Cooking with Linux - Security for Your Database. It's Totally Mondo!

Security means different things to different people. On your Linux system, security isn't only about keeping people out, it's also about knowing you can restore the e-mail folder you deleted accidentally.

Why can't I log in to our main server, François? You were trying to improve the security? Without discussing it with me? Yes, yes, of course, I appreciate the spirit of your intentions, but now there's no way to access the system remotely at all. In fact, I can't even log in on the main console. You changed the passwords? And encrypted the filesystems? Mon Dieu, François, that is certainly a little over the top. Well, just tell me the new password, and I'll put things back to the way they were. What do you mean, you can't? You've forgotten the passphrase you used when you encrypted the filesystems?

Luckily for you, mon ami, our guests are already here, and we have backups. Head to the wine cellar and bring back the 2001 Mas la Plana Cabernet from Spain. And, while you are down there, don't lock any doors or change any combinations.

Welcome, mes amis, to Chez Marcel, where exceptional vintages are paired with exceptional Linux and open-source software. Please, take your seats and make yourselves comfortable. My faithful waiter is in the cellar fetching the wine. Before you arrived, François demonstrated admirably why it is important to have a reliable backup system. Backups can be simple collections of files burned to a CD, a tarred bundle stored on a remote system or a copy of your data on a separate drive. There are, in fact, thousands of ways to create a backup, and for many of us, it usually involves backing up only those files that are near and dear to our hearts. In a multiuser environment or on a large, busy system, picking up files here and there may not be enough. You need everything.

Ah, François, you have returned. Please, pour for our guests. Enjoy, mes amis, this is a wonderful wine with some some great, dark fruit complexity and just a hint of chocolate.

As excellent as the wine might be (and it is), the real star of tonight's menu is a powerful backup and system recovery program called Mondo Rescue. The spirit of Mondo Rescue resides in a scenario no one wants to envision, a catastrophic system failure. I'm not talking about losing your e-mail folder (although I would consider this a catastrophe as well). Mondo Rescue is concerned with “the hard disk is gone, the machine has exploded, and we need to start from scratch” kind of catastrophe. Or, as in François' case, security enhancements gone terribly wrong. Mondo Rescue works with a variety of backup media, and it can create bootable backups that let you restore a mirror image of your system prior to the disaster.

To get started, visit the Mondo Rescue Web site to pick up your copy of the software (see Resources). You'll need a few things to get started, because there isn't a single, all-inclusive Mondo Rescue package. Don't worry; it's a short list, and Mondo Rescue provides packages for an impressive number of distributions and release levels. The packages you need are afio, buffer, mindi, mindi-busybox, syslinux and the main package, the aptly named mondo. As I felt it necessary to use the word “aptly”, this is where Debian and Ubuntu users can claim bragging rights, because they can install everything they need by typing apt-get install mondo.

Mondo Rescue has, of course, two sides: preparation for disaster and recovery from that disaster. The backup program is called mondoarchive, and the restore program is called mondorestore. Let's start with the backup program.

The mondoarchive program runs in interactive mode by default, with a stylish (by ncurses standards) and easy-to-use interface. You navigate the interface by using your keyboard and pressing the Tab key to go from one menu option to another. Start mondoarchive from a shell prompt. You also need to be running as root, so something like sudo mondoarchive or su -c 'mondoarchive' should work well.

The Welcome screen (Figure 1) also is the selection screen for your backup medium. You can choose from CD-R or DVD-R disks, tapes, an NFS-mounted directory, a location somewhere else on disk and more. Given the nature of a catastrophic disaster, somewhere on your local disk may not appear to be the best choice, but you also can use Mondo Rescue to generate bootable-CD or DVD ISO images from which you can boot and restore your system. Because many home users have access to a CD or DVD writer to which they can burn these images, but not necessarily a tape drive, let's use that as our example.

Figure 1. Ready to back up? Select your medium of choice.

