Using restic to back up VPS data on CentOS 7

Publish: 2019-11-02 | Modify: 2019-11-02

restic is a fast, efficient, and secure backup program. It runs on the three mainstream operating systems (Linux, macOS, Windows) and supports several storage backends, including local directories, SFTP, AWS S3, Backblaze B2, etc.

In a production environment, data is critical to a company, so backing it up regularly is essential. Some service providers offer paid or free backup services, but they cannot guarantee absolute security, so where necessary we can keep a copy of the data elsewhere. restic supports encrypted backups, incremental backups, and rolling back to a snapshot, which makes it well suited to data backup.

This article records the entire process of using restic to back up data to another server over SFTP in a CentOS 7 environment, so that others can avoid the pitfalls. (Reading this article requires a certain level of Linux operations knowledge. Beginners are advised not to tinker with it.)

Installing restic

restic is written in Go and ships convenient prebuilt binaries, so here we install the binary version. The latest version can be downloaded from GitHub: https://github.com/restic/restic/releases

# Download restic
wget https://github.com/restic/restic/releases/download/v0.9.5/restic_0.9.5_linux_amd64.bz2
# Decompress
bzip2 -d restic_0.9.5_linux_amd64.bz2
# Rename
mv restic_0.9.5_linux_amd64 /usr/sbin/restic
# Grant execution permission
chmod +x /usr/sbin/restic
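
The steps above install the downloaded binary without checking it. As an added example (not part of the original article), the function below verifies the archive against the SHA256SUMS file published on the same release page, before decompressing; the function name verify_release is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: check a downloaded restic archive against SHA256SUMS.
# verify_release FILE SUMS
#   returns 0 if FILE is listed in SUMS and its SHA-256 matches,
#           1 on a checksum mismatch,
#           2 if FILE is not listed at all (fail closed).
verify_release() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Select the line for this file by exact name. Older coreutils, such as
    # the one on CentOS 7, lack "sha256sum --ignore-missing", so the lookup
    # is done here instead. "*name" is the binary-mode form of the entry.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: $name is not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: checksum mismatch for $name" >&2
        return 1
    fi
    echo "OK: $name"
}

# The sums file lists the compressed archives, so verify before bzip2 -d:
#   verify_release restic_0.9.5_linux_amd64.bz2 SHA256SUMS \
#       && bzip2 -d restic_0.9.5_linux_amd64.bz2
# The release page also carries SHA256SUMS.asc, a GPG signature over the
# sums file; checking it with gpg authenticates the sums file itself.
if [ $# -eq 2 ]; then verify_release "$1" "$2"; fi
```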

After these simple steps, the installation of restic is complete. If everything goes well, we can see the usage help by executing the command restic -h.

[root@ali_sgp ~]# restic -h

restic is a backup program which allows saving multiple revisions of files and
directories in an encrypted repository stored on different backends.

Usage:
  restic [command]

Available Commands:
  backup        Create a new backup of files and/or directories
  cache         Operate on local cache directories
  cat           Print internal objects to stdout
  check         Check the repository for errors
  diff          Show differences between two snapshots
  dump          Print a backed-up file to stdout
  find          Find a file, a directory or restic IDs
  forget        Remove snapshots from the repository
  generate      Generate manual pages and auto-completion files (bash, zsh)
  help          Help about any command
  init          Initialize a new repository
  key           Manage keys (passwords)
  list          List objects in the repository
  ls            List files in a snapshot
  migrate       Apply migrations
  mount         Mount the repository
  prune         Remove unneeded data from the repository
  rebuild-index Build a new index file
  recover       Recover data from the repository
  restore       Extract the data from a snapshot
  self-update   Update the restic binary
  snapshots     List all snapshots
  stats         Scan the repository and show basic statistics
  tag           Modify tags on snapshots
  unlock        Remove locks other processes created
  version       Print version information

Flags:
      --cacert file               file to load root certificates from (default: use system certificates)
      --cache-dir string          set the cache directory. (default: use system default cache directory)
      --cleanup-cache             auto remove old cache directories
  -h, --help                      help for restic
      --json                      set output mode to JSON for commands that support it
      --key-hint string           key ID of key to try decrypting first (default: $RESTIC_KEY_HINT)
      --limit-download int        limits downloads to a maximum rate in KiB/s. (default: unlimited)
      --limit-upload int          limits uploads to a maximum rate in KiB/s. (default: unlimited)
      --no-cache                  do not use a local cache
      --no-lock                   do not lock the repo, this allows some operations on read-only repos
  -o, --option key=value          set extended option (key=value, can be specified multiple times)
      --password-command string   specify a shell command to obtain a password (default: $RESTIC_PASSWORD_COMMAND)
  -p, --password-file string      read the repository password from a file (default: $RESTIC_PASSWORD_FILE)
  -q, --quiet                     do not output comprehensive progress report
  -r, --repo string               repository to backup to or restore from (default: $RESTIC_REPOSITORY)
      --tls-client-cert string    path to a file containing PEM encoded TLS client certificate and private key
  -v, --verbose n                 be verbose (specify --verbose multiple times or level n)

Use "restic [command] --help" for more information about a command.

Initializing restic

xiaoz chose to back up the current server's data to another server via SFTP. Before starting, please refer to "Configure passwordless login on Linux" and make sure the current server can log in to the other server automatically with an SSH key, without a password. Assuming you have completed this step, we can now initialize the restic repository.

# Initialize restic
$ restic -r sftp:user@host:/srv/restic-repo init
enter password for new backend:
enter password again:
created restic backend f1c6108821 at sftp:user@host:/srv/restic-repo
Please note that knowledge of your password is required to access the repository.
Losing your password means that your data is irrecoverably lost.
  • During initialization you are prompted to enter a password twice. This password is what restic uses to encrypt and decrypt the data; it is not the server password. Do not forget it: once the password is lost, the data cannot be decrypted and is gone.
  • /srv/restic-repo is the repository path on the other server.

For more initialization instructions, please refer to the official documentation: Preparing a new repository

Backing up data

After initialization, we can use the following command to back up the data:

restic -r sftp:user@host:/data/aliyun_sgp --verbose backup /data/wwwroot --exclude=/data/wwwroot/default
  • /data/aliyun_sgp: the repository directory on the remote server (target directory). It must be a repository that has already been initialized with init.
  • /data/wwwroot: the folder to be backed up (local folder).
  • /data/wwwroot/default: the folder to be excluded (directory that does not need to be backed up).

Viewing and removing snapshots

Restic uses incremental backup. When backing up again, restic only backs up files that have been modified or added and creates a snapshot (restore point). The commonly used commands for snapshots are as follows:

View snapshots of the target folder

$ restic -r /srv/restic-repo snapshots
enter password for repository:
ID        Date                 Host      Tags  Directory
----------------------------------------------------------------------
40dc1520  2015-05-08 21:38:30  kasimir         /home/user/work
79766175  2015-05-08 21:40:19  kasimir         /home/user/work
bdbd3439  2015-05-08 21:45:17  luigi           /home/art
590c8fc8  2015-05-08 21:47:38  kazik           /srv
9f0bc19e  2015-05-08 21:46:11  luigi           /srv

Delete a specific snapshot

$ restic -r /srv/restic-repo forget bdbd3439
enter password for repository:
removed snapshot d3f01f63

Clean up the data left behind by deleted snapshots (forget only removes the snapshot itself; the data it referenced stays in the repository and the space is not released until you run prune).

restic -r /srv/restic-repo prune

Restore a snapshot

$ restic -r /srv/restic-repo restore 79766175 --target /tmp/restore-work
enter password for repository:
restoring <Snapshot of [/home/user/work] at 2015-05-08 21:40:19.884408621 +0200 CEST> to /tmp/restore-work
  • /srv/restic-repo: the repository path where the snapshots are stored.
  • 79766175: the ID of the snapshot.
  • /tmp/restore-work: the target folder (where you want to restore to).

Passwordless operation

restic prompts for the repository password on every operation. If you want to avoid entering it each time, you can do the following:

# Create a file and store the restic password in it
vi /root/.restic.pw
# Set it as an environment variable
export RESTIC_PASSWORD_FILE=/root/.restic.pw

This way, restic no longer prompts for the password the next time you back up data, which makes it easy to write shell scripts around it.
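
A script of the kind mentioned above, as an added example that is not part of the original article: it refuses to run when the password file is accessible to other users, then backs up, applies retention and checks the repository. The function names, the "run" argument and the 7-day retention are assumptions; the paths mirror the article.

```shell
#!/bin/sh
# Added example: cron-friendly wrapper around the article's backup command.
# The 7-day retention and the "run" argument are assumptions of this sketch.
RESTIC_REPOSITORY=${RESTIC_REPOSITORY:-sftp:user@host:/data/aliyun_sgp}
RESTIC_PASSWORD_FILE=${RESTIC_PASSWORD_FILE:-/root/.restic.pw}
export RESTIC_REPOSITORY RESTIC_PASSWORD_FILE

# pwfile_ok FILE: succeed only if FILE is a regular file (not a symlink),
# owned by the current user, with no group/other permission bits set.
pwfile_ok() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "password file missing or a symlink: $f" >&2; return 1
    fi
    set -- $(stat -c '%a %u' "$f")      # GNU stat: octal mode, owner uid
    if [ "$2" != "$(id -u)" ]; then
        echo "$f is not owned by uid $(id -u)" >&2; return 1
    fi
    case $1 in
        *00) return 0 ;;                # e.g. 600 or 400: owner-only access
        *)   echo "$f has mode $1, expected 600 (chmod 600 $f)" >&2; return 1 ;;
    esac
}

# run_backup: returns 0 on success, 1 for an unsafe password file,
# 2/3/4 when the backup, the retention step or the integrity check fails.
run_backup() {
    pwfile_ok "$RESTIC_PASSWORD_FILE" || return 1
    restic backup /data/wwwroot --exclude=/data/wwwroot/default || return 2
    # forget only drops snapshot references; --prune frees the data afterwards.
    restic forget --keep-daily 7 --prune || return 3
    restic check || return 4
}

# Intended cron usage: /path/to/this-script run
if [ "${1:-}" = "run" ]; then run_backup; fi
```

The password file decrypts every snapshot in the repository, so run chmod 600 /root/.restic.pw right after creating it.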

Finally

Restic encrypts and backs up data, uses incremental backup, and supports various backup methods. It is an excellent choice for backing up server data. For more usage instructions, please refer to the official documentation.

