This is the command clsync that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
clsync - live sync tool, written in GNU C
SYNOPSIS
clsync [ ... ] -- [ sync-handler-arguments ]
DESCRIPTION
clsync executes sync-handler with appropriate arguments on FS events in directory
watch-dir using the inotify(7) or other FS monitoring subsystems.
OPTIONS
This options can be passed as arguments or to be used in the configuration file.
To disable numeric option set to zero:
=0
To disable string option (for example path to file) set to empty string:
=
Also you can use previously set values while setting new options. Substring %option_name%
will be substituted with previously set value of option option_name. (see CONFIGURATION
FILE)
sync-handler-arguments applies only to modes:
simple, direct, shell, rsyncdirect, rsyncshell
To set sync-handler-arguments in config file use '--'. An example:
-- = -aH --exclude-from %EXCLUDE-LIST% --include-from=%INCLUDE-LIST% --exclude '*'
%watch-dir%/ %destination-dir%/
-W, --watch-dir watch-dir
Root directory to be monitored by clsync.
Required.
-S, --sync-handler sync-handler
Path to sync-handler to be used for syncing by clsync. (see --mode)
Is required for all modes except "direct" and "rsyncdirect" [see SYNC HANDLER
MODES]
-R, --rules-file rules-file
Path to file with filter rules of objects to be monitored. (see RULES)
Is not set by default.
-D, --destination-dir destination-directory
Defines directory to sync to for modes "rsyncdirect", "rsyncso" and "so". (see
--mode)
Is not set by default.
-M, --mode mode
Sets syncing mode. Possible values:
simple
calls sync-handler for every event
direct
calls sync-handler for every sync with passing files lists as
arguments
shell
calls sync-handler for every sync with passing files lists in a file
rsyncdirect
calls rsync by path sync-handler directly
rsyncshell
calls sync-handler that supposed to run rsync for every sync
(recommended mode)"
rsyncso
loads shared object by path sync-handler with dlopen(3) and calls
function clsyncapi_rsync function for every sync
so
loads shared object by path sync-handler with dlopen(3) and calls
function clsyncapi_sync function for every sync
See SYNC HANDLER MODES
Required.
-b, --background
Daemonize, forcing clsync to fork() on start.
Is not set by default.
-H, --config-file config-file-path
Use configuration from file config-file-path (see CONFIGURATION FILE).
Set to "/NULL/" if no config files should be read.
Is not set by default.
-K, --config-block config-block-name
Use configuration block with name config-block-name (see CONFIGURATION FILE).
The default value is "default".
--config-block-inherits config-parent-block-name
Use configuration block with name config-parent-block-name as parent for
config-block-name (see CONFIGURATION FILE). Options from config-parent-block-name
will be inherited to config-block-name.
The default value is "default".
--custom-signals custom-signals
Set a list of signals and corresponding config block names. The config block will
be use on catching the corresponding signal.
Format is
signal:config-block-name[,signal:config-block-name[,...]]
For example:
--custom-signals=29:debug,28:normal
In this line signals "28" and "29" will be added to the sighandler. And clsync
will use options from config block "debug" on signal 29 and "normal" on signal 28.
To reset all custom signals use the 0-th signal (e.g. "--custom-signals=0").
The default value is "".
-z, --pid-file path-to-pidfile
Writes pid to file by path path-to-pidfile.
Is not set by default.
--status-file status-file-path
Write status description into file with path status-file-path.
Possible statuses:
starting
initializing subsystems and marking file tree with FS monitor
subsystem
initsync
processing initial syncing
running
waiting for events or syncing
synchandler error
waiting between synchandler execution tries (after a failure) [is
used only while --threading=off]
rehashing
reloading configuration files
thread gc
running threads' garbage collector
preexit
executing the --pre-exit-hook
terminating
running the last iteration (if required) and preparing to die
exiting
executing the --exit-hook and cleaning up [for valgrind(1)]
Is not set by default.
-r, --retries number-of-tries
Tries limit to sync with sync-handler.
clsync will die after number-of-tries tries.
To try infinite set "0".
Delay between tries is equal to --delay-sync value.
The default value is "1".
--ignore-failures
Don't die on sync failures.
Is not set by default.
--exit-on-sync-skip
Exit if some event could be skipped due to any reason.
For example FreeBSD has a very short BSM event queue (1024). So it may be
overflowed and some events can not climb to the queue. This option forces clsync to
exit if the queue had been overflowed.
Is not set by default.
-p, --threading threading-mode
Use pthreads(7) to parallelize syncing processes. For example if clsync (with
--threading=off) is already syncing a huge file then all other syncs will be
suspended until the huge file syncing finish. To prevent this suspends you can use
"safe" or "full" threading mode.
Possbile values:
off
disable threading for syncing processes.
safe
parallelize syncs but suspend syncings of object that are already
syncing in another process (until the process finish).
full
parallelize syncs without suspendings.
Characteristics:
off
New modifications won't be synced until old ones finish.
safe
Theoretically is the best way. But may utilize of lot of CPU if
there's a lot of simultaneous parallel syncs. (also this way is not
well tested)
full
May cause multiple simultaneous syncing of the same file, which in
turn can cause bug inside sync-handler (see below).
