Backing up to Object Storage with GeeseFS
In this tutorial, you will configure backup of local files to Yandex Object Storage with GeeseFS.
GeeseFS enables mounting a bucket as a regular folder, so you can use familiar tools for copying and synchronization. Backup essentially involves copying and synchronizing data between the local folder and the bucket as if these are two directories, one hosted in the cloud. The process is optimized with synchronization tools, e.g., rsync or robocopy, which move only new and updated files.
To configure backup using GeeseFS:
- Get your cloud ready.
- Create a bucket.
- Create a service account.
- Create a static access key.
- Set up your environment.
- Mount your bucket.
- Synchronize the local folder with the bucket.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.
Learn more about clouds and folders here.
Required paid resources
The bucket support cost includes the fee for bucket data storage and data operations (see Yandex Object Storage pricing).
Create a bucket
Note
To protect your backups from accidental file deletion, enable S3 bucket versioning. This way, deleted or overwritten files will be saved as previous versions you can restore if needed. For more information about S3 bucket versioning, see this guide.
Without versioning, you will not be able to restore files deleted from S3, even if previously copied.
- In the management console, navigate to the relevant folder.
- Select Object Storage.
- Click Create bucket.
- Enter a name for the bucket according to the naming requirements.
- In the Read objects, Read object list, and Read settings fields, select
With authorization. - Click Create bucket.
-
If you do not have the AWS CLI yet, install and configure it.
-
Create a bucket by entering its name following the naming requirements:
aws --endpoint-url=https://storage.yandexcloud.net \ s3 mb s3://<bucket_name>Result:
make_bucket: backup-bucket
Use the create REST API method for the Bucket resource, the BucketService/Create gRPC API call, or the create S3 API method.
Create a service account
Create a service account to be used for backups.
- In the management console, select Identity and Access Management.
- Click Create service account.
- In the Name field, specify
sa-backup-to-s3. - Click Add role and select the
storage.editorrole. - Click Create.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
Create a service account:
yc iam service-account create --name sa-backup-to-s3 \ --folder-name <folder_name>Result:
id: ajeab0cnib1p******** folder_id: b0g12ga82bcv******** created_at: "2025-10-03T09:44:35.989446Z" name: sa-backup-to-s3 -
Assign the
storage.editorrole for the folder to the service account:yc resource-manager folder add-access-binding <folder_name> \ --service-account-name sa-backup-to-s3 \ --role storage.editor \ --folder-name <folder_name>Result:
effective_deltas: - action: ADD access_binding: role_id: storage.editor subject: id: ajeab0cnib1p******** type: serviceAccount
- Create a service account named
sa-backup-to-s3. Do it by using the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call. - Assign the
storage.editorrole for the current folder to the the service account. Do it by using the setAccessBindings REST API method for the Folder resource or the FolderService/SetAccessBindings gRPC API call.
Note
To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:
kms.keys.encrypter: To read the key, encrypt and upload objects.kms.keys.decrypter: To read the key, decrypt and download objects.kms.keys.encrypterDecrypter: This role includes thekms.keys.encrypterandkms.keys.decrypterpermissions.
For more information, see Yandex Key Management Service service roles.
Create a static access key
-
In the management console, select Identity and Access Management.
-
In the left-hand panel, select Service accounts.
-
Select the
sa-backup-to-s3service account. -
In the top panel, click Create new key and select Create static access key.
-
Enter a description for the key and click Create.
-
Save the ID and secret key for later when you are mounting the bucket.
Alert
After you close this dialog, the key value will no longer be available.
-
Run this command:
yc iam access-key create \ --service-account-name sa-backup-to-s3Where
--service-account-nameis the name of the service account you are creating the key for.Result:
access_key: id: aje726ab18go******** service_account_id: ajecikmc374i******** created_at: "2024-11-28T14:16:44.936656476Z" key_id: YCAJEOmgIxyYa54LY******** secret: YCMiEYFqczmjJQ2XCHMOenrp1s1-yva1******** -
Save the ID (
key_id) and secret key (secret) for later when you are mounting the bucket.
To create an access key, use the create REST API method for the AccessKey resource or the AccessKeyService/Create gRPC API call.
Save the ID (key_id) and secret key (secret) for later when you are mounting the bucket.
Set up your environment
Install GeeseFS
-
Make sure the FUSE utilities are installed in the distribution:
apt list --installed | grep fuseWarning
Many Linux distributions have the utilities for working with FUSE pre-installed by default. Reinstalling or deleting them may lead to OS failures.
-
If the FUSE utilities are not installed, run this command:
sudo apt-get install fuse -
Download and install GeeseFS:
wget https://github.com/yandex-cloud/geesefs/releases/latest/download/geesefs-linux-amd64 chmod a+x geesefs-linux-amd64 sudo cp geesefs-linux-amd64 /usr/bin/geesefs
-
Make sure the FUSE utilities are installed in the distribution:
yum list installed | grep fuseWarning
Many Linux distributions have the utilities for working with FUSE pre-installed by default. Reinstalling or deleting them may lead to OS failures.
-
If the FUSE utilities are not installed, run this command:
sudo yum install fuse -
Download and install GeeseFS:
wget https://github.com/yandex-cloud/geesefs/releases/latest/download/geesefs-linux-amd64 chmod a+x geesefs-linux-amd64 sudo cp geesefs-linux-amd64 /usr/bin/geesefs
-
Install the macFUSE package.
-
Enable support for third-party core extensions. This step is only required the first time you use MacFUSE on an Apple Silicon Mac.
-
Allow loading the MacFUSE core extension (Apple Silicon and Intel Mac).
For more information on installing macFUSE, see this installation guide in the macFUSE GitHub repository.
-
Download and install GeeseFS:
platform='arm64' if [[ $(uname -m) == 'x86_64' ]]; then platform='amd64'; fi wget https://github.com/yandex-cloud/geesefs/releases/latest/download/geesefs-mac-$platform chmod a+x geesefs-mac-$platform sudo cp geesefs-mac-$platform /usr/local/bin/geesefs
-
Download and install WinFSP.
-
Download the
geesefs-win-x64.exefile. -
Rename
geesefs-win-x64.exetogeesefs.exefor convenience. -
Create a folder named
geesefsand move thegeesefs.exefile there. -
Add
geesefsto thePATHvariable:- Click Start and type Change system environment variables in the Windows search bar.
- Click Environment Variables... at the bottom right.
- In the window that opens, find the
PATHparameter and click Edit. - Add your folder path to the list.
- Click OK.
You can also build GeeseFS yourself using its source code. For more information, see this guide in the GeeseFS repository on GitHub.
Get authenticated in GeeseFS
GeeseFS uses the static access key to Object Storage you got earlier. You can set it using one of the following methods:
-
Using the
credentialsfile, which you need to put into the~/.aws/folder:-
Create a directory:
mkdir ~/.aws -
Create a file named
credentialswith the following contents:[default] aws_access_key_id = <key_ID> aws_secret_access_key = <secret_key>If the key file is located elsewhere, specify its path in the
--shared-configparameter when mounting the bucket:geesefs \ --shared-config <path_to_key_file> \ <bucket_name> <mount_point>The key file must have the same structure as
~/.aws/credentials.
-
-
Using environment variables:
export AWS_ACCESS_KEY_ID=<key_ID> export AWS_SECRET_ACCESS_KEY=<secret_key>
Note
You can run the geesefs command with superuser privileges (sudo). In this case, make sure to send information about the key either in the --shared-config parameter or using environment variables.
-
Using the
credentialsfile, which you need to put into theusers/<current_user>/.aws/folder:[default] aws_access_key_id = <key_ID> aws_secret_access_key = <secret_key>If the key file is located elsewhere, specify its path in the
--shared-configparameter when mounting the bucket:geesefs ^ --shared-config <path_to_key_file> ^ <bucket_name> <mount_point>The key file must have the same structure as
~/.aws/credentials.Specify an existing folder as the mount point.
-
Using environment variables:
set AWS_ACCESS_KEY_ID=<key_ID> set AWS_SECRET_ACCESS_KEY=<secret_key>
When using GeeseFS on a Compute Cloud VM that has a linked service account, you can enable simplified authentication that does not require a static access key. To do this, use the --iam parameter when mounting the bucket.
Mount a bucket
Select the folder or disk where you want to mount the bucket. Make sure you have sufficient permissions to perform this operation.
When mounting a bucket, you can also configure GeeseFS settings for system performance and object access permissions. To view the list of options and their descriptions, run geesefs --help.
-
For one-time bucket mounting:
Linux/macOSWindows-
Create a folder for mounting:
mkdir <mount_point> -
Mount the bucket:
geesefs <bucket_name> <mount_point>Specify an existing folder as the mount point.
Mount the bucket:
geesefs <bucket_name> <mount_point>As the mount point, specify the name of the new folder that will be created when you mount the bucket. You cannot specify the name of an existing folder.
Result:
2025/10/06 21:14:27.488504 main.INFO File system has been successfully mounted. The service geesefs has been started. -
-
To automatically mount a bucket at system startup:
LinuxmacOSWindows-
Create a folder for automatic mounting:
mkdir <mount_point> -
Open
/etc/fuse.conf:sudo nano /etc/fuse.conf -
Add the following line to it:
user_allow_other -
Open
/etc/fstab:sudo nano /etc/fstab -
Add the following line to the
/etc/fstabfile:<bucket_name> /home/<username>/<mount_point> fuse.geesefs _netdev,allow_other,--file-mode=0666,--dir-mode=0777,--shared-config=/home/<username>/.aws/credentials 0 0If you had created the
.aws/credentialsfile for therootuser, you do not need to specify the--shared-configparameter.Note
For the bucket to be mounted correctly, provide the full absolute path to the mount point and to the key file without
~, e.g.,/home/user/. -
Reboot your PC and check that the bucket has been mounted to the specified folder.
To disable automounting, remove the line with the bucket name from the
/etc/fstabfile.-
Create a folder for automatic mounting:
mkdir <mount_point> -
Create a file named
com.geesefs.automount.plistwith the autorun agent configuration:nano /Users/<username>/Library/LaunchAgents/com.geesefs.automount.plist -
Set the agent configuration by specifying the name of the bucket and the absolute path to the mount point:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.geesefs.automount</string> <key>ProgramArguments</key> <array> <string>/usr/local/bin/geesefs</string> <string><bucket_name></string> <string><absolute_path_to_mount_point></string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <dict> <key>NetworkState</key> <true/> </dict> </dict> </plist>Note
Specify an existing empty folder as the mount point.
For the bucket to be mounted correctly, provide the full absolute path to the mount point and to the key file without
~, e.g.,/home/user/. -
Enable the agent you created:
launchctl load /Users/<username>/Library/LaunchAgents/com.geesefs.automount.plist -
Reboot your PC and check that the bucket has been mounted to the specified folder.
To disable agent autorun, use this command:
launchctl unload /Users/<username>/Library/LaunchAgents/com.geesefs.automount.plistCreate a Windows service that will automatically run at system startup:
-
Run
CMDas an administrator. -
Run this command:
sc create <service_name> ^ binPath="<command_for_mounting>" ^ DisplayName= "<service_name>" ^ type=own ^ start=autoWhere
binPathis the path to thegeesefs.exefile with the required mounting parameters. Here is an example:C:\geesefs\geesefs.exe <bucket_name> <mount_point>. As the mount point, specify the name of the new folder that will be created when you mount the bucket. You cannot specify the name of an existing folder.Result:
[SC] CreateService: Success -
Click Start and start typing
Servicesin the Windows search bar. Run the Services application as an administrator. -
In the window that opens, find the service you created earlier, right-click it, and select Properties.
