Provided by: clsync_0.4.5-2.1build1_amd64 
NAME
clsync - live sync tool, written in GNU C
SYNOPSIS
clsync [ ... ] -- [ sync-handler-arguments ]
DESCRIPTION
clsync executes sync-handler with appropriate arguments on FS events in directory watch-dir using the
inotify(7) or other FS monitoring subsystems.
OPTIONS
This options can be passed as arguments or to be used in the configuration file.
To disable numeric option set to zero:
=0
To disable string option (for example path to file) set to empty string:
=
Also you can use previously set values while setting new options. Substring %option_name% will be
substituted with previously set value of option option_name. (see CONFIGURATION FILE)
sync-handler-arguments applies only to modes:
simple, direct, shell, rsyncdirect, rsyncshell
To set sync-handler-arguments in config file use '--'. An example:
-- = -aH --exclude-from %EXCLUDE-LIST% --include-from=%INCLUDE-LIST% --exclude '*' %watch-dir%/
%destination-dir%/
-W, --watch-dir watch-dir
Root directory to be monitored by clsync.
Required.
-S, --sync-handler sync-handler
Path to sync-handler to be used for syncing by clsync. (see --mode)
Is required for all modes except "direct" and "rsyncdirect" [see SYNC HANDLER MODES]
-R, --rules-file rules-file
Path to file with filter rules of objects to be monitored. (see RULES)
Is not set by default.
-D, --destination-dir destination-directory
Defines directory to sync to for modes "rsyncdirect", "rsyncso" and "so". (see --mode)
Is not set by default.
-M, --mode mode
Sets syncing mode. Possible values:
simple
calls sync-handler for every event
direct
calls sync-handler for every sync with passing files lists as arguments
shell
calls sync-handler for every sync with passing files lists in a file
rsyncdirect
calls rsync by path sync-handler directly
rsyncshell
calls sync-handler that supposed to run rsync for every sync (recommended mode)"
rsyncso
loads shared object by path sync-handler with dlopen(3) and calls function
clsyncapi_rsync function for every sync
so
loads shared object by path sync-handler with dlopen(3) and calls function
clsyncapi_sync function for every sync
See SYNC HANDLER MODES
Required.
-b, --background
Daemonize, forcing clsync to fork() on start.
Is not set by default.
-H, --config-file config-file-path
Use configuration from file config-file-path (see CONFIGURATION FILE).
Set to "/NULL/" if no config files should be read.
Is not set by default.
-K, --config-block config-block-name
Use configuration block with name config-block-name (see CONFIGURATION FILE).
The default value is "default".
--config-block-inherits config-parent-block-name
Use configuration block with name config-parent-block-name as parent for config-block-name (see
CONFIGURATION FILE). Options from config-parent-block-name will be inherited to
config-block-name.
The default value is "default".
--custom-signals custom-signals
Set a list of signals and corresponding config block names. The config block will be use on
catching the corresponding signal.
Format is
signal:config-block-name[,signal:config-block-name[,...]]
For example:
--custom-signals=29:debug,28:normal
In this line signals "28" and "29" will be added to the sighandler. And clsync will use options
from config block "debug" on signal 29 and "normal" on signal 28.
To reset all custom signals use the 0-th signal (e.g. "--custom-signals=0").
The default value is "".
-z, --pid-file path-to-pidfile
Writes pid to file by path path-to-pidfile.
Is not set by default.
--status-file status-file-path
Write status description into file with path status-file-path.
Possible statuses:
starting
initializing subsystems and marking file tree with FS monitor subsystem
initsync
processing initial syncing
running
waiting for events or syncing
synchandler error
waiting between synchandler execution tries (after a failure) [is used only while
--threading=off]
rehashing
reloading configuration files
thread gc
running threads' garbage collector
preexit
executing the --pre-exit-hook
terminating
running the last iteration (if required) and preparing to die
exiting
executing the --exit-hook and cleaning up [for valgrind(1)]
Is not set by default.
-r, --retries number-of-tries
Tries limit to sync with sync-handler.
clsync will die after number-of-tries tries.
To try infinite set "0".
Delay between tries is equal to --delay-sync value.
The default value is "1".
--ignore-failures
Don't die on sync failures.
Is not set by default.
--exit-on-sync-skip
Exit if some event could be skipped due to any reason.
For example FreeBSD has a very short BSM event queue (1024). So it may be overflowed and some
events can not climb to the queue. This option forces clsync to exit if the queue had been
overflowed.
Is not set by default.
-p, --threading threading-mode
[Not available on Debian/kFreeBSD]
Use pthreads(7) to parallelize syncing processes. For example if clsync (with --threading=off) is
already syncing a huge file then all other syncs will be suspended until the huge file syncing
finish. To prevent this suspends you can use "safe" or "full" threading mode.
Possbile values:
off
disable threading for syncing processes.
safe
parallelize syncs but suspend syncings of object that are already syncing in another
process (until the process finish).
full
parallelize syncs without suspendings.
Characteristics:
off
New modifications won't be synced until old ones finish.
safe
Theoretically is the best way. But may utilize of lot of CPU if there's a lot of
simultaneous parallel syncs. (also this way is not well tested)
full
May cause multiple simultaneous syncing of the same file, which in turn can cause
bug inside sync-handler (see below).
If you're running clsync with option --threading=full in conjunction with rsync with option
--backup, you may catch a bug due to nonatomicity of rsync's file replace operation. (see
DIAGNOSTICS)
The default value is "off".
-Y, --output log-destination
Sets destination for log writing (errors, warnings, infos and debugging).
Possible values:
stderr
stdout
syslog
The default value is "stderr".
--one-file-system
Don't follow to different devices' mount points. This option just adds option "FTS_XDEV" for
fts_open(3) function.
Warning! If you're using this option (but no --exclude-mount-points) clsync will write neither
includes nor excludes of content of mount points.
This may cause problems e.g. you're using rsync for sync-handler without similar option
"--one-file-system".
Is not set by default.
-X, --exclude-mount-points
Forces --one-file-system but also add excludes to do not sync mount points.
This requires to do stat(2) syscalls on every dir and can reduce performance.
Is not set by default.
--socket socket-path
Create a control socket by path socket-path.
This's very experimental feature.
Is not set by default.
--socket-own socket-owner-user[:socket-owner-group]
Sets the control socket owner user (and group).
Is not set by default
--socket-mod socket-mode
Sets the control socket mode [see chmod(2)].
Is not set by default.
--standby-file standby-file-path
Sets file to path that should be checked before every sync. If file exists the sync will be
suspended until the file is deleted. It may be useful if you need freeze destination directory
while running some scripts.
Is not set by default.
--max-iterations iterations-count
Sets synchronization iterations limit. One iteration means one sync-handler execution.
iterations-count
set to 0 means no limit (infinite loop).
set to 1 means that only initial sync will be done
set to n means that only initial sync and (n-1) sync-ups after that will be done
Hint: This option may be useful in conjunction with --exit-on-no-events to prevent infinite sync-
up processes.
The default value is "0".
--modification-signature signature-mask
Sets file/dir modification recheck signature. If file is not modified (according to the signature)
then don't sync it.
See struct stat in lstat(2) for possible fields.
For example reasonable signature-mask-s can be "dev,ino,mode,uid,gid,rdev,size,atime,mtime,ctime"
(there's an alias for that — "*") or "uid,gid".
Examples of use cases:
chown/chmod
If you're using clsync for fixing file/dir privileges [using chown(1) and/or
chmod(1)] than reasonable signature will be "uid,gid".
Full example: clsync -w5 -t5 -T5 -x1 -W /var/www/site.example.org/root -Mdirect
-Schown --uid 0 --gid 0 -Ysyslog -b1 --modification-signature uid,gid -- --from=root
www-data:www-data %INCLUDE-LIST%
bi-directional syncing
If you're going to setup bi-directional syncing then you may use
--modification-signature "*" to prevent sync loop between servers.
Not enough CPU
If rsync eats too many CPU with rechecking hashsums of files on their dry
open()/close() due to some hacky script (for example "chown -R www-data:www-data" in
cron) then you can use --modification-signature
"dev,ino,mode,uid,gid,rdev,size,atime,mtime" (without "blksize", "blocks", "nlink"
and "ctime").
Warning! This option may eat a lot of memory on huge file trees.
This option cannot be used together with "--cancel-syscalls=mon_stat"
To disable file/dir modification rechecking use empty value — "".
The default value is "".
-k, --timeout-sync sync-timeout
Sets timeout for syncing processes. clsync will die if syncing process alive more than
sync-timeout seconds.
Set "0" to disable the timeout.
The default value is "86400" ["24 hours"].
-w, --delay-sync additional-delay
Sets the minimal delay (in seconds) between syncs.
The default value is "30".
-t, --delay-collect ordinary-delay
Sets the delay (in seconds) to collect events about ordinary files and directories.
The default value is "30".
-T, --delay-collect-bigfile bigfiles-delay
Sets the delay (in seconds) to collect events about "big files" (see --threshold-bigfile).
The default value is "1800".
-B, --threshold-bigfile filesize-threshold
Sets file size threshold (in bytes) that separates ordinary files from "big files". Events about
"big files" are processed in another queue with a separate collecting delay. This is supposed to
be used as a means of unloading IO resources.
To disable detection of "big files" set "0" (zero). This can improve performance by removing
necessity in extra lstat() syscall.
The default value is "134217728" ["128 MiB"].
--cancel-syscalls syscalls-mask
Sets syscalls to be bypassed. This may be used for to squeeze more performance.
Possible values:
mon_stat
Skip lstat() calls while handling files/dirs events. This makes unpossible to
determine files sizes (that is used by --threshold-bigfile option) and to use option
--modification-signature.
You can combine this values using commas.
To disable this option just use empty value — "".
The default value is "".
-L, --lists-dir tmpdir-path
Sets directory path to output temporary events-lists files.
See SYNC HANDLER MODES.
Is not set by default.
--have-recursive-sync
Use action "recursivesync" instead of "synclist" for directories that were just marked (see SYNC
HANDLER MODES case shell).
Is not set by default.
--synclist-simplify
Removes the first 3 parameters in list files of action "synclist" (see SYNC HANDLER MODES case
shell).
Is not set by default.
--rsync-inclimit rsync-includes-line-limit
Sets soft limit for lines count in files by path rsync-listpath. Unfortunately, rsync works very
slowly with huge "--include-from" files. So, clsync splits that list with approximately
rsync-includes-line-limit lines per list if it's too big, and executes by one rsync instance per
list part. Use value "0" to disable the limit.
The default value is "20000".
--rsync-prefer-include
Forces clsync to prefer a "lot of includes" method instead of a "excludes+includes" for rsync on
recursive syncing.
See cases rsyncshell, rsyncdirect and rsyncso of SYNC HANDLER MODES.
This option is not recommended.
Is not set by default.
-x, --ignore-exitcode exitcode
Forces clsync to do not process exitcode exitcode of sync-handler as an error. You can set
multiple ignores by passing this option multiple times.
Recommended values for rsync case is "24". You can set multiple values with listing a lot of "-x"
options (e.g. "-x 23 -x 24") or via commas (e.g. "-x 23,24"). To drop the list use zero exitcode
(e.g. "-x 0"). For example you can use "-x 0,23" to drop the list and set "23"-th exitcode to be
ignored.
Is not set by default (or equally is set to "0").
-U, --dont-unlink-lists
Do not delete list-files after sync-handler has finished.
This may be used for debugging purposes.
Is not set by default.
--fts-experimental-optimization
Enable experimental features to optimize file tree scanning while using fts(3). The features will
be enabled by default after appropriate testing.
At the moment the option doesn't do anything but can be used in future.
Is not set by default.
-F, --full-initialsync
Ignore filter rules from rules-file on initial sync.
This may be useful for quick start or e.g. if it's required to sync "/var/log/" tree but not sync
every change from there.
Is not set by default.
--only-initialsync
Exit after initial syncing on clsync start.
Is not set by default.
--exit-on-no-events
Exit if there's no events. Works like --only-initialsync, but also syncs events collected while
the initial syncing.
Unlike --only-initialsync this option uses FS monitor subsystem to monitor for new events while
the initial syncing. This may reduce performance. On the other hand this way may be used to be
sure, that everything is synced at the moment before clsync will exit.
Is not set by default.
--skip-initialsync
Skip initial syncing on clsync start.
Is not set by default.
--sync-on-quit
On SIGQUIT: clsync will perform one more final syncing to empty the queue of collected events
before exit.
Is not set by default.
--exit-hook path-of-exit-hook-program
Sets path of program to be executed on clsync exit.
If this parameter is set then clsync will exec on exit:
path-of-exit-hook-program label
The execution will be skipped if initial sync wasn't complete.
Is not set by default.
--pre-exit-hook path-of-pre-exit-hook-program
Sets path of program to be executed before the last sync iteration (see --max-iterations,
--exit-on-no-events and SIGNALS).
If this parameter is set then clsync will exec on exit:
path-of-pre-exit-hook-program label
The execution will be skipped if initial sync wasn't complete.
If clsync finishes due to --exit-on-no-events and --pre-exit-hook is set then the pre-exit hook
will be executed and additional sync iteration will be triggered.
Is not set by default.
-v, --verbose
This option is supposed to increase verbosity. But at the moment there's no "verbose output" in
the code, so the option does nothing. :)
Is not set by default.
-d, --debug
Increases debugging output. This may be supplied multiple times for more debugging information, up
to a maximum of five "d" flags (more will do nothing), for example "-d -d -d -d -d" or "-d5"
(equivalent cases)
Is not set by default.
--dump-dir
Directory to write clsync's instance information by signal 29 (see SIGNALS). The directory
shouldn't exists before dumping.
Is set to "/tmp/clsync-dump-%label%" by default.
-q, --quiet
Suppresses error messages.
Is not set by default.
--monitor monitor-subsystem
Switches FS monitor subsystem.
Possible values:
inotify
inotify(7) [Linux, (FreeBSD via libinotify)]
Native, fast, reliable and well tested Linux FS monitor subsystem.
There's no essential performance profit to use "inotify" instead of "kevent" on
FreeBSD using "libinotify". It backends to "kevent" anyway.
FreeBSD users: The libinotify on FreeBSD is still not ready and unusable for clsync
to sync a lot of files and directories.
gio
Use gio library.
Crossplatform and tested library that backends to kqueue on FreeBSD and inotify on
Linux. See inotify and kqueue sections here for details.
Not well tested. Use with caution!
kqueue
kqueue(2) [FreeBSD, (Linux via libkqueue)]
A *BSD kernel event notification mechanism (inc. timer, sockets, files etc).
This monitor subsystem cannot determine file creation event, but it can determine a
directory where something happened. So clsync is have to rescan whole dir every time
on any content change. Moreover, kqueue requires an open() on every watched
file/dir. But FreeBSD doesn't allow one to open() symlink itself (without following)
and it's highly invasively to open() pipes and devices. So clsync just won't call
open() on everything except regular files and directories. Consequently, clsync
cannot determine if something changed in symlink/pipe/socket and so on. However it
still can determine if it will be created or deleted by watching the parent
directory and rescaning it on every appropriate event.
Also this API requires to open every monitored file and directory. So it may produce
a huge amount of file descriptors. Be sure that kern.maxfiles is big enough (in
FreeBSD).
CPU/HDD expensive way.
Not well tested. Use with caution!
Linux users: The libkqueue on Linux is not working. He-he :)
bsm
bsm(3) [FreeBSD]
Basic Security Module (BSM) Audit API.
This is not a FS monitor subsystem, actually. It's just an API to access to audit
information (inc. logs). clsync can setup audit to watch FS events and report it
into log. After that clsync will just parse the log via auditpipe(4) [FreeBSD].
Reliable, but hacky way. It requires global audit reconfiguration that may hopple
audit analysis.
Warning! FreeBSD has a limit for queued events. In default FreeBSD kernel it's only
1024 events. So choose one of:
- To patch the kernel to increase the limit.
- Don't use clsync on systems with too many file events.
- Use bsm_prefetch mode (but there's no guarantee in this case anyway).
See also option --exit-on-sync-skip.
Not well tested. Use with caution! Also file /etc/security/audit_control will be
overwritten with:
#clsync
dir:/var/audit
flags:fc,fd,fw,fm,cl
minfree:0
naflags:fc,fd,fw,fm,cl
policy:cnt
filesz:1M
unless it's already starts with "#clsync\n" ("\n" is a new line character).
bsm_prefetch
The same as bsm but all BSM events will be prefetched by an additional thread to
prevent BSM queue overflow. This may utilize a lot of memory on systems with a high
FS events frequency.
However the thread may be not fast enough to unload the kernel BSM queue. So it may
overflow anyway.
The default value on Linux is "inotify". The default value on FreeBSD is "kqueue".
-l, --label label
Sets a label for this instance of clsync. The label will be passed to sync-handler every
execution.
The default value is "nolabel".
-h, --help
Outputs options list and exits with exitcode "0".
Is not set by default.
-V, --version
Outputs clsync version and exits with exitcode "0".
Is not set by default.
--cgroup-group-name cg-group-name
Set cgroup group name [see cgroup_new_cgroup()].
Is set to "clsync/%PID%" by default.
SECURITY OPTIONS
--secure-splitting
Implies "--splitting=process --check-execvp-arguments --seccomp-filter --forbid-devices"
-u, --uid uid
Drop user privileges to uid uid with setuid(2)
If there's a capabilities(7) support then the default value is "nobody" (or "65534" if "nobody"
not found), otherwise the option is not set by default;
-g, --gid gid
Drop group privileges to gid gid with setgid(2)
If there's a capabilities(7) support then the default value is "nogroup" (or "65534" if "nogroup"
not found), otherwise the option is not set by default;
--privileged-uid sync-handler-uid
An user ID to be used for the privileged process (see --splitting=process).
The default value is "$UID".
--privileged-gid sync-handler-gid
A group ID to be used for the privileged process (see --splitting=process).
The default value is "$GID".
--sync-handler-uid sync-handler-uid
An user ID to be used for sync-handler.
See --preserve-capabilities.
The default value is same as for --privileged-uid.
--sync-handler-gid sync-handler-gid
A group ID to be used for sync-handler.
See --preserve-capabilities.
The default value is same as for --privileged-gid.
-C, --preserve-capabilities capabilities-list
[Linux only, requires capabilities]
Use capset(2) and prctl(2) to preserve "CAP_DAC_READ_SEARCH", "CAP_SETUID" or/and "CAP_SETGID"
[see capabilities(7)] Linux capability for process using fts(3), inotify(7) and execve(2). This
allows the preservation of enough FS privileges to watch a file tree and execute the sync-handler
with required uid and gid [see --sync-handler-uid and --sync-handler-gid] after dropping
privileges via setuid(2) and setgid(2) [see --uid and --gid]
Possible values:
CAP_DAC_READ_SEARCH
To bypass FS read checks (for fts and inotify).
CAP_SETUID
To be able to use setuid(2) before execve(2) on the sync-handler.
CAP_SETGID
To be able to use setgid(2) before execve(2) on the sync-handler.
CAP_KILL
To be able to kill setuid()-ed processes
Any combinations of this values are also supported. The list may be presented as a comma
separated values, like:
CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID
The default value is "CAP_DAC_READ_SEARCH,CAP_SETUID,CAP_SETGID,CAP_KILL" if the clsync runner
have such privileges.
--inherit-capabilities
[Linux only, requires capabilities]
Sets a mode for capabilities inheriting.
Possible values:
permitted
Inherits all permitted capabilities
dont-touch
Don't change inheritable capabilities set
clsync
Use clsync's effective capabilities set
empty
Reset all capabilities
The default value is "empty".
--splitting splitting-type
Split the process/thread to privileged and non-privileged. This's an additional way to secure your
system from any bug in clsync while running it with capabilities or root privileges. But clsync
may utilize in few times more CPU resources. So it's a performance vs security trade off.
You can essentialy reduce the overhead with using "high load locks" ("--enable-highload-locks" of
"./configure" file).
If you're using this option and running the sync-handler with the root user then it's highly
recommended to enable --check-execvp-arguments, too. Otherwise in case of clsync security bug a
hacker will be able to use execvp() with any arguments with root privileges.
Possible values:
off
Disable this feature
thread
[Linux only, requires capabilities]
Creates a separate thread for privileged operations.
It's highly recommended to enable --seccomp-filter in this case. But that will
forbid --threading.
process
More secure and portable way, but uses separate process and:
- forbids fanotify (that is not implemented yet anyway);
- more complex code (and higher probability of error).
- slower due to copying data between private and shared memory pages.
Recommended.
Is set to "off" by default.
--check-execvp-arguments
[Requires --splitting=[thread|process]]
[Blocks --mode=direct]
Enables execvp() arguments recheck in the privileged process (in case of their substitution to any
exploit-given arguments).
This option doesn't utilize a lot of CPU resources but forbids run-time changing of
sync-handler-arguments and hook file paths.
This option cannot be used in conjunction with --mode=direct due to an arbitrary number of
arguments in this mode.
Is not set by default.
--add-permitted-hook-files [hook-path0,[hook-path1[,...]]]
[Requires --check-execvp-arguments]
Adds paths to the list of permitted hook paths to bypass --check-execvp-arguments checks. It may
be required if you're going to change the hooks in run-time using --custom-signals or --socket.
Is not set by default.
--seccomp-filter
[Linux only]
Use seccomp filter to forbid syscalls that shouldn't be used by clsync.
Forbid all syscalls for non-privileged process/thread, but
futex inotify_init1 alert stat fstat lstat open write close wait4 unlink tgkill
clock_gettime rt_sigreturn brk mmap munmap wait4 rmdir exit_group select read
rt_sigprocmask rt_sigaction nanosleep
Is not set by default.
--permit-mprotect
[Requires --seccomp-filter]
Permits mprotect(2) syscall.
This syscall is required by pthread_create(3), so it's required for --threading.
Makes --shm-mprotect to be useless.
Also it enables ability to change memory of privileged thread from non-privileged, so using of
--splitting=thread with this option is useless, too.
Is set to "0" by default if --splitting is set. Otherwise "1".
--shm-mprotect
[Requires --splitting=process]
Forbid writing or reading to/from shared memory when it shouldn't be. mprotect(2) is used for the
protection.
This option is useless while --permit-mprotect is enabled.
--chroot chroot-directory
clsync chroot()-s [see chroot(2)] to directory chroot-directory before any syncing processes.
This option may be used in conjunction with --uid, --gid or/and --pivot-root for security reasons.
Remember! If you're chroot()-ing somewhere, the sync-handler will be limited by the
chroot-environment, too. If you're using rsync then you may want to "mount --bind" some
directories to the chroot-directory.
Is not set by default.
--pivot-root pivot-root-way
[Linux only, requires --chroot]
Sets a way of using pivot_root(2) syscall to the chroot-directory (to umount(2) old rootfs).
Possible values:
auto
Creates a directory "/dev/shm/clsync-rootfs", unshare(2)-ing the mount namespace,
mount(2)-s the chroot-directory to the directory and then pivot_root(2)-ing,
chroot(2)-ing and umount(2)-ing old rootfs. Directory "/dev/shm/clsync-rootfs" won't
be deleted after clsync finish.
auto-ro
The same as auto but mounts the directory with read-only option (MS_RDONLY).
direct
unshare(2)-ing the mount namespace, pivot_root(2)-ing, chroot(2)-ing and
umount(2)-ing old rootfs. Directory "old_root" should be created in chroot-directory
before running clsync in this mode.
off
Don't pivot_root(2).
The default value is "off". If --chroot is used then recommended value is "auto-ro".
--mountpoints [mountpoint[,mountpoint[,mountpoint]]]
[Linux only]
Umount (with MNT_DETACH) everything except listed mountpoints.
Supposed to be used for security reasons as an alternative to --pivot-root option.
Is not set by default.
--detach-network detach-network-mode
[Linux only]
Removes network in clsync instance.
Possible values:
everywhere
Removes network for all processes.
non-privileged
Removes network from non-privileged process if option --process-splitting is
enabled, otherwise doesn't do anything.
off
Don't do anything.
The default value is "non-privileged".
--detach-ipc
[Linux only]
Make an own IPC namespace.
Is set by default.
--detach-miscellanea
[Linux only]
unshare(2) on everything not listed above.
Is not set by default.
--forbid-devices
[Linux only]
Forbid any access to all devices except listed ones:
read access to:
/dev/console
/dev/zero
/dev/urandom
/dev/random
write access to:
/dev/console
/dev/null
Is not set by default.
PERFORMANCE
Recommendations to improve the performance:
- Disable thread/process splitting.
- Don't use clsync rules (use rules on sync-handler side) or/and use option "--full-initialsync"
- Use option "-B0".
- Use option "--cancel-syscalls=mon_stat".
- Use option "-p safe" or "-p full".
- Disable debugging with "-d0" or better disable debugging support at all with "./configure"
option "--enable-debug=no"
- Don't use option "--exclude-mount-points"
- Free memory for disk cache
You shouldn't follow all this recommendation blindfold. You should use only the ideas that fixes
performance problems in your specific use case. And only if it's necessary.
SYNC HANDLER MODES
clsync executes sync-handler that supposed to take care of the actual syncing process. Therefore clsync
is only a convenient way to run a syncing script.
clsync can run sync-handler in seven ways. Which way will be used depends on specified mode (see --mode)
sync-handler-arguments are used only in modes:
simple
direct
shell
rsyncdirect
rsyncshell
If sync-handler-arguments are not set then the default setting is used (see below).
case simple
Executes for every syncing file/dir:
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
sync %label% %EVENT-MASK% %INCLUDE-LIST%
In this case, sync-handler is supposed to non-recursively sync file or directory by path
%INCLUDE-LIST%. With %EVENT-MASK% it's passed bitmask of events with the file or directory (see
"/usr/include/linux/inotify.h").
Additional substitutions:
%EVENT-MASK%
Is replaced by integer of events IDs.
%INCLUDE-LIST%
Is replaced by absolute path of a file/dir to be synced.
case direct
Executes for every sync:
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
%INCLUDE-LIST% %destination-dir%/
Additional substitutions:
%INCLUDE-LIST%
Is replaced by a list of relative paths of files/dirs to be synced.
case shell
Executes for every sync (if recursivesync is not used instead):
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
synclist %label% %INCLUDE-LIST-PATH%
Default sync-handler-arguments for initial sync if --have-recursive-sync is set are:
initialsync %label% %INCLUDE-LIST%
In this case, sync-handler is supposed to non-recursively sync files and directories from list in
a file by path %INCLUDE-LIST-PATH% on "synclist".
Also sync-handler is supposed to recursively sync data from directory by path %INCLUDE-LIST-PATH%
with manual excluding extra files on "initialsync".
Additional substitutions:
%TYPE%
Is replaced by "sync"/"initialsync".
%INCLUDE-LIST-PATH%
Is replaced by the path of the include list file.
%INCLUDE-LIST%
Is replaced by a list of relative paths of files/dirs to be synced.
Not recommended. Not well tested.
case rsyncdirect
Executes for every sync:
sync-handler sync-handler-arguments
sync-handler is supposed to be a path to rsync binary.
Default sync-handler-arguments are:
-aH --delete --exclude-from %EXCLUDE-LIST-PATH% --include-from %INCLUDE-LIST-PATH%
--exclude='*' %watch-dir%/ %destination-dir%/
if option --rsync--prefer-include is not set and
-aH --delete --include-from %INCLUDE-LIST-PATH% --exclude='*' %watch-dir%/
%destination-dir%/
if the option is set
Error code "24" from sync-handler will be ignored in this case. We also recommend to ignore
exitcode "23".
Additional substitutions:
%INCLUDE-LIST-PATH%
Is replaced by the path of the include list file
%EXCLUDE-LIST-PATH%
Is replaced by the path of the exclude list file
%RSYNC-ARGS%
Is replaced by default sync-handler-arguments, but without "%watch-dir%/
%destination-dir%/"
Recommended case.
case rsyncshell
Executes for every sync:
sync-handler sync-handler-arguments
Default sync-handler-arguments are:
rsynclist %label% %INCLUDE-LIST-PATH% [%EXCLUDE-LIST-PATH%]
In this case, sync-handler is supposed to run "rsync" application with parameters:
-aH --delete-before --include-from %INCLUDE-LIST-PATH% --exclude '*'
if option --rsync-prefer-include is enabled.
And with parameters:
-aH --delete-before --exclude-from %EXCLUDE-LIST-PATH% --include-from %INCLUDE-LIST-PATH%
--exclude '*'
if option --rsync-prefer-include is disabled.
Additional substitutions:
%INCLUDE-LIST-PATH%
Is replaced by the path of the rsync include list file
%EXCLUDE-LIST-PATH%
Is replaced by the path of the rsync exclude list file
Recommended case.
case rsyncso
In this case there's no direct exec*() calling. In this case clsync loads sync-handler as a shared
library with dlopen(3) and calls function "int clsyncapi_rsync(const char *inclist, const char
*exclist)" from it for every sync.
inclist is a path to file with rules for "--include-from" option of rsync. This argument is
always not NULL.
exclist is a path to file with rules for "--exclude-from" option of rsync. This argument is NULL
if --rsync-prefer-include is set.
Excludes takes precedence over includes.
Also may be defined functions "int clsyncapi_init(ctx_t *, indexes_t *)" and "int
clsyncapi_deinit()" to initialize and deinitialize the syncing process by this shared object.
To fork the process should be used function "pid_t clsyncapi_fork(ctx_t *)" instead of "pid_t
fork()" to make clsync be able to kill the child.
See example file "clsync-synchandler-rsyncso.c".
Recommended case.
case so
In this case there's no direct exec*() calling. In this case clsync loads sync-handler as a shared
library with dlopen(3) and calls function "int clsyncapi_sync(int n, api_eventinfo_t *ei)" from it
for every sync. n is number of elements of ei. ei is an array of structures with information
about what and how to sync (see below).
api_eventinfo_t is a structure:
struct api_eventinfo {
uint32_t evmask; // event bitmask for file/dir by path path.
uint32_t flags; // flags of "how to sync" the file/dir
size_t path_len; // strlen(path)
const char *path; // the path to file/dir need to be synced
eventobjtype_t objtype_old; // type of object by path path before the event.
eventobjtype_t objtype_new; // type of object by path path after the event.
};
typedef struct api_eventinfo api_eventinfo_t;
The event bitmask (evmask) values can be learned from "/usr/include/linux/inotify.h".
There may be next flags' values (flags):
enum eventinfo_flags {
EVIF_NONE = 0x00000000, // No modifier
EVIF_RECURSIVELY = 0x00000001 // sync the file/dir recursively
};
Flag "EVIF_RECURSIVELY" may be used if option --have-recursive-sync is set.
Is that a file or directory by path path can be determined with objtype_old and objtype_new.
objtype_old reports about which type was the object by the path before the event.
objtype_new reports about which type became the object by the path after the event.
objtype_old and objtype_new have type eventobjtype_t.
enum eventobjtype {
EOT_UNKNOWN = 0, // Unknown
EOT_DOESNTEXIST = 1, // Doesn't exist (not created yet or already deleted)
EOT_FILE = 2, // File
EOT_DIR = 3, // Directory
} typedef enum eventobjtype eventobjtype_t;
Also may be defined functions "int clsyncapi_init(options_t *, indexes_t *)" and "int
clsyncapi_deinit()" to initialize and deinitialize the syncing process by this shared object.