By the way, this isn't the same as backing up directly to a CD- or DVD-recordable drive. If you choose that option, you are asked to insert blank disks at various points in the process.

Tab to the Hard disk option, and press Enter. You'll be asked for the pathname to the disk location you want to use for your backup (Mondo Rescue will provide a suggestion). If you chose a tape-drive backup, Mondo Rescue would try to guess the location of your tape drive—normally successfully.

The next screen (Figure 2) is worth thinking about, because it seriously affects the performance of your backup. This is the compression screen. To minimize the space in which backups are stored, the mondoarchive program can compress files on the fly. You can elect to skip compression or select minimum, average or maximum compression. The higher the compression, the more impact on speed and performance.

Figure 2. Compression can affect the performance of your backups dramatically.

Those of you following along with my example will be writing bootable-ISO image backups to disk, but what kind of images? CD-Rs can store 650MB–700MB of data (depending on the type you bought), and DVDs can store roughly 4GB. Enter the information in megabytes, press Tab to select OK, and then move on to the next screen. The ISO images are called mondorescue-1.iso, mondorescue-2.iso and so on. You now have the opportunity to override that naming convention by selecting a different name. If you're happy with the default, press Enter to continue.

Next, is the Backup Paths screen. By default, everything is backed up from the root (/), on down. Most people will be happy with this and can safely move on to the next screen. Incidentally, should you happen to have a system with NTFS partitions (such as on dual-boot systems with Windows), Mondo Rescue offers to back up those as well and informs you of their presence. You can accept these or remove them from the list of backed-up partitions.

Having mentioned that it makes sense to back up the whole system, I recognize you probably really don't want everything. On my system, I often have entire filesystems where I download ISOs of Linux distributions so I can experiment with them on virtual machines. I don't want to back these up. I also have folders filled with what can be described only as ephemeral junk—things that seemed like a good idea at the time, but that I haven't gotten around to cleaning up, and certainly don't want to back up. Simply list all the folders you want to exclude from backup, separated by spaces.

Figure 3. You can trim your backups by excluding certain folders or filesystems.

At this point, you are almost ready to roll. The mondoarchive program asks whether you want to verify your backup, and then it follows up with a very strange question: “Are you confident that your kernel is a sane, sensible, standard Linux kernel? Say 'no' if you are using Gentoo < 1.4 or Debian < 3.0, please.” Mondo Rescue wants to make sure the kernel it uses to boot the CD (or DVD) has the smarts to boot properly. If you have any doubts, or you like to spin your own kernels, say no, and Mondo Rescue will use its own. Once you have made a choice, the mondoarchive program alerts you that it is ready to start. This is your last chance to change your mind.

The backup begins, also in ncurses graphical mode, starting with the creation of a catalog of filenames to back up (Figure 4).

Figure 4. Mondo Rescue creates a catalog of files when starting the backup.

What follows next is interesting only the first few times—mostly because you probably have better things to do with your time. The screen shows a report of the backup broken up into file sets, the creation of boot diskettes and so on. At this point, Mondo Rescue is ready to back up your data and displays a nice progress bar, telling you which ISO is being written, how much of it is done and how long you can expect the whole process to take (Figure 5).

Figure 5. The backup is underway, with an on-screen progress report.

Speaking of better things to do with our time, this is probably a good time for a wine refill. François, please make sure our guests' glasses are topped up.

This is all well and good, but sitting in front of a terminal session running a backup isn't what most people want to do most of the time. Consequently, all of this can be done from the command line, which is exactly what you want if you are going to run the program from a cron job. For example, take a look at the following command:

mondoarchive -Oid /mnt/bigdrive -l GRUB -F -V -3 -N

That command says to create a mondoarchive backup (-O), to create ISO images (-i), to use a location on disk (-d), that the bootloader is GRUB (-l), to skip the creation of boot diskettes (-F), to verify the backup (-V), to use moderate compression (-3) and to ignore NFS-mounted partitions (-N). I'm going to concentrate on the interactive mode of the backup here, but I invite you to examine the various options by typing man mondoarchive at a command prompt.

