
Restic

For teams that have their own AWS account and wish to manage their own backup solution, Restic can be used. Restic is a CLI tool that backs up local files and stores them encrypted in various target repositories, for example AWS S3 buckets.

Client installation

Manual

Restic is a single Go binary which can be downloaded from the restic releases page.

Puppet

For servers managed by Puppet, there is a puppet module that will install restic and configure it to do backups to an AWS S3 bucket.

See pmodule_restic README for more information.

In addition to managing which paths to back up and defining hooks in Puppet, you can also define these on the server in the following directories, which Puppet will not touch but Restic will pick up:

/etc/restic/backup-items/  # files containing paths to include in backup, one per line.
/etc/restic/pre-hooks/ # place scripts that should be run before backup is performed
/etc/restic/post-hooks/ # place scripts that should be run after backup is performed

Target repository

Restic needs a target repository. Here is an example of how to set up an AWS S3 bucket with CloudFormation.

Info: Restic needs DeleteObject because it manages its own retention. The bucket is versioned so that all backups cannot simply be deleted or overwritten using Restic's credentials.

"ExampleBackup":
  Type: "AWS::S3::Bucket"
  Properties:
    VersioningConfiguration:
      Status: Enabled
    LifecycleConfiguration:
      Rules:
        - AbortIncompleteMultipartUpload:
            DaysAfterInitiation: 7
          Status: Enabled
        - NoncurrentVersionExpirationInDays: 90
          Status: Enabled
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: 'AES256'
    BucketName: "sikt-vm-restic-backup-<FQDN>"
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
    Tags:
      - Key: "CostCenter"
        Value: "K123456"
      - Key: "Group"
        Value: "example123"

"ExampleBackupUser":
  Type: "AWS::IAM::User"
  Properties:
    UserName: "sikt-vm-restic-backup-<FQDN>"

"ExampleBackupPolicy":
  Type: "AWS::IAM::Policy"
  Properties:
    PolicyDocument:
      Statement:
        - Effect: "Allow"
          Action:
            - "s3:GetObject"
            - "s3:PutObject"
            - "s3:DeleteObject"
            - "s3:AbortMultipartUpload"
            - "s3:ListMultipartUploadParts"
          Resource: !Join
            - ""
            - - !GetAtt
                - "ExampleBackup"
                - "Arn"
              - "/*"
        - Effect: "Allow"
          Action:
            - "s3:ListBucket"
            - "s3:GetBucketLocation"
          Resource: !GetAtt
            - "ExampleBackup"
            - "Arn"
        - Effect: "Allow"
          Action: "s3:ListAllMyBuckets"
          Resource: "*"
    PolicyName: "S3Access"
    Users:
      - !Ref "ExampleBackupUser"

Restoring from backup

Backups stored in an S3 bucket can be restored with the same Restic client that created the backup.
To restore a backup, you first have to get access to the S3 bucket containing the backup data.

Manual

You must first set up the following environment variables with the credentials you obtained while creating the bucket.

export AWS_ACCESS_KEY_ID=<MY_ACCESS_KEY>
export AWS_SECRET_ACCESS_KEY=<MY_SECRET_ACCESS_KEY>

It is good practice to store the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and the repository password in Vault, so check there first.

With the S3 bucket credentials in place, we can start the actual restore process.
If you want to restore the latest backup, use the following command:

restic -r s3:<s3 bucket url> restore latest --target <destination path>

Restic expects <s3 bucket url> to be a path-style URL, for example s3.dualstack.eu-north-1.amazonaws.com/platon-vm-alamak.iaas.aws.unit.no.

If the latest backup is corrupted, or you want to restore a specific backup, you first need to find the backup id:

restic -r s3:<s3 bucket url> snapshots

With a specific backup selected, restore it with:

restic -r s3:<s3 bucket url> restore <backup id> --target <destination path>

For more specific features such as --path or --exclude, see the official documentation: https://restic.readthedocs.io/en/stable/050_restore.html
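The manual restore steps above, collected into a small POSIX sh script as an added example (not from this page or the pmodule_restic module). It assumes the path-style repository URL format shown above, that the repository password is supplied via restic's RESTIC_PASSWORD environment variable, and the hypothetical function names restic_repo_url, valid_snapshot_ref, require_env and restore_snapshot.

```sh
#!/bin/sh
# Added example: helpers for a manual Restic restore from an S3 repository.
# Assumes region + bucket name form the path-style URL Restic expects, and that
# AWS credentials and RESTIC_PASSWORD are provided through the environment.

# Build the path-style S3 repository URL, e.g.
# s3:s3.dualstack.eu-north-1.amazonaws.com/<bucket>
restic_repo_url() {
  printf 's3:s3.dualstack.%s.amazonaws.com/%s\n' "$1" "$2"
}

# A snapshot reference is "latest" or a hex snapshot id (8-char short form up
# to the 64-char full id). Rejecting anything else keeps a typo from being
# handed to restic as an option or a path.
valid_snapshot_ref() {
  case "$1" in
    latest) return 0 ;;
    *[!0-9a-f]*|'') return 1 ;;
  esac
  n=${#1}
  [ "$n" -ge 8 ] && [ "$n" -le 64 ]
}

# Fail early with a clear message if any credential variable is missing;
# restic itself reads all three from the environment.
require_env() {
  missing=""
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY RESTIC_PASSWORD; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  [ -z "$missing" ] && return 0
  echo "missing environment variables:$missing" >&2
  return 1
}

# Restore one snapshot into an empty target directory (never over the live
# path), after confirming the snapshot actually exists in the repository.
restore_snapshot() {
  repo="$1"; snap="$2"; target="$3"
  valid_snapshot_ref "$snap" || { echo "bad snapshot ref: $snap" >&2; return 1; }
  require_env || return 1
  mkdir -p "$target"
  [ -z "$(ls -A "$target")" ] || { echo "target not empty: $target" >&2; return 1; }
  restic -r "$repo" snapshots "$snap" >/dev/null || return 1
  restic -r "$repo" restore "$snap" --target "$target"
}
```

Typical use: `. ./restic-restore.sh; restore_snapshot "$(restic_repo_url eu-north-1 sikt-vm-restic-backup-<FQDN>)" latest /restore/<FQDN>`.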

Puppet

If you are restoring on a machine where backups are controlled by Puppet, you can use the restic-wrapper.sh script.
Add the desired restic command after restic-wrapper.sh and the AWS credentials will be handled by the script. The bucket URL can be omitted, since the wrapper script exports the S3 bucket address as an environment variable.

Example:

sudo /opt/pmodule_restic/restic-wrapper.sh snapshots

Restic resources

https://restic.net/
https://restic.readthedocs.io/en/stable