If you're running clsync with option --threading=full in conjunction with rsync
with option --backup, you may catch a bug due to nonatomicity of rsync's file
replace operation. (see DIAGNOSTICS)
The default value is "off".
-Y, --output log-destination
Sets destination for log writing (errors, warnings, infos and debugging).
Possible values:
stderr
stdout
syslog
The default value is "stderr".
--one-file-system
Don't follow to different devices' mount points. This option just adds option
"FTS_XDEV" for fts_open(3) function.
Warning! If you're using this option (but no --exclude-mount-points) clsync will
write neither includes nor excludes of content of mount points.
This may cause problems e.g. you're using rsync for sync-handler without similar
option "--one-file-system".
Is not set by default.
-X, --exclude-mount-points
Forces --one-file-system but also add excludes to do not sync mount points.
This requires to do stat(2) syscalls on every dir and can reduce performance.
Is not set by default.
--socket socket-path
Create a control socket by path socket-path.
This's very experimental feature.
Is not set by default.
--socket-own socket-owner-user[:socket-owner-group]
Sets the control socket owner user (and group).
Is not set by default
--socket-mod socket-mode
Sets the control socket mode [see chmod(2)].
Is not set by default.
--standby-file standby-file-path
Sets file to path that should be checked before every sync. If file exists the sync
will be suspended until the file is deleted. It may be useful if you need freeze
destination directory while running some scripts.
Is not set by default.
--max-iterations iterations-count
Sets synchronization iterations limit. One iteration means one sync-handler
execution.
iterations-count
set to 0 means no limit (infinite loop).
set to 1 means that only initial sync will be done
set to n means that only initial sync and (n-1) sync-ups after that will be
done
Hint: This option may be useful in conjunction with --exit-on-no-events to prevent
infinite sync-up processes.
The default value is "0".
--modification-signature signature-mask
Sets file/dir modification recheck signature. If file is not modified (according to
the signature) then don't sync it.
See struct stat in lstat(2) for possible fields.
For example reasonable signature-mask-s can be
"dev,ino,mode,uid,gid,rdev,size,atime,mtime,ctime" (there's an alias for that —
"*") or "uid,gid".
Examples of use cases:
chown/chmod
If you're using clsync for fixing file/dir privileges [using chown(1)
and/or chmod(1)] than reasonable signature will be "uid,gid".
Full example: clsync -w5 -t5 -T5 -x1 -W
/var/www/site.example.org/root -Mdirect -Schown --uid 0 --gid 0
-Ysyslog -b1 --modification-signature uid,gid -- --from=root
www-data:www-data %INCLUDE-LIST%
bi-directional syncing
If you're going to setup bi-directional syncing then you may use
--modification-signature "*" to prevent sync loop between servers.
Not enough CPU
If rsync eats too many CPU with rechecking hashsums of files on their
dry open()/close() due to some hacky script (for example "chown -R
www-data:www-data" in cron) then you can use --modification-signature
"dev,ino,mode,uid,gid,rdev,size,atime,mtime" (without "blksize",
"blocks", "nlink" and "ctime").
Warning! This option may eat a lot of memory on huge file trees.
This option cannot be used together with "--cancel-syscalls=mon_stat"
To disable file/dir modification rechecking use empty value — "".
The default value is "".
-k, --timeout-sync sync-timeout
Sets timeout for syncing processes. clsync will die if syncing process alive more
than sync-timeout seconds.
Set "0" to disable the timeout.
The default value is "86400" ["24 hours"].
-w, --delay-sync additional-delay
Sets the minimal delay (in seconds) between syncs.
The default value is "30".
-t, --delay-collect ordinary-delay
Sets the delay (in seconds) to collect events about ordinary files and directories.
The default value is "30".
-T, --delay-collect-bigfile bigfiles-delay
Sets the delay (in seconds) to collect events about "big files" (see
--threshold-bigfile).
The default value is "1800".
-B, --threshold-bigfile filesize-threshold
Sets file size threshold (in bytes) that separates ordinary files from "big files".
Events about "big files" are processed in another queue with a separate collecting
delay. This is supposed to be used as a means of unloading IO resources.
To disable detection of "big files" set "0" (zero). This can improve perfomance by
removing necessity in extra lstat() syscall.
The default value is "134217728" ["128 MiB"].
--cancel-syscalls syscalls-mask
Sets syscalls to be bypassed. This may be used for to squeeze more performance.
Possible values:
mon_stat
Skip lstat() calls while handling files/dirs events. This makes
unpossible to determine files sizes (that is used by
--threshold-bigfile option) and to use option
--modification-signature.
You can combine this values using commas.
To disable this option just use empty value — "".
The default value is "".
-L, --lists-dir tmpdir-path
Sets directory path to output temporary events-lists files.
See SYNC HANDLER MODES.
Is not set by default.
--have-recursive-sync
Use action "recursivesync" instead of "synclist" for directories that were just
marked (see SYNC HANDLER MODES case shell).
Is not set by default.
--synclist-simplify
Removes the first 3 parameters in list files of action "synclist" (see SYNC HANDLER
MODES case shell).
Is not set by default.
