On 6/10/19 4:04 PM, Otto Kratik wrote:
I have a lightweight solution that may be good-enough for some people
out there, and a simple suggestion at the bottom.
I have been bitten by this dom0 backup omission more times than I can
remember. The problem is that the standard dom0 backup system does not
save any of my dom0 highly tweaked system configuration files. Thus
whenever restoring from backup is required, I am forced to manually
reconfigure everything from scratch.
In order to have 'the privilege' of running Qubes-OS here as my desktop
system I am forced to configure my machine according to "the standard"
configuration. I need to install specific software, 2FA, install cron
jobs, run compliance reports, just to maintain access to network resources.
Example: I just got back from short term disability, and found I was
locked out and I needed to breach my own system's numerous security
controls, rebuild, and reconfigure from the ground up. I'm still picking
up the pieces and am trying to get everything back together for the
inspections starting next week.
To save myself from having to go through this fiasco even one more time
I am now saving off the dom0 configuration information using a specific
list of those things that I have to hand modify. I then push that copy
to a dedicated AppVM where it will be backed up just as any normal AppVM
would be. The hardest part is remembering to add any changed
configuration file to my configuration save list, though I am sure this
too can be automated.
The super simple command I am using to save this set of configuration
files is:
sudo tar cf - --dereference --files-from="$FILELIST" | \
qvm-run -a -p "$DOCVM" "cd /home/user/dom0-config && tar xvf -"
Here I am deliberately expanding the directory tree on the other side,
but you might want instead to simply create an archive and label it with
a date time-stamp before moving the archive over. I use this tree to
diff and document my system within that dedicated AppVM. If any dom0
configuration files have changed it will be obvious. When recovering, by
simply moving this configuration tree back to dom0, it will put me back
to where I was before.
Apart from that there may be some rpm packages to install and scripts to
run, but that is Ok with me because I have all that documented and
scripted. I don't need to backup everything in dom0. Just the important
stuff in /etc, /usr/local/*, software archives, special rpm's, etc. If I
didn't have to edit it, run, or install it, then I really don't need to
back it up. It's simply a minimalist recovery capsule.
Suggestion - If the standard dom0 command line backup tool could be
extended to allow a dom0 include-list argument, then it might mitigate
this whole problem. If the user could simply add and remove file
references to this include-list, then a full backup of dom0 might not be
necessary. The user then decides what is important to add to this list.
When restoring, the user would still have to move the individual
recovered files back into place, but at least the user would *have* all
the pieces needed to get up and running again.
steve
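
The post notes that the hardest part is remembering to add changed configuration files to the save list. The following is an added example, not part of the original message: it reads `rpm -Va` output and reports packaged files whose contents changed but which the save list does not cover. The names `uncovered_changes` and `sample_rpm_va` are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads `rpm -Va` output on stdin and prints every packaged file whose
# content digest changed and which is not covered by the save list ($1).
uncovered_changes() {
    filelist=$1
    awk -v list="$filelist" '
        BEGIN {
            # Load the save list; skip blank lines and # comments.
            while ((getline line < list) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                sub(/\/+$/, "", line)   # "/etc/foo/" and "/etc/foo" are one entry
                saved[line] = 1
            }
            close(list)
        }
        # rpm -V flags look like "S.5....T."; a "5" in column 3 means the
        # file digest differs from the packaged one.
        substr($1, 3, 1) == "5" && match($0, /\//) {
            path = substr($0, RSTART)
            covered = 0
            # Covered if the file itself or any parent directory is listed.
            p = path
            while (p != "") {
                if (p in saved) { covered = 1; break }
                sub(/\/[^\/]*$/, "", p)
            }
            if (!covered) print path
        }
    '
}

# Constructed sample of `rpm -Va` output (not captured from a real system).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/fstab
S.5....T.  c /etc/pam.d/system-auth
missing     /etc/cron.d/example
..5....T.    /usr/lib/systemd/system/foo.service
EOF
}

# Usage in dom0:  sudo rpm -Va | uncovered_changes "$FILELIST"
```

`rpm -Va` only verifies files owned by a package, so files created by hand (for example under /usr/local) still have to be added to the list manually.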