Secure RSYNC over SSH between two QNAP NAS

Discussion on remote replication.

Re: Secure RSYNC over SSH between two QNAP NAS

Post by evil79genius » Sun May 31, 2020 6:43 pm

First of all, I've got to thank @pbqn2014 for the precious insights he's given: without them I wouldn't have been able to make it work.
I would also say that it's a shame that QNAP staff didn't take this serious bug into account: this thread is close to 7 years old.
pbqn2014 wrote:
Wed Dec 24, 2014 10:33 pm
After a tweak by setting up an rsync job to a local destination using the same user/pass and changing afterwards in /etc/config/rsync_schedule.conf related

Code:

Remote IP = (real destination)
Remote Path = (real path)
Remote Volume = (empty)

Probably something has changed, but neither of my two QNAPs lets me run a job with an empty "Remote Volume", so I've patched the script some more:

Code:

--- /etc/init.d/rsyncRR.sh.orig	dom mag 31 12:21:08 2020
+++ /etc/init.d/rsyncRR.sh	dom mag 31 11:20:31 2020
@@ -664 +664 @@ if [ "x${RR_opt_KBPS}" = "x0" ]; then
-		/usr/bin/rsync --snapshot --sever-mode=1 --dry-run -e "${RR_com_ssh}" --qnap-ssh-bwlimit --timeout=${xsTimeout} --password="${Passwd}" "${UserName}"@[${Remote_IP}]::
+		/usr/bin/rsync --snapshot --sever-mode=1 --dry-run -e "${RR_com_ssh}" --qnap-ssh-bwlimit --timeout=${xsTimeout} "${UserName}"@[${Remote_IP}]:
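Review bot: The dry-run destination on the + line ends at the colon with no path after it, so this pre-flight check only proves that the SSH login succeeds, not that the directory the real transfers write to exists or is writable. If the remote path is already known at this point in the script, test against it (as the later invocations do with :/"${RR_remote_path}") so a wrong path fails here rather than in the transfer. The hunk also removes --password="${Passwd}", so the check now depends entirely on whatever authentication RR_com_ssh provides; a comment in the script saying so would help.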
@@ -692 +692 @@ do
-				LC_ALL=en_US.UTF-8 /usr/bin/rsync -H -a ${RR_EXTAAR} --snapshot --sever-mode=${RR_MODE} --debug-progress=1 -e "${RR_com_ssh}" ${RR_options} --exclude='.streams/' --exclude=':2eDS_Store' --exclude='.AppleDB/' --exclude='.AppleDesktop/' --exclude='.AppleDouble/' --exclude='.digest/' --schedule="$1" --password="${Passwd}" --timeout=${xsTimeout} "${RR_local_path}/" "${UserName}"@[${Remote_IP}]::"${RR_remote_path}" -v -v -v 1>${SZF_OUTPUT} 2>"$SZF_ERROR_TMP"
+				LC_ALL=en_US.UTF-8 /usr/bin/rsync -H -a ${RR_EXTAAR} --snapshot --sever-mode=${RR_MODE} --debug-progress=1 -e "${RR_com_ssh}" ${RR_options} --exclude='.streams/' --exclude=':2eDS_Store' --exclude='.AppleDB/' --exclude='.AppleDesktop/' --exclude='.AppleDouble/' --exclude='.digest/' --schedule="$1" --timeout=${xsTimeout} "${RR_local_path}/" "${UserName}"@[${Remote_IP}]:/"${RR_remote_path}" -v -v -v 1>${SZF_OUTPUT} 2>"$SZF_ERROR_TMP"
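Review bot: Replacing :: with :/ in the destination changes more than the separator. In stock rsync the double colon addresses a daemon module, while a single colon hands the remote shell a plain filesystem path, so any module-level restrictions on the destination stop applying and access control rests on the SSH account alone. The hard-coded / also produces a double slash if RR_remote_path already starts with one; normalise the variable once before the loop and add a comment explaining the switch.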
@@ -701 +701 @@ do
-				LC_ALL=en_US.UTF-8 /usr/bin/rsync -H -a ${RR_EXTAAR} --snapshot --sever-mode=${RR_MODE} -e "${RR_com_ssh}" ${RR_options} --exclude='.streams/' --exclude=':2eDS_Store' --exclude='.AppleDB/' --exclude='.AppleDesktop/' --exclude='.AppleDouble/' --exclude='.digest/' --schedule="$1" --password="${Passwd}" --timeout=${xsTimeout} "${RR_local_path}/" "${UserName}"@[${Remote_IP}]::"${RR_remote_path}" 1>${SZF_OUTPUT} 2>"$SZF_ERROR_TMP"
+				LC_ALL=en_US.UTF-8 /usr/bin/rsync -H -a ${RR_EXTAAR} --snapshot --sever-mode=${RR_MODE} -e "${RR_com_ssh}" ${RR_options} --exclude='.streams/' --exclude=':2eDS_Store' --exclude='.AppleDB/' --exclude='.AppleDesktop/' --exclude='.AppleDouble/' --exclude='.digest/' --schedule="$1" --timeout=${xsTimeout} "${RR_local_path}/" "${UserName}"@[${Remote_IP}]:/"${RR_remote_path}" 1>${SZF_OUTPUT} 2>"$SZF_ERROR_TMP"
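Review bot: Duplicated logic: the destination rewrite and the --password removal here repeat the edit at line 692 by hand, and the two invocations differ only in --debug-progress=1 and -v -v -v. Build the destination string and the shared option list once in variables, and append the verbose flags conditionally, so a later change cannot update one branch and miss the other.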
Basically, instead of simply dropping the second ":", I've replaced it with a "/" and changed /etc/config/rsync_schedule.conf to

Code:

Remote IP = (real destination)
Remote Path = (remaining part of the path - with leading /)
Remote Volume = (first directory of the path - neither leading nor trailing /)

Also, given that I'm doing SSH key authentication on all my jobs, I've also patched the command in order not to pass the password on the command line:

Code:

--- /etc/init.d/rsyncRR.sh.orig	dom mag 31 12:21:08 2020
+++ /etc/init.d/rsyncRR.sh	dom mag 31 11:20:31 2020
@@ -616 +616 @@ RR_SSH_PORT=`/sbin/getcfg "${RR_sche}" "SSH PORT"
-RR_com_ssh="/usr/bin/ssh -o StrictHostKeyChecking=no -l ${UserName} -j ${Passwd} -p ${RR_SSH_PORT}"
+RR_com_ssh="/usr/bin/ssh -o StrictHostKeyChecking=no -l ${UserName} -p ${RR_SSH_PORT}"
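Review bot: -o StrictHostKeyChecking=no is carried over unchanged on the + line, so a new or changed host key on the destination still does not stop the connection. Removing the password from the command line keeps the credential out of local process listings, but the session can still be intercepted by a host impersonating the destination. Record the destination's host key in known_hosts and switch this to StrictHostKeyChecking=yes. With no password passed, adding -o BatchMode=yes would also make a missing or rejected key fail immediately instead of waiting on a prompt in an unattended job.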
For reference, my current systems are:
  • QNAP TS-351 (Source)
    Version 4.4.2.1310 (2020/05/19)
  • QNAP TS-291P II (Source)
    Version 4.3.3.1252 (2020/04/09)
  • FreeNAS (Destination)
    Version 11.3-U3.1 (2020/05/21)

On the FreeNAS server I'm running the users on a restricted rsync script: for the replication jobs to succeed I've had to not select "Replicate ACL and extended attributes".
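
A way to confirm that the patched job no longer exposes the password in process listings, as an added example that is not part of the original post or of QNAP's script. It looks only for the two flags visible in the patch (rsync --password=... and ssh -j <password>); the function names and the sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag command lines that still
# carry a credential in argv. The two flags checked are the ones visible in
# the patch: rsync --password=... and the ssh option -j <password>.

# Reads one command line per input line; prints each offending line with the
# secret replaced by ***. Tokens are split on whitespace, so a password that
# itself contains spaces is only partly redacted (known limitation).
find_argv_secrets() {
    awk '
    {
        n = split($0, tok, " ")
        has_ssh = ($0 ~ "(^|[ /])ssh( |$)")
        hit = 0
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^--password=/) {
                tok[i] = "--password=***"; hit = 1
            } else if (has_ssh && tok[i] == "-j" && i < n) {
                tok[++i] = "***"; hit = 1
            }
        }
        if (hit) {
            line = tok[1]
            for (i = 2; i <= n; i++) line = line " " tok[i]
            print line
        }
    }'
}

# Live check on a Linux-based NAS: argv of every process, read from /proc.
audit_running() {
    for f in /proc/[0-9]*/cmdline; do
        { tr '\0' ' ' < "$f"; } 2>/dev/null; echo
    done | find_argv_secrets
}

# Constructed sample command lines (hypothetical user, password, addresses).
SAMPLE_CMDLINES='/usr/bin/rsync -H -a --password=hunter2 --timeout=600 /share/data/ admin@[192.0.2.10]::backup
/usr/bin/ssh -o StrictHostKeyChecking=no -l admin -j hunter2 -p 22 192.0.2.10 rsync --server
/usr/bin/ssh -o StrictHostKeyChecking=no -l admin -p 22 192.0.2.10 rsync --server
/usr/bin/rsync -H -a --timeout=600 /share/data/ admin@[192.0.2.10]:/backup/data'

printf '%s\n' "$SAMPLE_CMDLINES" | find_argv_secrets
```

Run audit_running while a replication job is in progress; no output means neither flag appears in any process's arguments.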
