Backing up server data with Restic

Installing the rest-server backend

I plan to run the backend on a NAS. Because I don't want to install Docker on the NAS, I use systemd to manage the process. The system is Ubuntu 20.04.

sudo vim /etc/systemd/system/rest-server.service
[Unit]
Description=Rest Server
After=syslog.target
After=network.target

# if you want to use socket activation, make sure to require the socket here
#Requires=rest-server.socket

[Service]
Type=simple
# You may prefer to use a different user or group on your system.
User=lomot
Group=lomot
ExecStart=/opt/rest-server/rest-server --path /nas/backup/restic --listen 0.0.0.0:8022 --no-auth
Restart=always
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.

# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
ReadWritePaths=/nas/backup/restic

# Makes created files group-readable, but inaccessible by others
UMask=027

# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# ProtectProc=invisible
ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_INET AF_INET6
RestrictSUIDSGID=true
RestrictRealtime=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target

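Here --path /nas/backup/restic is the backup storage path. Note that the ReadWritePaths=/nas/backup/restic field must be present: ProtectSystem=strict makes the file system read-only for the service, so without it rest-server has no permission to write files.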

sudo systemctl daemon-reload
sudo systemctl start rest-server.service
sudo systemctl enable rest-server.service
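
The unit above starts rest-server with --no-auth on 0.0.0.0:8022, so who can reach the repository depends entirely on the network. The following check is an added example, not part of the original post or of rest-server: it inspects a unit file's ExecStart= line for rest-server's --no-auth, --listen, --tls and --append-only flags. The function name and severity labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag exposure-related settings on
# the ExecStart= line of a rest-server unit file.
# Prints one finding per line. Returns 0 = clean, 1 = findings, 2 = unusable input.
audit_rest_server_unit() {
  unit_file=$1
  [ -r "$unit_file" ] || { echo "ERROR: cannot read $unit_file"; return 2; }

  # Last uncommented ExecStart= line, padded with spaces so flags match as words.
  exec_line=" $(grep -E '^[[:space:]]*ExecStart=' "$unit_file" | tail -n 1) "
  [ "$exec_line" != "  " ] || { echo "ERROR: no ExecStart= line"; return 2; }
  findings=0

  case $exec_line in *" --no-auth "*)
    echo "HIGH: --no-auth lets any host that reaches the port read, write and delete repository files"
    findings=$((findings + 1)) ;;
  esac

  # rest-server listens on :8000 (all interfaces) when --listen is absent.
  listen=$(printf '%s\n' "$exec_line" | sed -n 's/.*--listen[= ]\([^ ]*\).*/\1/p')
  case ${listen:-:8000} in 0.0.0.0:*|:*|"[::]":*)
    echo "MEDIUM: listening on all interfaces (${listen:-:8000}); bind to the backup network address"
    findings=$((findings + 1)) ;;
  esac

  case $exec_line in *" --tls "*) ;; *)
    echo "MEDIUM: no --tls, so HTTP basic-auth credentials would cross the network in cleartext"
    findings=$((findings + 1)) ;;
  esac

  case $exec_line in *" --append-only "*) ;; *)
    echo "INFO: no --append-only, so a compromised client can delete existing snapshots"
    findings=$((findings + 1)) ;;
  esac

  [ "$findings" -eq 0 ]
}
```

Run it as `audit_rest_server_unit /etc/systemd/system/rest-server.service`. With --append-only enabled, the forget --prune step used later in this post is rejected when run from the client, so pruning then has to happen on the NAS itself.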

Starting a backup

  • Install restic on the machine to be backed up
sudo apt install restic
  • Initialize the backup repository
restic -r rest:http://192.168.8.250:8022/test init
enter password for new repository:
enter password again:
created restic repository b4e2dff5d6 at rest:http://192.168.8.250:8022/test

Please note that knowledge of your password is required to access
the repository. Losing your password means that your data is
irrecoverably lost.
  • Back up data
restic -r rest:http://192.168.8.250:8022/test backup important-data/
enter password for repository:
repository b4e2dff5 opened successfully, password is correct
created new cache in /home/lomot/.cache/restic

Files:           1 new,     0 changed,     0 unmodified
Dirs:            0 new,     0 changed,     0 unmodified
Added to the repo: 444 B

processed 1 files, 60 B in 0:00
snapshot 00e81d67 saved
  • View backup snapshots
restic -r rest:http://192.168.8.250:8022/test snapshots
enter password for repository:
repository b4e2dff5 opened successfully, password is correct
ID        Time                 Host           Tags        Paths
------------------------------------------------------------------------------------
00e81d67  2022-01-15 11:50:05  lomot-service              /home/lomot/important-data
bef1d9e5  2022-01-15 11:52:13  lomot-service              /home/lomot/important-data
------------------------------------------------------------------------------------
2 snapshots
  • Restore data
restic -r rest:http://192.168.8.250:8022/test restore bef1d9e5 --target ./tmp
enter password for repository:
repository b4e2dff5 opened successfully, password is correct
restoring <Snapshot 00e81d67 of [/home/lomot/important-data] at 2022-01-15 11:50:05.621230745 +0800 CST by lomot@lomot-service> to ./tmp
  • Delete a backup snapshot
restic -r rest:http://192.168.8.250:8022/test forget 00e81d67
enter password for repository:
repository b4e2dff5 opened successfully, password is correct
removed snapshot 00e81d67

Check the result after the deletion:

restic -r rest:http://192.168.8.250:8022/test snapshots
enter password for repository:
repository b4e2dff5 opened successfully, password is correct
ID        Time                 Host           Tags        Paths
------------------------------------------------------------------------------------
bef1d9e5  2022-01-15 11:52:13  lomot-service              /home/lomot/important-data
------------------------------------------------------------------------------------
1 snapshots

Backing up without a password prompt

  • Create a password file
echo '123456' > /home/lomot/.restic_passwd

Back up

restic -r rest:http://192.168.8.250:8022/test backup important-data/ --password-file /home/lomot/.restic_passwd
repository b4e2dff5 opened successfully, password is correct

Files:           1 new,     0 changed,     2 unmodified
Dirs:            0 new,     0 changed,     0 unmodified
Added to the repo: 419 B

processed 3 files, 137 B in 0:00
snapshot a8cfbbf2 saved
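
Creating the password file with echo '123456' > file uses the shell's default umask, which typically leaves the file readable by other local users, and the password also ends up in shell history. The following is an added example, not from the original post: it generates a random password into an owner-only file and checks ownership and mode before the file is used. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# create_password_file PATH: write 32 random bytes (hex) to a new 0600 file.
create_password_file() {
  (
    umask 077   # owner-only from the moment the file exists, no chmod window
    set -C      # noclobber: '>' fails instead of overwriting an existing file
    { od -An -tx1 -N32 /dev/urandom | tr -d ' \t\n'; echo; } > "$1"
  ) 2>/dev/null || { echo "not created (exists or unwritable): $1" >&2; return 1; }
}

# check_password_file PATH: succeed only for a regular file owned by the
# current user with no group/other permission bits.
check_password_file() {
  pw_file=$1
  if [ -L "$pw_file" ] || [ ! -f "$pw_file" ]; then
    echo "FAIL: $pw_file is not a regular file"; return 1
  fi
  # ls -ldn prints e.g. "-rw------- 1 1000 1000 ..."; field 1 = mode, 3 = owner uid
  set -- $(ls -ldn -- "$pw_file")
  case $1 in
    -???------*) ;;
    *) echo "FAIL: $pw_file mode $1 grants group/other access"; return 1 ;;
  esac
  [ "$3" = "$(id -u)" ] || { echo "FAIL: $pw_file is owned by uid $3"; return 1; }
  echo "OK: $pw_file"
}
```

Calling check_password_file on the password file before invoking restic lets a scheduled job stop when the file's permissions have been loosened.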

Retention policy

restic -r rest:http://192.168.8.250:8022/test forget --keep-monthly 6 --keep-weekly 4 --keep-daily 7 --keep-last 3 --prune

This keeps the most recent backup for each of 6 months, 4 weeks and 7 days, and at least the 3 latest snapshots.

Script for scheduled gitea backups

  • Backup script
#!/bin/bash

# Log file, repository URL and password file can be overridden from the environment.
BACKUP_LOG_FILE=${LOG_FILE:-/var/log/remote-backup.log}
RESTIC_REPO=${RESTIC_REPO:-"rest:http://192.168.8.250:8022/gitea"}
PASSWORD_FILE=${PASSWORD_FILE:-"/root/.restic_passwd"}

# Back up one directory to the repository.
function remoteBackup() {
  # local backupDate=$(date "+%Y%m%d-%H-%M-%S")
  local backupName=$1
  local srcDir=$2
  local restic_repo=$3

  echo "[$(date)] [start backup] ${backupName}"
  restic -r "${restic_repo}" backup "${srcDir}" --password-file "${PASSWORD_FILE}"
  echo "[$(date)] [finish backup] ${backupName}"
}

# Apply the retention policy and prune data that is no longer referenced.
function cleanUp() {
  local restic_repo=$1
  echo "[$(date)] [start cleanUp] ${restic_repo}"
  restic -r "${restic_repo}" forget --keep-monthly 6 --keep-weekly 4 --keep-daily 7 --keep-last 3 --prune --password-file "${PASSWORD_FILE}"
  echo "[$(date)] [finish cleanUp] ${restic_repo}"
}

remoteBackup "gitea" /opt/gitea/ "${RESTIC_REPO}" &>>"${BACKUP_LOG_FILE}"
remoteBackup "git-home" /home/git/ "${RESTIC_REPO}" &>>"${BACKUP_LOG_FILE}"
# clean up
cleanUp "${RESTIC_REPO}" &>>"${BACKUP_LOG_FILE}"
  • crontab scheduled job
crontab -e
0 2 * * * /opt/gitea/backup.sh