Run forget and prune on different systems

I’m just starting to use restic. So far it’s looking like the right solution for me. I just finished backing up about 7TB from my Windows server to an unraid backup destination hosting a restic rest-server docker container. Right now these two servers are in the same location, but the idea is to move the unraid box to a remote location for true off-site backups. It’s with the Windows Server box now to seed the initial backup.

My question is this: Is it possible/good/bad to run restic backup from the Windows Server over the VPN, then run restic forget, restic prune, and restic check on the actual backup server? I understand that the rest-server repo format is identical to the local repo format. It seems like it would run much faster locally vs over my VPN. Is this true?

Next question: If the above is possible, can I also run restic check --read-data from the backup server? Does it read the backed up files and compare them to the originals on disk, or does it just check all the pack files in the repo?

Thank you!

This is perfectly possible and should of course be faster.

Also possible. restic check --read-data only reads and checks the repository.

There is so far no (direct) possibility in restic to compare snapshots in the repository with the “originals”.
(but you can run a backup --force and see if restic would add some pack files to the repo. If not, your “originals” are equal to one of the snapshots in the repo. The WIP --dry-run option would even allow this without actually modifying the repo)

1 Like

VPN: is always a good idea :-)

rest-server: and the best idea of all is to run the rest-server with --append-only, so you can be sure an infected client/windows can’t destroy your backup…

But as you can guess, now from client/windows you can only check your backup.

forget --prune needs to write to your repo. So you can’t do this from client/windows via rest-server in append-only mode.
But you can do this simply on/to the rest-server filesystem.
Keep in mind: rest-server is running as www-data. So you can run forget --prune as www-data, if you allow www-data to have a shell (disabled by default (/usr/sbin/nologin)).
Or run as root. But now there are files written as root to your repo. This must be “repaired” with chown -R www-data:www-data…

2 Likes
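The server-side maintenance described in the reply above, as an added example that is not part of the original thread: a script run on the backup server itself against the repository directory that rest-server serves. The password-file path and the retention values are assumptions; the script records the repository owner before it runs and restores ownership afterwards if the run (for example as root) left entries owned by someone else.

```shell
#!/bin/sh
# Added example: prune/check run locally on the backup server, while clients
# only reach the repo through rest-server --append-only.
# Assumptions (not from the thread): password-file path and retention values.
RESTIC="${RESTIC:-restic}"
PASSFILE="${PASSFILE:-/root/restic-password.txt}"   # hypothetical path

# Numeric uid:gid owning the repository directory (the rest-server user).
repo_owner() { stat -c '%u:%g' "$1"; }

# Number of files/directories under repo $1 NOT owned by numeric uid $2.
foreign_files() { find "$1" ! -user "$2" | wc -l | tr -d ' '; }

# forget + prune, full read check, then repair ownership if this run left
# entries that the rest-server user does not own.
maintain() {
    repo=$1
    owner=$(repo_owner "$repo") || return 1   # record before writing anything
    "$RESTIC" -r "$repo" --password-file "$PASSFILE" forget \
        --keep-daily 7 --keep-weekly 4 --keep-monthly 12 --prune || return 1
    "$RESTIC" -r "$repo" --password-file "$PASSFILE" check --read-data || return 1
    stray=$(foreign_files "$repo" "${owner%%:*}")
    if [ "$stray" -gt 0 ]; then
        echo "repairing ownership of $stray entries -> $owner" >&2
        chown -R "$owner" "$repo" || return 1
    fi
}

# Run only when a repository path is given: ./maintain.sh /path/to/repo
if [ "$#" -gt 0 ]; then maintain "$1"; fi
```
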

rest-server: and the best idea of all is to run the rest-server with --append-only, so you can be sure an infected client/windows can’t destroy your backup…

I’ll definitely do this. I wasn’t going to run in --append-only mode because I figured I’d need write access to prune/forget the data. But I can do that from the backup server directly. Sweet.

Keep in mind: rest-server is running as www-data. So you can run forget --prune as www-data, if you allow www-data to have a shell (disabled by default (/usr/sbin/nologin)).
Or run as root. But now there are files written as root to your repo. This must be “repaired” with chown -R www-data:www-data…

Good callout! In my case I think I’m okay. It looks like the docker image keeps all files owned by root, which is nice.