Hetzner - DokuWiki

Tartarus Backup-Konfiguration/en


Tartarus Backup

Tartarus is a backup system based on classic and widespread Unix Tools which is specifically geared to dedicated server requirements.


Debian users can easily install the program via the package system and keep it up to date by adding the following line to the APT configuration (e.g.in /etc/apt/sources.list.d/tartarus.list):

deb http://wertarbyte.de/apt/ ./

After an "apt-get update", the script can easily be installed using "apt-get install tartarus".

The following commands are sufficient for importing the GnuPG key, which signs the repository, and installing the program:

wget -O /etc/apt/sources.list.d/wertarbyte.list http://wertarbyte.de/apt/wertarbyte-apt.list
wget -O - http://wertarbyte.de/apt/software-key.gpg | apt-key add -
apt-get update
apt-get install tartarus

The script uses a wide range of classic Unix tools which are installed - if this has not taken place automatically - via the package management:

apt-get install tar bzip2 lvm2 gnupg curl

If you do not have Debian (or Ubuntu, for example) the program can be installed manually by simply downloading it from the website and after unzipping the files placing it in /usr/local/. After installing it, you can simply run the tartarus command like you would run it on Debian.

On the other hand, installation via the package system is recommended as new versions can be installed automatically.

If a current Ubuntu distribution is being used (from 10), errors occur with curl and sftp, so curl needs to be compiled separately. Instructions on this can be found here: Curl with sftp

Backup Configuration

Tartarus reads its configuration profile files that are stored in the /etc/tartarus/. These are shell scripts that are processed by the backup process, so it is also possible to include on the command "source" other configuration files in a profile. This can be exploited to store generic settings for all backup profiles centrally:

General Configuration

# /etc/tartarus/generic.inc
# Generic settings for the backup
# on the Hetzner FTP Server
# Address of the FTP Server
# FTP access
# Encrypt transfer and use SFTP
# Compression method
# Size of LVM snapshot
# Backup data encrypt symmetrically
# Password from /etc/tartarus/backup.sec read
# During backup setup
# do not go beyond file system limits

These settings encrypt backups with a password read from /etc/tartarus/backup.sec. The file contents are needed for unpacking the archive again later; and should, therefore, be kept safely (possibly also in printed format).

Simple Backup

A simple profile for the safety of the root file system could look like this:

# /etc/tartarus/root.conf
# Read main config
source /etc/tartarus/generic.inc
# Profile name
# Directory / Backup
# Backup no temporary files
# separate several folders with a space
# No LVM snapshot

Simply start backup with the following:

/usr/sbin/tartarus /etc/tartarus/root.conf

Backup with LVM Snapshot

LVM snapshots enable a file system to be frozen in time during operation. The LVM system creates a virtual block device and stores obvious changes in a separate logical volume.

# /etc/tartarus/home.conf
source /etc/tartarus/generic.inc
# Create LVM Snapshot
# LVM volume which stores the file system
# Mountpoint, which hooks the file system

To integrate the snapshot file systems, Tartarus uses /snap: The frozen file systems are latched on to the corresponding subdirectories.

Incremental Backups

Incremental backups only save the changes since the last full backup and do not archive the whole file system. Tartarus creates marker files to determine the exact date of the last backup. To perform incremental backups, you first need to create a directory that contains these files:

mkdir -p /var/spool/tartarus/timestamps/

The configuration profiles now have the following line (with corresponding file name):


After each successful backup, the script updates the file. To perform an incremental backup, start Tartarus with the additional parameter "-i":

/usr/sbin/tartarus -i /etc/tartarus/home.conf

Automatic Backup

A typical system has several backup files in the directory in /etc/tartarus/; to call them up automatically use the following script:

# /usr/local/sbin/backup.sh
# Run all backup profile found in /etc/tartarus/ and pass
# command line arguments on to tartarus (e.g. -i)
for profile in /etc/tartarus/*.conf; do
 /usr/sbin/tartarus $* "$profile"

Now it can be exceuted with or without parameter, to run all profiles on full or incremental backup:

/usr/local/sbin/backup.sh # full backup
/usr/local/sbin/backup.sh -i # incremental backup

The command "crontab -e" edits the crontab for the root user:

# m    h       dom     mon     dow     command
0      1       *       *       mon-sat /usr/local/sbin/backup.sh -i
0      1       *       *       sun     /usr/local/sbin/backup.sh

This is an example on full backup every Sunday at approx 1 am and the other days incremental backups.


Since Tartarus is based on simple Unix utilities, a backup is easy to restore from the rescue system. To show the files in backup, use the following command line:

curl [[Ftp: |
gpg --decrypt | tar tpvj

To unpack the archive in the directory /mnt/restore modify the line as follows:

curl [[Ftp: |
gpg --decrypt | tar xpvj -C /mnt/restore

Delete Old Backups

If backups are created on a regular basis, the FTP server quota soon reaches its limits - old backups should therefore be removed regularly. This is automatically done with "charon.ftp": The following command checks all backups designated "home" on the FTP server for their "best-before date". The parameter "--dry-run" does not really remove the files.

/usr/sbin/charon.ftp --host \
--user USERNAME \
--password PASSWORD \
--profile home \
--maxage 7 \

Charon removes all files created more than 7 days ago. This only happens however if there are no other incremental backups based on them.

To automatically clean up the FTP server after a successful backup, use the Tartarus hook. The following entry in the Tartarus settings (e.g. generic.inc) checks for out-of-date archives after each backup run on the server:

# Clean up FTP server after backup
   echo -n "$STORAGE_FTP_PASSWORD" | /usr/sbin/charon.ftp \
   --host "$STORAGE_FTP_SERVER" \
   --user "$STORAGE_FTP_USER" --readpassword \
   --maxage 7 \
   --dir "$STORAGE_FTP_DIR" --profile "$NAME"

In this way, the script takes over the settings directly from the Tartarus configuration. To ensure that the password is not shown in the processing list, it is read from the standard input.

Documentation and Contact

Further information on Tartarus can be found in the project page, the program documentation and the mailing list.

To report errors in the script, keep informed of further developments or to participate, log on there.

© 2019. Hetzner Online GmbH. Alle Rechte vorbehalten.