Last updated: 2021-09-22
Contents
- rsyncd
- chroot
- Configure - &include and &merge
- Global Parameters & Module Parameters
- Log Rotate
- pre-xfer exec, post-xfer exec
rsyncd
rsyncd can run either as a standalone daemon or from xinetd; running it from xinetd has two advantages:
- changes to rsyncd.conf take effect without a restart
- it uses fewer resources (rsyncd is not kept running in the background)
rsyncd configuration
CentOS 6 rsyncd configuration
# Install:
yum install xinetd rsync
# There are 3 configuration files in total:
- /etc/rsyncd.conf
- /etc/rsyncd.secrets
- /etc/xinetd.d/rsync
# /etc/rsyncd.conf
# rsyncd.conf
address = 0.0.0.0
# Default: 873
port = 1873
motd file=/etc/rsyncd_motd
use chroot = yes
max connections = 4
timeout = 300
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd/rsyncd.log
# permissions on the secrets file will be checked (the default is true)
strict modes = yes
secrets file = /etc/rsyncd.secrets
# With this setting rsync must run with root privileges;
# it allows files/folders to be owned by other users
uid = root
gid = root
# default yes
list = no
# not compressed when pulling files from the daemon
# equivalent to the client's --skip-compress
dont compress = *.gz *.tgz *.bz2 *.zip *.z *.rpm *.deb *.iso *.jpg *.png
[module_name]
path = /home/vmail
log file = /var/log/rsyncd/module_name.log
# The default is 0, which means no limit.
max connections = 10
# When not set, the default is read only
read only = no
#### User ACL ####
# specifies a comma and/or space-separated list
# When "auth users" is not set, anyone can connect !!
# connect without a password (this is called "anonymous rsync")
auth users = vmail backup
#### IP ACL ####
# "hosts allow" is checked first; a client matching neither list is allowed (default)
hosts allow = 192.168.0.0/24 192.168.1.0/24
# Deny all (default: empty)
hosts deny = *
timeout = 600
refuse options = checksum dry-run
# transfer logging = no
# logging of downloaded and uploaded files
# The daemon always logs the transfer at the end,
# so if a transfer is aborted, no mention will be made in the log file.
# log format = %t: host %h (%a) %o %f (%l bytes). Total %b bytes.
Mini
motd file=/etc/rsyncd_motd
use chroot = yes
max connections = 4
timeout = 300
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd/rsyncd.log
strict modes = yes
secrets file = /etc/rsyncd.secrets
uid = root
gid = root
list = no
port = 1873
dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
[module_name]
path = /home/vmail
log file = /var/log/rsyncd/module_name.log
max connections = 10
read only = no
auth users = vmail backup
hosts allow = 192.168.0.0/24 192.168.1.0/24
hosts deny = *
timeout = 600
refuse options = checksum dry-run
ACL
IP > Auth # If the IP ACL check fails, the client is never asked for a password
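The IP-then-auth order above is easy to get wrong when reviewing a module definition. As an added example (not code from the page or from rsync itself), this models the decision for a single module using the page's hosts allow / hosts deny / auth users values; the MODULE dictionary and the result labels are constructed for the illustration.

```python
# Added example (not from the page): a model of rsyncd's per-module access
# decision, following the rules in the config comments above (rsyncd.conf(5)):
#   1. "hosts allow" is checked first and a match admits the client; otherwise
#      "hosts deny" is checked and a match rejects it; a client matching neither
#      list is allowed, except that an allow list with no match rejects.
#   2. "auth users" is consulted only after the IP ACL passes, so a client that
#      fails the IP ACL is never asked for a password (IP > Auth).
# Only address and CIDR/netmask patterns are modelled; hostname patterns,
# "@group" entries and the secrets-file password check itself are left out.
import ipaddress
from typing import Optional

def _patterns(module: dict, key: str) -> list:
    """Values are comma and/or space separated; split into a list of patterns."""
    return module.get(key, "").replace(",", " ").split()

def host_matches(pattern: str, client_ip: str) -> bool:
    """One 'hosts allow' / 'hosts deny' pattern: '*', an address, or a network."""
    if pattern == "*":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:  # accepts a.b.c.d/24 and a.b.c.d/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)

def ip_acl_allows(module: dict, client_ip: str) -> bool:
    allow = _patterns(module, "hosts allow")
    deny = _patterns(module, "hosts deny")
    if any(host_matches(p, client_ip) for p in allow):
        return True
    if any(host_matches(p, client_ip) for p in deny):
        return False
    return not allow  # nothing matched: rejected only when an allow list exists

def access_decision(module: dict, client_ip: str, user: Optional[str]) -> str:
    """Returns 'denied-ip', 'anonymous', 'password-required' or 'denied-user'."""
    if not ip_acl_allows(module, client_ip):
        return "denied-ip"
    # an entry may carry a ":ro" / ":rw" suffix; keep only the user name
    users = [u.split(":")[0] for u in _patterns(module, "auth users")]
    if not users:
        return "anonymous"  # no "auth users": anyone past the IP ACL connects
    if user in users:
        return "password-required"  # the secrets file decides from here
    return "denied-user"

# Constructed module mirroring the [module_name] block above.
MODULE = {"hosts allow": "192.168.0.0/24 192.168.1.0/24",
          "hosts deny": "*", "auth users": "vmail backup"}
```

Note the fourth case in the checks: a module with only hosts allow set still rejects non-matching clients, while a module with neither list set is open to every address that reaches port 1873.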
refuse options
# space-separated list
- checksum
- delete
- dry-run
- compress
Server log entry for a module-list request:
... module-list request from UNKNOWN (x.x.x.x)
/etc/rsyncd.secrets
It must have the correct permissions:
touch /etc/rsyncd.secrets
chmod 600 /etc/rsyncd.secrets
chown root:root /etc/rsyncd.*
Format
user:pw
rsyncd firewall port
-A INPUT -s client_side_ip -p tcp -m multiport --dport 1873 -j ACCEPT
/etc/xinetd.d/rsync
service rsync
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/bin/rsync
    server_args = --daemon
}
Test
telnet localhost 873
Escape character is '^]'.
@RSYNCD: 30.0
# Doc
man 5 rsyncd.conf
Rocky 8
dnf install rsync-daemon
Config
- /etc/sysconfig/rsyncd
- /etc/rsyncd.conf
Help
man rsyncd.conf
Service
- systemctl start rsyncd
- systemctl enable rsyncd
/etc/rsyncd.conf
uid = root
gid = root
pid file = /var/run/rsyncd.pid
exclude = lost+found/
# Log
transfer logging = yes
log file = /var/log/rsyncd/rsyncd.log
# Net
address = 0.0.0.0
port = 1873
timeout = 900
reverse lookup = no
dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2
max connections = 4
# secrets
use chroot = yes
secrets file = /etc/rsyncd.secrets
strict modes = yes
list = no
[mail_data]
path = /home/mail_data
comment = email data
read only = no
auth users = tim
Firewall
firewall-cmd --add-rich-rule='rule family="ipv4" source address="x.x.x.x" port protocol="tcp" port="1873" accept' \
--permanent
Ubuntu 12.04 rsyncd configuration
Configuration file:
- /etc/default/rsync
Documentation:
man 5 rsyncd.conf
Settings:
/etc/default/rsync
RSYNC_ENABLE=false # options: "true", "false", and "inetd"
RSYNC_NICE='10' # 0 - 19 (10 is a reasonable value)
RSYNC_IONICE='-c3' # IO priority
RSYNC_OPTS='' # available options: --address=x.x.x.x --port=8730
Main configuration (same location and settings as on CentOS):
/etc/rsyncd.conf
Note:
cp -a /usr/share/doc/rsync/examples/rsyncd.conf /etc/rsyncd.conf
P.S.
Even when rsyncd is run from xinetd, rsyncd.conf is still required
/etc/init.d/rsync start
Starting rsync daemon: rsync.
/var/log/rsyncd.log
2012/06/13 10:57:29 [23747] rsyncd version 3.0.7 starting, listening on port 873
Disable reverse lookup in rsync daemon
# case the daemon will use the name "UNDETERMINED" instead.
reverse lookup = no
service rsync restart
Global Parameters & Module Parameters
Global
motd file, pid file, port, address, socket options, listen backlog
Module
comment, path, use chroot, daemon chroot, proxy protocol
numeric ids, munge symlinks, charset, max connections
log file, syslog facility, syslog tag, max verbosity
lock file, read only, write only, open noatime, list
uid, gid, daemon uid, daemon gid, fake super, filter
exclude, include, exclude from, include from
incoming chmod, outgoing chmod, auth users, secrets file
strict modes, hosts allow, hosts deny
reverse lookup, forward lookup, ignore errors, ignore nonreadable
transfer logging, log format, timeout, refuse options
dont compress, early exec, pre-xfer exec, post-xfer exec
chroot
There are two kinds: "use chroot" and "daemon chroot"
use chroot
chroot to the "path" before starting the file transfer with the client
Disadvantages:
* requiring super-user privileges
* not being able to follow symbolic links that are either absolute
Configure - &include and &merge
--config=FILE specify alternate rsyncd.conf file
rsync --daemon --config=/etc/rsyncd.conf
* reference to either a file or a directory (&include /path/rsyncd.d or &include /path/rsyncd.d/bar.conf)
* without any recursive scanning, with the files sorted into alpha order
* it will read in all the *.conf or *.inc files
&include &merge directive
Both allow a reference to either a file or a directory(*.conf or *.inc).
&include directive
Lets you define one or more modules in a separate file without worrying about unintended side-effects between the self-contained module files.
(the &include directive treats each file as more distinct, with each one inheriting the defaults of the parent file)
&merge directive
Lets you load config snippets that can be included into multiple module definitions.
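One layout that uses both directives together, added here as an illustration (not from the page or the rsync project); the directory names under /etc/rsyncd.d are assumed:

```ini
# /etc/rsyncd.conf: global defaults, then one module file per directory entry.
port = 1873
use chroot = yes
secrets file = /etc/rsyncd.secrets
strict modes = yes
list = no
# Reads every *.conf or *.inc in the directory (alpha order, no recursion);
# each file starts from the global defaults above and stays separate from
# the others, so one module file cannot leak settings into its neighbours.
&include /etc/rsyncd.d/modules

# /etc/rsyncd.d/modules/mail_data.conf: one self-contained module
[mail_data]
path = /home/mail_data
read only = no
auth users = vmail
# &merge splices the snippet in as if its lines were typed here, so the
# same ACL can be shared by several module files.
&merge /etc/rsyncd.d/snippets/acl.inc

# /etc/rsyncd.d/snippets/acl.inc: shared snippet (kept outside the
# &include directory so it is not also read as a stand-alone module file)
hosts allow = 192.168.0.0/24
hosts deny = *
refuse options = checksum dry-run
```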
Log Rotate
/etc/logrotate.d/rsyncd
/var/log/rsyncd.log {
    daily
    compress
    rotate 14
    notifempty
    missingok
    copytruncate
    delaycompress
}
Improving the log format
2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] rsync to test/ from test@UNKNOWN (192.168.88.177)
2018/11/14 09:51:13 [3256] receiving file list
2018/11/14 09:51:13 [3256] sent 50 bytes received 98 bytes total size 4
[1] name lookup failed for n.n.n.n
# rsync >= 3.1.0
reverse lookup = no
2018/11/14 17:51:04 [3256] name lookup failed for 192.168.88.177: Name or service not known
2018/11/14 17:51:04 [3256] connect from UNKNOWN (192.168.88.177)
becomes
2018/11/14 17:57:00 [3331] connect from UNDETERMINED (192.168.88.177)
[2] Fixing the log timezone problem under chroot
[Option 1]
# run inside the module's "path" directory, which becomes the chroot root
mkdir ./etc
cp /etc/localtime ./etc
service rsyncd restart
[Option 2]
/usr/lib/systemd/system/rsyncd.service
[Service]
EnvironmentFile=/etc/sysconfig/rsyncd
/etc/sysconfig/rsyncd
TZ='UTC-8'
service rsyncd restart
pre-xfer exec, post-xfer exec
run before and/or after the transfer
environment variables:
- RSYNC_MODULE_NAME
- RSYNC_MODULE_PATH
- RSYNC_HOST_ADDR
- RSYNC_HOST_NAME
- RSYNC_USER_NAME
- RSYNC_REQUEST
- RSYNC_EXIT_STATUS
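A pre-xfer exec hook that uses these variables to refuse requests outside an allowed subtree and to leave an audit line per request, added as an example (not code from the page or from rsync); ALLOWED_SUBDIRS, LOG_PATH and the hook's install path are assumptions for the illustration.

```python
#!/usr/bin/env python3
# Added example (not from the page): a "pre-xfer exec" hook for rsyncd. The
# daemon runs it before the transfer with the RSYNC_* variables listed above in
# its environment; a non-zero exit aborts the transfer, and the hook's stdout is
# relayed to the client as the error text (rsyncd.conf(5)).
# Assumptions: the module only serves the subdirectories in ALLOWED_SUBDIRS and
# decisions are appended to the hypothetical log file LOG_PATH.
import os
import sys
import time

ALLOWED_SUBDIRS = ("daily", "weekly")   # constructed policy for this example
LOG_PATH = "/var/log/rsyncd/hooks.log"  # assumed path

def check_request(env):
    """Return (exit_code, message) for one request.

    RSYNC_REQUEST is the "module/path" text the client asked for and may list
    several sources ("mod/a mod/b"); each must be <module>/<allowed>/... and
    must not contain a ".." component. (Paths with spaces are ambiguous here;
    rsyncd also exports RSYNC_ARG# with the exact arguments.)
    """
    module = env.get("RSYNC_MODULE_NAME", "")
    request = env.get("RSYNC_REQUEST", "")
    if not request:
        return 1, "refused: empty request"
    for item in request.split():
        parts = [p for p in item.split("/") if p]  # "mod/daily/" -> ["mod", "daily"]
        ok = (len(parts) >= 2 and parts[0] == module
              and parts[1] in ALLOWED_SUBDIRS and ".." not in parts)
        if not ok:
            return 1, "refused: %s is outside %s/{%s}" % (
                item, module, ",".join(ALLOWED_SUBDIRS))
    return 0, "ok"

def log_line(env, code, message):
    """One audit line: time, client address, user, module, request, result."""
    return "%s %s %s %s %r %d %s" % (
        time.strftime("%Y/%m/%d %H:%M:%S"),
        env.get("RSYNC_HOST_ADDR", "-"), env.get("RSYNC_USER_NAME", "-"),
        env.get("RSYNC_MODULE_NAME", "-"), env.get("RSYNC_REQUEST", ""),
        code, message)

if __name__ == "__main__":
    code, message = check_request(os.environ)
    with open(LOG_PATH, "a") as fh:
        fh.write(log_line(os.environ, code, message) + "\n")
    if code:
        print(message)  # shown to the client when the transfer is refused
    sys.exit(code)
```

Wire it in with pre-xfer exec = /usr/local/sbin/rsyncd-prexfer.py (assumed path) inside the module; a matching post-xfer exec hook sees RSYNC_EXIT_STATUS but not RSYNC_REQUEST, which is set for pre-xfer only.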