Skip to content
GitLab

Container Backups with Restic · Changes

Page history
Create Container Backups with Restic authored by Mara Karagianni's avatar Mara Karagianni
Hide whitespace changes
Inline Side-by-side
Container-Backups-with-Restic.md 0 → 100644
View page @ baaa38e6
Steps we follow to backup AS LXC containers:
*Note: all system paths and parameters in this HOWTO are fictional.
Process
- stop the containers (because AS containers were created and managed by root user, they need root privlege to stop them. We solved this by allowing the specific lxc stop/start commands for the backup user via the sudoes.d configuration.)
- backup the containers
- restart the containers
System setup
- a backup 'user'
- ssh keys to access remote backup repo
- password for restic backup command
- bash script with the necessary commands to run the process above
- cron job added via the backup user to run the bash script on regular intervals.
Configuration of the system setup
1. How to access the remote backup repo?
- create new ssh keys for ssh access to the remote backup repo, and give directory flag for saving the keys under the desired directory.
- scp the new pub key in the remote backup repo, under the remote user's home .ssh/authorized_keys. Remote user is the one who owns the repo where our backups will be placed.
To securely copy the public key, we shall enable password authentication at remote's server file */etc/ssh/sshd_config*, and disable it after having copied the public key.
`$ ssh-copy-id -i ~/.ssh/other_key.pub user@remote-host`
https://www.simplified.guide/ssh/copy-public-key
2. How to run the backup command without root privelege when some of the filesystem to be backed-up is accessed only by root, aka execute a binary meant for root without being root?
The idea is to execute the restic binary from backup user's home or from /usr/bin.
<code> # useradd backupuser </code>
# creates the new user and a group with the same name
<code> # chown root:backupuser /usr/bin/restic</code>
# makes user root and group backupuser owners of the restic binary
<code> # chmod 750 /usr/bin/restic </code>
# user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary
<code> # setcap cap_dac_read_search=+ep ~backupuser/bin/restic </code>
# assigns capabilities to backup the whole system
Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root
\ No newline at end of file