Backup Your Linode's Filesystem to Linode Object Storage with Restic

Introduction

It is vital to have backups of your Linode’s filesystem to allow you to restore in the event of a server fault, a user error or —worst-case— a hacking or defacing of your website or applications.

To be successful, backups should be automatic, reliable, and secure. This guide explains how to configure Restic on your Linode to backup your filesystem onto Linode Object Storage, so any of your files can be recovered even if your Linode is no longer accessible.

Restic is a backup utility written in Go. It is cross-platform and works on most Linux distributions with a kernel newer than 2.6.23. Each backup is stored as a snapshot in a repository. The repository can be stored on most cloud storage providers, or even in a separate directory on your Linode (not recommended.) This guide explains how to use Linode Object Storage to hold your backup repository.

Before You Begin

1. Ensure that you have followed the Getting Started and Securing Your Server guides.

2. Create an Object Storage bucket to hold your backup repository. Follow the Create a Bucket section of the How to Use Linode Object Storage guide if you do not already have one.

   Important

   Object Storage is similar to a subscription service. Once enabled, you will be billed at the flat rate regardless of whether or not there are active buckets on your account. You must Cancel Object Storage to stop billing for this service.

3. Generate Object Storage access keys.

4. Ensure your Linode has the wget and bzip2 utilities installed. Install them with the following commands:

   CentOS / Fedora

   yum install wget bzip2

   Ubuntu / Debian

   apt install wget bzip2

Install Restic

1. Download the latest version of Restic from the Github Releases page (version 0.15.2 at the time of writing):

    wget https://github.com/restic/restic/releases/download/v0.15.2/restic_0.15.2_linux_amd64.bz2
   

   Note

   Ensure you select the correct file for your system. The above command is correct for most Linux distributions on Linode.

2. Extract the downloaded file:

    bzip2 -d restic_0.15.2_linux_amd64.bz2
   

3. Move the extracted file to your system’s $PATH and make it executable for all users:

    sudo mv restic_0.15.2_linux_amd64 /usr/local/bin/restic
    sudo chmod ugo+x /usr/local/bin/restic
   

4. You can now run Restic using the command restic:

    restic version
   

   You should see a similar output:

   restic 0.15.2 compiled with go1.20.3 on linux/amd64

Create the Restic Repository

1. Configure Restic to use your Object Storage access key pair and to use the bucket you created in the Before You Begin section of this guide. Replace your-key, your-secret, and us-east-1.linodeobjects.com/your-bucket-name with your own values.

    AWS_ACCESS_KEY_ID=your-key AWS_SECRET_ACCESS_KEY=your-secret restic -r s3:us-east-1.linodeobjects.com/your-bucket-name init
   

   Note

   The above command references the us-east-1 cluster, which is located in the Newark, NJ cluster region. If your bucket is located in a different cluster region, replace us-east-1 with the appropriate cluster name.

   For example, for the Frankfurt, DE cluster region the command is:

   AWS_ACCESS_KEY_ID=your-key AWS_SECRET_ACCESS_KEY=your-secret restic -r s3:eu-central-1.linodeobjects.com/your-bucket-name init
   

   Important

   Ensure the name of your bucket is correct. If the bucket does not exist, Restic creates a new bucket for you in the cluster region you designate.

2. Following the prompt, set a password to encrypt your repository’s data. Enter your desired password twice, and you will see a similar output confirming that your repository has been created:

   enter password for new repository:
   enter password again:
   created restic repository c3ffbd1ea6 at s3:us-east-1.linodeobjects.com/restic-backups-example
   
   Please note that knowledge of your password is required to access
   the repository. Losing your password means that your data is
   irrecoverably lost.

   Important

   Store this password securely and somewhere other than your Linode. Your backups are inaccessible without the password.

Store the access key and secret

Your access key, secret key, and password are required every time Restic communicates with your repository. To make it easier to work with your repository, create a shell script containing your credentials.

1. To keep your credentials secure, using a text editor, create the example script in the root user’s home directory, and run all your Restic scripts as the root user. The example uses the Nano text editor.

    sudo nano /root/restic_params
   

   Copy and paste the example file’s content and replace your-key, and your-secret with your own Object Storage account’s access key credentials.

   File: /root/restic_params

   1 2	export AWS_ACCESS_KEY_ID=your-key export AWS_SECRET_ACCESS_KEY=your-secret

   Note

   Whenever you want to use Restic, import this file using the command below or include it in your user’s login script:

   source /root/restic_params
   

2. Create a password file to hold your Restic password:

    sudo nano /root/restic_pw
   

   Enter your Restic password and save the file.

   File: /root/restic_pw

   1	YourPasswordGoesHere

   Note

   You can pass your password filename to Restic using the -p flag:

   restic -p /root/restic_pw ...
   

Backup All Files

This section’s example script instructs Restic to backup all files on the filesystem, starting from the root filesystem. If you have mounted block storage devices, these will also be backed up.

1. Create a file in your /usr/local/bin directory:

   sudo nano /usr/local/bin/backup_files

2. Copy the following contents into the file:

   File: /usr/local/bin/backup_files

   1 2 3 4

   #!/bin/bash PATH="/usr/local/bin:$PATH" source /root/restic_params restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw -q backup --exclude={/dev,/media,/proc,/run,/sys,/tmp,/var/tmp} /

3. Make the script executable:

   sudo chmod u+x /usr/local/bin/backup_files

4. Run your first backup using the script you created:

   sudo backup_files

   You should see a similar output:

   repository 64962280 opened successfully, password is correct
   created new cache in /root/.cache/restic
   no parent snapshot found, will read all files
   
   Files:       26065 new,     0 changed,     0 unmodified
   Dirs:         3182 new,     0 changed,     0 unmodified
   Added to the repo: 947.676 MiB
   
   processed 26065 files, 979.212 MiB in 0:47
   snapshot be80fb7c saved

5. Executing the script creates a snapshot in your Restic repository. Use Restic’s snapshot command to view it:

   sudo /bin/bash -c "source /root/restic_params; restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw snapshots"

   Restic returns a similar output:

   repository 64962280 opened successfully, password is correct
   ID        Time                 Host        Tags        Paths
   ------------------------------------------------------------
   be80fb7c  2021-03-23 12:17:00  li269-232               /
   ------------------------------------------------------------
   1 snapshots

Set Up Automated Backups

Linux has several ways of running a job on a defined schedule. This section outlines several common methods that you can use to configure the backup script to run periodically. Read through the methods and select one that suits your needs.

Cron

System Cron jobs exist as entries in the /etc/crontab file. Open your systems crontab file for editing with the following command:

sudo crontab -e

Add a line pointing to your backup script. This example runs the backup at 12am every day. See the Schedule tasks with Cron article for additional scheduling options.

0 0 * * * /usr/local/bin/backup_files > /tmp/backup-log.txt 2>&1

Systemd

Systemd can run commands (known as units) on a periodic basis using timers. You can use systemd commands to monitor when the timers and commands last ran, and the output from running the commands.

To schedule a command, you need two configuration files: the service file which includes the commands to run and a timer file which defines when to run the service.

Create the service configuration file and copy and paste the contents of the example:

sudo nano /etc/systemd/system/backup-files.service

File: /etc/systemd/system/backup-files.service

1 2 3 4 5

[Unit] Description=Backup local filesystems [Service] ExecStart=/usr/local/bin/backup_files Environment=USER=root HOME=/root

Create the timer configuration file and copy and paste the contents of the example. The OnCalendar line instructs Systemd when to execute the service file’s commands. In the example, the service file’s commands are run at 12am every day.

sudo nano /etc/systemd/system/backup-files.timer

File: /etc/systemd/system/backup-files.timer

1 2 3 4 5 6

[Unit] Description=Backup local filesystems [Timer] OnCalendar=*-*-* 00:00:00 [Install] WantedBy=timers.target

When you are satisfied with your timer’s configurations, enable the timer:

sudo systemctl enable --now backup-files.timer

You can monitor all your system’s timers with the following command:

sudo systemctl list-timers

You should see a similar output:

NEXT                         LEFT     LAST  PASSED  UNIT                ACTIVATES
Wed 2021-03-24 00:00:00 UTC  11h left n/a   n/a     backup-files.timer  backup-files.service

The NEXT and LEFT column tells you the exact time and how long until the timer executes the service file next. The LAST and PASSED columns display information on when the timer last executed the service file.

Finishing Up

Log into your Linode Cloud Manager account and view the Object Storage bucket you created to store your Restic backups. You should see a set of files like the ones displayed in the screenshot below. These files collectively make up the Restic repository; you will not see your individual files.

To explore the backups and files held within the Restic repository, you must issue the restic command from the machine that you installed Restic on when following the steps in the Before You Begin section.

Create an Alias

It can get tedious typing out the arguments to the Restic command. To make life easier for maintenance and daily management, create an alias for the command with the arguments you need.

In your root user’s .profile file, add the lines in the example. For example, on an Ubuntu system this file is located in /root/.profile. To learn more about creating reusable aliases, see the How to Add the Linux alias Command in the .bashrc File guide.

File: /root/.profile

1 2 3

... source /root/restic_params alias myrestic='restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw'

After logging out of your system and back in again, you can run restic using your aliased command:

myrestic snapshots

Restore a Backup

Backups are not useful if you cannot restore them. It’s a good idea to test out your backups once in a while. To restore the latest useable backup from Restic, run the restore latest command:

restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw restore latest -t /root

/home/myuser/etc/network/interfaces

To restore a backup from a particular point-in-time, issue the example command to find the snapshot ID for the specific backup.

sudo /bin/bash -c "source /root/restic_params; restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw snapshots"

The output resembles the example, where the first column displays the snapshot ID:

repository 64962280 opened successfully, password is correct
ID        Time                 Host        Tags        Paths
------------------------------------------------------------
be80fb7c  2021-03-23 12:17:00  li269-232               /
------------------------------------------------------------
1 snapshots

Pass the selected ID to the restore command instead of latest. Replace be80fb7c in the example with your own snapshot ID:

sudo /bin/bash -c "source /root/restic_params; restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw restore be80fb7c -t /root"

The above commands restore all files taken in the backup. Usually, you’ll only want a single file or directory.

To restore a single file, pass the file path using the -i option, along with either latest or the snapshot ID:

sudo /bin/bash -c "source /root/restic_params; restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw restore be80fb7c -i /etc/network/interfaces -t /root"

To restore a directory, pass the directory path using the -i option, along with either latest or the snapshot ID:

sudo /bin/bash -c "source /root/restic_params; restic -r s3:us-east-1.linodeobjects.com/your-bucket-name -p /root/restic_pw restore be80fb7c -i /home -t /root"

Maintain your Repository

Your backup repository’s size can grow very quickly, especially if you backup a large filesystem every day.

Restic can automatically clean-up your backup snapshots according to a flexible policy using snapshot policies.

Consider automatically running a policy using the forget command on a frequent basis (e.g. daily) to keep your backup repository’s size down. Refer to the snapshot policies article for more details.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

• Preparing a new Restic repository
• Backing up
• Removing snapshots according to a policy