suzanne.soy/qubes-doc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

admin-api: document backup profile

Browse Source
This commit is contained in:
Marek Marczykowski-Górecki 2017-06-27 16:01:57 +02:00
parent f23bca5bff
commit 3923a4c3f6
No known key found for this signature in database
GPG Key ID: F32894BE9684938A
1 changed files with 73 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
services/admin-api.md
View File

@ -195,8 +195,6 @@ does not by itself support translation.
## Tags ## Tags
*not implemented yet*
The tags provided can be used to write custom policies. They are not used in The tags provided can be used to write custom policies. They are not used in
a default Qubes OS installation. However, they are created anyway. a default Qubes OS installation. However, they are created anyway.
@ -206,6 +204,79 @@ a default Qubes OS installation. However, they are created anyway.
- `managed-by-<vm>` &mdash;&nbsp;Can be used for the same purpose, but it is - `managed-by-<vm>` &mdash;&nbsp;Can be used for the same purpose, but it is
not created automatically, nor is it forbidden to set or reset this tag. not created automatically, nor is it forbidden to set or reset this tag.
## Backup profile
Backup-related calls do not allow (yet) to specify what should be included in
the backup. This needs to be configured separately in dom0, with a backup
profile, stored in `/etc/qubes/backup/<profile>.conf`. The file use yaml syntax
and have following settings:
- `include` - list of VMs to include, can also contains tags using
`$tag:some-tag` syntax or all VMs of given type using `$type:AppVM`, known
from qrexec policy
- `exclude` - list of VMs to exclude, after evaluating `include` setting
- `destination_vm` - VM to which the backup should be send
- `destination_path` - path to which backup should be written in
`destination_vm`. This setting is given to `qubes.Backup` service and
technically it's up to it how to interpret it. In current implementation it is
interpreted as a directory where a new file should be written (with a name
based on the current timestamp), or a command where the backup should
be piped to
- `compression` - should the backup be compressed (default: True)? The value can be either
`False` or `True` for default compression, or a compression command (needs to
accept `-d` argument for decompression)
- `passphrase_text` - passphrase used to encrypt and integrity protect the backup
- `passphrase_vm` - VM which should be asked what backup passphrase should be
used. The asking is performed using `qubes.BackupPassphrase+profile_name`
service, which is expected to output chosen passphrase to its stdout. Empty
output cancel the backup operation. This service can be used either to ask
the user interactively, or to have some automated passphrase handling (for
example: generate randomly, then encrypt with a public key and send
somewhere)
Not all settings needs to be set.
Example backup profile:
```yaml
# Backup only selected VMs
include:
- work
- personal
- vault
- banking
# Store the backup on external disk
destination_vm: sys-usb
destination_path: /media/my-backup-disk
# Use static passphrase
passphrase_text: "My$Very!@Strong23Passphrase"
```
And slightly more advanced one:
```yaml
# Include all VMs with a few exceptions
include:
- $type:AppVM
- $type:TemplateVM
- $type:StandaloneVM
exclude:
- untrusted
- $tag:do-not-backup
# parallel gzip for faster backup
compression: pigz
# ask 'vault' VM for the backup passphrase
passphrase_vm: vault
# send the (encrypted) backup directly to remote server
destination_vm: sys-net
destination_path: ncftpput -u my-ftp-username -p my-ftp-pass -c my-ftp-server /directory/for/backups
```
## General notes ## General notes
- there is no provision for `qvm-run`, but there already exists `qubes.VMShell` call - there is no provision for `qvm-run`, but there already exists `qubes.VMShell` call