December 30th, 2010

A script to backup FreeBSD jails offsite

I have always had very little time to spend on scripting, but the need for a “near-online” offsite backup of the configuration files and data of several jails consolidated on a single FreeBSD host forced me to build this simple solution.

At first, I wrote a couple of lines to target a single specific need of mine, but then, surprisingly, I was able to clean up the code enough to make it useful for a somewhat wider range of scenarios. So I think this little piece of work might be useful to someone out there.

The idea of using rsync(1) to back up data remotely is not new… the only added value this solution brings is to make it as simple as possible. Anyone can use it to selectively back up configuration files and data on a per-jail basis.
Basically, the “jailback” script leverages the periodic(8) utility to build and maintain, via SSH, a remote copy of a set of selected folders for each jail (a jail administrator lists them in the .jailback configuration file, in the root of the jail).

The advantages of using this script instead of a comprehensive data backup product (such as Amanda or Bacula) are:

  • No need to set up, configure and maintain a backup agent in each jail.
  • It has very few dependencies on code external to the base system (only rsync needs to be installed, and only on the host systems, not in every jail).
  • The script is able to read the ezjail configuration file, so it fits into your existing jail management framework.

Other important features, not exclusive to this solution:

  • All data transferred between the source host and the backup server is encrypted.
  • The amount of bandwidth required to keep the offsite copy synchronized is minimal, since rsync is able to transfer only the bits changed since the latest backup.

I creatively named this solution “jailback”. Here you can download the two files you need to give it a try:

230.jailback
You need to put this shell script into /usr/local/etc/periodic/daily. When done, you’ll be able to activate and customize the behavior of the script by defining the following variables in periodic.conf(5):

daily_jailback_enable (self-explanatory)

daily_jailback_dstdir
By default, all data is saved in a directory whose name is set to the hostname of the source machine, under /var/backups/ on the destination host. This variable enables you to specify a different folder name.

daily_jailback_srcdir
If ezjail(5) is installed on the source host, by default the value of ${ezjail_jaildir} from the file ezjail.conf is used (then it defaults to the folder /usr/jails). This variable allows you to specify the folder in which all your jails reside (symlinks are allowed).

daily_jailback_port
By default the script uses the standard SSH port (TCP 22). If your backup server is only reachable on another port, you can specify it here.

.jailback
You need to place this file in the root of each jail. This way, if you delegate the management of individual jails to other people, they will be able to define what needs to be backed up without bothering you.
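Since the host-side job reads a file that each jail's administrator controls, a script in this position can check every listed folder before handing it to rsync. The following is an added example, not code from the jailback script: it assumes .jailback holds one jail-relative directory per line (the real format may differ), and jb_resolve, jb_sources and jb_demo are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the jailback script.
# Assumption: .jailback lists one jail-relative directory per line;
# blank lines and lines starting with '#' are skipped.

# jb_resolve JAILROOT ENTRY
# Prints the physical host path of ENTRY when it is an existing directory
# inside JAILROOT. Prints nothing and returns 1 otherwise.
jb_resolve() {
    root=$(cd -P "$1" 2>/dev/null && pwd -P) || return 1
    entry=${2#/}                      # treat "/etc" as jail-relative "etc"
    case "/$entry/" in
        //|*/../*) return 1 ;;        # empty, or contains a ".." component
    esac
    # Resolve symlinks on the host: every link below $root is under the
    # jail owner's control and may point anywhere on the host filesystem.
    real=$(cd -P "$root/$entry" 2>/dev/null && pwd -P) || return 1
    case "$real/" in
        "$root"/*) printf '%s\n' "$real" ;;  # absolute, so never read as an option
        *) return 1 ;;                # resolved target is outside the jail
    esac
}

# jb_sources JAILROOT
# Prints one accepted host path per line; rejected entries are reported on stderr.
jb_sources() {
    [ -f "$1/.jailback" ] && [ ! -L "$1/.jailback" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        jb_resolve "$1" "$line" || echo "jailback: skipped '$line' in $1" >&2
    done < "$1/.jailback"
}

# Constructed demo: a throwaway "jail" whose .jailback mixes good and bad entries.
jb_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/host/etc" "$d/jail/usr/local/etc" "$d/jail/home"
    ln -s "$d/host/etc" "$d/jail/home/escape"   # link pointing outside the jail
    printf '%s\n' '# config' '/usr/local/etc' 'home/escape' '../host/etc' \
        'missing' > "$d/jail/.jailback"
    jb_sources "$d/jail"
    rm -rf "$d"
}
jb_demo
```

The check and the later rsync run are not atomic, so passing the resolved path narrows the window in which a link can change but does not close it.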


Notes

For this method to work, remember to check that the SSH daemon is running on the backup host, that it can be reached from the systems being backed up, and that key authentication works correctly between the two.

It’s also desirable to protect data on the backup host with some sort of disk encryption. Often this machine is located several kilometers away, in a site without the same level of physical protection the main site has.


Updates

On March 28, 2011 I finally added a feature I had needed since the first release of the script: it’s now possible to manage an exclusion list (for example, to have all *.tmp files in a folder we want to back up excluded from the process). You can simply add a file named .jailback-exclude in the root of each jail, where all excluded patterns are defined (see the option named “--exclude-from” in the rsync(1) man page).

The latest release of the script is always available here.