--rsync-inclimit rsync-includes-line-limit
Sets soft limit for lines count in files by path rsync-listpath. Unfortunately,
rsync works very slowly with huge "--include-from" files. So, clsync splits that
list with approximately rsync-includes-line-limit lines per list if it's too big,
and executes by one rsync instance per list part. Use value "0" to disable the
limit.
The default value is "20000".
--rsync-prefer-include
Forces clsync to prefer a "lot of includes" method instead of a "excludes+includes"
for rsync on recursive syncing.
See cases rsyncshell, rsyncdirect and rsyncso of SYNC HANDLER MODES.
This option is not recommended.
Is not set by default.
-x, --ignore-exitcode exitcode
Forces clsync to do not process exitcode exitcode of sync-handler as an error. You
can set multiple ignores by passing this option multiple times.
Recommended values for rsync case is "24". You can set multiple values with listing
a lot of "-x" options (e.g. "-x 23 -x 24") or via commas (e.g. "-x 23,24"). To drop
the list use zero exitcode (e.g. "-x 0"). For example you can use "-x 0,23" to drop
the list and set "23"-th exitcode to be ignored.
Is not set by default (or equally is set to "0").
-U, --dont-unlink-lists
Do not delete list-files after sync-handler has finished.
This may be used for debugging purposes.
Is not set by default.
--fts-experimental-optimization
Enable experimental features to optimize file tree scanning while using fts(3).
The features will be enabled by default after appropriate testing.
At the moment the option doesn't do anything but can be used in future.
Is not set by default.
-F, --full-initialsync
Ignore filter rules from rules-file on initial sync.
This may be useful for quick start or e.g. if it's required to sync "/var/log/"
tree but not sync every change from there.
Is not set by default.
--only-initialsync
Exit after initial syncing on clsync start.
Is not set by default.
--exit-on-no-events
Exit if there's no events. Works like --only-initialsync, but also syncs events
collected while the initial syncing.
Unlike --only-initialsync this option uses FS monitor subsystem to monitor for new
events while the initial syncing. This may reduce performance. On the other hand
this way may be used to be sure, that everything is synced at the moment before
clsync will exit.
Is not set by default.
--skip-initialsync
Skip initial syncing on clsync start.
Is not set by default.
--exit-hook path-of-exit-hook-program
Sets path of program to be executed on clsync exit.
If this parameter is set then clsync will exec on exit:
path-of-exit-hook-program label
The execution will be skipped if initial sync wasn't complete.
Is not set by default.
--pre-exit-hook path-of-pre-exit-hook-program
Sets path of program to be executed before the last sync iteration (see
--max-iterations, --exit-on-no-events and SIGNALS).
If this parameter is set then clsync will exec on exit:
path-of-pre-exit-hook-program label
The execution will be skipped if initial sync wasn't complete.
If clsync finishes due to --exit-on-no-events and --pre-exit-hook is set then the
pre-exit hook will be executed and additional sync iteration will be triggered.
Is not set by default.
-v, --verbose
This option is supposed to increase verbosity. But at the moment there's no
"verbose output" in the code, so the option does nothing. :)
Is not set by default.
-d, --debug
Increases debugging output. This may be supplied multiple times for more debugging
information, up to a maximum of five "d" flags (more will do nothing), for example
"-d -d -d -d -d" or "-d5" (equivalent cases)
Is not set by default.
--dump-dir
Directory to write clsync's instance information by signal 29 (see SIGNALS). The
directory shouldn't exists before dumping.
Is set to "/tmp/clsync-dump-%label%" by default.
-q, --quiet
Suppresses error messages.
Is not set by default.
--monitor monitor-subsystem
Switches FS monitor subsystem.
Possible values:
inotify
inotify(7) [Linux, (FreeBSD via libinotify)]
Native, fast, reliable and well tested Linux FS monitor subsystem.
There's no essential performance profit to use "inotify" instead of
"kevent" on FreeBSD using "libinotify". It backends to "kevent"
anyway.
FreeBSD users: The libinotify on FreeBSD is still not ready and
unusable for clsync to sync a lot of files and directories.
gio
Use gio library.
Crossplatform and tested library that backends to kqueue on FreeBSD
and inotify on Linux. See inotify and kqueue sections here for
details.
Not well tested. Use with caution!
kqueue
kqueue(2) [FreeBSD, (Linux via libkqueue)]
A *BSD kernel event notification mechanism (inc. timer, sockets,
files etc).
This monitor subsystem cannot determine file creation event, but it
can determine a directory where something happened. So clsync is have
to rescan whole dir every time on any content change. Moreover,
kqueue requires an open() on every watched file/dir. But FreeBSD
doesn't allow to open() symlink itself (without following) and it's
highly invasively to open() pipes and devices. So clsync just won't
call open() on everything except regular files and directories.
Consequently, clsync cannot determine if something changed in
symlink/pipe/socket and so on. However it still can determine if it
will be created or deleted by watching the parent directory and
rescaning it on every appropriate event.
Also this API requires to open every monitored file and directory. So
it may produce a huge amount of file descriptors. Be sure that
kern.maxfiles is big enough (in FreeBSD).
CPU/HDD expensive way.
Not well tested. Use with caution!
Linux users: The libkqueue on Linux is not working. He-he :)
bsm
bsm(3) [FreeBSD]
Basic Security Module (BSM) Audit API.
This is not a FS monitor subsystem, actually. It's just an API to
access to audit information (inc. logs). clsync can setup audit to
watch FS events and report it into log. After that clsync will just
parse the log via auditpipe(4) [FreeBSD].
Reliable, but hacky way. It requires global audit reconfiguration
that may hopple audit analysis.
Warning! FreeBSD has a limit for queued events. In default FreeBSD
kernel it's only 1024 events. So choose one of:
- To patch the kernel to increase the limit.
- Don't use clsync on systems with too many file events.
- Use bsm_prefetch mode (but there's no guarantee in this case
anyway).
See also option --exit-on-sync-skip.
Not well tested. Use with caution! Also file
/etc/security/audit_control will be overwritten with:
#clsync
dir:/var/audit
flags:fc,fd,fw,fm,cl
minfree:0
naflags:fc,fd,fw,fm,cl
policy:cnt
filesz:1M
unless it's already starts with "#clsync\n" ("\n" is a new line
character).
bsm_prefetch
The same as bsm but all BSM events will be prefetched by an
additional thread to prevent BSM queue overflow. This may utilize a
lot of memory on systems with a high FS events frequency.
However the thread may be not fast enough to unload the kernel BSM
queue. So it may overflow anyway.
The default value on Linux is "inotify". The default value on FreeBSD is "kqueue".
-l, --label label
Sets a label for this instance of clsync. The label will be passed to sync-handler
every execution.
The default value is "nolabel".
-h, --help
Outputs options list and exits with exitcode "0".
Is not set by default.
-V, --version
Outputs clsync version and exits with exitcode "0".
Is not set by default.
--cgroup-group-name cg-group-name
Set cgroup group name [see cgroup_new_cgroup()].
Is set to "clsync/%PID%" by default.
SECURITY OPTIONS
--secure-splitting
Implies "--splitting=process --check-execvp-arguments --seccomp-filter
--forbid-devices"
-u, --uid uid
Drop user privileges to uid uid with setuid(2)
If there's a capabilities(7) support then the default value is "nobody" (or "65534"
if "nobody" not found), otherwise the option is not set by default;
-g, --gid gid
Drop group privileges to gid gid with setgid(2)
If there's a capabilities(7) support then the default value is "nogroup" (or
"65534" if "nogroup" not found), otherwise the option is not set by default;
--privileged-uid sync-handler-uid
An user ID to be used for the privileged process (see --splitting=process).
The default value is "$UID".
--privileged-gid sync-handler-gid
A group ID to be used for the privileged process (see --splitting=process).
The default value is "$GID".
--sync-handler-uid sync-handler-uid
An user ID to be used for sync-handler.
See --preserve-capabilities.
The default value is same as for --privileged-uid.
--sync-handler-gid sync-handler-gid
A group ID to be used for sync-handler.
See --preserve-capabilities.
The default value is same as for --privileged-gid.
-C, --preserve-capabilities capabilities-list
[Linux only, requires capabilities]
Use capset(2) and prctl(2) to preserve "CAP_DAC_READ_SEARCH", "CAP_SETUID" or/and
"CAP_SETGID" [see capabilities(7)] Linux capability for process using fts(3),
inotify(7) and execve(2). This allows the preservation of enough FS privileges to
watch a file tree and execute the sync-handler with required uid and gid [see
--sync-handler-uid and --sync-handler-gid] after dropping privileges via setuid(2)
and setgid(2) [see --uid and --gid]
Possible values:
CAP_DAC_READ_SEARCH
To bypass FS read checks (for fts and inotify).
CAP_SETUID
To be able to use setuid(2) before execve(2) on the sync-handler.
CAP_SETGID
To be able to use setgid(2) before execve(2) on the sync-handler.
CAP_KILL
To be able to kill setuid()-ed processes
Any combinations of this values are also supported. The list may be
presented as a comma separated values, like:
CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID
The default value is "CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID,CAP_KILL" if the
clsync runner have such privileges.
--inherit-capabilities
[Linux only, requires capabilities]
Sets a mode for capabilities inheriting.
Possible values:
permitted
Inherits all permitted capabilities
dont-touch
Don't change inheritable capabilities set
clsync
Use clsync's effective capabilities set
empty
Reset all capabilities
The default value is "empty".
--splitting splitting-type
Split the process/thread to privileged and non-privileged. This's an additional way
to secure your system from any bug in clsync while running it with capabilities or
root privileges. But clsync may utilize in few times more CPU resources. So it's a
performance vs security trade off.
You can essentialy reduce the overhead with using "high load locks"
("--enable-highload-locks" of "./configure" file).
If you're using this option and running the sync-handler with the root user then
it's highly recommended to enable --check-execvp-arguments, too. Otherwise in case
of clsync security bug a hacker will be able to use execvp() with any arguments
with root privileges.
Possible values:
off
Disable this feature
thread
[Linux only, requires capabilities]
Creates a separate thread for privileged operations.
