I’ve been looking at a backup solution for my home server for a bit. Now I’ll forgive you at this point if you are thinking why do you need a backup solution for WHS when it does duplication.
Well several reasons but the main one being I want an offsite copy of most of the server contents in case of theft or fire. There are plenty of solutions out there for this but most of them require you to upload your files to the cloud and that is rather slow when trying to send a TB or so over a 800kbps uplink.
CrashPlan has the nice feature that you can back up to a friend’s machine and you can seed the backup locally. So the plan is to get a new removable hard disk, backup, take to friends then update over the net.
I downloaded CrashPlan (www.crashplan.com) and installed it on my home server. I went to add my folders to the sources for backup and immediately hit a problem. CrashPlan doesn’t let you specify a UNC path for the source (or the backup archive folder for that matter). Now I could just use D: but recommended practice for WHS is to always access data through the UNC paths so that’s what I’d like to do.
The reason for this is that CrashPlan runs as SYSTEM and this account doesn’t have network privileges and thus cannot access UNC paths.
To get around this I just changed the service to run as administrator and manually edited the %programfiles%/crashplan/conf/my.service.xml file to use UNC paths. The easiest way to do this is to add a dummy directory using the UI then find it in the config and change it. Use / instead of \ in the config file as it’s a Java app and needs that.
I’ve only tested scanning to see if it can read the files and it seems to work, getting a removable drive and doing a backup is the next step.
Doing the above has 2 main issues, first you are running a service that provides a remote access interface on the internet as administrator, the second is that administrator may not have permissions to read the files being backed up.
To be honest both of these issues are present with CrashPlan anyway, it runs as SYSTEM and exposes the remote interface and SYSTEM can be denied permission on ACLs and so prevent backups from working. Fortunately WHS seems to create directories with ACLs that have both SYSTEM and Administrator in them with Full Control so it should work, I’ll just have to remember not to change the ACLs on any files to remove those permissions.
Ideally the service interface should be running in a separate service with limited permissions and the backup engine service should be running as a user in the backup operators group.
I did initially try creating a new user in the backup operators group and run CrashPlan as that user, unfortunately CrashPlan doesn’t use backup semantics when opening the files for backup and as such the ACL bypassing of the backup operators group doesn’t kick in and it still can’t access protected files.
I have suggested to the developers that the split the remote interface from the backup engine and use backup semantics when calling CreateFile() to access the files during backup. I’ll let you know if I hear anything from them.
In the meantime I’m hoping the configuration I’ve built works ok, I’ll follow this post up once I’ve got my external drive and have a backup done.