Tuesday, 18 June 2013

selective rsync cracked --precurse-parents

We all know that rsync is one of the elite unix programs. It has no equal and it is so well written and so powerful why would anyone try?

So what is my problem?

I want to back up /var/lib/mysql/ and /etc/pki/ and I want to do it recursively so that I recreate the actual path, (none of that incestuous relative stuff for me!)

What I /think/ I'm after is:

rsync --precurse-parents -maPAX \
--filter='+ /var/lib/mysql/**' \
--filter='+ /var/www/sites/*.org/**' \
--filter='+ /var/www/sites/notice.*/**' \
--filter='- /**' \
--filter='- *' \
--rsync-path='sudo rsync' 'rsync@server:/' /var/backup/server

Where the (wished-for) --precurse-parents would be like --prune-empty-dirs but would include the parent dirs /var and /var/lib because of /var/lib/mysql, while excluding /var/* and /var/lib/*.

It is something that I've fought with for over a decade. I've written perl scripts to solve the problem. I've written bash scripts. I've even been crazy enough to read the documentation, (man rsync), but it wasn't until today that I understood.

About 83% of the way through the man page is:

       Note  that,  when  using  the  --recursive  (-r)  option (which is implied by -a), every subcomponent of every path is visited from the top down, so
       include/exclude patterns get applied recursively to each subcomponent’s full name (e.g. to  include  "/foo/bar/baz"  the  subcomponents  "/foo"  and
       "/foo/bar" must not be excluded).  The exclude patterns actually short-circuit the directory traversal stage when rsync finds the files to send.  If
       a pattern excludes a particular parent directory, it can render a deeper include pattern ineffectual because rsync  did  not  descend  through  that
       excluded section of the hierarchy.  This is particularly important when using a trailing ’*’ rule.  For instance, this won’t work:

              + /some/path/this-file-will-not-be-found
              + /file-is-included
              - *

       This  fails  because  the  parent  directory "some" is excluded by the ’*’ rule, so rsync never visits any of the files in the "some" or "some/path"
       directories.  One solution is to ask for all directories in the hierarchy to be included by using a single rule: "+ */" (put it somewhere before the
       "-  *" rule), and perhaps use the --prune-empty-dirs option.  Another solution is to add specific include rules for all the parent dirs that need to
       be visited.  For instance, this set of rules works fine:

              + /some/
              + /some/path/
              + /some/path/this-file-is-found
              + /file-also-included
              - *

And that solved the problem for me:

rsync -maPAX \
--filter='- *.swp' \
--filter='- .git/' \
--filter='+ /var/' \
--filter='+ /var/lib/' \
--filter='+ /var/lib/mysql**' \
--filter='+ /var/www/' \
--filter='+ /var/www/sites/' \
--filter='+ /var/www/sites/*.org/' \
--filter='+ /var/www/sites/*.org/**' \
--filter='+ /var/www/sites/notice.*/' \
--filter='+ /var/www/sites/notice.*/**' \
--filter='- /var/www/sites/*' \
--filter='- /var/www/*' \
--filter='- /var/*/*' \
--filter='- /var/*' \
--filter='- /**' \
--filter='- /*' \
--prune-empty-dirs \
--rsync-path='sudo rsync' 'rsync@server:/' /var/backup/server

I think of this as, "include /var/ {so that rsync can see /var/www}"
"include /var/www/sites/*.org/ {include all of the .org sites}"
"include /var/www/sites/*.org/** {and the files+dirs of those .org sites}"

The mysql line includes the desired dir and everything in it, but would also match /var/lib/mysql_archive_do_NOT_backup, so it is a little more risky.
 
So each time rsync has to choose, it goes through the whole filter from the top down and includes/excludes things that it finds, and if it hasn't included /var/www then /var/www/sites is _never_ going to match. The usual advice is to try the following:
rsync -maPAX \
--filter='+ */' \
--filter='+ /var/www/sites/*.org/' \
--filter='+ /var/www/sites/*.org/**' \
--filter='- /var/www/*' \
--filter='- /var/*/*' \
--filter='- /var/*' \
--filter='- /**' \
'rsync@remote:/' ~rsync/backup/
but I think that the first filter line has the hardest implication to comprehend.


Also,
rsync -mnavvPAX from to
is really helpful, (the -nvv does a dry-run and gives additional info.)

 This would then be:
 
rsync -dwim --filter='+ /var/www/sites/*.org/**'  server /var/backup/server/
 
I'm sure there is still a better way to get rsync to precurse-parents, as it were, but I'm happy with this solution, (until some kind person adds a comment suggesting an even easier or quicker way to do this.)
 
 [dwim = Do What I mean; not a real rsync flag]
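
One way to get the effect of the wished-for --precurse-parents, as an added example that is not part of the original post: a shell function (parent_filters is a hypothetical name) that prints an include rule for every parent of each wanted directory, then the directory's contents, then the closing exclude. Because it emits '+ /var/lib/mysql/' and '+ /var/lib/mysql/**' rather than '+ /var/lib/mysql**', it does not match /var/lib/mysql_archive_do_NOT_backup; the rules file path in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): generate the parent-directory
# include rules that rsync needs before a deep include can ever match.

# parent_filters DIR...
#   DIR is an absolute directory; rsync wildcards are allowed if quoted.
#   Prints one filter rule per line: every parent, the directory itself,
#   its contents, and a closing "- *" that excludes everything else.
parent_filters() {
    for dir in "$@"; do
        case $dir in
            /?*) ;;
            *) echo "parent_filters: not an absolute directory: $dir" >&2
               return 1 ;;
        esac
    done
    (
        set -f      # do not glob-expand patterns such as *.org while splitting
        IFS=/       # split each path into its components
        for dir in "$@"; do
            prefix=
            for part in $dir; do
                [ -n "$part" ] || continue
                prefix="$prefix/$part"
                printf '+ %s/\n' "$prefix"          # /var/, /var/lib/, ...
            done
            [ -z "$prefix" ] || printf '+ %s/**\n' "$prefix"
        done
    ) | awk '!seen[$0]++'   # drop repeated parents, keep first-seen order
    printf '%s\n' '- *'
}

# Usage sketch (rules file path is an assumption):
#   parent_filters /var/lib/mysql '/var/www/sites/*.org' > /tmp/backup.rules
#   rsync -maPAX --filter='merge /tmp/backup.rules' \
#       --rsync-path='sudo rsync' 'rsync@server:/' /var/backup/server
```

Checking the generated rules with the -nvv dry-run mentioned above before a real transfer shows which rule each path hit.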
 



Monday, 1 April 2013

Easier before you are dead

Dead men tell no tales,
(of what their passphrase is, once they are gone.)

I think that most of us can agree that it is hard to get much done after you are dead. I overheard two people talking about death and how hard it can be to clean up after people. The example that one gave was, "how do you take down their social-network?". This is a good question.

I introduced myself and asked if they wanted to know the answer. They seemed to, and that is what I'm going to share with you now. Before I do that there are just two things that I need to check.

That you have installed a proper backup solution, and that you have something like keepass in which to store all of your private details. (I'll wait while you download and install them - I'm not going anywhere... unless I've died.)

So now let us imagine that you have a nice long, but memorable phrase that you use to lock keepass. You can use something called Shamir's Secret Sharing Scheme to do a little mathamagic.

SSSS lets you take a number, (let's pick 15) and create a number of shares, (let's say five). Each share is useless on its own, but, (and this is the clever bit) you can choose how many have to be combined to recover the original number! (If your mind hasn't been blown then read on.)


1-0a8b
2-971c
3-aca4
4-381d
5-03b7



The number of shares required is called the quorum, (in this case 3), and it does not matter which of the shares are used as long as they add up to the quorum, (you can only use one share once.)

You can test this at http://point-at-infinity.org/ssss/demo.html paste in any three of the above and press combine. (If that site goes offline because not enough people have contributed or because someone has died, then there are ssss programs like ssss-split that you can download and use.)

So how does this help? Well the words that you are reading right now are on a computer, (unless you printed this out) and words, for a computer are just numbers. So it is possible to put your passphrase through SSSS and create a share for each of the people that you trust. This means that, after you die, they can get together, (or just email it to each other) and recreate your passphrase. I gave one share to each of my five best friends, and four shares to my lawyer. The quorum that I set was 7, so my lawyer will need any three of my friends to recreate my keepass passphrase, (I hope that no more than two of them die in that car crash with me!).
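
The sharing idea and the weighted split described above (secret 15, quorum 7, one share per friend, four for the lawyer), as an added sketch that is not part of the original post and not the ssss tool's code. It works in a small prime field chosen for this sketch, so its shares are not interchangeable with the ones printed above; the function names, the share numbering (friends 1 to 5, lawyer 6 to 9) and the fixed coefficients are assumptions made for repeatability, and a real split needs random coefficients.

```shell
#!/bin/sh
# Added sketch: Shamir sharing over the prime field P (constructed toy
# parameters; a real split needs random coefficients and a vetted tool).
P=65521    # largest prime below 2^16; products fit in 64-bit shell arithmetic

# modpow BASE EXP: BASE^EXP mod P (square and multiply)
modpow() {
    b=$(( $1 % P )); e=$2; r=1
    while [ "$e" -gt 0 ]; do
        if [ $(( e & 1 )) -eq 1 ]; then r=$(( r * b % P )); fi
        b=$(( b * b % P )); e=$(( e >> 1 ))
    done
    echo "$r"
}

# make_share X SECRET C1 C2 ...: print "X-Y" where Y = f(X) and
# f(x) = SECRET + C1*x + C2*x^2 + ...; quorum = number of coefficients + 1
make_share() {
    x=$1; shift; y=0; xp=1
    for c in "$@"; do
        y=$(( (y + c * xp) % P )); xp=$(( xp * x % P ))
    done
    echo "$x-$y"
}

# combine X-Y ...: Lagrange interpolation at x = 0 over the given shares
combine() {
    secret=0
    for si in "$@"; do
        xi=${si%%-*}; yi=${si#*-}; num=1; den=1
        for sj in "$@"; do
            xj=${sj%%-*}
            [ "$xj" -ne "$xi" ] || continue
            num=$(( num * (P - xj) % P ))               # factor (0 - xj)
            den=$(( den * ((xi - xj + P) % P) % P ))    # factor (xi - xj)
        done
        inv=$(modpow "$den" $(( P - 2 )))               # Fermat inverse of den
        secret=$(( (secret + yi * num % P * inv) % P ))
    done
    echo "$secret"
}

# The post's split: secret 15, quorum 7, friends hold x=1..5, lawyer x=6..9.
COEFFS="15 101 202 303 404 5 6"     # constructed, NOT random: demo only
shares=""
for n in 1 2 3 4 5 6 7 8 9; do shares="$shares $(make_share "$n" $COEFFS)"; done
```

Passing the lawyer's four shares plus any three friends' shares to combine returns 15; the five friends' shares alone, or the lawyer's plus only two friends', interpolate to a different number.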

I change my keepass passphrase on the 1st of every month, so how do I get an update to my lawyer?
I don't!
I have passwords.txt inside of a truecrypt encrypted container and on the first of every month I update it with the latest dump from keepass... (and then I check it in because I have the inside of pw.tc under GIT version control.) - so my friends have to find pw.tc, which is in my Documents and has a link from my desktop on a special computer that is encrypted with a passphrase that is recorded in each of their keepass, (and if they forget I have it mentioned/explained in my will.) 

 The only problem with this is that you will not be able to do this once you are dead, and you do not know when you are going to die, (so DO IT NOW!.)

The reason that SpiderOak is so good, (other than the encryption done properly) is that once it is installed you can forget about it. That means that it makes life easier rather than harder. Moving over to keeping important data in keepass might seem hard for those of you still silly enough to use one password for everything, but those that have a piece of paper with notes on should at least think of keepass as a good backup for when that paper is lost, (though you might be tempted to keep that piece of paper after you have entered all of your existing passphrases and bank details into keepass, but DON'T! It will only lead to problems in the long-run and possibly problems for those that you leave behind.)

Things that would be helpful.

1. An easy and encrypted way to transfer keepass entries to someone else. I'm thinking some sort of PGP based module in keepass that would encrypt and send one, (or a group) of entries to a remote address, and an easy way to import them. I don't mind holding onto a SSSS share for a friend, but I'd like to be able to import it as easily as cut-n-paste.

2. A nice way for a lawyer to store all of their clients' shares. I've printed out the shares for my lawyer and they are part of my will, but so far my lawyer has resisted installing SpiderOak, (he is still running on windows 98!) because he does not trust it, (or it might be that I failed to explain how impressive it is to him - I'll have another try.)

Friday, 1 March 2013

2013 first quarter ameralration

January
Every day in the first month of 2013 I either did the whole of the Yang-style short-form or 8 pieces of brocade and qigong. I worked on designing my standing-on-stake practice, and wrote a blog entry that covered everything that I had experienced in my experiments into energy works.
I also collected a few more qigong exercises and started to design a taichi/qigong database, to store all of the movements and forms.

I wondered how close we had got to a standard term for tai chi and qi gong. (So obviously I asked www.google.com/trends/):


February
It seems that qi gong is twice as popular as chi kung, but T'ai Chi ch'uan, (google is clever when it comes to ') dwarfs taiji ch'uan. So it looks like the standard is "Tai chi" and "Qi Gong", (even though the chi/Qi parts are, as far as I understand, the same thing.)

So on to February. My resolution for 201302 was to stretch at least once a day. I found ways to stretch while being at the keyboard, and I focused on the flexibility in my legs, (my arms are quite flexible already.)

In just the first week I managed to go from "wildly grasping to touch my toes with my finger-tips" to "being able to comfortably rest the knuckles of my closed fists on the ground". My goal is to be able to hug my knees this year.

March
March-ing on I don't have a plan, so that is why I'm writing this to help me think.
I guess a month without alcohol could be possible. Or at least 30 minutes working the soil per day. I'm still doing more Taichi than I was in the last quarter of 2012. 

Thursday, 21 February 2013

Doing an update and it spits out:
 
Error reading from server. Remote end closed connection [IP: 213.138.101.222 80]
Fetched 2,422 kB in 23s (104 kB/s)
W: GPG error: http://ppa.launchpad.net raring Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 32B18A1260D8DA0B
W: Failed to fetch http://notice.alexx.net/apt/en  Error reading from server. Remote end closed connection [IP: 213.138.101.222 80]

E: Some index files failed to download. They have been ignored, or old ones used instead.


(happened to be ubuntu 12.Unity_sux).

Google found the solution for me on http://gentoo-blog.de/ubuntu/ubuntu-gpg-error-httpppalaunchpadnet-intrepid-release/  but as it was not the first link I wanted to help bump it up, (if linking to a page still does that) and thank (I'm guessing from whois) Simon Pearce, for having the perfect reminder well laid out; thank you.

gpg --keyserver subkeys.pgp.net --recv 32B18A1260D8DA0B && \
gpg -a --export 32B18A1260D8DA0B | sudo apt-key add -


Not a gpg function that I perform on a weekly basis, so having a note can be helpful.

Saturday, 26 January 2013

50 shades of Spartacus

I see that the Spartacus train has got to the third season. I wonder if this will damage the sales of 50 shades books.

Monday, 7 January 2013

New CMS - Notice::Pages

Have you ever wanted a CMS to manage a website [0] that creates static pages, (either with or without a template) ?

Do you want that template to be just HTML with no micro-language, (other than HTML) ?
Do you want that template to have the option of having as much CSS and javascript as you, (or they) want?

Do you want someone, (or even a team) to be able to write and edit the pages and only the Editor, (or Editors) to have the power to actually publish, (set live) the pages that are ready, (and even un-publish them.)

Welcome to Notice::Pages. A small perl module built on Notice.

Notice::Pages creates flat-files and integrates with an installation of Notice to create the static portion of the website. (All of the dynamic parts and those that require authentication reside on the far side of Notice::Login.)

Deceptively simple, but infinitely flexible, (and with a touch more development it will have the option of a separate template for each page and one static site per account - so that Notice can optionally host multiple sites at the same time.)

Using the deceptively powerful CKeditor, Notice::Pages is light-weight, ready to use, (and looking for a strap-line - and some feed-back.)


[0] or more likely you want the customer, (your friend/parent/sibling) to manage their own website.

You can't move


or

The new Zeno's paradox

Imagine an infinitely long conveyor belt that is one kilometre wide. On each side of the conveyor belt is flat uninterrupted terrain of the same material as the belt. (The belt is also empty east of where our story is set.) On this conveyor belt we find two twins, (they are each other's twin, not one from two pairs of twins.)

They grow up on the conveyor belt until they are twenty-one years old. They, (by the miracle that improbable does not equal impossible) remain identical to this day. To celebrate their birthday they decide to have a straight line drag-race. They have two almost identical cars, except that one has a maximum speed of 2 kilometres per hour and the other has a maximum of 4 kilometres per hour.
(Not the most exciting of drag-races, but it makes it easier to remember the numbers.)

The starting block for these two vehicles is a contraption at the edge of the conveyor belt that suspends the slower car one millimetre above the belt, (no, the wheels are not touching the belt), and the other one millimetre above the surrounding flat land. Neither car can turn left or right and the starting contraption, (that will drop both cars at the same time), sends them off parallel to the edge of the belt. (The wheels have been constructed so that they have perfect friction and both will start at their maximum speed.)

The belt is moving east, (always has, always will) at exactly 2 kilometres per hour, (this is the direction of the race).

You are friends with one of the twins and she asks you which car she should pick.

Those of you that know v1+v2 != (v1+v2) will tell her to pick the 4 kilometre per hour car, as the 2 kilometre per hour car will be going ever so slightly slower than the 4 kilometres per hour car.

So if this happened in a galaxy that is already moving at the speed of light, would they be able to move at all?