It's highly recommended to enable --seccomp-filter in this case. But
that will forbid --threading.
process
More secure and portable way, but uses separate process and:
- forbids fanotify (that is not implemented yet anyway);
- more complex code (and higher probability of error).
- slower due to copying data between private and shared memory
pages.
Recommended.
Is set to "off" by default.
--check-execvp-arguments
[Requires --splitting=[thread|process]]
[Blocks --mode=direct]
Enables execvp() arguments recheck in the privileged process (in case of their
substitution to any exploit-given arguments).
This option doesn't utilize a lot of CPU resources but forbids run-time changing of
sync-handler-arguments and hook file paths.
This option cannot be used in conjunction with --mode=direct due to an arbitrary
number of arguments in this mode.
Is not set by default.
--add-permitted-hook-files [hook-path0,[hook-path1[,...]]]
[Requires --check-execvp-arguments]
Adds paths to the list of permitted hook paths to bypass --check-execvp-arguments
checks. It may be required if you're going to change the hooks in run-time using
--custom-signals or --socket.
Is not set by default.
--seccomp-filter
[Linux only]
Use seccomp filter to forbid syscalls that shouldn't be used by clsync.
Forbid all syscalls for non-privileged process/thread, but
futex inotify_init1 alert stat fstat lstat open write close wait4 unlink
tgkill clock_gettime rt_sigreturn brk mmap munmap wait4 rmdir exit_group
select read rt_sigprocmask rt_sigaction nanosleep
Is not set by default.
--permit-mprotect
[Requires --seccomp-filter]
Permits mprotect(2) syscall.
This syscall is required by pthread_create(3), so it's required for --threading.
Makes --shm-mprotect to be useless.
Also it enables ability to change memory of privileged thread from non-privileged,
so using of --splitting=thread with this option is useless, too.
Is set to "0" by default if --splitting is set. Otherwise "1".
--shm-mprotect
[Requires --splitting=process]
Forbid writing or reading to/from shared memory when it shouldn't be. mprotect(2)
is used for the protection.
This option is useless while --permit-mprotect is enabled.
--chroot chroot-directory
clsync chroot()-s [see chroot(2)] to directory chroot-directory before any syncing
processes.
This option may be used in conjunction with --uid, --gid or/and --pivot-root for
security reasons.
Remember! If you're chroot()-ing somewhere, the sync-handler will be limited by the
chroot-environment, too. If you're using rsync then you may want to "mount --bind"
some directories to the chroot-directory.
Is not set by default.
--pivot-root pivot-root-way
[Linux only, requires --chroot]
Sets a way of using pivot_root(2) syscall to the chroot-directory (to umount(2) old
rootfs).
Possible values:
auto
Creates a directory "/dev/shm/clsync-rootfs", unshare(2)-ing the
mount namespace, mount(2)-s the chroot-directory to the directory and
then pivot_root(2)-ing, chroot(2)-ing and umount(2)-ing old rootfs.
Directory "/dev/shm/clsync-rootfs" won't be deleted after clsync
finish.
auto-ro
The same as auto but mounts the directory with read-only option
(MS_RDONLY).
direct
unshare(2)-ing the mount namespace, pivot_root(2)-ing, chroot(2)-ing
and umount(2)-ing old rootfs. Directory "old_root" should be created
in chroot-directory before running clsync in this mode.
off
Don't pivot_root(2).
The default value is "off". If --chroot is used then recommended value is
"auto-ro".
--mountpoints [mountpoint[,mountpoint[,mountpoint]]]
[Linux only]
Umount (with MNT_DETACH) everything except listed mountpoints.
Supposed to be used for security reasons as an alternative to --pivot-root option.
Is not set by default.
--detach-network detach-network-mode
[Linux only]
Removes network in clsync instance.
Possible values:
everywhere
Removes network for all processes.
non-privileged
Removes network from non-privileged process if option
--process-splitting is enabled, otherwise doesn't do anything.
off
Don't do anything.
The default value is "non-privileged".
--detach-ipc
[Linux only]
Make an own IPC namespace.
Is set by default.
--detach-miscellanea
[Linux only]
unshare(2) on everything not listed above.
Is not set by default.
--forbid-devices
[Linux only]
Forbid any access to all devices except listed ones:
read access to:
/dev/console
/dev/zero
/dev/urandom
/dev/random
write access to:
/dev/console
/dev/null
Is not set by default.
PERFORMANCE
Recommendations to improve the perfomance:
- Disable thread/process splitting.
- Don't use clsync rules (use rules on sync-handler side) or/and use option
"--full-initialsync"
- Use option "-B0".
- Use option "--cancel-syscalls=mon_stat".
- Use option "-p safe" or "-p full".
- Disable debugging with "-d0" or better disable debugging support at all with
"./configure" option "--enable-debug=no"
- Don't use option "--exclude-mount-points"
- Free memory for disk cache
You shouldn't follow all this recommendation blindfold. You should use only the ideas that
fixes performance problems in your specific use case. And only if it's necessary.
SYNC HANDLER MODES
clsync executes sync-handler that supposed to take care of the actual syncing process.
