Backup and restore#
The Backup and restore page manages backup destinations and
schedules, and allows the download of the cluster backup, a small
GPG-encrypted file containing cluster-wide configurations, like the backup
destination settings, necessary to quickly restore applications. If you
have a single-node cluster and want to restore it on a new NS8 node, see
Disaster recovery.
The first time you access the Backup and restore page, you need to
create a secret password to encrypt the cluster backup file.
Once the cluster backup password is set, the full Backup and restore
page is displayed. It is divided into:
Download cluster backup: Download the small cluster backup file and change its encryption password. See Cluster backup for more information.
Backup destinations: decide where backup data can be sent, for example a remote S3 hosting service or a local SMB share. The destinations embed access secrets and an end-to-end backup encryption key.
Scheduled backups: plan the backup runs at specific times, the retention policy, and what applications are included.
Finally, under the Restore tab, it is possible to start the restore of
individual applications. See Restore applications.
The next sections illustrate each function in detail.
Backup destination#
A backup destination is where application backup data is saved. Defining a destination is a prerequisite for scheduling a backup or restoring an application.
Access the Backup and restore page, click on the Add
destination button, and choose a provider. Supported providers are:
Generic S3, like RustFS
Windows file share, by SMB2/3 protocols
Local storage, attached to a cluster node
Fill in the required fields for the chosen provider.
If adding a previously used destination (i.e., it already has data
inside), you must fill the Data encryption key field under the
Advanced section, otherwise existing backups cannot be opened. For new
destinations leave the field empty to generate a random key.
The backup procedure generates a two-level structure in which application instances are grouped by type at the first level, and by a folder named with a UUID at the second level. For example:
dokuwiki/
├─ dd5b0b7c-579e-42ee-96a3-282d10958cda/
├─ b1497438-76d9-4aa1-b6fd-d8a4f827563e/
├─ fcf7b6e3-2424-442d-b625-ab90438c74db/
mail/
├─ 92b8ee37-44dd-4f9f-9ee8-658e24556c55/
loki/
└─ 652ea526-b0dc-4bfb-a356-8a841b22bbd2/
Each UUID directory contains a Restic repository. All Restic repositories under the same backup destination share the same data encryption key.
Low-level access to the Restic repositories is possible with the restic-wrapper command, as documented in the NS8 Developer's manual.
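The two-level layout described above can be audited before re-adding a previously used destination or starting a restore. The following script is an added example, not part of NS8 or of the original page: it assumes the destination is mounted and reachable as a local directory, and it relies on the standard Restic repository layout (a config file plus the data, index, keys and snapshots directories). The function names and status labels are hypothetical.

```sh
#!/bin/sh
# Added example (not NS8 code): audit a backup destination laid out as
# <app-type>/<UUID>/ and check each UUID directory looks like a Restic repo.
# Assumption: the destination is mounted and reachable as a local directory.

UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

# A Restic repository holds a "config" file plus these directories.
is_restic_repo() {
    [ -f "$1/config" ] || return 1
    for d in data index keys snapshots; do
        [ -d "$1/$d" ] || return 1
    done
    return 0
}

# Print "<status> <type>/<name>" for every second-level directory.
# Return status: 0 all repositories look sane, 1 findings, 2 bad root.
audit_destination() {
    root=${1%/}
    rc=0
    [ -d "$root" ] || { echo "ERROR $root is not a directory"; return 2; }
    for inst in "$root"/*/*/; do
        [ -d "$inst" ] || continue          # the glob matched nothing
        inst=${inst%/}
        name=${inst##*/}                    # second level: instance folder
        type=${inst%/*}; type=${type##*/}   # first level: application type
        if ! printf '%s\n' "$name" | grep -Eq "$UUID_RE"; then
            echo "UNEXPECTED $type/$name"; rc=1
        elif ! is_restic_repo "$inst"; then
            echo "INCOMPLETE $type/$name"; rc=1
        else
            # Restic stores one file per snapshot under snapshots/.
            n=$(find "$inst/snapshots" -type f | wc -l | tr -d ' ')
            echo "OK $type/$name snapshots=$n"
        fi
    done
    return "$rc"
}

# When saved as a script: sh audit-destination.sh /path/to/destination
if [ "$#" -gt 0 ]; then
    audit_destination "$1"
fi
```

Files at the top level of the destination are ignored by the audit; only the application-type and UUID directories are inspected.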
Local storage#
The Local storage destination allows storing backup data on locally
attached storage, like an external USB disk. Follow this procedure:
Format the disk with a supported filesystem, e.g., XFS:
mkfs.xfs /dev/disk/by-id/some-disk-id
Create a Podman volume named backup00:
podman volume create \
    --label org.nethserver.role=backup \
    --opt=device=/dev/disk/by-id/some-disk-id \
    --opt=o=noatime \
    backup00
Configure the rclone-webdav.service unit to use that volume:
echo BACKUP_VOLUME=backup00 > /var/lib/nethserver/node/state/rclone-webdav.env
Restart the service. The disk is mounted automatically:
systemctl restart rclone-webdav.service
Note
The disk is unmounted when the rclone-webdav service is stopped.
Remove the default volume used by the service, as it is no longer needed. Existing content will be lost:
podman volume rm rclone-webdav
Schedule application backup#
To schedule the backup of installed applications:
Click on the Schedule backup button.
Select the applications to include.
Choose one backup destination.
Set the day, time and retention policy for the backup.
Enter a name for the backup schedule.
Save the configuration by clicking the Schedule backup button.
To manually execute a backup, click the Run backup now item from the
three-dots menu of the scheduled backup.
To change which applications are included in an existing backup, click
the Edit item from the three-dots menu of the scheduled backup.
After the first run of a backup, its status is shown under ``Backup > Schedules > See details``.
Restore applications#
To restore an application, at least one backup destination must be available.
If no destinations are present and you have an encrypted cluster backup
file, go to the Backup and restore page and click Import
destinations to quickly restore them.
Once destinations are defined, click the Restore tab and follow this
procedure:
Click on the Restore application button.
A dialog box lists all applications found in the configured backup destinations. Select the application you want to restore.
If the selected application is already installed, a Replace existing app checkbox becomes visible. When enabled, the existing application will be removed automatically at the end of the restore procedure.
Select the backup snapshot from the list.
Select the restore target node. Note that in some cases, restoring to certain cluster nodes may be restricted due to application policies or node resource limitations.
Click on the Restore button.
Note that TLS certificates obtained from Let’s Encrypt are not part of the backup and are not restored with the application: they must be requested again from the application settings page after restore.
Some core applications have special behavior during restore:
Traefik restores only uploaded certificates and user-defined HTTP routes. Refer to Upload custom TLS certificates and Create a custom HTTP route.
Loki restore installs an additional inactive Loki instance. It can be used only for log searches, as explained in System logs.
Samba restore behavior depends on whether the AD user domain is already present in the cluster. If present, only shared folder data is restored. If not present, the DC LDAP database is restored as well. See Restore file server from backup for more information.
Selective content restore#
Some applications allow searching for and restoring specific items from a backup snapshot. For more information, see:
Samba Restore a single file or folder from a shared folder backup, for files and directories inside a Samba share.
Mail Restore a mailbox folder from a backup, for public mailboxes and user mailbox folders.
Cluster backup#
The cluster backup contains all required data for Disaster recovery, including destination configurations and their data encryption keys, which are also necessary for restoring individual application backups. It is a compressed JSON file encrypted with GPG.
The first time the Backup and restore page is accessed, you must set
an encryption password and store it in a safe place. A new encryption
password is needed after a new leader node is elected (see
Promote a node to leader).
The cluster backup is automatically copied to backup destinations during scheduled runs, ensuring up-to-date backups of both your data and the cluster setup. If the cluster has an active subscription that includes cloud backup of the cluster configuration, the cluster backup is also available from the subscription portal.
Periodically download the cluster backup and keep it in a safe place.
Click on the Download cluster backup button of the Backup
and restore page.
Note
If you lose the cluster backup, you can still restore applications to another cluster only if you know the data encryption password of the backup destination.
To inspect the content of the downloaded file, use the following command, replacing "SECRET" with your encryption password:
echo 'SECRET' | gpg --batch --passphrase-fd 0 --decrypt backup.json.gz.gpg | gunzip | jq
Disaster recovery#
The disaster recovery procedure is designed for the restoration of a single-node cluster. You just need the original cluster backup file.
Make sure the new system has enough free disk space. The restore procedure does not check the free disk space.
Install a new cluster and log in using the default credentials.
Change the default administrator password.
Click on the Restore cluster button.
Choose whether to restore a cluster configuration from a remote HTTP server or upload the backup from your browser.
Enter the encryption secret in the Backup password field.
Select the applications to restore.
For more information, refer to the backup and restore notes for each application. For example: