Building a FreeBSD backup server

In order to backup my Linux and Mac OS X boxes I set up a FreeBSD server running Netatalk and rsync as daemon. Netatalk plays nicely with Time Machine on the Macs, while rsyncd handles all files sent from my Linux box. This is a home setup, so I want things to be easy and didn't install BackupPC, Bacula, or such. And since my backup server runs inside a virtual machine, I chose good old UFS2 over ZFS after some testing. Interestingly, ZFS (gzip) compression saved more free space (overall ratio was about 1.6:1 of real data to compressed data) than deduplication (benefit was just 1.05:1).

• Set up a VM with 1 vCPU, 2 GB RAM, 20 GB harddisk for the base os, and two 500 GB harddisks for the backup area
• Install FreeBSD 9.2 amd64 (i386 would be ok, too) on the 20 GB harddisk:

  =>      34  41942973  ada0  GPT  (20G)
          34       128     1  freebsd-boot  (64k)
         162  33554432     2  freebsd-ufs  (16G)
    33554594   8386560     3  freebsd-swap  (4G)
    41941154      1853        - free -  (926k)
  

• Install all packages except lib32
• Put this to /etc/make.conf:

  WITHOUT_X11=yes
  WANT_BDB_VER=5
  

• Install rsync:

  # make -C /usr/ports/net/rsync install clean
  

  Choose Docs, SSH, and ZLIB_BASE only
• Install netatalk version 3:

  # make -C /usr/ports/net/netatalk3 install clean
  

  Choose DBUS, PAM, and SENDFILE
• While the config dialogs for subsequent packages were being shown, I deselected any options that would have pulled X11, GTK, and such in. I installed avahi and dbus without any options
• To allow netatalk to authenticate system users via PAM I created /usr/local/etc/pam.d/netatalk:

  auth	required	pam_unix.so	try_first_pass
  account	required	pam_unix.so	try_first_pass
  session	required	pam_permit.so
  

• Create a Time Machine group and user:

  # pw groupadd tm -g 548
  # pw useradd tm -u 548 -g tm -s /usr/sbin/nologin -c "Time Machine user" -d /nonexistent
  # passwd tm
  

• Prepare and mount the backup volumes. Time Machine/netatalk area:

  # gpart create -s GPT ada1
  # gpart add -t freebsd-ufs ada1
  # newfs -U -j ada1p1
  # mkdir /backup
  # mount -o noatime /dev/ada1p1 /backup
  # mkdir -m 0700 /backup/macbook
  # chown tm:tm /backup/macbook
  

  rsync area:

  # gpart create -s GPT ada2
  # gpart add -t freebsd-ufs ada2
  # newfs -U ada2p1
  # mkdir /backup2
  # mount -o noatime /dev/ada2p1 /backup2
  # mkdir -m 0700 /backup2/linux
  # chown nobody:nobody /backup2/linux
  

• Adjust /etc/fstab:

  /dev/ada0p2	/		ufs	rw,noatime	1	1
  /dev/ada0p3	none		swap	sw		0	0
  /dev/ada1p1	/backup		ufs	rw,noatime	2	2
  /dev/ada2p1	/backup2	ufs	rw,noatime	2	2
  

• My /usr/local/etc/afp.conf looks like this:

  [Global]
  mimic model = TimeCapsule
  
  [macbook]
  path = /backup/macbook
  hosts allow = macbook
  valid users = tm
  time machine = yes
  vol size limit = 300000
  

  You can omit vol size limit if you use ZFS, create a separate file system for path, and set a quota of for example 300 GB for that file system.
• My /usr/local/etc/rsyncd.conf:

  pid file = /var/run/rsyncd.pid
  
  [linux]
  fake super = yes
  hosts allow = linux
  path = /backup2/linux
  read only = no
  

• Append this to /etc/rc.conf:

  rsyncd_enable="YES"
  dbus_enable="YES"
  avahi_daemon_enable="YES"
  netatalk_enable="YES"
  

• Reboot the backup server or start all services manually:

  # service rsyncd start
  # service dbus start
  # service avahi-daemon start
  # service netatalk start
  

That's all! Neither a fancy avahi nor netatalk configuration is needed. On your Mac open the Time Machine preferences, and click on Add or Remove Backup Disk. Under Available Disks you can select the volume exported by your backup server. If you do so, you will be asked for the tm user's password.
On my Linux box I use a simple shell script to backup my workstation:

#!/bin/sh

rsync -avAHS --del --progress --exclude=/dev --exclude=/media --exclude=/mnt \
	--exclude=/proc --exclude=/run --exclude=/sys --exclude=/tmp \
	--exclude=/usr/portage --exclude=/var/lib/nfs/rpc_pipefs \
	--exclude=/var/tmp --exclude=/var/run \
	/ rsync://backup/linux/

#!/bin/sh

today=`date +%a`
rm -f "/backup2/.snap/$today"
mksnap_ffs "/backup2/.snap/$today"

Time Machine with Samba on ZFS

Starting with Mac OS X 10.12, Time Machine over SMB is supported. Hence, I replaced Netatalk with Samba, and also moved the backup volumes to a ZFS filesystem on a FreeBSD 12 box.

1. I recommend a dedicated filesystem for /timemachine (assuming that your ZFS pool is named zroot):

   # zfs create -o mountpoint=/timemachine zroot/timemachine
   

2. Install Samba 4.8:

   # make -C /usr/ports/net/samba48 install clean
   

   I just selected these options:
   • AESNI
   • UTMP
   • GSSAPI_BUILTIN
   • AVAHI
3. Recent versions of Samba ship with a virtual file system module named fruit which simplifies our configuration. My /usr/local/etc/smb4.conf looks like this:

   [global]
   	workgroup = WORKGROUP
   	security = user
   	netbios name = backup
   	server string = backup.your-local-domain.invalid
   	hostname lookups = yes
   
   	load printers = no
   	show add printer wizard = no
   	time server = yes
   	map to guest = Bad User
   	use mmap = yes
   
   	dos charset = 850
   	unix charset = UTF-8
   	mangled names = no
   
   	log level = 0
   	vfs objects = fruit streams_xattr zfsacl
   
   	fruit:model = MacPro
   	fruit:resource = file
   	fruit:metadata = netatalk
   
   ; time machines
   [macbook]
   	path = /timemachine/macbook
   	read only = no
   	use sendfile = yes
   	browseable = no
   	hosts allow = macbook.your-local-domain.invalid fe80::/10
   	fruit:time machine = yes
   	fruit:time machine max size = 500G
   	valid users = tm
   

4. Despite the configured maximum size of 500G for the share, newer versions of Mac OS X seem to honor the size of the filesystem only. Hence, I set a ZFS quota:

   # zfs set refquota=500G zroot/timemachine
   

5. Add the system user tm to Samba, and enable that user:

   # smbpasswd -a tm
   New SMB password: <enter a secure password>
   Retype new SMB password: <repeat that secure password>
   # smbpasswd -e tm
   

   Please note that Samba password for the user tm and its system password are not synchronized, and thus can be different.
6. Stop and disable Netatalk, and enable and start Samba:

   # service netatalk stop
   # service netatalk disable
   # service samba_server enable
   # service samba_server start
   

7. Now remove the former, Netatalk based backup target from the System Preferences dialog, and add the new Samba based target.