-
On the Log on tab, select This account and specify your Windows account name and password.
If necessary, click Browse → Advanced → Search to find the user you need on the computer.
-
Click OK.
To delete the created service, open
CMDas an administrator and run the following command:sc delete <service_name>Result:
[SC] DeleteService: Success -
Synchronize the local folder with the bucket
As the final backup configuration step, set up manual or automatic synchronization between the local folder and the bucket.
Manual synchronization
For a one-off synchronization, run this command:
rsync -av \
--no-owner \
--no-group \
--no-perms \
--no-times \
--delete \
<local_folder_path>/ \
<mount_folder_path>/
Where --delete is a flag to delete files from the bucket when they are deleted from the local folder.
Note
Specify the full absolute path to folders without using ~, e.g., /home/user/.
This command copies all contents from your local folder to the bucket using the folder mounted with GeeseFS. It only moves new and modified files.
The GeeseFS folder is not a proper POSIX-compliant file system, so ownership, permissions, and timestamps are not copied.
For a one-off synchronization, use the command line (CMD) to run the following:
robocopy "<local_folder_path>" "<mount_folder_path>" /MIR
Where /MIR indicates full folder synchronization, including deletion of missing files.
Note
Specify the full absolute path to folders without using ~, e.g., /home/user/.
Result:
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Start : October 6, 2025, 21:16:36
Source : C:\Users\username\geesefs\local\
Target : C:\Users\username\geesefs\mount\
Files: *.*
Parameters: *.* /S /E /DCOPY:DA /COPY:DAT /PURGE /MIR /R:1000000 /W:30
------------------------------------------------------------------------------
1 C:\Users\username\geesefs\local\
100% New file 13793 image.PNG
------------------------------------------------------------------------------
TotalCopied SkippedMismatch FAILEDExtras
Folders : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 13.4 k 13.4 k 0 0 0 0
Time : 0:00:00 0:00:00 0:00:00 0:00:00
Speed : 13793000 Bytes/sec.
Speed : 789.241 MB/min.
Ended : October 6, 2025, 21:16:36
Tip
To avoid running the command manually each time, you can create a BAT file:
-
Open Notepad and add the following contents:
@echo off robocopy "<local_folder_path>" "<mount_folder_path>" /MIR -
Save the file, e.g., as
sync_to_s3.bat. -
To synchronize folders, run the BAT file.
Automatic synchronization
To automatically synchronize your local folder with the GeeseFS folder:
-
Make sure the user who will schedule the
cronjob has access to both folders. -
Open the current user's scheduler file by running this command:
crontab -e -
Add a line to the file to trigger autosync, e.g., every 10 minutes:
*/10 * * * * rsync -av --no-owner --no-group --no-perms --no-times --delete <local_folder_path>/ <mount_folder_path>/ --log-file=<log_file_path>Where:
--delete: Flag to delete files from the bucket when they are deleted from the local folder.--log-file: Optional parameter for writing logs. Specify the full path.
Note
Specify the full absolute path to folders without using
~, e.g.,/home/user/.
The job will run at the specified frequency and synchronize the folders.
The command in the cron job copies all contents from your local folder to the bucket using the folder mounted with GeeseFS. It only moves new and modified files.
The GeeseFS folder is not a proper POSIX-compliant file system, so ownership, permissions, and timestamps are not copied.
For auto sync, set up a task in the Task scheduler:
-
Open the Windows Task Scheduler:
- Start Menu → Task Scheduler.
- Or start it in Run →
taskschd.msc.
-
Click Create task....
-
In the Actions tab, add a new action by specifying the absolute path to the executable script, e.g., a BAT file, under Program or script.
-
In the Triggers tab, add a schedule.
-
Click OK.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the objects from the bucket.
- Delete the bucket.