Oleg Ovechkin

View Original

Using a Raspberry Pi for Time Machine


Updates:


This is a step-by-step, start-to-finish guide to configure a Raspberry Pi as a network storage device for macOS Time Machine backups. A few things to get out of the way before proceeding:

  • Since we are talking about Time Machine, I assume you have at least one Mac in your possession with working SSH client.

  • You are not afraid of Terminal and comfortable with command line.

  • I also assume that the Time Machine backups will be encrypted, so we won’t be dealing with encryption on the Raspberry Pi end.

Please note, just backing up your Mac to an external drive or network attached storage without sending those backups also off premises does not constitute a solid data backup and recovery strategy. Here is a paper from Carnegie Mellon University produced for US-CERT discussing the topic in more details.

Prerequisites

  • Raspberry Pi 4. While you can use almost any model of Raspberry Pi, I recommend Pi 4 simply because it features USB 3.0, which significantly improves speed of writing / reading to and from external hard drives and its Gigabit Ethernet port throughput is not capped at 300Mbps.

    • I buy kits made by CanaKit. They come with beefier 3.5 amp power supplies guaranteeing there will be enough juice to power an external 2.5 inch spinning hard drive. I also prefer passive cooling cases, and CanaKit has a few SKUs including those - I believe CanaKit rebrands cases made by Flirc. If you decide to go this route, I highly recommend getting a set of heatsinks as well, for some reason aluminum case CanaKit kits come with no heatsinks for memory or IO chips ¯\_(ツ)_/¯

  • MicroSD card. Raspberry Pi boots from a microSD card. Majority of kits include one, otherwise you will need to get it, 4GB or larger capacity.

  • MicroSD card reader that works with a Mac. We will be preparing bootable microSD media using a Mac.

  • External USB hard drive / SSD. Any will do as long as it’s roomy enough for your backup needs and has USB 3.0 interface. I purchased and use Seagate 5TB USB 3.0 2.5 inch external hard drive. Those are sold at Costco (and frequently go on sale). So far it has served me well without any issues.

  • Ethernet cable. It is a good idea to keep your Raspberry Pi off Wi-Fi network to ensure the best possible performance during backups.

Installing OS

Let’s get our microSD card ready for the first boot of the Raspberry Pi. The steps in this section are performed on a Mac.

  • First, download and install the official Raspberry Pi Imager software to your Mac.

  • Run Raspberry Pi Imager and choose Raspberry Pi OS Lite (32-bit) as shown below:

Fig 1. Raspberry Pi Imager Home Screen

Fig 2. Raspberry Pi Imager OS Selection. Raspberry Pi OS Other

Fig 3. Raspberry Pi Imager OS Selection. Raspberry Pi OS Lite

  • Next, click Choose Storage (middle button on the Raspberry Pi Imager Home Screen) and choose the card reader with the microSD in it.


⚠️ Note on Raspberry Pi OS Bullseye April 2022 update.

Fig 2022-04-20-Update-1. Interface of Raspberry Pi Imager v1.7.2

In April 2022, Raspberry Pi Foundation introduced several changes, including deprecating the default pi user account. Please refer to Simon Long's blog post for a detailed explanation. Check the version of your Raspberry Pi Imager, and if it is 1.7.2 or later, you have to click on the Cogwheel button to bring Advanced options dialog - please refer to Fig 2022-04-20-Update-2. The shown values for hostname, username, and password revert the Raspberry Pi's behavior to the pre-April 2022 state. While this makes following this guide easier, I would advise choosing a unique username and a strong password for your default user. Doing so increases the security of your Raspberry Pi - just remember to substitute pi with your default user's username everywhere below.

Note that Advanced options dialog now gives an option to enable SSH and provides for setting the hostname and configuring the timezone in advance. Feel free to skip the corresponding steps at the end of this article.

⚠️ Note that the April 2022 Update has introduced a new behavior enabling automatic console login for the user specified in Advanced options dialog. Not turning it OFF might compromise the security of your Raspberry Pi. Please read this article for more details.

Fig 2022-04-20-Update-2. Advanced Options Dialog of Raspberry Pi Imager v1.7.2


  • When everything looks good, proceed with writing the selected Raspberry Pi OS Lite to the chosen storage location of the microSD. The process takes anywhere from one to five minutes depending on whether the OS image needs to be downloaded and your broadband connection speed.

  • Once you see Write Successful dialog box appear, click on Continue button then quit Raspberry Pi Imager.

At this point, the microSD card has been unmounted by Raspberry Pi Imager, but we are not quite done yet. Let’s unplug and then attach the card reader one more time. Then:

  • Open Terminal on Mac.

  • From the Terminal window execute:

    $ cd /Volumes/boot && touch ssh && cd
  • Unmount / Eject the card.

This last command creates an empty file named ssh in the /boot partition of the microSD card. The presence of this file will make the Raspberry Pi OS enable SSH daemon on the subsequent boot, which is what we want, to avoid plugging in a keyboard and monitor to the Pi.

