rsyncd

最後更新: 2021-09-22

目錄

  • rsyncd
  • chroot
  • Configure - &include and &merge
  • Global Parameters & Module Parameters
  • Log Rotate
  • pre-xfer exec, post-xfer exec

 


rsyncd

 

rsyncd 可以用 daemon 或 xinetd 的形式運行, 不過用 xinetd 比較有好處, 原因有 2

  • 更改 rsyncd.conf 後不用 restart 就生效
  • 比較省資源 (rsyncd 不會長期在背景執行)

rsyncd 的設定

 

Centos 6 rsyncd 的設定

# 安裝:

yum install xinetd rsync

# 它一共有 3 個設定檔:

  • /etc/rsyncd.conf
  • /etc/rsyncd.secrets
  • /etc/xinetd.d/rsync

# /etc/rsyncd.conf

motd file=/etc/rsyncd_motd
use chroot = yes
max connections = 4
timeout = 300

pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd/rsyncd.log

# permissions on the secrets file will be checked ( The default is true )
strict modes = yes
secrets file = /etc/rsyncd.secrets

# 用此 setting 時 rsync 需要 root 權限運行,
# 功能可以令 file/folder 屬於其他人
uid = root
gid = root

# default yes
list = no

# Default: 873
port = 1873

# not be compressed when pulling files from the daemon
# 相當於 Client 的 --skip-compress
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz

[module_name]
    path = /home/vmail
    
    log file = /var/log/rsyncd/module_name.log
    
    # The default is 0, which means no limit.
    max connections = 10
    
    # 當沒有設定時, Default 係 read only
    read only = no
    
    #### User ACL ####
    # specifies a comma and/or space-separated list
    # 當沒有設定 "auth users" 時, 什麼人都可以連 !!
    # connect without a password (this is called "anonymous rsync")
    auth users = vmail backup
    
    ####  IP ACL  ####
    # The "hosts allow" first, not match the "hosts deny" => Allow (Default)
    hosts allow = 192.168.0.0/24 192.168.1.0/24
    # Deny ALL (Default NULL)
    hosts deny = *
    
    timeout = 600
    
    refuse options = checksum dry-run
    
    # transfer logging = no
    # logging of downloads and uploads files
    # The daemon always logs the transfer at the end,
    # so if a transfer is aborted, no mention will be made in the log file.
    # log format = %t: host %h (%a) %o %f (%l bytes). Total %b bytes.

mini

motd file=/etc/rsyncd_motd
use chroot = yes
max connections = 4
timeout = 300
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd/rsyncd.log
strict modes = yes
secrets file = /etc/rsyncd.secrets
uid = root
gid = root
list = no
port = 1873
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
[module_name]
    path = /home/vmail
    log file = /var/log/rsyncd/module_name.log
    max connections = 10
    read only = no
    auth users = vmail backup
    hosts allow = 192.168.0.0/24 192.168.1.0/24
    hosts deny = *
    timeout = 600
    refuse options = checksum dry-run

ACL

IP > Auth              # 當過唔到 IP ACL 時, 就不會問 Password

refuse options

# space-separated list

  • checksum
  • delete
  • dry-run
  • compress

list 的 server log:

... module-list request from UNKNOWN (x.x.x.x)

# /etc/rsyncd.secrets

user:pw

要有正確的權限:

chmod 600 /etc/rsyncd.secrets

chown root:root /etc/rsyncd.*

# rsyncd firewall port

-A INPUT -s client_side_ip -p tcp -m multiport --dport 1873 -j ACCEPT

# /etc/xinetd.d/rsync

service rsync
{
    disable         = no
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
}

# Test

telnet localhost 873

Escape character is '^]'.
@RSYNCD: 30.0

# Doc

man 5 rsyncd.conf

 

Ubuntu 12.04 rsyncd 的設定

設定檔:

  • /etc/default/rsync

學習:

man 5 rsyncd.conf

設定:

/etc/default/rsync

RSYNC_ENABLE=false       # 選項有"true", "false", and "inetd"
RSYNC_NICE='10'          # 0 - 19 (10 is a reasonable value)
RSYNC_IONICE='-c3'       # IO priority
RSYNC_OPTS=''            # 可用的選項 --address=x.x.x.x --port=8730

主設定(位置及設定值與 centos 一樣):

/etc/rsyncd.conf

remark:

cp -a /usr/share/doc/rsync/examples/rsyncd.conf /etc/rsyncd.conf

P.S.