Therefore clsync is only a convenient way to run a syncing script.
clsync can run sync-handler in seven ways. Which way will be used depends on specified
mode (see --mode)
sync-handler-arguments are used only in modes:
simple
direct
shell
rsyncdirect
rsyncshell
If sync-handler-arguments are not set then the default setting is used (see below).
case simple
Executes for every syncing file/dir:
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
sync %label% %EVENT-MASK% %INCLUDE-LIST%
In this case, sync-handler is supposed to non-recursively sync file or directory by
path %INCLUDE-LIST%. With %EVENT-MASK% it's passed bitmask of events with the file
or directory (see "/usr/include/linux/inotify.h").
Additional substitutions:
%EVENT-MASK%
Is replaced by integer of events IDs.
%INCLUDE-LIST%
Is replaced by absolute path of a file/dir to be synced.
case direct
Executes for every sync:
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
%INCLUDE-LIST% %destination-dir%/
Additional substitutions:
%INCLUDE-LIST%
Is replaced by a list of relative paths of files/dirs to be synced.
case shell
Executes for every sync (if recursivesync is not used instead):
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
synclist %label% %INCLUDE-LIST-PATH%
Default sync-handler-arguments for initial sync if --have-recursive-sync is set
are:
initialsync %label% %INCLUDE-LIST%
In this case, sync-handler is supposed to non-recursively sync files and
directories from list in a file by path %INCLUDE-LIST-PATH% on "synclist".
Also sync-handler is supposed to recursively sync data from directory by path
%INCLUDE-LIST-PATH% with manual excluding extra files on "initialsync".
Additional substitutions:
%TYPE%
Is replaced by "sync"/"initialsync".
%INCLUDE-LIST-PATH%
Is replaced by the path of the include list file.
%INCLUDE-LIST%
Is replaced by a list of relative paths of files/dirs to be synced.
Not recommended. Not well tested.
case rsyncdirect
Executes for every sync:
sync-handler sync-handler-arguments
sync-handler is supposed to be a path to rsync binary.
Default sync-handler-arguments are:
-aH --delete --exclude-from %EXCLUDE-LIST-PATH% --include-from
%INCLUDE-LIST-PATH% --exclude='*' %watch-dir%/ %destination-dir%/
if option --rsync--prefer-include is not set and
-aH --delete --include-from %INCLUDE-LIST-PATH% --exclude='*' %watch-dir%/
%destination-dir%/
if the option is set
Error code "24" from sync-handler will be ignored in this case. We also recommend
to ignore exitcode "23".
Additional substitutions:
%INCLUDE-LIST-PATH%
Is replaced by the path of the include list file
%EXCLUDE-LIST-PATH%
Is replaced by the path of the exclude list file
%RSYNC-ARGS%
Is replaced by default sync-handler-arguments, but without
"%watch-dir%/ %destination-dir%/"
Recommended case.
case rsyncshell
Executes for every sync:
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
rsynclist %label% %INCLUDE-LIST-PATH% [%EXCLUDE-LIST-PATH%]
In this case, sync-handler is supposed to run "rsync" application with parameters:
-aH --delete-before --include-from %INCLUDE-LIST-PATH% --exclude '*'
if option --rsync-prefer-include is enabled.
And with parameters:
-aH --delete-before --exclude-from %EXCLUDE-LIST-PATH% --include-from
%INCLUDE-LIST-PATH% --exclude '*'
if option --rsync-prefer-include is disabled.
Additional substitutions:
%INCLUDE-LIST-PATH%
Is replaced by the path of the rsync include list file
%EXCLUDE-LIST-PATH%
Is replaced by the path of the rsync exclude list file
Recommended case.
case rsyncso
In this case there's no direct exec*() calling. In this case clsync loads sync-
handler as a shared library with dlopen(3) and calls function "int
clsyncapi_rsync(const char *inclist, const char *exclist)" from it for every sync.
inclist is a path to file with rules for "--include-from" option of rsync. This
argument is always not NULL.
exclist is a path to file with rules for "--exclude-from" option of rsync. This
argument is NULL if --rsync-prefer-include is set.
Excludes takes precedence over includes.
Also may be defined functions "int clsyncapi_init(ctx_t *, indexes_t *)" and "int
clsyncapi_deinit()" to initialize and deinitialize the syncing process by this
shared object.
To fork the process should be used function "pid_t clsyncapi_fork(ctx_t *)" instead
of "pid_t fork()" to make clsync be able to kill the child.
See example file "clsync-synchandler-rsyncso.c".
Recommended case.
case so
In this case there's no direct exec*() calling. In this case clsync loads sync-
handler as a shared library with dlopen(3) and calls function "int
clsyncapi_sync(int n, api_eventinfo_t *ei)" from it for every sync. n is number of
elements of ei. ei is an array of structures with information about what and how
to sync (see below).
api_eventinfo_t is a structure:
struct api_eventinfo {
uint32_t evmask; // event bitmask for file/dir by
path path.
uint32_t flags; // flags of "how to sync" the
file/dir
size_t path_len; // strlen(path)
const char *path; // the path to file/dir need to be
synced
eventobjtype_t objtype_old; // type of object by path path
before the event.
eventobjtype_t objtype_new; // type of object by path path after
the event.
};
typedef struct api_eventinfo api_eventinfo_t;
The event bitmask (evmask) values can be learned from
"/usr/include/linux/inotify.h".
There may be next flags' values (flags):
enum eventinfo_flags {
EVIF_NONE = 0x00000000, // No modifier
EVIF_RECURSIVELY = 0x00000001 // sync the file/dir recursively
};
Flag "EVIF_RECURSIVELY" may be used if option --have-recursive-sync is set.
Is that a file or directory by path path can be determined with objtype_old and
objtype_new.
objtype_old reports about which type was the object by the path before the event.
objtype_new reports about which type became the object by the path after the event.
objtype_old and objtype_new have type eventobjtype_t.
enum eventobjtype {
EOT_UNKNOWN = 0, // Unknown
EOT_DOESNTEXIST = 1, // Doesn't exist (not created yet or already
deleted)
EOT_FILE = 2, // File
EOT_DIR = 3, // Directory
} typedef enum eventobjtype eventobjtype_t;
Also may be defined functions "int clsyncapi_init(options_t *, indexes_t *)" and
"int clsyncapi_deinit()" to initialize and deinitialize the syncing process by this
shared object.
To fork the process should be used function "pid_t clsyncapi_fork(options_t *)"
instead of "pid_t fork()" to make clsync be able to kill the child.
See example file "clsync-synchandler-so.c".
Recommended case.
ENVIRONMENT VARIABLES
Output variables - variables that are set by clsync before calling sync-handler.
Output variables
CLSYNC_STATUS - clsync's status (see possible statuses in description of
--status-file)
CLSYNC_ITERATION - count of done synchronizaton iterations after initial sync see
--max-iterations option
RULES
Filter rules can be used to set which events clsync should monitor and which events it
should ignore.
Caution! This rules doesn't guarantee that filtered file/dir won't be synced. This can
occur because file or directory can appear in the moment of sync-handler running (or after
it but before the sync-handler will reach the directory), so it'll be too late to add an
exclusion. If you need a guarantee of file syncing preventing you can use internal filter
rules of the sync-handler program (for example, rsync has options "--exclude",
"--exclude-from" and "--filter") or use disable any "recursive" syncs in clsync (and
remove "-av" option of rsync if it's used). To disable recursive syncs you can use:
simple
Already non-recursive
direct
Already non-recursive
shell
Don't enable option --have-recursive-sync.
rsyncdirect
Use option --rsync-prefer-include and set sync-handler-arguments to -lptgoD
--delete --include-from %INCLUDE-LIST-PATH% --exclude='*' %watch-dir%/
%destination-dir%/
rsyncshell
Use option --rsync-prefer-include.
rsyncso
Use option --rsync-prefer-include.
so
Don't enable option --have-recursive-sync.
Filter rules can be placed into rules-file with one rule per line.
Rule format: [+-][fdw*]regexp
+ - means include; - - means exclude; f - means file; d - means directory; w - means
walking to directory; * - means all.
For example: -*^/[Tt]est
It's not recommended to use w rules in modes "rsyncdirect", "rsyncshell" and "rsyncso".
rsync(1) allows one to set syncing and walking only together in "--include" rules
("--files-from" is not appropriate due to problem with syncing files deletions). So there
may be problems with clsync's w rules in this cases.
More examples:
Syncing pwdb files and sshd_config (non-rsync case):
+f^/passwd$
+f^/group$
+f^/shadow$
+f^/ssh/sshd_config$
+w^$
+w^/ssh$
-*
Syncing pwdb files and sshd_config (rsync case):
+f^/passwd$
+f^/group$
+f^/shadow$
+f^/ssh/sshd_config$
+d^$
+d^/ssh$
-*
Syncing /srv/lxc tree (rsync case):
-d/sess(ion)?s?$
-f/tmp/
+*
SIGNALS
1 - (HUP) rereads filter rules
2 - (INT) exits without waiting of syncing processes ("hard kill", kills children)
3 - (QUIT) waits for current syncing processes and exit ("soft kill", waits for children)
10 - runs threads' GC function
12 - runs full resync
15 - (TERM) exits without waiting of syncing processes ("hard kill", kills children)
16 - interrupts sleep()/select() and wait() [for debugging and internal uses]
29 - dump information to dump-dir [for debugging]
If you need to kill clsync but leave children then you can use 9-th (KILL) signal.
DIAGNOSTICS
Initial rsync process works very slow on clsync start
Probably there's too huge exclude list is passed to rsync. This can happened if
you're excluding with regex in clsync's rules a lot of thousands files. They will
be passed to rsync's exclude list one by one.
To diagnose it, you can use "-U" option and look into rsync-exclude-listpath file
(see SYNC HANDLER case d)
To prevent this, it's recommended to write such rules for rsync directly (not via
clsync).
For example, often problem is with PHP's session files. You shouldn't exclude them
in clsync's rules with "-f/sess_.*", but you should exclude it in rsync directly
(e.g with «--exclude "sess_*"»).
