TurnKey Linux Virtual Appliance Library

Big backup in S3 backed root

 

The backup is made in the root not mnt drive and it only just fits

- How do I redirect backup away from the 9Gb root drive 

- If I use a symbolic link, does (ephemeral) /mnt survive a restart or reboot? or will I have to attach an EBS and fstab it? Would either of these restore?

- Will I need to reconfigure Duplicity /tmp as in Restoring from a large (7GB+) backup fails

 

Thanks

Alon Swartz

We deployed a tweak for this a while ago...

We deployed a tweak for this a while ago, which mount binds /tmp to /mnt/tmp so you can take advantage of the ephemeral storage.

The tweak is applied to all newly deployed servers, but if you need to apply it manually to a running server then it should be something like this:

# create the ephemeral-backed directory with the same permissions as /tmp (1777)
mkdir -p /mnt/tmp
chmod 777 /mnt/tmp/
chmod o+t /mnt/tmp/
# carry over whatever is already in /tmp, then bind-mount it into place
cp -ar /tmp/* /mnt/tmp/ >/dev/null 2>&1 || true
mount --bind /mnt/tmp /tmp

Ephemeral storage should survive a reboot, but not a start-stop (ebs backed).

If you would like the mount binding to happen automatically on reboot / start-stop, the following should help (note that you don't need to do this on newly launched instances):

FIRSTBOOT_MNTTMP=/usr/lib/inithooks/firstboot.d/26ec2-mnttmp
EVERYBOOT_MNTTMP=/usr/lib/inithooks/everyboot.d/26ec2-mnttmp

cat > $FIRSTBOOT_MNTTMP <<EOF
#!/bin/bash -e
# mount bind /mnt/tmp (ephemeral storage) on /tmp

is_mounted() {
    mount | grep -q "^\$1 on \$2 "
    return \$?
}

# skip if already mounted
is_mounted /mnt/tmp /tmp && exit 0

mkdir -p /mnt/tmp
chmod 777 /mnt/tmp/
chmod o+t /mnt/tmp/
cp -ar /tmp/* /mnt/tmp/ >/dev/null 2>&1 || true
mount --bind /mnt/tmp /tmp
EOF

chmod +x $FIRSTBOOT_MNTTMP
cp $FIRSTBOOT_MNTTMP $EVERYBOOT_MNTTMP

I hope the above helps...

I think that covers it and

I think that covers it and goes the extra mile too.  I'll also add a couple of paranoia options for overbackup

-- thanks for being comprehensive, responsive and......

awesome

 


noexec /tmp

I was trying to figure out where /mnt/tmp was created at boot time and stumbled across this article.

Binding /mnt/tmp on /tmp is great for a bit more performance on the ephemeral side, great idea! (I've always wondered about using flashcache or bcache to write-through-cache ephemeral->ebs, but that's off-topic).

You might consider mounting the ephemeral storage on /mnt as noexec,nosuid.

This is good practice for /tmp in general and it blocks certain attack vector classes and increases Linux server security.  I've seen many attacks get in with weak 1777 dirs, I can't wait to see distros noexec'ing their 1777's by default.  I've yet to see a case where this breaks a system. 

my $0.02 :)

-Eric

www.globallinuxsecurity.pro
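The bind-mount setup from the reply above and the noexec,nosuid suggestion in this comment can both be verified on a running server with a small audit script. This is an added example, not code from TurnKey or from either poster; it assumes Linux (it reads /proc/self/mounts and uses GNU stat -c), and the function names (mount_opts_has, mount_options, dir_mode, hardened_opts, audit_tmp) are my own.

```shell
#!/bin/sh
# Added example: audit a world-writable temp directory such as /tmp or /mnt/tmp.
# Checks (1) the directory is mode 1777 (world-writable with the sticky bit, as the
# chmod 777 + chmod o+t in the thread produce), and (2) it sits on a mount that
# carries both noexec and nosuid, as suggested in the comment above.

# mount_opts_has OPTS OPT: true if the comma-separated OPTS contains OPT exactly
# (so "noexec" does not match a hypothetical "nonoexec").
mount_opts_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_options MOUNTPOINT: print the option string for MOUNTPOINT from the
# kernel's mount table; fails if nothing is mounted exactly there. This is the
# same question as the thread's is_mounted, asked of /proc instead of `mount | grep`.
mount_options() {
    while read -r _dev mp _fstype opts _rest; do
        if [ "$mp" = "$1" ]; then
            printf '%s\n' "$opts"
            return 0
        fi
    done < /proc/self/mounts
    return 1
}

# dir_mode DIR: print the octal mode including special bits, e.g. 1777 (GNU stat).
dir_mode() {
    stat -c '%a' "$1"
}

# hardened_opts OPTS: true only if both noexec and nosuid are present.
hardened_opts() {
    mount_opts_has "$1" noexec && mount_opts_has "$1" nosuid
}

# audit_tmp DIR: report findings on stdout; exit status 0 means DIR passes both checks.
audit_tmp() {
    dir=$1
    status=0
    mode=$(dir_mode "$dir") || return 1
    if [ "$mode" != "1777" ]; then
        echo "WARN: $dir mode is $mode, expected 1777 (world-writable + sticky bit)"
        status=1
    fi
    if opts=$(mount_options "$dir"); then
        if hardened_opts "$opts"; then
            echo "OK: $dir is a mount with noexec,nosuid ($opts)"
        else
            echo "WARN: $dir is mounted without noexec+nosuid ($opts)"
            status=1
        fi
    else
        echo "WARN: $dir is not its own mount point; it inherits the parent filesystem's options"
        status=1
    fi
    return $status
}

# Stand-alone usage: sh audit_tmp.sh /tmp
if [ $# -gt 0 ]; then
    audit_tmp "$1"
fi
```

Run it as root with the directory to audit, for example sh audit_tmp.sh /tmp and sh audit_tmp.sh /mnt/tmp. One caveat when combining the two suggestions: a plain mount --bind does not apply flags such as noexec on the initial bind, so after the bind in the hook script they have to be set in a second step with mount -o remount,bind,noexec,nosuid /tmp, and the ephemeral filesystem itself gets them with mount -o remount,noexec,nosuid /mnt or through the options column of its /etc/fstab entry.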
