Backup and restore the Nanitor Server
Introduction
In order to fully backup a Nanitor server both the database and data directories need to be backup and put into anNBA archive (Nanitor Backup Archive). This archive can then be stored anywhere for example in an encrypted S3 bucket. The Nanitor product both create a toolset to backup an installation into an NBA and also to restore the NBA to a fresh Nanitor server.
What is backed up?
- PostgreSQL database
- Data directory (/var/lib/nanitor/server)
- /etc/nanitor
How do I backup a Nanitor server?
First we need to choose a directory where Nanitor writes the output, there has to be been space available on that partition to write the NBA. In this case we choose /var/lib because we know there is enough space there.
Run the following as root:
mkdir-p/var/lib/nanitor/backupschownnanitor:nanitor/var/lib/nanitor/backups/opt/nanitor-server/bin/nanitor-server-ctlbackup--output_path/var/lib/nanitor/backups/nanitor-backup-archive-20240823.tgz
This can take a while, depending on how big the Nanitor installation is, for thousands of devices it can take a long time to complete as the pg_dump command will take a while to run. It will create a temporary file in the current working directory and then remove it to the output_path specified.
Restore process
In order to restore an NBA on a fresh Debian server we need the following:
- Sudo
- Debian 12 (Bookworm)
- PostgreSQL 15
- Nanitor Server (latest stable version)
aptinstall-ypostgresqlpostgresql-contribnginxcurllibpcre3curl-o/etc/postgresql/15/main/pg_hba.confhttps://nanitor.io/files/postgresql/pg_hba.confsystemctlrestartpostgresql# Adding the nanitor APT repository.echo'deb https://deb.nanitor.com/nanitor-server bookworm main'>/etc/apt/sources.list.d/nanitor-server.listcurl-o/etc/apt/trusted.gpg.d/nanitor.gpg.aschttps://deb.nanitor.com/nanitor-agent/DEB-GPG-KEY-nanitoraptupdateapt-yinstallnanitor-server
Upload /path/to/nanitor-backup-archive-20240823.tgz to the restoration server, in this example we use nanitor-backup-archive-20240823.tgz
/opt/nanitor-server/bin/nanitor-server-ctlrestore--path/root/nanitor-backup-archive-20240823.tgz/opt/nanitor-server/bin/nanitor-server-ctlsystemctl_start/opt/nanitor-server/bin/nanitor-server-ctlsystemctl_enablesudocp-f/usr/lib/nanitor-server/share/nginx.conf/etc/nginx/conf.d/nanitor.confsudosystemctlenablenginxsudosystemctlstartnginx
Then we recommend auto updating to the latest Nanitor Server as part of the unattended-upgrades process:
# We recommend using unattended-upgrades and configure it to automatically upgrade nanitor.apt-yinstallunattended-upgrades# Then edit /etc/apt/apt.conf.d/50unattended-upgrades and a line like this into Unattended-Upgrade::Origins-Pattern:"origin=nanitor-server,codename=${distro_codename},label=nanitor-server";Thenrununattended-upgradeandmakesuretherearenoerrorsintheoutput.NowtheNanitorServerwillupdateitselfwhenitappliessecurityupdatesandsuchtotheserver.
Wipe out an existing Nanitor instance - Clean-up after previous restores
ALERT: This will wipe an existing Nanitor instance, so make sure you do not run this against a production machine, and that you have a backup of this server, only do this if youknow what you are doing.
If you want to restore it again, after having unsuccessfully restored before and need to clean-up you can do the following:
sudo /usr/lib/nanitor-server/bin/nanitor-server-ctl systemctl_stopsudo /usr/lib/nanitor-server/bin/nanitor-server-ctl systemctl_disablecd /tmp/sudo -u postgres -H dropdb nanitor 2>/dev/null || echo ""sudo -u postgres -H dropuser nanitor 2>/dev/null || echo ""sudo rm -rf /etc/ssl/localsudo rm -rf /var/lib/nanitor/server