Finishing up:

  • Insert the microSD into your Raspberry Pi.

  • Connect Ethernet cable to the ethernet port of your router.

  • Connect the power and power the Pi up!

Connecting to the Raspberry Pi

After a minute or two after powering up, your Raspberry Pi should become available on your home network. In most cases, I suspect, you should be able to SSH to it using raspberrypi.local name. If not, then you will need to login to your home router management console to find out the Pi’s IP address from the router device list.

Note: Official Raspberry Pi Documentation has an in-depth coverage of the Remote Access topic.

From here on I assume that the Pi is indeed accessible via raspberrypi.local.

  • Open Terminal on Mac, enter the following command:

    $ ssh pi@raspberrypi.local
  • Agree to accept the Raspberry Pi’s SSH fingerprint to your Mac’s known hosts list.

  • When prompted, enter the default password raspberry

On the greeting screen, Raspberry Pi OS warns you about the security risk associated with using the default password other SSH. Do not worry, we will take care of it at the end of the article.

Fig 4. Connecting to Raspberry Pi via SSH

  • Before diving into anything else, let’s refresh the software packages on our Pi. From the SSH console on your Mac execute:

    $ sudo apt update && sudo apt upgrade -y

Preparing the Storage

⚠️ Warning: all data on your external hard drive is about to be permanently deleted. Make sure there is nothing on it that you might regret not having later.

  • Connect external hard drive via USB to one of the blue USB 3.0 ports on the Raspberry Pi.

  • From SSH console execute:

    $ sudo lsblk

    You should see the list of devices and partitions present. Note the device name that does NOT have root (/) or boot (/boot) partitions associated with it. In my case this device is sda - refer to Fig 5 below. If your device name is different, you will need to be careful to update all the following commands with the actual name of your external hard drive device.

  • So, assuming sda, execute

    $ sudo dd if=/dev/zero of=/dev/sda bs=512 count=10000

    which zeros out the first ~5MB of the hard drive, erasing any service information like partitions, etc.

  • Then follow up with the following duo:

    $ sudo parted /dev/sda mklabel gpt
    $ sudo parted /dev/sda -a opt mkpart primary 0% 100%
  • The last command creates a single partition /sda/sda1 as confirmed by the output from:

    $ sudo lsblk

Fig 5. Partitioning External Hard Drive

  • To create ext4 file system on /sda/sda1 giving it label backups, proceed with:

    $ sudo mkfs.ext4 -L backups /dev/sda1

Mounting Backups Partition

  • Let’s create a directory to serve as the mounting point for the newly created backups filesystem:

    $ sudo mkdir /mnt/backups
  • To be able to mount this filesystem on our Raspberry Pi and access it like any other directory, we need to make an entry into /etc/fstab system file. Doing so also ensures that the mount persists between reboots. The command below appends an entry to the fstab letting Raspberry Pi know what should be mounted and where:

    $ echo 'LABEL=backups /mnt/backups ext4 noexec,nodev,noatime,nodiratime 0 0' | sudo tee -a /etc/fstab

Note of flags used in the command above:

  • noexec: do not allow execution of any binaries on the mounted filesystem as it’s only going to be used for backup storage;

  • nodev: do not interpret character or block special devices on the filesystem;

  • noatime: do not store access times on this filesystem;

  • nodiratime: do not store directory access times on this filesystem.

  • The two numbers at the end of the line instruct your Raspberry Pi to ignore this filesystem when using dump and not to check it with fsck when rebooting.

  • At this point we should be able to mount:

    $ sudo mount /mnt/backups

Optional: Putting the External Hard Drive to Sleep

For spinning disks that do not have to run constantly like in our case, it’s not a bad idea to put them to idle when there is no activity. Not only does that prolong disks life, but also reduces carbon footprint.

  • hdparm is there to help:

    $ sudo apt install hdparm -y
  • Then execute:

    $ sudo hdparm -S 120 /dev/disk/by-label/backups

Here we use -S option to specify the period of inactivity before spinning the drive down. I highly recommend reading more on hdparm options ($ man hdparm is your friend) because according to man pages, “The encoding of the timeout value is somewhat peculiar.” In our case, however, -S 120 instructs hdparm to wait for 10 minutes before spinning down.

  • We can make this permanent by adding the following to /etc/hdparm.conf:

    $ echo -e '\n/dev/disk/by-label/backups {\n\tspindown_time = 120\n}' | sudo tee -a /etc/hdparm.conf

Making the Pi Storage Network-Accessible

In this section we will be configuring two additional packages. Samba will help with accessing the backups partition over local network via Server Message Block protocol (or SMB for short). Meanwhile Avahi is used to advertise backups network share to Macs as a destination for Time Machine backups.

