0.0.0.0
port = 1873
timeout = 900
reverse lookup = no
dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2
max connections = 4
# secrets
use chroot = yes
secrets file = /etc/rsyncd.secrets
strict modes = yes
list = no

[maildata]
    path = /maildata
    comment = email data
    read only = no
    auth users = tim

Firewall

firewall-cmd --add-rich-rule='rule family="ipv4" source address="x.x.x.x" port protocol="tcp" port="1873" accept' \
--permanent

 

 


Ubuntu 12.04 rsyncd configuration

 

Configuration file:

  • /etc/default/rsync

Reference:

man 5 rsyncd.conf

Settings:

/etc/default/rsync

RSYNC_ENABLE=false       # options: "true", "false", and "inetd"
RSYNC_NICE='10'          # 0 - 19 (10 is a reasonable value)
RSYNC_IONICE='-c3'       # IO priority
RSYNC_OPTS=''            # available options: --address=x.x.x.x --port=8730

Main configuration (same location and settings as on CentOS):

/etc/rsyncd.conf

remark:

cp -a /usr/share/doc/rsync/examples/rsyncd.conf /etc/rsyncd.conf

P.S.

Even when rsyncd runs under xinetd, rsyncd.conf is still required

/etc/init.d/rsync start

Starting rsync daemon: rsync.

/var/log/rsyncd.log

2012/06/13 10:57:29 [23747] rsyncd version 3.0.7 starting, listening on port 873

Disable reverse lookup in rsync daemon

# the daemon logs the name "UNDETERMINED" instead of doing a reverse lookup
reverse lookup = no

service rsync restart

 


Global Parameters & Module Parameters

 

Global

motd file, pid file, port, address, socket options, listen backlog

Module

comment, path, use chroot, daemon chroot, proxy protocol
numeric ids, munge symlinks, charset, max connections
log file, syslog facility, syslog tag, max verbosity
lock file, read only, write only, open noatime, list
uid, gid, daemon uid, daemon gid, fake super, filter
exclude, include, exclude from, include from
incoming chmod, outgoing chmod, auth users, secrets file
strict modes, hosts allow, hosts deny
reverse lookup, forward lookup, ignore errors, ignore nonreadable
transfer logging, log format, timeout, refuse options
dont compress, early exec, pre-xfer exec, post-xfer exec

 


chroot

 

There are two kinds: "use chroot" and "daemon chroot"

use chroot

chroot to the "path" before starting the file transfer with the client

Disadvantages:

 * requiring super-user privileges
 * not being able to follow symbolic links that are either absolute

 


Configure - &include and &merge

 

--config=FILE           specify alternate rsyncd.conf file

rsync --daemon --config=/etc/rsyncd.conf

 * reference to either a file or a directory ( &include /path/rsyncd.d / &include /path/rsyncd.d/bar.conf )

 * without any recursive scanning, with the files sorted into alpha order

 * it will read in all the *.conf or *.inc files

&include &merge directive

Both allow a reference to either a file or a directory(*.conf or *.inc).

&include directive

Lets you define one or more modules in a separate file without worrying about unintended side-effects between the self-contained module files.

(&include directive treats each file as more distinct, with each one inheriting the defaults of the parent file)

&merge directive

Lets you load config snippets that can be included into multiple module definitions.
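An added example, not from the page or from rsync itself: a miniature rsyncd.conf loader over an in-memory set of files that follows the two directives as described. &include parses its file with a copy of the parent's defaults, starting in global context, and leaves the parent's defaults untouched (this mini-parser also assumes the parent's current module section is resumed afterwards); &merge splices the file in place, so it can add parameters to a module opened in the parent. File names and contents are constructed.

```python
def parse(text, files, defaults, modules, current=None):
    """Parse one config text. `defaults` = global parameters, `modules` =
    name -> parameters, `current` = module being defined (None = global).
    Returns the section that is current when the text ends."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("&include "):
            # isolated: own copy of the defaults, global context, parent unaffected
            parse(files[line[9:].strip()], files, dict(defaults), modules, None)
        elif line.startswith("&merge "):
            # in place: shares the defaults and whatever module is open right now
            current = parse(files[line[7:].strip()], files, defaults, modules, current)
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = dict(defaults)      # a module starts from the defaults
        else:
            key, _, value = line.partition("=")
            (defaults if current is None else modules[current])[key.strip()] = value.strip()
    return current

def load_config(files, main="rsyncd.conf"):
    """Load the constructed config tree; returns (defaults, modules)."""
    defaults, modules = {}, {}
    parse(files[main], files, defaults, modules)
    return defaults, modules

# Constructed config tree (paths are placeholders, not the page's files)
FILES = {
    "rsyncd.conf": """
        read only = yes
        &merge rsyncd.d/globals.inc
        [module_name]
            path = /home/vmail
            &merge rsyncd.d/acl.inc
        &include rsyncd.d/maildata.conf
        [public]
            path = /srv/pub
    """,
    "rsyncd.d/globals.inc": "timeout = 600\n",   # &merge: changes the parent's defaults
    "rsyncd.d/acl.inc": "hosts allow = 192.168.0.0/24\nhosts deny = *\n",
    "rsyncd.d/maildata.conf": "read only = no\n[maildata]\n    path = /maildata\n",
}

if __name__ == "__main__":
    for name, params in load_config(FILES)[1].items():
        print(name, params)
```

Note that read only = no in the included file reaches only the [maildata] module it defines; the parent's later [public] module still inherits read only = yes.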

 


Log Rotate

 

/etc/logrotate.d/rsyncd

/var/log/rsyncd.log {
    daily
    compress
    rotate 14
    notifempty
    missingok
    copytruncate
    delaycompress
}

Improving the log format

2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] rsync to test/ from test@UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] receiving file list
2018/11/14 09:51:13 [3256] sent 50 bytes  received 98 bytes  total size 4

[1] name lookup failed for n.n.n.n

# rsync >= 3.1.0

reverse lookup = no

2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)

becomes

2018/11/14 17:57:00 [3331] connect from UNDETERMINED (192.168.88.177)

[2] Fixing the log timezone after chroot

[Option 1]

# inside the module's "path" (the chroot root), copy the host's timezone file
mkdir ./etc

cp /etc/localtime ./etc

service rsyncd restart

[Option 2]

/usr/lib/systemd/system/rsyncd.service

[Service]
EnvironmentFile=/etc/sysconfig/rsyncd

/etc/sysconfig/rsyncd

TZ='UTC-8'

service rsyncd restart
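An added example (not from the page) that runs over the five sample log lines above: it groups entries by daemon pid into sessions and flags the two symptoms this section fixes, failing reverse lookups ([1]) and the clock running backwards within one session, which is what a chroot without /etc/localtime looks like ([2]). The regexes are this example's own, written against the default log format.

```python
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\d+)\] (.*)$")
CONNECT_RE = re.compile(r"^connect from (\S+) \((\S+)\)$")
REQUEST_RE = re.compile(r"^rsync (to|from) (\S+) from (\S+)@(\S+) \((\S+)\)$")

# The page's five sample lines, embedded here as the input
SAMPLE_LOG = """\
2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] rsync to test/ from test@UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] receiving file list
2018/11/14 09:51:13 [3256] sent 50 bytes  received 98 bytes  total size 4
"""

def parse_sessions(log_text):
    """Group lines by daemon pid into sessions (host, ip, user, module,
    direction) and collect findings for the two symptoms."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        s = sessions.setdefault(pid, {"findings": [], "last_ts": None})
        if s["last_ts"] is not None and ts < s["last_ts"]:
            s["findings"].append("clock went backwards inside the session: check TZ in chroot")
        s["last_ts"] = ts
        if msg.startswith("name lookup failed"):
            s["findings"].append("reverse lookup failing: set 'reverse lookup = no'")
        c = CONNECT_RE.match(msg)
        if c:
            s["host"], s["ip"] = c.groups()
        r = REQUEST_RE.match(msg)
        if r:
            s["direction"], s["module"], s["user"] = r.group(1), r.group(2), r.group(3)
    return sessions

if __name__ == "__main__":
    for pid, s in parse_sessions(SAMPLE_LOG).items():
        print(pid, s.get("user"), s.get("ip"), s["findings"])
```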

 


pre-xfer exec, post-xfer exec

 

run before and/or after the transfer

Environment variables available to the script:

  • RSYNC_MODULE_NAME
  • RSYNC_MODULE_PATH
  • RSYNC_HOST_ADDR
  • RSYNC_HOST_NAME
  • RSYNC_USER_NAME
  • RSYNC_REQUEST
  • RSYNC_EXIT_STATUS
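An added example (not from the page) of a hook built on these variables: a pre-xfer exec script that refuses the transfer when the requested paths fall outside the user's own subdirectory of the module, and a post-xfer audit line. The per-user scope table, the sample environment and the script path are assumptions of this example, not rsyncd parameters.

```python
import os
import sys

# Per-user scope inside the module (an assumption of this example): each
# backup user may only touch its own subdirectory.
SCOPE = {"vmail": "vmail", "backup": "backup"}

def pre_xfer_check(env, scope=SCOPE):
    """Decide from the RSYNC_* variables whether the transfer may proceed.
    Returns (exit_status, reason); rsyncd refuses the transfer when the
    pre-xfer exec script exits non-zero."""
    module = env.get("RSYNC_MODULE_NAME", "")
    user = env.get("RSYNC_USER_NAME", "")
    if user not in scope:
        return 1, f"user {user!r} has no scope in module {module!r}"
    allowed = f"{module}/{scope[user]}"
    # RSYNC_REQUEST may list several paths, e.g. "mod/path1 mod/path2"
    for req in env.get("RSYNC_REQUEST", "").split():
        norm = os.path.normpath(req)        # folds "a/../b" before comparing
        if norm != allowed and not norm.startswith(allowed + "/"):
            return 1, f"request {req!r} is outside {allowed}/"
    return 0, "ok"

def audit_line(env):
    """One line for post-xfer exec: who did what, from where, and how it ended."""
    keys = ("RSYNC_MODULE_NAME", "RSYNC_USER_NAME", "RSYNC_HOST_ADDR",
            "RSYNC_HOST_NAME", "RSYNC_REQUEST", "RSYNC_EXIT_STATUS")
    return " ".join(f"{k[6:].lower()}={env.get(k, '-')}" for k in keys)

# Constructed environment, shaped like what rsyncd passes to the hook
SAMPLE_ENV = {
    "RSYNC_MODULE_NAME": "module_name", "RSYNC_MODULE_PATH": "/home/vmail",
    "RSYNC_HOST_ADDR": "192.168.1.7", "RSYNC_HOST_NAME": "UNDETERMINED",
    "RSYNC_USER_NAME": "vmail", "RSYNC_REQUEST": "module_name/vmail/Maildir",
}

if __name__ == "__main__":
    # installed as: pre-xfer exec = /path/to/this-script.py  (placeholder path)
    status, reason = pre_xfer_check(os.environ)
    print(reason, file=sys.stderr)
    sys.exit(status)
```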