即使是以 xinetd 執 rsyncd, 那仍是需要有 rsyncd.conf

/etc/init.d/rsync start

Starting rsync daemon: rsync.

/var/log/rsyncd.log

2012/06/13 10:57:29 [23747] rsyncd version 3.0.7 starting, listening on port 873

Disable reverse lookup in rsync daemon

# case the daemon will use the name "UNDETERMINED" instead.
reverse lookup = no

service rsync restart

 


Global Parameters & Module Parameters

 

Global

motd file, pid file, port, address, socket options, listen backlog

Module

comment, path, use chroot, daemon chroot, proxy protocol
numeric ids, munge symlinks, charset, max connections
log file, syslog facility, syslog tag, max verbosity
lock file, read only, write only, open noatime, list
uid, gid, daemon uid, daemon gid, fake super, filter
exclude, include, exclude from, include from
incoming chmod, outgoing chmod, auth users, secrets file
strict modes, hosts allow, hosts deny
reverse lookup, forward lookup, ignore errors, ignore nonreadable
transfer logging, log format, timeout, refuse options
dont compress, early exec, pre-xfer exec, post-xfer exec

 


chroot

 

有分 "use chroot" 及 "daemon chroot"

use chroot

chroot to the "path" before starting the file transfer with the client

Disadvantages:

 * requiring super-user privileges
 * not being able to follow symbolic links that are either absolute

 


Configure - &include and &merge

 

--config=FILE           specify alternate rsyncd.conf file

rsync --daemon --config=/etc/rsyncd.conf

 * reference to either a file or a directory ( &include /path/rsyncd.d / &include /path/rsyncd.d/bar.conf )

 * without any recursive scanning, with the files sorted into alpha order

 * it will read in all the *.conf or *.inc files

&include &merge directive

Both allow a reference to either a file or a directory(*.conf or *.inc).

&include directive

that you can define one or more modules in a separate file without worrying about unintended side-effects between the self-contained module files.

(&include directive treats each file as more distinct, with each one inheriting the defaults of the parent file)

&merge directive

that you can load config snippets that can be included into multiple module definitions

 


Log Rotate

 

/etc/logrotate.d/rsyncd

/var/log/rsyncd.log {
    daily
    compress
    rotate 14
    notifempty
    missingok
    copytruncate
    delaycompress
}

改善 log 的 format

2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] rsync to test/ from test@UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] receiving file list
2018/11/14 09:51:13 [3256] sent 50 bytes  received 98 bytes  total size 4

[1] name lookup failed for n.n.n.n

# rsync >= 3.1.0

reverse lookup = no

2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)

變成了

2018/11/14 17:57:00 [3331] connect from UNDETERMINED (192.168.88.177)

[2] 解決 chroot 後 log 的 timezone 問題

[方案1]

mkdir ./etc

cp /etc/localtime ./etc

service rsyncd restart

[方案1]

/usr/lib/systemd/system/rsyncd.service

[Service]
EnvironmentFile=/etc/sysconfig/rsyncd

/etc/sysconfig/rsyncd

TZ='UTC-8'

service rsyncd restart

 


pre-xfer exec, post-xfer exec

 

run before and/or after the transfer

environment  variable:

  • RSYNC_MODULE_NAME
  • RSYNC_MODULE_PATH
  • RSYNC_HOST_ADDR
  • RSYNC_HOST_NAME
  • RSYNC_USER_NAME
  • RSYNC_REQUEST
  • RSYNC_EXIT_STATUS