Restic is an efficient and modern deduplicating backup system which supports encryption; it is able to store backups locally and remotely, via an SFTP connection or on one of the many supported storage platforms, such as Amazon S3 buckets and Google Cloud storage. By using the restic REST backend API, it is also possible to push backups using the HTTP or HTTPS protocols to a remote server which implements the restic REST API.
In this tutorial, we learn how to use Docker to deploy and configure a restic REST server instance on Linux.
In this tutorial you will learn:
- How to deploy a restic REST server using Docker on Linux
- How to configure authentication and use SSL/TLS encryption
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Distribution-agnostic |
| Software | Docker/Podman |
| Other | None |
| Conventions | # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux-commands to be executed as a regular non-privileged user |
Creating the repository directory and generating credentials
Before we can deploy our restic REST server using docker, we need to choose the directory which will host our repository and backup data. For the sake of this tutorial, I will create a “data” directory inside my HOME. This directory will be bind-mounted inside the container:
$ mkdir ~/data
The restic REST server running inside the docker container, comes with authentication enabled by default. This is important in order to avoid unauthorized access to our data. The restic REST server authentication is implemented via an .htpasswd file; the REST server looks for this file in the same directory where snapshots are stored.
To generate our authentication credentials, we need to use the htpasswd utility. On Fedora and Fedora-based distributions, the utility is included in the httpd-tools package. We can install it with dnf:
$ sudo dnf install httpd-tools
On Debian and Debian-based distributions, instead, the package is called apache2-utils:
$ sudo apt-get update && sudo apt-get install apache2-utils
To populate the .htpasswd file, we run:
$ htpasswd -B -c ~/data/.htpasswd resticuser
With the command above, we create the configuration required to access the server with the “resticuser” username. If we don’t provide a password directly as argument to the command, we are prompted to enter it interactively:
New password: Re-type new password: Adding password for user restserver
Since we used the -B option, the password will be hashed using the bcrypt algorithm, which is considered very secure.
Running the restic REST server container
The restic REST server is free and open source software; like the restic application, it is written in Go, and developed on GitHub. The quickest and easiest way to deploy a restic REST server is to use Docker (or Podman), to run a container based on the server image provided by the project, which is available on DockerHub. To create and spawn a restic REST server container, all we have to do, is to use the following command:
$ docker run -p 8000:8000 -v ~/data:/data:z --name restic_rest_server docker.io/restic/rest-server
Let’s take a look at the options we used with the command. By default, the REST server inside the container listens on port 8000, therefore we used the
-p option to map port 8000 on the host to the same port inside the container (we could have used any host port, such as port 80, but using an unprivileged one, we can easily spawn the container as a non-root user. Take a look at this tutorial If you want to use a higher port when running Docker or Podman without root privileges).
In order to make backups persistent, as previously said, we bind-mounted the ~/data directory on the host, to the same directory inside the container, which is where snapshots are stored. In the example we used the :z option for the bind mount: this is required only if SELinux is active, and causes a change of context for the mounted directory, so that it is accessible from the container.
Initializing a repository
At this point, we should already be able to initialize a restic repository with the restic client, using the rest:http://resticuser:resticpassword@localhost:8000 URL:
restic -r rest:http://resticuser:resticpassword@localhost:8000 init
If everything goes as expected, the repository will be generated and initialized correctly:
created restic repository 0216975ff5 at rest:http://resticuser:***@localhost:8000/ Please note that knowledge of your password is required to access the repository. Losing your password means that your data is irrecoverably lost.
Although the repository was generated correctly, passing credentials over a plaintext HTTP connection is something we should really avoid. To use the restic REST server over HTTPS, we need to use an SSL/TLS certificate. Let’s see how to do it.
Using a secure HTTPS connection
There are many ways we can obtain an SSL/TLS certificate. If we intend to expose our restic REST server to the internet, we need to use a valid third-party certificate for our domain. We can easily obtain one from Let’s Encrypt, using certbot. If we just want to perform some tests, or we plan to use our server exclusively in our own network, however, it is enough to generate a self-signed certificate.
Here I will assume we already have both the certificate (which contains the public key), and the private key, stored as public_key, and private_key, respectively. The easiest way we can use them with the REST server running inside a docker container, is to place both in the data directory we bind-mounted inside the container (the same directory where the .htpasswd file is located), and run the server using the
--tls option. Since, however, we are not running the server directly, we need to pass this option via the OPTIONS environment variable, when running the container:
$ docker run -p 8000:8000 -v ~/data:/data:z -e OPTIONS="--tls" --name restic_rest_server docker.io/restic/rest-server
We can now communicate with the server over HTTPS. Since, in this case, we used an invalid self-signed certificate, we need to run the restic client with the --insecure-tls option, which skips TLS certificate verification when connecting to a repository:
$ restic -r rest:https://resticuser:resticpassword@localhost:8000 --insecure-tls init
Conclusions
In this tutorial, we learned how to deploy a restic REST server using Docker on Linux. With restic we can create backups locally or remotely, using SFTP connections, one of the supported third party storage services, or to a restic REST server. The latter provides better performance if compared to SFTP, and gives us the ability to run append-only connections. To know more about restic and how to perform efficient backups, you can take a look at our step by step tutorial.
