Tutorial for docker restic and restic server?

My apologies for a somewhat longer (first) question, which is: is there a tutorial somewhere that discusses restic via docker and that pays good attention to security?

Context:

I am looking at improving my backup situation as part of a re-architecting of my landscape. I run a small SoHo setup with a few systems and servers, both Linux (new) and macOS (existing). I provide mail (postfix, dovecot, etc.) and I also am the backup backend provider (MinIO) for family members (who all use macOS clients running Duplicati).

Basically, I’ve always had somewhat limited trust in Duplicati as I had too many corruption issues over the years. These were all solved with some backup (but no data) loss, but still… The central macOS server is therefore still backed up using CrashPlan for that reason. Crashplan has been reliable and good at dedup, but it has become a worse experience in what it forbids you to backup (even locally) over the years. And because of unexpected behaviour, I actually did lose data (though this was not a technical glitch).

I have looked around and have decided I will try to set up a new backup architecture using restic, which seems the best option after looking around. I will run restic and restic-server as a docker container on Ubuntu (22.04 LTS).

My main focus for now is security. Storage will be on a local internal SSD and a local RAID, both are encrypted when turned off, mainly to make sure that if someone takes off with my hardware, they don’t take off with my data. Linux file systems are all ext4, btw.

I want to keep users as separate as can be (for instance, I currently run fully separate MinIO instances for each family user on my macOS MinIO backend), but in the case of restic I might opt for a maximum in terms of deduplication (though I have not decided, as having multiple repositories does provide some extra robustness).

After reading I wondered if I could completely drop Duplicati and my own MinIO and use restic and restic server.

In the restic documentation, I did not find information on how to run restic and restic server via docker, only install. But running a docker container securely comes with its own special areas of attention.

Yes, you can. Just start running it.

It is pretty much out of scope. Setting up Docker and running containers with it is not something that should really be documented in the restic documentation, although if someone wants to write a guide for it that would be suitable for the Recipes section in this forum.

That said, there is an official Docker image for rest-server that you can use here: Docker

The restic client itself, while you can run it in a container, is really just a single binary, so I don’t see the point of running it in a container unless you have some specific use case for that.

Yes, that is a very different matter and something there is a lot to say about. If you want to tighten it down you should run your Docker daemon as non-root and/or use userns-remap, then make your images not have a root login and run their process as an unprivileged user, as well as when running the containers removing all capabilities (adding back only those that are needed, if any), making all filesystems/mounts read-only whenever possible, enable read-only on the container as a whole and also enable no-new-privileges. Then you have done much more than most people do.

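An added example, not from the restic project or from the reply above, of what that container-level hardening looks like in practice for the official rest-server image: a function that prints a `docker run` line with capabilities dropped, an unprivileged user, a read-only root filesystem and `no-new-privileges`, plus a small guard that refuses to launch a command line missing any of those controls. The host path `/srv/restic`, the uid `10001`, the loopback port binding and the use of the image's `OPTIONS` environment variable to pass `--append-only --private-repos` are assumptions made for the example; the daemon-side steps from the reply (rootless Docker or `userns-remap`) are configured on the Docker daemon, not per container, and are outside this script.

```shell
#!/bin/sh
# Added example: hardened launch of the restic/rest-server image.
# DATA_DIR and REST_UID are assumed values; adjust to your host.
DATA_DIR="${DATA_DIR:-/srv/restic}"   # host dir holding the repositories (assumed)
REST_UID="${REST_UID:-10001}"         # unprivileged uid/gid that owns DATA_DIR (assumed)

# Print the hardened invocation. rest-server only writes under /data, so the
# container root filesystem can be read-only; a small tmpfs covers /tmp.
# Publishing on 127.0.0.1 keeps the plaintext HTTP listener off the LAN; put a
# TLS-terminating reverse proxy (or rest-server's own --tls options) in front.
hardened_rest_server_cmd() {
    cat <<EOF
docker run -d --name rest-server \\
  --user ${REST_UID}:${REST_UID} \\
  --cap-drop=ALL \\
  --security-opt=no-new-privileges:true \\
  --read-only \\
  --tmpfs /tmp:rw,noexec,nosuid,size=64m \\
  -v ${DATA_DIR}:/data \\
  -p 127.0.0.1:8000:8000 \\
  -e "OPTIONS=--append-only --private-repos" \\
  restic/rest-server
EOF
}

# Guard: return 0 only if the command line carries every required control.
# Missing flags are listed on stderr so the caller sees what was left out.
check_hardening() {
    cmd="$1"
    missing=""
    for flag in --user --cap-drop=ALL --security-opt=no-new-privileges --read-only; do
        case "$cmd" in
            *" $flag"*) ;;                      # flag present
            *) missing="$missing $flag" ;;      # flag absent
        esac
    done
    if [ -n "$missing" ]; then
        printf 'refusing to start: missing hardening flags:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Build the command, verify it, then execute it (only when invoked directly).
run_rest_server() {
    cmd="$(hardened_rest_server_cmd)"
    check_hardening "$cmd" || return 1
    eval "$cmd"
}

# Uncomment to actually launch the container on a host with Docker installed:
# run_rest_server
```

`--append-only` means a compromised client can add snapshots but not delete or overwrite existing data, which is the property you want when the clients are other people's machines; `--private-repos` keeps each family member confined to their own repository path, which answers the per-user separation question without needing a container per user. Pruning then has to happen from the server side, outside the append-only listener.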