Eventually, you will have a complete backup and, in this case, one or more ISO images that you can burn to a CD or DVD. The first disk in the set is the one from which you'll want to boot. In a few seconds, you'll see a menu like the one shown in Figure 6 (currently running in a QEMU virtual machine).

Figure 6. The Mondo Rescue Boot Menu

You have several options when it comes to restoring your system (nuke, interactive and expert), including not restoring your system (compare). If you choose the nuke option, your system is restored as it was, and any filesystems currently on your computer are destroyed and re-created from the backup. Use this option with extreme care. You also might want to restore one or more files and folders. For this, use interactive mode. Finally, expert mode drops you to a command prompt. You also can simply wait a few seconds, and the restore disk boots normally and then takes you to a graphical (ncurses) interface for the mondorestore program (Figure 7).

Figure 7. The Top-Level Menu for the mondorestore Program

Your four choices, although worded differently, are the same as those you saw earlier at boot time. If you choose Interactively, you'll be prompted for the source of your backups. Before we go any further, it's worth noting that the idea behind Mondo Rescue is to provide a means of disaster recovery when everything is gone, which is why backups are created to be bootable (tapes, CDs and so forth). This is fantastic if major disaster strikes, but what if it's a minor disaster, such as accidentally deleting your boss' e-mail folder? You certainly don't want to take down a running production system, even if the only important information in his e-mail folder are stats from a football pool. Luckily, you can restore a file or folder to a live system, interactively. This is how you do it.

From the command line, type mondorestore. An ncurses-based display appears asking for your boot disk, CD or floppy. Simply press Enter, and you'll find yourself at the file catalog.

It may take a few seconds for the program to extract the file catalog, but soon you'll be presented with a list of files and folders starting from the root directory. Using the arrow keys, you can navigate up and down through the list. Along the bottom of this screen are text buttons labeled Less, More, Toggle, RegEx, Cancel and OK (Figure 8). To expand a folder or directory, cursor to the right, go to the More button, and press Enter. To select a file or folder for restoring, cursor right again to the Toggle button, and press Enter. An asterisk appears to the left of the filename you've selected. Press Enter again to deselect it. To continue searching through the file list, cursor left past the Less button, and you can scroll up and down through the list again.

Figure 8. Choosing the Files or Folders to Restore

Before you ask, the reason I didn't mention the RegEx button is that this is still a feature under development, and it really doesn't do anything at this time.

Once you have selected everything you want to restore, cursor over to the OK button, and press Enter. An alert pops up asking whether you are happy with your selection. Press Yes to continue with the restore. On the next screen, select a restore path. If you want to restore in place (and overwrite any current files), accept the default, which is the root directory. Often, you'll want to restore a file into an alternate location and move it back when you are satisfied with its content. If that is the case, enter an alternate path, and press Enter. The next screen (Figure 9), boasts “Restoring from archives” and provides a nice report of the restore process.

Figure 9. Hurrah! The lost files are being restored.

The dialog displays the tarball in which it is currently searching, on which disc, a percentage of completion and an estimated time remaining before all your files are restored. That's it. Your all-important files (and, they are all important when lost) have been restored.

Once again, mes amis, the clock indicates that it is indeed closing time. I trust you are feeling satisfied and relaxed from the wine. While François refills your glasses a final time, I should point out that development on Mondo Rescue is ongoing, and there is a helpful and enthusiastic user base, ready to help with any issues you might encounter. Take a moment to visit the support page and join the mailing list on the Mondo Rescue site, and you'll not only be more relaxed, you also will sleep soundly knowing your data can be restored. Please raise your glasses, mes amis, and let us all drink to one another's health. A vôtre santé Bon appétit!

______________________

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix