Backup with Restic
This is a comprehensive tutorial for setting up Restic backups.
Restic is a modern, fast, secure, and easy-to-use backup program. It supports various backends, including local directories, SFTP servers, and cloud storage like Amazon S3, Google Cloud Storage, and Azure Blob Storage. This guide will walk you through setting up Restic for encrypted backups to local, SFTP, and S3 destinations.
Prerequisites
Before you begin, ensure you have the following:
- A Linux server with root or sudo privileges.
- Basic understanding of the Linux command line.
- For SFTP backups: An SFTP server accessible from your backup server and a dedicated user account for backups.
- For S3 backups: An AWS account with an S3 bucket created and appropriate access credentials (Access Key ID and Secret Access Key).
- Restic installed on your backup server. If it is not installed, download the latest release from the Restic GitHub releases page and install it. The releases page publishes bzip2-compressed binaries rather than `.deb` packages. For example, on Debian/Ubuntu:
wget https://github.com/restic/restic/releases/download/v0.16.0/restic_0.16.0_linux_amd64.bz2
bunzip2 restic_0.16.0_linux_amd64.bz2
sudo install -m 755 restic_0.16.0_linux_amd64 /usr/bin/restic
- Ensure your system is up-to-date:
sudo apt update && sudo apt upgrade -y
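Checking the downloaded release file against the `SHA256SUMS` file published alongside it before installing, as an added example (not part of the original guide). The function name and its return codes are this example's own.

```shell
#!/bin/sh
# Added example: compare a downloaded release file with the SHA256SUMS list
# from the same release before anything is installed with sudo.
# Authenticate SHA256SUMS itself first: the release also carries a detached
# signature (SHA256SUMS.asc) to check with gpg --verify against the project's key.

# verify_release_file FILE SUMS
#   0 = digest matches, 1 = mismatch, 2 = missing input, 3 = FILE not listed
verify_release_file() {
    file=$1 sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=${file##*/}
    # Lines look like "<hex digest>  <name>" (binary mode writes "*<name>").
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    # A file that the list does not mention is a failure, not a pass.
    [ -n "$expected" ] || return 3
    actual=$(sha256sum < "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# Usage: verify_release_file <downloaded file> SHA256SUMS && <install step>
```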
Initializing a Restic Repository
A Restic repository is where your backups are stored. It's essential to initialize it before you can start backing up. You will need to choose a strong password to encrypt your backups. This password is crucial; if lost, your backups will be unrecoverable.
Local Repository
To initialize a repository on a local directory:
- Choose a directory for your repository. Ensure it has enough free space for your backups.
sudo mkdir -p /mnt/backups/restic_repo
- Initialize the repository, providing a password. Replace 'your_strong_password' with a secure password.
export RESTIC_PASSWORD='your_strong_password'
restic init --repo /mnt/backups/restic_repo
Expected Output:
repository created
- It's recommended to store your password securely, for example, in an environment file.
echo "export RESTIC_PASSWORD='your_strong_password'" >> ~/.restic_env
source ~/.restic_env
Security Implication: Storing the password in plain text in an environment file is convenient but can be a security risk if the file is not properly protected. Consider using a secrets management tool for production environments.
SFTP Repository
To initialize a repository on an SFTP server:
- Ensure you have an SFTP user (e.g., `backupuser`) and an SSH key for passwordless access.
- Create a directory on the SFTP server for your repository.
- Initialize the repository. Replace `sftp://user@your_sftp_server.com/path/to/repo` with your SFTP details.
export RESTIC_PASSWORD='your_strong_password'
restic init --repo sftp://backupuser@your_sftp_server.com/home/backupuser/restic_repo
Expected Output:
repository created
Security Implication: Using SSH keys for authentication is more secure than password-based authentication. Ensure your private SSH key is protected.
S3 Repository
To initialize a repository on an S3 bucket:
- Ensure you have an S3 bucket created and your AWS Access Key ID and Secret Access Key.
- Set the AWS credentials as environment variables.
export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_ACCESS_KEY'
export RESTIC_PASSWORD='your_strong_password'
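- Initialize the repository. Replace `my-backup-bucket` and `restic_repo` with your bucket name and desired path. For Amazon S3 the repository string starts with the service endpoint, `s3.amazonaws.com`, followed by the bucket name.
restic init --repo s3:s3.amazonaws.com/my-backup-bucket/restic_repo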
Expected Output:
repository created
Security Implication: Never hardcode AWS credentials in scripts. Using environment variables or IAM roles is the recommended approach.
Performing Backups
Once your repository is initialized, you can start backing up your data.
Backup to Local Repository
To back up a directory (e.g., `/var/www/html`) to your local repository:
restic backup /var/www/html --repo /mnt/backups/restic_repo
Expected Output (will vary based on files):
repository contains X snapshots now:
...
...
Files: 10000
Dirs: 1000
Size: 1.234 GiB
[...]
Snapshots created: 1
[...]
Explanation: Restic will scan the specified directory, identify new or changed files, encrypt them, and store them in the repository. The `backup` command creates a new snapshot of your data.
Backup to SFTP Repository
restic backup /var/www/html --repo sftp://backupuser@your_sftp_server.com/home/backupuser/restic_repo
Backup to S3 Repository
export AWS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
export AWS_SECRET_ACCESS_KEY='YOUR_SECRET_ACCESS_KEY'
export RESTIC_PASSWORD='your_strong_password'
restic backup /var/www/html --repo s3:s3.amazonaws.com/my-backup-bucket/restic_repo
Automating Backups with Cron
To ensure regular backups, you should automate the process using `cron`.
- Edit your crontab:
crontab -e
- Add a line to schedule your backup. This example runs a backup every day at 2 AM to the local repository:
0 2 * * * /usr/bin/restic --repo /mnt/backups/restic_repo backup /var/www/html --password-file /etc/restic/repo.pass > /var/log/restic_backup.log 2>&1
Explanation:
- `0 2 * * *`: Cron schedule (minute, hour, day of month, month, day of week).
- `/usr/bin/restic`: Full path to the Restic executable.
- `--repo`: Specifies the repository location.
- `--password-file`: Points to a file containing your repository password. Create this file and secure its permissions:
sudo mkdir -p /etc/restic
echo 'your_strong_password' | sudo tee /etc/restic/repo.pass > /dev/null
sudo chmod 600 /etc/restic/repo.pass
- `> /var/log/restic_backup.log 2>&1`: Redirects standard output and standard error to a log file for review.
Security Implication: Using `--password-file` is generally preferred over the `RESTIC_PASSWORD` environment variable in cron jobs for better security. Ensure the password file has strict permissions (readable only by root).
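A wrapper script for the cron entry above, as an added example that is not part of the original guide: it refuses to run when the password file is not private, prevents overlapping runs, and records restic's exit status in the log. The script path, the lock file location and the `RESTIC_BIN` override are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): wrapper for the nightly cron job.
# REPO, SRC, PASSFILE and LOG are the guide's values; LOCK, the log wording and
# the RESTIC_BIN override are assumptions of this example.
REPO=${REPO:-/mnt/backups/restic_repo}
SRC=${SRC:-/var/www/html}
PASSFILE=${PASSFILE:-/etc/restic/repo.pass}
LOG=${LOG:-/var/log/restic_backup.log}
LOCK=${LOCK:-/var/lock/restic_backup.lock}
RESTIC_BIN=${RESTIC_BIN:-/usr/bin/restic}

# Accept the password file only if it is a regular file (no symlink), owned by
# the user running the job, with mode 600 or 400.
check_password_file() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    set -- $(stat -c '%a %u' "$1")      # GNU stat: octal mode, owner uid
    [ "$2" = "$(id -u)" ] || return 1
    case $1 in 600|400) return 0 ;; *) return 1 ;; esac
}

# restic backup exits 0 on success and 3 when some source files were unreadable
# (a snapshot exists but is incomplete); anything else is a failed run.
describe_status() {
    case $1 in 0) echo OK ;; 3) echo INCOMPLETE ;; *) echo FAILED ;; esac
}

run_backup() {
    check_password_file "$PASSFILE" || {
        echo "refusing to run: unsafe password file $PASSFILE" >&2; return 10; }
    (
        # Non-blocking lock: skip this run if the previous one is still going.
        flock -n 9 || { echo "previous backup still running" >&2; exit 12; }
        rc=0
        "$RESTIC_BIN" --repo "$REPO" --password-file "$PASSFILE" \
            backup "$SRC" >>"$LOG" 2>&1 || rc=$?
        echo "$(date -u +%FT%TZ) backup $(describe_status "$rc") (exit $rc)" >>"$LOG"
        exit "$rc"
    ) 9>"$LOCK"
}

# Crontab line (hypothetical install path):
#   0 2 * * * /usr/local/sbin/restic-backup.sh run
if [ "${1:-}" = run ]; then run_backup; exit $?; fi
```

Because the wrapper appends to the log instead of truncating it, rotate `/var/log/restic_backup.log` with your usual log rotation.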
Managing Backups
Restic provides commands to manage your snapshots and repository.
Listing Snapshots
To list all snapshots in a repository:
restic snapshots --repo /mnt/backups/restic_repo
Expected Output:
ID        Time                 Host      Tags  Paths
----------------------------------------------------------------------------
a1b2c3d4  2023-10-27 02:00:00  myserver        /var/www/html
e5f6g7h8  2023-10-28 02:00:00  myserver        /var/www/html
----------------------------------------------------------------------------
2 snapshots
Pruning Old Snapshots
To save space, you should periodically remove old snapshots.
restic forget --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --repo /mnt/backups/restic_repo
restic prune --repo /mnt/backups/restic_repo
Explanation:
- `forget`: Marks snapshots for deletion based on retention policies.
  * `--keep-daily 7`: Keep the last 7 daily snapshots.
  * `--keep-weekly 4`: Keep the last 4 weekly snapshots.
  * `--keep-monthly 6`: Keep the last 6 monthly snapshots.
- `prune`: Actually removes the marked snapshots and any associated data that is no longer referenced.
Performance Benchmark: Pruning can be I/O intensive, especially for large repositories. Schedule it during off-peak hours. The time taken depends on the repository size and the number of snapshots being pruned.
Checking Repository Integrity
It's good practice to periodically check your repository's integrity.
restic check --repo /mnt/backups/restic_repo
Explanation: This command verifies the repository's data integrity and checks for any corruption.
Restoring Data
In case of data loss, you can restore your files.
Listing Files in a Snapshot
First, find the snapshot ID you want to restore from.
restic snapshots --repo /mnt/backups/restic_repo
Then, list the files in that snapshot:
restic ls <snapshot_id> --repo /mnt/backups/restic_repo
Restoring a Snapshot
To restore a specific snapshot to a directory:
restic restore <snapshot_id> --target /tmp/restore --repo /mnt/backups/restic_repo
Explanation: This will restore all files from the specified snapshot into the `/tmp/restore` directory.
Restoring Specific Files/Directories
To restore a specific file or directory from a snapshot:
restic restore <snapshot_id> --target /tmp/restore --include '/var/www/html/index.html' --repo /mnt/backups/restic_repo
Troubleshooting
- `restic init` fails with "repository already exists": This means the repository has already been initialized. You can proceed to use it or re-initialize if you intend to start fresh (ensure you have a backup of the old repository if needed).
- `restic backup` is slow:
  * Ensure your network connection (for SFTP/S3) is stable and has sufficient bandwidth.
  * Check disk I/O performance on your backup source and repository destination.
  * For S3, consider using a region closer to your server.
  * Use the `--compression` flag (though Restic compresses by default).
- `restic restore` fails:
  * Verify the snapshot ID is correct.
  * Check if the target directory exists and has write permissions.
  * Ensure you have sufficient disk space at the target location.
  * If using SFTP/S3, verify your credentials and network connectivity.
- Cron job not running:
  * Check cron logs (e.g., `/var/log/syslog` or `/var/log/cron`).
  * Ensure the Restic executable path is correct in the crontab.
  * Verify the `RESTIC_PASSWORD` or `--password-file` is correctly set and accessible.
  * Ensure the user running the cron job has necessary permissions.