To fork the process should be used function "pid_t clsyncapi_fork(options_t *)" instead of "pid_t
fork()" to make clsync be able to kill the child.
See example file "clsync-synchandler-so.c".
Recommended case.
ENVIRONMENT VARIABLES
Recognized variables - variables used by clsync.
Recognized variables
HOME - user's HOME directory, clsync looks for configuration file here
TMPDIR - use this directory as a prefix to create clsync temporary directory inside, if unset /tmp
will be used
Output variables - variables that are set by clsync before calling sync-handler.
Output variables
CLSYNC_STATUS - clsync's status (see possible statuses in description of --status-file)
CLSYNC_ITERATION - count of done synchronizaton iterations after initial sync see --max-iterations
option
RULES
Filter rules can be used to set which events clsync should monitor and which events it should ignore.
Caution! This rules doesn't guarantee that filtered file/dir won't be synced. This can occur because
file or directory can appear in the moment of sync-handler running (or after it but before the
sync-handler will reach the directory), so it'll be too late to add an exclusion. If you need a guarantee
of file syncing preventing you can use internal filter rules of the sync-handler program (for example,
rsync has options "--exclude", "--exclude-from" and "--filter") or use disable any "recursive" syncs in
clsync (and remove "-av" option of rsync if it's used). To disable recursive syncs you can use:
simple
Already non-recursive
direct
Already non-recursive
shell
Don't enable option --have-recursive-sync.
rsyncdirect
Use option --rsync-prefer-include and set sync-handler-arguments to -lptgoD --delete
--include-from %INCLUDE-LIST-PATH% --exclude='*' %watch-dir%/ %destination-dir%/
rsyncshell
Use option --rsync-prefer-include.
rsyncso
Use option --rsync-prefer-include.
so
Don't enable option --have-recursive-sync.
Filter rules can be placed into rules-file with one rule per line.
Rule format: [+-][fdWwms*]regexp
+ - means include;
- - means exclude;
f - means file;
d - means directory (the same as an combination of "w" + "m" + "s");
w - means walking to directory;
m - means monitor events in the directory;
s - means sync the the directory if modified;
W - means walk + monitor the directory (the same as an combination of "w" + "m");
* - means all.
For example: -*^/[Tt]est
It's not recommended to use w rules in modes "rsyncdirect", "rsyncshell" and "rsyncso". rsync(1) allows
one to set syncing and walking only together in "--include" rules ("--files-from" is not appropriate due
to problem with syncing files deletions). So there may be problems with clsync's w rules in this cases.
More examples:
Syncing pwdb files and sshd_config (non-rsync case):
# which files to sync:
+f^passwd$
+f^group$
+f^shadow$
+f^ssh/sshd_config$
# walk and monitor next directories:
+W^$
+W^ssh$
# forbid the rest:
-*
Syncing pwdb files and sshd_config (rsync case):
+f^passwd$
+f^group$
+f^shadow$
+f^ssh/sshd_config$
+d^$
+d^ssh$
-*
Syncing /srv/lxc tree (rsync case):
-d/sess(ion)?s?$
-f/tmp/
+*
SIGNALS
1 - (HUP) rereads filter rules
2 - (INT) exits without waiting of syncing processes ("hard kill", kills children)
3 - (QUIT) waits for current syncing processes and exit ("soft kill", waits for children). See also
--sync-on-quit.
10 - runs threads' GC function
12 - runs full resync
15 - (TERM) exits without waiting of syncing processes ("hard kill", kills children)
16 - interrupts sleep()/select() and wait() [for debugging and internal uses]
29 - dump information to dump-dir [for debugging]
If you need to kill clsync but leave children then you can use 9-th (KILL) signal.
DIAGNOSTICS
clsync misses events:
Try to run command: sysctl fs.inotify.max_queued_events=1048576
Initial rsync process works very slow on clsync start
Probably there's too huge exclude list is passed to rsync. This can happened if you're excluding
with regex in clsync's rules a lot of thousands files. They will be passed to rsync's exclude
list one by one.
To diagnose it, you can use "-U" option and look into rsync-exclude-listpath file (see SYNC
HANDLER case d)
To prevent this, it's recommended to write such rules for rsync directly (not via clsync).
For example, often problem is with PHP's session files. You shouldn't exclude them in clsync's
rules with "-f/sess_.*", but you should exclude it in rsync directly (e.g with «--exclude
"sess_*"»).
The following diagnostics may be issued on stderr:
Error: Cannot inotify_add_watch() on [...]: No space left on device (errno: 28)
Not enough inotify watching descriptors is allowed. It can be fixed by increasing value of "sysctl
fs.inotify.max_user_watches"
Error: Got non-zero exitcode exitcode [...]
sync-handler returned non-zero exitcode. Probably, you should process exitcodes in it or your
syncer process didn't worked well. I case of using rsync, you can find the exitcodes meanings in
man 1 rsync.
If exitcode equals to 23 and you're using clsync in conjunction with rsync, this may happen, for
example, in the following cases:
- Not enough space on destination.
- You're running clsync with --threading=full and rsync with --backup. See a bugreport
⟨https://bugzilla.samba.org/show_bug.cgi?id=10081⟩.
