[--install remote-host]
[--upgrade]
-You will want to add following to C<~/.ssh/config>
+C<rsync> traffic is always transfered over ssh, but C<diff> or C<ch> can
+still leak sensitive information if C<bak> shell client connects directly
+to server host.
- RemoteForward 9001 localhost:9001
+Add following line to C<~/.ssh/config> under C<Host> for which you want encrypted
+controll channel (or to pass through server ssh hops using C<ProxyCommand>)
-bak command overview:
+ RemoteForward 9001 192.168.42.42:9001
+
+bak command, overview:
bak add /path
bak commit [/path [message]]
bak diff [host:][/path]
bak status [/path]
bak log [/path]
+ bak log-grep pattern
+ bak grep pattern
+ bak show
bak ch[anges]
bak revert [host:]/path
+ bak cat [host:]/path
+ bak grep pattern
+ bak find filename-pattern
+
bak - push all changed files to server
+ bak add,commit /path
+
+See L<http://blog.rot13.org/bak-git> for more information
+
=cut
use warnings;
die "usage: $0 /backup/directory 127.0.0.1\n" unless $dir;
$server_ip ||= '127.0.0.1';
-my $shell_client = <<__SHELL_CLIENT__;
-#!/bin/sh
-echo \$USER/\$SUDO_USER `hostname -s` `pwd` \$* | nc $server_ip 9001
-__SHELL_CLIENT__
+# parse ssh config
+my $ssh_tunnel;
+open(my $ssh_fd, '<', "$ENV{HOME}/.ssh/config");
+my $host;
+while(<$ssh_fd>) {
+ chomp;
+ next unless length($_) > 0;
+ next if m/^\s*#/;
+
+ if ( /^Host\s+(.+)/i ) {
+ $host = $1;
+ } elsif ( /^\s+(\S+)\s+(.+)/ ) {
+ $ssh_tunnel->{$host}++ if lc($1) eq 'remoteforward' && $2 =~ m/9001/;
+ } elsif ( /^\s+$/ ) {
+ # nop
+ } else {
+ warn "can't parse [$_]";
+ }
+}
+
+sub shell_client {
+ my ( $hostname ) = @_;
+ my $path = '/tmp/bak';
+ my $server = $server_ip;
+ $server = '127.0.0.1' if $ssh_tunnel->{$hostname};
+warn "# ssh_client $hostname $server";
+ open(my $fh, '>', $path);
+ print $fh "#!/bin/sh\n";
+ print $fh "echo \$USER/\$SUDO_USER $hostname `pwd` \$* | nc $server 9001\n";
+ close($fh);
+ chmod 0755, $path;
+ return $path;
+}
+
+sub _kill_ssh {
+ while ( my($host,$pid) = each %$ssh_tunnel ) {
+ warn "$host kill TERM $pid";
+ eval { kill 15, $pid; } # TERM
+ }
+}
+
+#$SIG{INT};
+$SIG{TERM} = &_kill_ssh;
chdir $dir;
system 'git init' unless -e '.git';
if ( $upgrade || $install ) {
- open(my $fh, '>', '/tmp/bak');
- print $fh $shell_client;
- close($fh);
- chmod 0755, '/tmp/bak';
my @hosts = grep { -d $_ } glob '*';
@hosts = ( $install ) if $install;
foreach my $hostname ( @hosts ) {
warn "install on $hostname\n";
system 'ssh-copy-id', "root\@$hostname" if ! -d $hostname;
- system "scp /tmp/bak root\@$hostname:/usr/local/bin/";
- system "ssh root\@$hostname apt-get install -y rsync";
+ my $path = shell_client( $hostname );
+ system "scp $path root\@$hostname:/usr/local/bin/";
+ system "ssh root\@$hostname apt-get install -y netcat rsync";
+ }
+} else {
+ my $ssh = $ENV{SSH} || 'ssh';
+ warn "# start $ssh tunnels...";
+ foreach my $host ( keys %$ssh_tunnel ) {
+last; # FIXME disabled
+ warn "## $host\n";
+ my $pid = fork;
+ if ( ! defined $pid ) {
+ die "fork: $!";
+ } elsif ( $pid ) {
+# waitpid $pid, 0;
+ warn "FIXME: waitpid $pid";
+ } else {
+ warn "EXEC $ssh $host";
+ exec "$ssh -N root\@$host";
+ }
+
+ $ssh_tunnel->{$host} = $pid;
}
}
+warn "dir: $dir listen: $server_ip:9001\n";
+
my $server = IO::Socket::INET->new(
Proto => 'tcp',
- LocalAddr => $server_ip,
+# LocalAddr => $server_ip,
LocalPort => 9001,
Listen => SOMAXCONN,
Reuse => 1
) || die $!;
-warn "dir: $dir listen: $server_ip:9001\n"
- , $shell_client
-;
+sub rsync {
+ warn "# rsync ",join(' ', @_), "\n";
+ system 'rsync', @_;
+}
sub pull_changes {
my $hostname = shift;
print $files "$_\n" foreach @_;
close($files);
}
- system "rsync -avv --files-from /tmp/$hostname.list root\@$hostname:/ $hostname/"
+ rsync split / /, "-avv --files-from /tmp/$hostname.list root\@$hostname:/ $hostname/";
+}
+
+sub mkbasedir {
+ my $path = shift;
+ $path =~ s{/[^/]+$}{};
+ warn "# mkpath $path\n";
+ mkpath $path || die $!;
}
while (my $client = $server->accept()) {
