Rsync is a utility for fast, low-bandwidth incremental file transfer. Its connections can be sent in the clear or encrypted via OpenSSH. It is commonly used for nightly backups and for creating mirrors.
Daemontools is a collection of tools for managing Unix services. It provides a means of monitoring a service, starting and stopping it and logging any debug and/or error messages. Daemontools provides easy service installation and removal, easy first time service startup, reliable restarts, easy, reliable signalling, clean process state and OS portability.
Ucspi-tcp is a collection of command-line tools for building TCP client-server applications. It is commonly used as a replacement for inetd and xinetd.
Running rsync from daemontools and ucspi-tcp provides numerous advantages, not the least of which is automatic restarts of crashed services. Ucspi-tcp allows you to restrict the number of connections to the service and limit the connections by IP address. Granted, iptables can also limit connections by IP address, but a little defense in depth never hurts.
First verify the daemontools "svscan" process is running. Choose a location where you want the physical service directories. I usually use "/var/service", however any directory may be used as long as it is not "/service".
Create the service directories with the following commands.
# mkdir -m 1755 /var/service/rsync
# mkdir -p -m 755 /var/service/rsync/log
Download the "run" scripts for rsync and its log.
# cd /var/service/rsync
# wget -c http://www.antagonism.org/scripts/rsync-run
# mv rsync-run run
# chmod 755 run
# cd log
# wget -c http://www.antagonism.org/scripts/log-run
# mv log-run run
# chmod 755 run
Warning: before using either of my "run" scripts, make sure you understand what the commands do. In the rsync "run" script, the tcpserver options I have configured do the following:
The rsync options I have configured do the following:
Create a "rsync" file in the "/etc/tcp" directory which contains your access controls. A default control list which will allow all traffic may look like this:
:allow
After creating the file, download and edit the Makefile so the line reading "all:" contains the file name "rsync.cdb". Below is an example.
all: rsync.cdb
Running the "make" command will create/update the CDB files as needed.
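The following is an added example, not one of the author's scripts: a shell function that reports which rule in a tcprules source file such as "/etc/tcp/rsync" applies to a given client address, so the list can be checked before it is compiled. It handles only exact-IP, dotted-prefix and empty-address rules (ranges and host name rules are not covered), and the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the rule a tcprules source file applies to a client IP.
# Subset of the format: exact IP, dotted prefixes ("198.51.100.") and the
# empty address (":allow" / ":deny"). Ranges and =hostname rules are ignored.

# rule_lookup FILE ADDRESS: print the action of the rule with exactly this address.
rule_lookup() {
    awk -v k="$2" '!/^#/ && (i = index($0, ":")) && substr($0, 1, i - 1) == k {
        a = substr($0, i + 1); sub(/,.*/, "", a); print a; exit }' "$1"
}

# tcprule_for FILE IP: try the full IP, then shorter prefixes ending in a dot,
# then the empty address. The most specific rule wins.
tcprule_for() {
    key=$2
    while :; do
        action=$(rule_lookup "$1" "$key")
        if [ -n "$action" ]; then echo "$action"; return 0; fi
        [ -z "$key" ] && break
        key=${key%.}                      # drop a trailing dot, if any
        case $key in
            *.*) key="${key%.*}." ;;      # 198.51.100.5 -> 198.51.100.
            *)   key= ;;                  # last step: the empty address
        esac
    done
    # tcpserver accepts the connection when no rule matches at all, so a list
    # without a final ":deny" still admits every unlisted address.
    echo "allow(default)"
}

# Constructed sample list: one backup host and one network allowed, one host
# inside that network refused, everything else refused.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# constructed sample rules (documentation address ranges)
192.0.2.10:allow
198.51.100.:allow
198.51.100.66:deny
:deny
EOF
for ip in 192.0.2.10 198.51.100.5 198.51.100.66 203.0.113.9; do
    printf '%s -> %s\n' "$ip" "$(tcprule_for "$rules" "$ip")"
done
rm -f "$rules"
```

The function reads the text source, not the compiled "rsync.cdb", so run it on the file before running "make".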
(The below section is taken almost verbatim from the following page created by John Simpson. I felt that his description of what happens when you activate a service was the most clear and easy to understand, so why change a thing?)
Once the directories are set up, you need to make them start running. This is done by creating a symbolic link from /service/(whatever) to the physical directory where the service lives. The "svscan" program checks /service every five seconds, and when it sees a new directory (or symbolic link) there, it starts a "supervise" process for that directory. In addition, if the directory has the sticky bit set and a child directory called "log", it starts a "supervise" process for the "log" child directory and sets up a pipe between the two processes (so that the main process's logs end up being sent to the log process).
The "supervise" program works by running the "run" script inside of whatever directory it's watching. If that child process (either the "run" script itself, or whatever process it runs using "exec") stops, it starts it back up by running the "run" script again.
The following command will create the symbolic link needed to start the rsync service.
# ln -s /var/service/rsync /service/rsync
After running this command, wait ten seconds (to give it time to start) and then run the "svstat" command to see what's running:
# svstat /service/rsync /service/rsync/log
/service/rsync: up (pid 2542) 7 seconds
/service/rsync/log: up (pid 2544) 7 seconds
As long as the new services show "up" with a timer of more than one second, the services are running correctly. If the timer on a service is 0 or 1 second, then wait about five seconds and run the same command - it should now be higher than 1 second. If it's still 0 or 1, then the service is having a problem and you need to fix it. This page provides some steps to troubleshoot daemontools service installations.