To confirm the problem, you can try to add "return 0" or "exit 0" into your sync-handler.
Bad system call
If --use-seccomp option is enabled then the error is probably caused by using of forbidden
syscall. It's a clsync bug or hack attack attempt.
To get support see SUPPORT.
CONFIGURATION FILE
clsync supports configuration file.
By default clsync tries to read next files (in specified order):
~/.clsync.conf
/etc/clsync/clsync.conf
This may be overridden with option --config-file.
clsync reads only one configuration file. In other words, if option --config-file is not set and file
~/.clsync.conf is accessible and parsable, clsync will not try to open /etc/clsync/clsync.conf. Command
line options have precedence over config file options.
Configuration file is parsed with glib's g_key_file_* API. That means, that config should consits from
groups (blocks) of key-value lines as in the example:
[default]
background = 1
mode = rsyncshell
debug = 0
output = syslog
label = default
pid-file = /var/run/clsync-%label%.pid
[debug]
config-block-inherits = default
debug = 5
background = 0
output = stderr
[test]
mode=rsyncdirect
debug=3
Also glib's gkf API doesn't support multiple assignments. If you need to list some values (e.g.
exitcodes) just list them with commas in single assignment (e.g. "ignore-exitcode=23,24").
In this example there're 3 blocks are set - "default", "debug" and "test". And block "debug" inherited
setup of block "default" except options "debug", "background" and "output".
By default clsync uses block with name "default". Block name can be set by option --config-block.
CLUSTERING
Not implemented yet. Don't try to use cluster functionality.
Not described yet.
EXAMPLES
Mirroring a directory:
clsync -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
Syncing 'authorized_keys' files:
mkdir -p /etc/clsync/rules
printf "+w^$\n+w^[^/]+$\n+W^[^/]+/.ssh$\n+f^[^/]+/.ssh/authorized_keys$\n-*" >
/etc/clsync/rules/authorized_files_only
clsync -Mdirect -Scp -W/mnt/master/home/ -D/home -R/etc/clsync/rules/authorized_files_only -- -Pfp
--parents %INCLUDE-LIST% %destination-dir%
Mirroring a directory, but faster:
clsync -w5 -t5 -T5 -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
Instant mirroring of a directory:
clsync -w0 -t0 -T0 -Mrsyncdirect -W/path/to/source_dir -D/path/to/destination_dir
Making two directories synchronous:
clsync -Mrsyncdirect --background -z /var/run/clsync0.pid --output syslog -Mrsyncdirect
-W/path/to/dir1 -D/path/to/dir2 --modification-signature '*'
clsync -Mrsyncdirect --background -z /var/run/clsync1.pid --output syslog -Mrsyncdirect
-W/path/to/dir2 -D/path/to/dir1 --modification-signature '*'
Fixing privileges of a web-site:
clsync -w3 -t3 -T3 -x1 -W/var/www/site.example.org/root -Mdirect -Schown --uid 0 --gid 0 -Ysyslog
-b1 --modification-signature uid,gid -- --from=root www-data:www-data %INCLUDE-LIST%
'Atomic' sync:
clsync --exit-on-no-events --max-iterations=20 --mode=rsyncdirect -W/var/www_new -Srsync --
%RSYNC-ARGS% /var/www_new/ /var/www/
Moving a web-server:
clsync --exit-on-no-events --max-iterations=20 --pre-exit-hook=/root/stop-here.sh
--exit-hook=/root/start-there.sh --mode=rsyncdirect --ignore-exitcode=23,24 --retries=3 -W
/var/www -S rsync -- %RSYNC-ARGS% /var/www/ rsync://clsync@another-host/var/www/
Copying files to slave-nodes using pdcp(1):
clsync -Msimple -S pdcp -W /opt/global -b -Y syslog -- -a %INCLUDE-LIST% %INCLUDE-LIST%
Copying files to slave-nodes using uftp(1):
clsync -Mdirect -S uftp -W/opt/global --background=1 --output=syslog -- -M 248.225.233.1
%INCLUDE-LIST%
A dry running to see rsync(1) arguments that clsync will use:
clsync -Mrsyncdirect -S echo -W/path/to/source_dir -D/path/to/destination_dir
An another dry running to look how clsync will call pdcp(1):
clsync -Msimple -S echo -W /opt/global -b0 -- pdcp -a %INCLUDE-LIST% %INCLUDE-LIST%
Automatically run 'make build' if any '*.c' file changed
printf "%s\n" "+f.c$" "-f" | clsync --have-recursive-sync -W . -R /dev/stdin -Mdirect -r1
--ignore-failures -t1 -w1 -Smake -- build
More working examples you can try out in "/usr/share/doc/clsync/examples/" directory. Copy this directory
somewhere (e.g. into "/tmp"). And try to run "clsync-start-rsync.sh" in there. Any files/directories
modifications in "testdir/from" will be synced to "testdir/to" in a few seconds.
AUTHOR
Dmitry Yu Okunev <dyokunev@ut.mephi.ru> 0x8E30679C
SUPPORT
You can get support on official IRC-channel in Freenode "#clsync" or on github's issue tracking system of
the clsync repository ⟨https://github.com/clsync/clsync⟩.
Don't be afraid to ask about clsync configuration, ;).
SEE ALSO
rsync(1), pthreads(7), inotify(7) kqueue(2)
Linux APRIL 2020 CLSYNC(1)