Installing CrashPlan on WHS part 2

In my previous post “Installing CrashPlan on WHS” I looked at installing CrashPlan on my home server and making it use UNC paths. In this post I was originally intending to look at what was needed to perform a backup between two home servers using a backup seeded from a portable hard disk.

I did manage to get all of that set up and working and was about to post when my friend noticed a problem. For some reason his backup files got erased and CrashPlan started a full backup over the net; this was going to take nearly 2 months.

After restoring the backup from portable hard disk again and starting things off it did the same thing again. So for now we’ve decided to uninstall CrashPlan until we have time to look into what’s going on.

Installing CrashPlan on WHS

I’ve been looking at a backup solution for my home server for a bit. Now I’ll forgive you at this point if you are thinking why do you need a backup solution for WHS when it does duplication.

Well, several reasons, but the main one is that I want an offsite copy of most of the server contents in case of theft or fire. There are plenty of solutions out there for this but most of them require you to upload your files to the cloud, and that is rather slow when trying to send a TB or so over an 800kbps uplink.

CrashPlan has the nice feature that you can back up to a friend’s machine and you can seed the backup locally. So the plan is to get a new removable hard disk, back up to it, take it to a friend’s, then update over the net.

Installing CrashPlan

I downloaded CrashPlan (www.crashplan.com) and installed it on my home server. I went to add my folders to the sources for backup and immediately hit a problem. CrashPlan doesn’t let you specify a UNC path for the source (or the backup archive folder for that matter). Now I could just use D: but recommended practice for WHS is to always access data through the UNC paths so that’s what I’d like to do.

The reason for this is that CrashPlan runs as SYSTEM and this account doesn’t have network privileges and thus cannot access UNC paths.

To get around this I just changed the service to run as administrator and manually edited the %programfiles%/crashplan/conf/my.service.xml file to use UNC paths. The easiest way to do this is to add a dummy directory using the UI then find it in the config and change it. Use / instead of \ in the config file as it’s a Java app and needs that.

I’ve only tested scanning to see if it can read the files and it seems to work; getting a removable drive and doing a backup is the next step.

Issues

Doing the above has 2 main issues: first, you are running a service that provides a remote access interface on the internet as administrator; second, administrator may not have permissions to read the files being backed up.

To be honest, both of these issues are present with CrashPlan anyway: it runs as SYSTEM and exposes the remote interface, and SYSTEM can be denied permission on ACLs and so prevent backups from working. Fortunately WHS seems to create directories with ACLs that have both SYSTEM and Administrator in them with Full Control, so it should work; I’ll just have to remember not to change the ACLs on any files to remove those permissions.

Ideally the service interface should be running in a separate service with limited permissions and the backup engine service should be running as a user in the backup operators group.

I did initially try creating a new user in the backup operators group and running CrashPlan as that user. Unfortunately, CrashPlan doesn’t use backup semantics when opening the files for backup, and as such the ACL bypassing of the backup operators group doesn’t kick in and it still can’t access protected files.

I have suggested to the developers that they split the remote interface from the backup engine and use backup semantics when calling CreateFile() to access the files during backup. I’ll let you know if I hear anything from them.

In the meantime I’m hoping the configuration I’ve built works OK; I’ll follow this post up once I’ve got my external drive and have a backup done.

Installing SwissCenter on WHS

I use a Pinnacle ShowCenter as my network media player for playing back music and movies on my A/V equipment. It’s a nice bit of hardware but the software it comes with doesn’t fit my needs. Fortunately the player uses a simple web browser for its UI and this is served from the Pinnacle server, so it’s possible to replace the server component with a new one that provides whatever functionality you like.

There are a few open source server packages out there for the ShowCenter (and other Syabas based media devices) but the one I use, and in my opinion the best of them, is the SwissCenter (available from www.swisscenter.co.uk).

This software is written using PHP, Apache and MySQL and runs on either Linux or Windows. However, on Windows there is a nice simple install option using another project called Simese (Simple Media Server). This provides a single installer for the Simese media server, PHP, MySQL and SwissCenter.

You can install this on a WHS quite easily; I just downloaded the latest build (1.45 Simese and 1.20.1 SwissCenter at the time of writing), logged on via terminal services and installed it. I made sure that I entered the media locations as UNC paths and that the user Simese was running as had access to the media locations, and it all works fine. Upgrading the box to 2GB helped though, since running this stuff on a standard HP MediaSmart with 512MB is a little slow.

In addition to installing Simese and SwissCenter I also installed MusicIP. This is an optional component that SwissCenter can use in order to create custom playlists based on similar music. You simply select a track in SwissCenter and then get a link to ‘play similar’; this functionality uses MusicIP to generate the playlist, which the SwissCenter then plays.

Installing MusicIP on the WHS was also pretty easy; I just followed the instructions for a standard install on Windows. The only thing I needed to change was the user the service runs as, to ensure it had access to my media.

Overall a nice little setup and I’m quite happy I can run it all from my home server now.

Using SSL certs from IIS on WHS with Apache

I recently installed a Subversion server on my WHS box. In the past I’ve usually installed and configured Apache and mod_svn myself, but this time I decided to use the pre-packaged version from the people behind VisualSVN.

This version still uses Apache as the server, however. Now I don’t like sending passwords in the clear over the net, especially to things like a source repository. The default install of VisualSVN does support SSL and comes with an SSL cert that you can use. However, since I have a cert for my WHS box anyway I thought it would be nice to be able to reuse that. In the end it was quite easy; the steps are below.

  • Download OpenSSL from http://www.slproweb.com/products/Win32OpenSSL.html. You can download the Light version for this.
  • Install it on the machine you are going to work on (I did this on my desktop; it doesn’t have to be the WHS).
  • Ensure that the OpenSSL bin directory is in your path (makes things easier).
  • Export the cert from IIS or certmgr.msc on the WHS:
    • In IIS go to site properties for the WHS site, then directory security, and click the server certificate button.
    • Then select export a current certificate and give it a filename.
    • Make sure you export the private key along with the cert (IIS export does this automatically, but using certmgr.msc you’ll need to select it).
  • Use OpenSSL to extract the private key and cert. First export the key into a passworded file, then export the cert, finally remove the password from the key so Apache / VisualSVN can use it:
    • openssl pkcs12 -in mycert.pfx -nocerts -out key.pem
    • openssl pkcs12 -in mycert.pfx -clcerts -nokeys -out cert.pem
    • openssl rsa -in key.pem -out server.key
  • Finally you have a cert (cert.pem) and key (server.key) you can use with Apache and VisualSVN. Just update the httpd.conf files to use those files. I dropped them into c:\certs on my box so I can share them between multiple apps.
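
A check worth running after the extraction steps above, written as an added example that is not part of the original post: it confirms that cert.pem and server.key belong together and that only key.pem is still passphrase-protected. It assumes a POSIX shell with OpenSSL on the path; the function names and the throwaway mycert.pfx (password "demo") are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical;
# file names follow the steps above.

# Succeeds only if the certificate and the private key share one public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the PEM key file is still passphrase-protected.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# Build a throwaway mycert.pfx (constructed sample, password "demo") in
# directory $1 and run the three extraction commands on it non-interactively.
extract_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=whs.example" \
        -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/orig.crt" \
        -out "$d/mycert.pfx" -passout pass:demo 2>/dev/null &&
    openssl pkcs12 -in "$d/mycert.pfx" -nocerts -out "$d/key.pem" \
        -passin pass:demo -passout pass:demo 2>/dev/null &&
    openssl pkcs12 -in "$d/mycert.pfx" -clcerts -nokeys -out "$d/cert.pem" \
        -passin pass:demo 2>/dev/null &&
    openssl rsa -in "$d/key.pem" -out "$d/server.key" -passin pass:demo 2>/dev/null
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && extract_sample "$tmp" &&
    pair_matches "$tmp/cert.pem" "$tmp/server.key" &&
    key_is_encrypted "$tmp/key.pem" && ! key_is_encrypted "$tmp/server.key" &&
    echo "cert.pem matches server.key; server.key has no passphrase"
rm -rf "$tmp"
```

On the real files, run `pair_matches cert.pem server.key` before editing httpd.conf. Because server.key carries no passphrase, the file permissions on the directory holding it (c:\certs in the post) are its only protection.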