diff --git a/roles/backup_client/molecule/default/group_vars/parameters-mandatory.yml b/roles/backup_client/molecule/default/group_vars/parameters-mandatory.yml
index dc2ef3e47b323008ebeeb789d2680dce49237d0d..7630a5b45117240703eda5791d27a46096a1c010 100644
--- a/roles/backup_client/molecule/default/group_vars/parameters-mandatory.yml
+++ b/roles/backup_client/molecule/default/group_vars/parameters-mandatory.yml
@@ -1,7 +1,7 @@
 ---
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"
-backup_server: 10.31.127.10
+backup_server: 192.168.56.10
 backup_server_host_ssh_public_keys:
 - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
 - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
diff --git a/roles/backup_client/molecule/default/group_vars/parameters-optional.yml b/roles/backup_client/molecule/default/group_vars/parameters-optional.yml
index 6a39667964d968f3092d891cebd120659deb4ca4..eebb13779147fd725e5f22f9183724317fbde886 100644
--- a/roles/backup_client/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/backup_client/molecule/default/group_vars/parameters-optional.yml
@@ -6,7 +6,7 @@ backup_additional_encryption_keys:
 - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"
 backup_client_username: backupuser
 backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
-backup_server: 10.31.127.10
+backup_server: 192.168.56.10
 backup_server_destination: "/duplicity/{{ inventory_hostname }}"
 backup_server_host_ssh_public_keys:
 - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
diff --git a/roles/backup_client/molecule/default/molecule.yml b/roles/backup_client/molecule/default/molecule.yml
index 4c9d403b9fb43ff2e9e164d619babe2ed7fcb5d1..dd5a154133386ff6c4eba0a9f95314971eb8087c 100644
--- a/roles/backup_client/molecule/default/molecule.yml
+++ b/roles/backup_client/molecule/default/molecule.yml
@@ -23,7 +23,7 @@ platforms:
 cpus: 1
 interfaces:
 - auto_config: true
- ip: 10.31.127.10
+ ip: 192.168.56.10
 network_name: private_network
 type: static
@@ -35,7 +35,7 @@ platforms:
 cpus: 1
 interfaces:
 - auto_config: true
- ip: 10.31.127.20
+ ip: 192.168.56.20
 network_name: private_network
 type: static
@@ -47,31 +47,7 @@ platforms:
 cpus: 1
 interfaces:
 - auto_config: true
- ip: 10.31.127.21
- network_name: private_network
- type: static
-
- - name: parameters-mandatory-s64
- groups:
- - parameters-mandatory
- box: debian/contrib-stretch64
- memory: 256
- cpus: 1
- interfaces:
- - auto_config: true
- ip: 10.31.127.30
- network_name: private_network
- type: static
-
- - name: parameters-optional-s64
- groups:
- - parameters-optional
- box: debian/contrib-stretch64
- memory: 256
- cpus: 1
- interfaces:
- - auto_config: true
- ip: 10.31.127.31
+ ip: 192.168.56.21
 network_name: private_network
 type: static
diff --git a/roles/backup_client/molecule/default/tests/data/ssh/parameters-mandatory-known_hosts b/roles/backup_client/molecule/default/tests/data/ssh/parameters-mandatory-known_hosts
index b74cff96f3436a758dfa282d4a3ea4fb0f6af40c..3eefa58645e63055488609c1754f5b68e3c25555 100644
--- a/roles/backup_client/molecule/default/tests/data/ssh/parameters-mandatory-known_hosts
+++ b/roles/backup_client/molecule/default/tests/data/ssh/parameters-mandatory-known_hosts
@@ -1,6 +1,6 @@ -[10.31.127.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ -10.31.127.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ -[10.31.127.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 -10.31.127.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 -[10.31.127.10]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= -10.31.127.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= +[192.168.56.10]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ +192.168.56.10 ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ +[192.168.56.10]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 +192.168.56.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 +[192.168.56.10]:2222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= +192.168.56.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= diff --git a/roles/backup_client/molecule/default/tests/data/ssh/parameters-optional-known_hosts b/roles/backup_client/molecule/default/tests/data/ssh/parameters-optional-known_hosts index a6ded363b306f46862a10c471778984c63969dad..b9324f6b1df23f9ae7cfe1f2aa40d384040b09e4 100644 --- a/roles/backup_client/molecule/default/tests/data/ssh/parameters-optional-known_hosts +++ b/roles/backup_client/molecule/default/tests/data/ssh/parameters-optional-known_hosts 
@@ -1,6 +1,6 @@ -[10.31.127.10]:3333 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ -10.31.127.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ -[10.31.127.10]:3333 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 -10.31.127.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 -[10.31.127.10]:3333 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= -10.31.127.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= +[192.168.56.10]:3333 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ +192.168.56.10 ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ +[192.168.56.10]:3333 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 +192.168.56.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 +[192.168.56.10]:3333 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= +192.168.56.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= diff --git a/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py b/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py index a84a56d2ccd614a8b23db22c8f08cecb0a2a8dd5..7da2d5a8e8024f013ed9c62fff82db238000dee2 100644 --- a/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py +++ b/roles/backup_client/molecule/default/tests/test_parameters_mandatory.py 
@@ -70,7 +70,7 @@ def test_duply_configuration_content(host):
 assert "GPG_KEYS_ENC='59C26F031A129C54'" in duply_configuration.content_string
 assert "GPG_KEY_SIGN='59C26F031A129C54'" in duply_configuration.content_string
- assert "TARGET='pexpect+sftp://bak-%s@10.31.127.10:2222//duplicity'" % hostname in duply_configuration.content_string
+ assert "TARGET='pexpect+sftp://bak-%s@192.168.56.10:2222//duplicity'" % hostname in duply_configuration.content_string
 assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content_string
diff --git a/roles/backup_client/molecule/default/tests/test_parameters_optional.py b/roles/backup_client/molecule/default/tests/test_parameters_optional.py
index dc02af311ff1ca1585200ea84ebb40317e61518e..89b8d844fa6b958513288471641c13b76b9f553a 100644
--- a/roles/backup_client/molecule/default/tests/test_parameters_optional.py
+++ b/roles/backup_client/molecule/default/tests/test_parameters_optional.py
@@ -69,7 +69,7 @@ def test_duply_configuration_content(host):
 assert "GPG_KEYS_ENC='C4B2AE9F7A4F400A,3093C91BC3A9444B,86816FD928063B3F,8A14CD6C71223B72'" in duply_configuration.content_string
 assert "GPG_KEY_SIGN='C4B2AE9F7A4F400A'" in duply_configuration.content_string
- assert "TARGET='pexpect+sftp://backupuser@10.31.127.10:3333//duplicity/%s'" % hostname in duply_configuration.content_string
+ assert "TARGET='pexpect+sftp://backupuser@192.168.56.10:3333//duplicity/%s'" % hostname in duply_configuration.content_string
 assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content_string
diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml
index 65ac161dfefcd6d0d8870fc9ca6e65961ce691e3..e3cf02096b2823ed70506c416b74d459924966b1 100644
--- a/roles/backup_client/tasks/main.yml
+++ b/roles/backup_client/tasks/main.yml
@@ -1,6 +1,9 @@
 ---
-- name: Install pexpect for pexpect+sftp Duplicity backend (mainly needed on Stretch)
+# See duply_main_conf.j2 for details on why this is required (at least
+# on Debian 10 Buster). With newer versions of Debian it might be
+# possible to switch to Paramiko backend.
+- name: Install pexpect for pexpect+sftp Duplicity backend
 apt:
 name: "python-pexpect"
 state: present
diff --git a/roles/backup_client/templates/duply_main_conf.j2 b/roles/backup_client/templates/duply_main_conf.j2
index b2ff4393f658c7a3f8965c28eb4c80a4c3cfd2ab..0ae4120d9bafa0185bfaccb19609db97f7c927c0 100644
--- a/roles/backup_client/templates/duply_main_conf.j2
+++ b/roles/backup_client/templates/duply_main_conf.j2
@@ -9,6 +9,14 @@ GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}'
 GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always"
 
 # Destination where the backups are stored at.
+#
+# Use the pexpect+sftp backend for Duplicity so we can (see also
+# DUPL_PARAMS and --ssh-options):
+#
+# - Pass in custom options for user/global known_hosts files (not
+# possible with Duplicity shipping with Debian 10 Buster).
+# - Reduce logging verbosity (avoiding output from sftp that mentions
+# updates of user's known_hosts file with IP addresses).
 TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}'
 
 # Base directory to backup (root). File selection is done via include/exclude
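Review bot: The apt task installs `python-pexpect` by fixed name, which is the Python 2 build of the module; the new comment ties the requirement to Debian 10 Buster, whose packaged duplicity (as far as I know) still runs on Python 2, but on releases where duplicity is a Python 3 program the module would have to come from `python3-pexpect` and this name is absent, so the role would fail at the install step rather than fall back to the Paramiko backend the comment anticipates. Consider lifting the name into a role default, e.g. `backup_client_pexpect_package: python-pexpect` in defaults/main.yml and `name: "{{ backup_client_pexpect_package }}"` here, so that switching releases is a variable override instead of a task edit. The task list continues outside the hunk, so I cannot see whether a distribution-specific conditional already guards it.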
@@ -43,10 +51,12 @@ ARCH_DIR="/var/cache/duply/main/"
 # without any encryption, this effectively means no prompts.
 DUPL_PARAMS="$DUPL_PARAMS --use-agent"
 
-# Use the pexepct backend for Duplicity so we can pass in all the
-# ssh-options. Use dedicated known hosts and identity file when connecting over
-# SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly
-# to avoid output from sftp telling us it added IP address to known_hosts.
+# Rely only on global known_hosts file (which should only contain
+# resolvable names), bypassing addition of IP addresses to root's
+# known_hosts file. Log level is configured to reduce verbosity
+# (mentions of IP address additions to user's known_hosts file). Use
+# dedicated private key for performing logins towards the backup
+# server.
 DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"
 
 # By default we exclude everything, and then include only specific patterns.
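Review bot: The `--ssh-options` string on the DUPL_PARAMS line still leaves host-key acceptance at OpenSSH's default `StrictHostKeyChecking=ask`, so a backup server whose key is missing from /etc/duply/main/ssh/known_hosts gets an interactive "continue connecting?" prompt instead of a hard failure, and because the user file is `/dev/null` whatever gets accepted is never recorded; the pexpect backend drives sftp through a pseudo-terminal, so how it answers that prompt (I believe duplicity's backend answers "yes", but that code is outside this diff) decides whether an unknown key is trusted. Adding `-oStrictHostKeyChecking=yes` to the options makes the role-managed global file the sole trust anchor, which is what the new comment says is intended. The comment's claim that the global file "should only contain resolvable names" also does not match the role's own fixtures and TARGET, where the server is addressed by IP and the known_hosts entries are keyed `[ip]:port`; I would reword it to `# Rely only on the global known_hosts file managed by this role (entries keyed by backup_server and port, exactly as used in TARGET), never root's ~/.ssh/known_hosts.` Note finally that `-oLogLevel=ERROR` hides the "Permanently added ... to the list of known hosts" warning, which is the one visible sign that a key was accepted fresh rather than matched against that file.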