I'd like to propose a change in the backup process and would like to hear comments.
The current system produces backups using the standard backup feature. These are sent to bastion. Only I (or, in case of emergency, @Tinuva) have access to this. It's fairly manual to obtain backups for restoration as well. These also present some security risk, as these backup files contain usernames and passwords.
Mikrotik changed the feature to encrypt backups by default, but I have disabled encryption, as it is often impossible to track down the account used to encrypt the backup, making restoration near impossible.
What we backup
The idea would be to have a daily run via WMS doing a /export compact from each OSPF RB. This will be done logged in as user ctwug. This will export all settings but will not export any passwords / user accounts. These will need to be manually restored if the RB is restored.
Log into a router using ctwug/ctwug and run /export compact on the terminal to see what it produces. See the Mikrotik Wiki for more info on this command.
The resultant files will be stored in a structure roughly as follows:
backups/[node name]/[ospf ip].rsc
How we keep track of backups
Then I propose that the whole backups folder gets tracked via git and made available on GitLab. Each day WMS will commit any changes to configs to this repository.
This repository can be made public (at least on the wug side). This could perhaps be limited to network admins or otherwise, as we see fit?
This will make it possible for anyone to track changes made by date for any OSPF RB. One would then, in theory, be able to restore the state of any RB at any point in time.
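One way the daily WMS job could look, as an added example (not the proposal's own WMS code): it exports each RB over ssh as user ctwug into the backups/[node name]/[ospf ip].rsc layout, refuses to keep a file that unexpectedly contains credential-like keys, and commits the result. It assumes ssh key authentication for ctwug is already set up, a node list file with "node_name ospf_ip" lines, that the backups folder is already a git checkout, and the password-key patterns used for the check are an assumption.

```shell
#!/bin/sh
# Daily /export compact of every OSPF RB into a git-tracked backups folder.
# Assumptions: ssh key auth for ctwug, node list lines "node_name ospf_ip",
# BACKUP_ROOT is an existing git checkout. SSH_CMD is overridable for testing.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-backups}"
SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=10}"

# Path layout from the proposal: backups/[node name]/[ospf ip].rsc
backup_path() {
    printf '%s/%s/%s.rsc\n' "$BACKUP_ROOT" "$1" "$2"
}

# Sanity check: /export is expected to omit credentials, so a file that still
# carries a password-like key (assumed patterns) must never reach the repo.
has_secrets() {
    grep -Eiq '(^|[[:space:]])(password|secret|passphrase|wpa2?-pre-shared-key)=' "$1"
}

# Export one router. Returns 1 if ssh failed or the output looks like it
# contains credentials; the partial file is discarded in both cases.
export_router() {
    node="$1"; ip="$2"
    out="$(backup_path "$node" "$ip")"
    mkdir -p "$(dirname "$out")"
    if ! $SSH_CMD "ctwug@$ip" '/export compact' > "$out.tmp"; then
        rm -f "$out.tmp"; return 1
    fi
    if has_secrets "$out.tmp"; then
        rm -f "$out.tmp"; return 1
    fi
    mv "$out.tmp" "$out"
}

# Walk the node list, then commit whatever changed (no-op on unchanged days).
run_all() {
    while read -r node ip; do
        [ -n "$node" ] || continue
        export_router "$node" "$ip" || echo "export failed: $node ($ip)" >&2
    done < "$1"
    git -C "$BACKUP_ROOT" add -A
    git -C "$BACKUP_ROOT" commit -qm "daily export $(date +%F)" || true
}
```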
What do we gain/lose
I list my thinking on advantages and disadvantages below; the disadvantages appear quite minor compared to the advantages?
Advantages:
- It's a backup but also a change tracking feature.
- More people have access, making the backup/restore process more accessible.
- Less security risk, as we do not store user account details or passwords.
- This can be expanded to cover any potential router text configuration file for other non-Mikrotik products.
- When restoring, the user simply has to copy the script to the router and run it. It can also be done automatically as part of a netinstall.
Disadvantages:
- I'm not sure how large such a repository would be. It might become too large, as it tracks every change on every OSPF RB.
- Passwords / user accounts will have to be restored manually (this includes OSPF passwords).
- It will not track who made changes. All changes will be committed to the repository under a default WMS user.
- It will only track changes on a daily basis.