Re: Home server performing offsite back ups to Alibab OSS

There is potentially a nasty gotcha which is the firewall. ClearOS firewalling and docker do not play well together so, if you install app-docker, it will stop docker changing the firewall. If your docker app needs various firewall rules, and would normally create them itself, what I've done is edited /etc/sysconfig/docker-network to enable iptables. Then I restart the firewall and then docker. Snapshot the filter and nat firewall e.g:
Then start your docker container and dump the firewall again:
You then need to diff the files to work out the extra rules added by your image. Create the rules in a file /etc/clearos/firewall.d/20-something (use a number greater than 10 in the name) and add your rules to it.

You can see how I've done it if you install the ClearGLASS app or look in GitLab, but note that I've also integrated the firewall rules into the systemd unit file so when you start ClearGLASS the rules are added. See the 20-clearglass and clearglass.service files in clearglass-community in GitLab I've done something similar for the Samba Active Directory implementation in this post, but in this case I did not integrate it with any systemd file (there is not one). When Creating the firewall rules I took short-cuts. For the Samba AD one, docker was creating a rule for every port. I just created a single rule which covered the IP address and not the individual ports and protocols. Also docker was creating funny rules like a rule covering a docker interface then another identical rule covering all interfaces except the docker interface. I combined them into a single rule. I omitted rules where there were pre-existing ClearOS ones which took precedence. I think this relates to the "RELATED,ESTABLISHED" rules but I can't remember offhand.

This should be fixed by tomorrow.

This should be fixed by tomorrow.

BackupPC or BareMetal Backup?

I would like to backup my ClearOS server locally, so that should it crash I can restore it to what it was in its glory. I want to include all apps and their latest updates. It would be nice to include the latest subscription updates from Clear Center.

The down sides I see to both apps in the subject line are: (1) BareMetal only does home directories, flexshares, and server configuration files, rather than your entire ClearOS server (i.e. / ). In doing a restore, home folders and flexshares can only be restored if they don't exist. I'm thinking this includes even flexshares that are websites. Does this mean users would have to be deleted so when doing a restore, they're reinstated with their home directories? Does this mean that all websites would have to be deleted from your webroot (and flexshares)? And finally, your entire server contents are not backed up; just the three areas mentioned.

(2) BackupPC should be able to backup your entire server (i.e. / ), but it does this using samba, tar, or rsync. That's fine and all, but when doing a direct restore in BackupPC, it will not be able to write all the files back to the local server if the files on the server are not write permissive, which they will never be, because that would be stupid and unsafe thanks to hackers.

Anyone willing to share what they think the pros and cons are to each method? Maybe I'm not thinking through this right? Maybe it's not that important to backup the whole server? My ClearOS server is being implemented at a business for multiple uses, i.e. internet gateway (firewall, content filter, antimalware, etc.), web server, mail server, etc. Maybe if it goes down, installing ClearOS 7 from scratch and then restoring configuration files is the best way to go about it? I would like to figure this out rather than wait until our server crashes and I'm down until I'm up again. Thanks for any insight the community can offer (and any Clear gurus that run across this post).

I had to regenerate all my rpm database files a few weeks ago to increase the size of the database because "rpm -qa" queries were taking too long. Anyway most of my files are dated today as I did a localinstall of a package earlier this morning.

The updates you've listed mainly came from clearos-updates.

Hey Nick, that's what I figured, but I know that ClearOS-Updates was enabled because that's the first one I looked for. Problem is I can't remember which one I had to enable. Wish I had written it down, but I'd swear it was the plain ClearOS repo.

Can you verify if the files in /var/lib/rpm get updated whenever there's an update installed? If you look at the link I shared of an older post, at that time I was getting a repo error in the system log that was dated the same as the files in /var/lib/rpm. I'm not getting one now, but that doesn't mean it's not related.

Hi Dirk,
The updates you've listed mainly came from clearos-updates. This is not normally available for paid users. I'm pretty certain there is an issue with the clearsdn updates as I am seeing noting either. I am waiting to hear back from Dave on them.

Check to make sure your ClearOS repositories are enabled. I can't for the life of me remember which one was disabled, that when re-enabling allowed me to get the latest update. I was noticing the same thing. I want to say it was the ClearOS repository itself, being that's related to pertinent app updates rather than contributors to ClearOS. I don't know how it got disabled. I'm telling you, something got whacked out when files got updated in /var/lib/rpm back in February. Check out this post and you'll see what I mean. I had to rebuild the rpmdb to get it back to working. I never updated the rpmdb that would've caused the glitch.

The following are the latest updates I got after enabling the repository. Sorry I can't remember which repository it was, but it would've been a number of days after the rpmdb rebuild I mentioned above. Dunno if they're linked. Pretty sure it was just the ClearOS repository that was disabled.

libcomps-0.1.8-7.el7 Updated Mar 21, 17:00:25
python2-libcomps-0.1.8-7.el7 Updated Mar 21, 17:00:25
app-firewall-2.6.5-1.v7 Updated Mar 21, 17:00:25
app-attack-detector-2.3.6-1.v7 Updated Mar 21, 17:00:25
app-events-2.5.2-1.v7 Updated Mar 21, 17:00:25
app-firewall-core-2.6.5-1.v7 Updated Mar 21, 17:00:24
app-network-core-2.6.0-4.v7 Updated Mar 21, 17:00:23
app-network-2.6.0-4.v7 Updated Mar 21, 17:00:23
app-attack-detector-core-2.3.6-1.v7 Updated Mar 21, 17:00:23
app-events-core-2.5.2-1.v7

I have knocked up some basic app documentation at https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_proxypass. Please can you review it and add any comments. It is based on a bit of testing and some observations. I only have the app working for subdomains (e.g. subdomain.domain.com) and not for paths such as domain.com/subdomain, but this is probably intentional.

I have not tested http -> https redirects or the extra box. "Validate SSL connection to target" which sometimes appears.

There is potentially a nasty gotcha which is the firewall. ClearOS firewalling and docker do not play well together so, if you install app-docker, it will stop docker changing the firewall. If your docker app needs various firewall rules, and would normally create them itself, what I've done is edited /etc/sysconfig/docker-network to enable iptables. Then I restart the firewall and then docker. Snapshot the filter and nat firewall e.g:
Then start your docker container and dump the firewall again:
You then need to diff the files to work out the extra rules added by your image. Create the rules in a file /etc/clearos/firewall.d/20-something (use a number greater than 10 in the name) and add your rules to it.

You can see how I've done it if you install the ClearGLASS app, but note that I've also integrated the firewall rules into the systemd unit file so when you start ClearGLASS the rules are added. See the 20-clearglass and clearglass.service files in clearglass-community in GitLab I've done something similar for the Samba Active Directory implementation in this post, but in this case I did not integrate it with any systemd file (there is not one). When Creating the firewall rules I took short-cuts. For the Samba AD one, docker was creating a rule for every port. I just created a single rule which covered the IP address and not the individual ports and protocols. Also docker was creating funny rules like a rule covering a docker interface then another identical rule covering all interfaces except the docker interface. I combined them into a single rule. I omitted rules where there were pre-existing ClearOS ones which took precedence. I think this relates to the "RELATED,ESTABLISHED" rules but I can't remember offhand.