
Backup and restore the Nanitor Server

Introduction

To fully back up a Nanitor server, both the database and the data directories need to be backed up and put into an NBA (Nanitor Backup Archive). This archive can then be stored anywhere, for example in an encrypted S3 bucket. The Nanitor product provides a toolset both to back up an installation into an NBA and to restore the NBA to a fresh Nanitor server.

What is backed up?

  • PostgreSQL database
  • Data directory (/var/lib/nanitor/server)
  • /etc/nanitor

How do I back up a Nanitor server?

First we need to choose a directory where Nanitor writes the output. There has to be enough space available on that partition to write the NBA. In this case we choose /var/lib because we know there is enough space there.

Run the following as root:

mkdir -p /var/lib/nanitor/backups
chown nanitor:nanitor /var/lib/nanitor/backups
/opt/nanitor-server/bin/nanitor-server-ctl backup --output_path /var/lib/nanitor/backups/nanitor-backup-archive-20240823.tgz

This can take a while, depending on how big the Nanitor installation is. For thousands of devices it can take a long time to complete, because the pg_dump command takes a while to run. It will create a temporary file in the current working directory and then move it to the output_path specified.
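The archive contains the database dump and /etc/nanitor, and it is later restored as root on another host. The following is an added example, not part of the Nanitor toolset: it restricts the archive to its owner and records a SHA-256 digest after the backup, then checks that digest before the restore. The function names nba_seal and nba_verify are hypothetical, and the script assumes GNU coreutils and that the NBA is a gzip-compressed tar.

```shell
#!/usr/bin/env bash
# Added example (not Nanitor's own tooling): seal an NBA after backup and
# verify it before restore. Paths in the usage comments are taken from this page.

# nba_seal ARCHIVE
# Restrict the archive to its owner and write ARCHIVE.sha256 next to it.
nba_seal() {
    local archive="$1" dir base
    [ -f "$archive" ] || { echo "nba_seal: no such file: $archive" >&2; return 1; }
    dir=$(dirname -- "$archive")
    base=$(basename -- "$archive")
    # The archive holds a database dump and /etc/nanitor; keep it owner-only.
    chmod 600 -- "$archive" || return 1
    # Record the digest under a relative name so the sidecar still verifies
    # after both files are copied to another directory or host.
    ( cd -- "$dir" && sha256sum -- "$base" > "$base.sha256" && chmod 600 -- "$base.sha256" )
}

# nba_verify ARCHIVE
# Return 0 only if ARCHIVE matches its sidecar digest and is a readable .tgz.
nba_verify() {
    local archive="$1" dir base
    dir=$(dirname -- "$archive")
    base=$(basename -- "$archive")
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || {
        echo "nba_verify: archive or sidecar missing" >&2; return 1; }
    ( cd -- "$dir" && sha256sum --status -c -- "$base.sha256" ) || {
        echo "nba_verify: digest mismatch for $archive" >&2; return 1; }
    # Assumption: the NBA is a gzip-compressed tar, as the .tgz name suggests.
    tar -tzf "$archive" > /dev/null 2>&1 || {
        echo "nba_verify: $archive is not a readable .tgz" >&2; return 1; }
}

# On the backup host, after nanitor-server-ctl backup has finished:
#   nba_seal /var/lib/nanitor/backups/nanitor-backup-archive-20240823.tgz
# On the restoration server, after copying the archive and its .sha256 to /root:
#   nba_verify /root/nanitor-backup-archive-20240823.tgz && \
#     /opt/nanitor-server/bin/nanitor-server-ctl restore \
#       --path /root/nanitor-backup-archive-20240823.tgz
```

The sidecar digest detects corruption or truncation in transit and storage; it is not a signature, so anyone who can rewrite the archive can also rewrite the .sha256 file unless the digest is kept somewhere separate.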

Restore process

To restore an NBA on a fresh Debian server we need the following:

  • Sudo
  • Debian 12 (Bookworm)
  • PostgreSQL 15
  • Nanitor Server (latest stable version)

Install the prerequisites and the Nanitor Server package:

apt install -y postgresql postgresql-contrib nginx curl libpcre3
curl -o /etc/postgresql/15/main/pg_hba.conf https://nanitor.io/files/postgresql/pg_hba.conf
systemctl restart postgresql

# Adding the nanitor APT repository.
echo 'deb https://deb.nanitor.com/nanitor-server bookworm main' > /etc/apt/sources.list.d/nanitor-server.list
curl -o /etc/apt/trusted.gpg.d/nanitor.gpg.asc https://deb.nanitor.com/nanitor-agent/DEB-GPG-KEY-nanitor
apt update

apt -y install nanitor-server

Upload /path/to/nanitor-backup-archive-20240823.tgz to the restoration server. In this example the archive is nanitor-backup-archive-20240823.tgz, placed in /root:

/opt/nanitor-server/bin/nanitor-server-ctl restore --path /root/nanitor-backup-archive-20240823.tgz
/opt/nanitor-server/bin/nanitor-server-ctl systemctl_start
/opt/nanitor-server/bin/nanitor-server-ctl systemctl_enable
sudo cp -f /usr/lib/nanitor-server/share/nginx.conf /etc/nginx/conf.d/nanitor.conf
sudo systemctl enable nginx
sudo systemctl start nginx

We then recommend updating to the latest Nanitor Server automatically as part of the unattended-upgrades process:

# We recommend using unattended-upgrades and configuring it to automatically upgrade nanitor.
apt -y install unattended-upgrades

# Then edit /etc/apt/apt.conf.d/50unattended-upgrades and add a line like this to Unattended-Upgrade::Origins-Pattern:
"origin=nanitor-server,codename=${distro_codename},label=nanitor-server";

Then run unattended-upgrade and make sure there are no errors in the output. Now the Nanitor Server will update itself when it applies security updates and such to the server.

Wipe out an existing Nanitor instance - Clean-up after previous restores

ALERT: This will wipe an existing Nanitor instance. Make sure you do not run this against a production machine and that you have a backup of this server. Only do this if you know what you are doing.

If a previous restore was unsuccessful and you need to clean up before restoring again, you can do the following:

sudo /usr/lib/nanitor-server/bin/nanitor-server-ctl systemctl_stop
sudo /usr/lib/nanitor-server/bin/nanitor-server-ctl systemctl_disable

cd /tmp/
sudo -u postgres -H dropdb nanitor 2>/dev/null || echo ""
sudo -u postgres -H dropuser nanitor 2>/dev/null || echo ""
sudo rm -rf /etc/ssl/local
sudo rm -rf /var/lib/nanitor/server