[H-GEN] rsync and nfs
Bruce Campbell
bc at humbug.org.au
Sat Nov 6 13:41:54 EST 1999
[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]
On Thu, 4 Nov 1999, James Lever wrote:
> On Mon, Nov 01, 1999 at 04:05:30PM +1000, Craig Armour trumpeted
> forth and spake thusly:
>
> > I'm intending to use rsync however, I have several ideas as to the best
> > way to do this.
>
> > a) run rsyncd on the staging server and just use rsync like that

rsyncd is, IMHO, either suited towards providing anonymous rsync://
services (ie, mirror.aarnet.edu.au), or as multiple users updating
services on a machine. ie, overkill in your case.

> > b) export via nfs the relevant bits to the live server and use rsync
> > locally

This requires that both of your 'live' server and your internal 'real'
server must be operational and networked for your web pages to be visible.
Then you've got the issues of allowing nfs through your firewall.

> > c) variations on the above but mostly similar
>
> If security is what you're after, use rsync over ssh and only
> have ssh INTO the staging server from the live server.

urm, from the staging server to the live server.

To expand on this, the website of my employer resides on a redundant
server outside the firewall.

The technical writer (and when we employ one, webmaster) edits the html
files on the internal server, via his Windoze NT box and visionFS (a
commercial equivalent of samba). There is a password-protected web script
(on the internal web server) where they can click on 'Update External
website' which triggers:

    rsync -e "ssh -i /specific/ssh/identity/file" \
        -avz --progress \
        /path/to/master/copy/of/www \
        wwwuser@outside.box:/out/side/path/to/www

On the outside.box, the ~wwwuser/.ssh/authorized_keys has an entry for the
ssh key described in /specific/ssh/identity/file for:

    host=firewall,command="rsync --the-specific-rsync-options"

ie, when that specific/ssh/identity/file is used, it can only execute that
one command. We haven't gone as far as to only accept ssh on a specific
obscure ssh port which is blocked at the outside router, but that's what
I'd do in an extreme security environment as well.

> Otherwise, just use rsync over rsh, duh, though I wouldn't.

rsh is inherently insecure. ugh.

--==--
Bruce.
--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
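
The forced-command restriction described in the message above, written out as an added example that is not part of the original post or of the poster's actual configuration: a wrapper for the key's command= option that accepts only a receive-side rsync into the web root. OpenSSH spells the source-host restriction from="..."; the wrapper path /usr/local/bin/rsync-push-only, the function name and the allowlist of option shapes are assumptions, and the key material is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): forced-command wrapper for the
# push-only rsync key. Install on outside.box and reference it from
# ~wwwuser/.ssh/authorized_keys on a single line, e.g. (key is a placeholder):
#   from="firewall",command="/usr/local/bin/rsync-push-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER
# The wrapper path and the function name are hypothetical.

ALLOWED_DEST="/out/side/path/to/www"   # destination path used in the post

# Return 0 only if $1 is "rsync --server <short flags> . ALLOWED_DEST".
is_allowed_rsync() {
    set -f                      # no globbing while word-splitting the request
    set -- $1
    set +f
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] || return 1
    shift 2
    # Options: short flag clusters only (e.g. -vlogDtprze.iLsfxC).
    # Every long option is refused, including --sender, which would let
    # the key read files out. Assumption: widen only for what your client sends.
    while [ $# -gt 0 ] && [ "$1" != "." ]; do
        case $1 in
            --*|-*[!A-Za-z0-9.]*) return 1 ;;
            -?*) shift ;;
            *) return 1 ;;
        esac
    done
    # Exactly ". <dest>" must remain, and dest must be the web root.
    [ $# -eq 2 ] && [ "$1" = "." ] || return 1
    case $2 in
        "$ALLOWED_DEST"|"$ALLOWED_DEST/") return 0 ;;
        *) return 1 ;;
    esac
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f; exec $SSH_ORIGINAL_COMMAND   # word-split only, no shell parsing
    fi
    logger -p auth.warning "rsync-push-only refused: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    echo "refused" >&2
    exit 1
fi
```

rsync's own distribution includes a support script, rrsync, written for the same purpose.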