my $line = <$client>;
chomp($line);
- warn "<<< $line\n";
+
+ my $peerhost = $client->peerhost;
+ if ( $peerhost !~ m/^(10\.13\.37\.|10\.60\.0\.|10\.200\.100\.)/ ) {
+ print $client "$peerhost not allowed\n";
+ next;
+ }
+
+ warn "<<< $peerhost $line\n";
my ($user,$hostname,$pwd,$command,$rel_path,$message) = split(/\s+/,$line,6);
+ $hostname =~ s/\..+$//;
my $on_host = '';
if ( $rel_path =~ s/^([^:]+):(.+)$/$2/ ) {
}
my $path = $rel_path =~ m{^/} ? $rel_path : "$pwd/$rel_path";
+ foreach my $command ( split /,/, $command ) { # XXX command loop
+
warn "$hostname [$command] $on_host:$path | $message\n";
+
+ my $args_message = $message;
+
$message ||= "$path [$command]";
$message = "$hostname: $message";
pull_changes $hostname;
} elsif ( $command eq 'add' ) {
mkpath "$hostname/$dir" unless -e "$hostname/$dir";
- system 'rsync', '-avv', "root\@$hostname:$path", "$hostname/$path";
- print $client git 'add', "$hostname/$path";
+ while ( $path ) {
+ rsync( '-avv', "root\@$hostname:$path", "$hostname/$path" );
+ print $client git 'add', "$hostname/$path";
+
+ $args_message =~ s/^(.+)\b// || last;
+ $path = $1;
+ warn "? $path";
+ }
} elsif ( $command eq 'commit' ) {
pull_changes $hostname;
$message =~ s/'/\\'/g;
} elsif ( $command =~ m{(diff|status|log|ch)} ) {
$command .= ' --stat' if $command eq 'log';
$command = 'log --patch-with-stat' if $command =~ m/^ch/;
- pull_changes( $hostname, $path ) if $command eq 'diff';
+ pull_changes( $hostname ) if $command eq 'diff';
if ( $on_host ) {
- system 'rsync', '-avv', "root\@$on_host:$path", "$on_host/$path";
+ mkpath $_ foreach grep { ! -e $_ } ( "$hostname/$dir", "$on_host/$dir" );
+ rsync( '-avv', "root\@$hostname:$path", "$hostname/$path" );
+ rsync( '-avv', "root\@$on_host:$path", "$on_host/$path" );
open(my $diff, '-|', "diff -Nuw $hostname$path $on_host$path");
while(<$diff>) {
print $client $_;
}
} else {
# commands without path will show host-wide status/changes
- print $client git($command, $rel_path ? $backup_path : $hostname);
+ my $backup_path = $path ? "$hostname/$path" : "$hostname/";
+ # hostname must end with / to prevent error from git:
+ # ambiguous argument 'arh-hw': both revision and filename
+ # to support branches named as hosts
+ print $client git($command, $backup_path);
}
} elsif ( $command eq 'revert' ) {
if ( $on_host ) {
- system 'rsync', '-avv', "$on_host/$path", "root\@$hostname:$path";
+ rsync( '-avv', "$on_host/$path", "root\@$hostname:$path" );
} else {
print $client git "checkout -- $hostname/$path";
- system 'rsync', '-avv', "$hostname/$path", "root\@$hostname:$path";
+ rsync( '-avv', "$hostname/$path", "root\@$hostname:$path" );
+ }
+ } elsif ( $command eq 'cat' ) {
+ my $file_path = ( $on_host ? $on_host : $hostname ) . "/$path";
+ if ( -r $file_path ) {
+ open(my $file, '<', $file_path) || warn "ERROR $file_path: $!";
+ while(<$file>) {
+ print $client $_;
+ }
+ close($file);
+ } else {
+ print $client "ERROR: $file_path: $!\n";
+ }
+ } elsif ( $command eq 'ls' ) {
+ my $file_path = ( $on_host ? $on_host : $hostname ) . "/$path";
+ print $client `ls $file_path 2>&1`;
+ } elsif ( $command eq 'show' ) {
+ print $client `git show $rel_path`;
+ } elsif ( $command eq 'log-grep' ) {
+ #print $client `git log -g --grep=$rel_path`;
+ } elsif ( $command eq 'grep' ) {
+ print $client `git grep $rel_path`;
+ } elsif ( $command eq 'find' ) {
+ print $client `find . -iname '*$rel_path*' | sed -e 's,^./,,' -e 's,/,:/,'`
+ } elsif ( $command eq 'link' ) {
+ if ( $on_host ) {
+ mkbasedir "$on_host/$path";
+ rsync( '-avv', "root\@$on_host:$path", "$on_host/$path" );
+ mkbasedir "$hostname/$path";
+ link "$on_host/$path", "$hostname/$path";
+ rsync( '-avv', "$hostname/$path", "root\@$hostname:$path" );
+ } else {
+ print $client "ERROR: link requires host:/path\n";
}
} else {
- print $client "Unknown command: $command\n";
+ print $client "ERROR: unknown command: $command\n";
}
+ } # XXX command, loop
+
+ close($client);
}