Tutorial for docker restic and restic server?

My apologies for a somewhat longer (first) question, which is: is there a tutorial somewhere that discusses restic via docker and that pays good attention to security?

Context:

I am looking at improving my backup situation as part of a re-architecting of my landscape. I run a small SoHo setup with a few systems and servers, both Linux (new) and macOS (existing). I provide mail (postfix, dovecot, etc.) and I also am the backup backend provider (MinIO) for family members (who all use macOS clients running Duplicati).

Basically, I’ve always had somewhat limited trust in Duplicati as I had too many corruption issues over the years. These were all solved with some backup (but no data) loss, but still… The central macOS server is therefore still backed up using CrashPlan for that reason. Crashplan has been reliable and good at dedup, but it has become a worse experience in what it forbids you to backup (even locally) over the years. ANd because of unexpected behaviour, I actually did lose data (though this was not a technical glitch).

I have looked around and have decided I will try to set up a new backup architecture using restic, which seems the best option after looking around. I will run restic and restic-server as a docker container on Ubuntu (22.04 LTS).

My main focus for now is security. Storage will be on a local internal SSD and a local RAID, both are encrypted when turned off, mainly to make sure that if someone takes off with my hardware, they don’t take off with my data. Linux file systems are all ext4, btw.

I want to keep users as separate as can be (for instance, I currently run fully separate MinIO instances for each family user on my macOS MinIO backend), but in the case of restic I might opt for a maximum in terms of deduplication (though I have not decided, as having multiple repositories does provide some extra robustness).

After reading I wondered if I could completely drop Duplicati and my own MinIO and use restic and restic server.

In the restic documentation, I did not find information on how to run restic and restic server via docker, only install. But running a docker container securely comes with its own special areas of attention.

Yes, you can. Just start running it.

It is pretty much out of scope. Setting up Docker and running containers with it is not something that should really be documented in the restic documentation, although if someone wants to write a guide for it that would be suitable for the Recipes section in this forum.

That said, there is an official Docker image for rest-server that you can use here: Docker

The restic client itself, while you can run it in a container, is really just a single binary, so I don’t see the point of running it in a container unless you have some specific use case for that.

Yes, that is a very different matter and something there is a lot to say about. If you want to tighten it down you should run your Docker daemon as non-root and/or use userns-remap, then make your images not have a root login and run their process as an unprivileged user, as well as when running the containers removing all capabilities (adding back only those that are needed, if any), making all filesystems/mounts read-only whenever possible, enable read-only on the container as a whole and also enable no-new-privileges. Then you have done much more than most people do.

Hey @gctwnl,

I am attempting to setup a similar setup for a similar situation. I am currently also using Duplicati.
It is already good to hear that somebody else is thinking along the same lines as I do. This means that both you and I are probably on the right track

I am wondering what you mean with

My main focus for now is security. Storage will be on a local internal SSD and a local RAID, both are encrypted when turned off, mainly to make sure that if someone takes off with my hardware, they don’t take off with my data. Linux file systems are all ext4, btw.

Do I need to understand that you don’t trust the encryption that is implemented in restic? By default all information that goes to the backup store is encrypted. This means that even if somebody walks off with your hard drives they cannot retrieve the actual data from it.

Or am I missing something?

Best regards,
Lieven.

Hi Lieven,

No. I have no problem with restic’s encryption, the SSD/RAID encryption was context information (don’t know what I was thinking at the time). I have halted this project for a while because of other pressing demands, so I’ll get back to it later.

Security is a many-sided thing. Storage, but also processes, etc. Having a single repository for multiple users versus having multiple repositories for multiple users. Etc. Restic must have access to all data, so I pay extra attention to how it is set up.

My first goal will be to get it running as a Docker container, simply because that is the way I can most simply manage all the configuration separate from the server itself. But I am currently lacking time.

That is the information I was looking for when I came to this post! Thank you

You can add me too. I also came to restic looking for a replacement for Duplicati. I’m still learning how to use restic and so far so good. I miss the Duplicati UI but restic gives me more confidence.