Creating Backup User

  • Let’s start by creating a separate user for storing backups. I call mine keeper:

    $ sudo adduser --disabled-password --gecos "" keeper
  • Let’s also create a subdirectory for Samba sharing:

    $ sudo mkdir /mnt/backups/backups
  • Then set the ownership for the backups partition and everything below to the newly created user keeper:

    $ sudo chown -R keeper: /mnt/backups
  • And install samba and avahi packages:

    $ sudo apt install samba avahi-daemon -y

Configuring Samba

In order to make our Mac see the external hard drive attached to the Raspberry Pi over the network, we will add a new share definition for /mnt/backups/backups to our Samba configuration in /etc/samba/smb.conf. Here is how the definition looks:


[backups]
    comment = Backups
    path = /mnt/backups/backups
    valid users = keeper
    read only = no
    vfs objects = catia fruit streams_xattr
    fruit:time machine = yes

  • And this is the command line to achieve that:

    $ echo -e '\n[backups]\n\tcomment = Backups\n\tpath = /mnt/backups/backups\n\tvalid users = keeper\n\tread only = no\n\tvfs objects = catia fruit streams_xattr\n\tfruit:time machine = yes' | sudo tee -a /etc/samba/smb.conf
  • The default /etc/samba/smb.conf has some fluff like definitions for sharing home directories and printers that we really have no use for. To make it clean and nice:

    $ sudo nano /etc/samba/smb.conf
  • Scroll down to Share Definitions section and comment out [homes], [printers] and [print$]. Fig 6 and Fig 7 show the end result. Look for lines starting with double semi-column, they indicate the lines needing touches. Then press ^x to save and exit.

Fig 6. Editing smb.conf. 1 of 2

Fig 7. Editing smb.conf. 2 of 2

  • In order to connect to the SMB share as user keeper, we need to explicitly add user keeper to Samba’s password file and set a password with smbpasswd:

    $ sudo smbpasswd -a keeper
  • A quick way to check your Samba configuration is by executing

    $ sudo testparm -s

    Make sure that your output looks exactly like the one in Fig 8.

Fig 8. Samba Config Check

  • Finally, reload Samba service to pick up the changes:

    $ sudo service smbd reload

Configuring Avahi (And Making It Pretty)

We will use Avahi to advertise the Samba share to Macs via zero-configuration networking and service discovery protocols. When built with mDNS support, Samba can do it on its own. Unfortunately, the build of Samba currently available for Raspberry Pi OS Lite does not have this functionality. Avahi will help us to make Macs aware that:

  • Raspberry Pi runs SMB server on port 445.

  • There is an SMB share point available for Time Machine backups.

As a bonus (this is the pretty part), we are also going to advertise our Raspberry Pi as an Xserve so that it appears sporting Xserve graphics in the Finder.

We are going to create file /etc/avahi/services/samba.service and populate it with the following XML:


<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_smb._tcp</type>
    <port>445</port>
  </service>
  <service>
    <type>_device-info._tcp</type>
    <port>9</port>
    <txt-record>model=Xserve1,1</txt-record>
  </service>
  <service>
    <type>_adisk._tcp</type>
    <port>9</port>
    <txt-record>dk0=adVN=backups,adVF=0x82</txt-record>
    <txt-record>sys=adVF=0x100</txt-record>
  </service>
</service-group>

  • Invoke nano text editor:

    $ sudo nano /etc/avahi/services/samba.service
  • Paste the above XML then ^x to save and exit.

  • Restart Avahi

    $ sudo service avahi-daemon restart

Testing It All

At this point, using your Mac, you should be able to see raspberrypi listed in Network section of the Finder. Next, open Time Machine from System Preferences…, click on Select Disk… and confirm that you see backups on raspberrypi.local as an option. Do not configure your Mac’s Time Machine just yet though.

Securing the Raspberry Pi

Let’s address that security warning on the Raspberry Pi’s greeting screen now.

  • From SSH console run:

    $ sudo raspi-config
  • Navigate to 1 System Options -> S3 Password to change the default password for user pi

Fig 9. Changing System Password

Renaming the Raspberry Pi

  • From SSH console run:

    $ sudo raspi-config
  • Navigate to 1 System Options -> S4 Hostname.

  • Enter a new hostname to your liking. I call my Raspberry Pi keeper, so this is what you are going to see on the screenshots that follow.

  • Click Tab key to select Ok,

  • Click Tab key twice to Finish.

  • Choose Yes to reboot.

Fig 10. Changing System Name

Once your Raspberry Pi comes back online, it should be accessible by its new name - in my case:

$ ssh pi@keeper.local

You Mac’s Finder should also reflect the new name.

Your Raspberry Pi is now ready to serve as a network destination for Macs’ Time Machine backups. On your Mac, go to System Preferences… -> Time Machine, select Select Disk… and pick your Raspberry Pi from the list. Your will need to provide credentials for the Samba user. One more thing: I highly recommend checking Encrypt backups option.


Keep it Safe. Back Up!