The following diagnostics may be issued on stderr:
Error: Cannot inotify_add_watch() on [...]: No space left on device (errno: 28)
Not enough inotify watching descriptors is allowed. It can be fixed by increasing
value of "sysctl fs.inotify.max_user_watches"
Error: Got non-zero exitcode exitcode [...]
sync-handler returned non-zero exitcode. Probably, you should process exitcodes in
it or your syncer process didn't worked well. I case of using rsync, you can find
the exitcodes meanings in man 1 rsync.
If exitcode equals to 23 and you're using clsync in conjunction with rsync, this
may happend, for example in next cases:
- Not enough space on destination.
- You're running clsync with --threading=full and rsync with --backup. See
a bugreport ⟨https://bugzilla.samba.org/show_bug.cgi?id=10081⟩.
To confirm the problem, you can try to add "return 0" or "exit 0" into your
sync-handler.
Bad system call
If --use-seccomp option is enabled then the error is probably caused by using of
forbidden syscall. It's a clsync bug or hack attack attempt.
To get support see SUPPORT.
CONFIGURATION FILE
clsync supports configuration file.
By default clsync tries to read next files (in specified order):
~/.clsync.conf
/etc/clsync/clsync.conf
This may be overrided with option --config-file.
clsync reads only one configuration file. In other words, if option --config-file is not
set and file ~/.clsync.conf is accessible and parsable, clsync will not try to open
/etc/clsync/clsync.conf. Command line options have precedence over config file options.
Configuration file is parsed with glib's g_key_file_* API. That means, that config should
consits from groups (blocks) of key-value lines as in the example:
[default]
background = 1
mode = rsyncshell
debug = 0
output = syslog
label = default
pid-file = /var/run/clsync-%label%.pid
[debug]
config-block-inherits = default
debug = 5
background = 0
output = stderr
[test]
mode=rsyncdirect
debug=3
Also glib's gkf API doesn't support multiple assignments. If you need to list some values
(e.g. exitcodes) just list them with commas in single assignment (e.g.
"ignore-exitcode=23,24").
In this example there're 3 blocks are set - "default", "debug" and "test". And block
"debug" inherited setup of block "default" except options "debug", "background" and
"output".
By default clsync uses block with name "default". Block name can be set by option
--config-block.
CLUSTERING
Not implemented yet. Don't try to use cluster functionality.
Not described yet.
EXAMPLES
Mirroring a directory:
clsync -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
Syncing 'authorized_keys' files:
mkdir -p /etc/clsync/rules
printf "+w^$0^[^/]+$0^[^/]+/.ssh$0^[^/]+/.ssh/authorized_keys$0" >
/etc/clsync/rules/authorized_files_only
clsync -Mdirect -Scp -W/mnt/master/home/ -D/home
-R/etc/clsync/rules/authorized_files_only -- -Pfp --parents %INCLUDE-LIST%
%destination-dir%
Mirroring a directory, but faster:
clsync -w5 -t5 -T5 -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
Instant mirroring of a directory:
clsync -w0 -t0 -T0 -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
Making two directories synchronous:
clsync -Mrsyncdirect --background -z /var/run/clsync0.pid --output syslog
-Mrsyncdirect -W/path/to/dir1 -D/path/to/dir2 --modification-signature '*'
clsync -Mrsyncdirect --background -z /var/run/clsync1.pid --output syslog
-Mrsyncdirect -W/path/to/dir2 -D/path/to/dir1 --modification-signature '*'
Fixing privileges of a web-site:
clsync -w3 -t3 -T3 -x1 -W/var/www/site.example.org/root -Mdirect -Schown --uid 0
--gid 0 -Ysyslog -b1 --modification-signature uid,gid -- --from=root
www-data:www-data %INCLUDE-LIST%
'Atomic' sync:
clsync --exit-on-no-events --max-iterations=20 --mode=rsyncdirect -W/var/www_new
-Srsync -- %RSYNC-ARGS% /var/www_new/ /var/www/
Moving a web-server:
clsync --exit-on-no-events --max-iterations=20 --pre-exit-hook=/root/stop-here.sh
--exit-hook=/root/start-there.sh --mode=rsyncdirect --ignore-exitcode=23,24
--retries=3 -W /var/www -S rsync -- %RSYNC-ARGS% /var/www/ rsync://clsync@another-
host/var/www/
Copying files to slave-nodes using pdcp(1):
clsync -Msimple -S pdcp -W /opt/global -b -Y syslog -- -a %INCLUDE-LIST%
%INCLUDE-LIST%
Copying files to slave-nodes using uftp(1):
clsync -Mdirect -S uftp -W/opt/global --background=1 --output=syslog -- -M
248.225.233.1 %INCLUDE-LIST%
A dry running to see rsync(1) arguments that clsync will use:
clsync -Mrsyncdirect -S echo -W/path/to/source_dir -D/path/to/destination_dir
An another dry running to look how clsync will call pdcp(1):
clsync -Msimple -S echo -W /opt/global -b0 -- pdcp -a %INCLUDE-LIST% %INCLUDE-LIST%
More working examples you can try out in "/usr/share/doc/clsync/examples/" directory. Copy
this directory somewhere (e.g. into "/tmp"). And try to run "clsync-start-rsync.sh" in
there. Any files/directories modifications in "testdir/from" will be synced to
"testdir/to" in a few seconds.
Use clsync online using onworks.net services