shorten log messages

.circleci/config.yml

@@ -11,10 +11,6 @@ jobs:
           name: Build
           command: |
             docker build . -t offen/docker-volume-backup:canary
-      - run:
-          name: Install gnupg
-          command: |
-            sudo apt-get install -y gnupg
       - run:
           name: Run tests
           working_directory: ~/docker-volume-backup/test

NOTICE

@@ -0,0 +1,22 @@
+Copyright 2021 Offen Authors <hioffen@posteo.de>
+
+This project contains software that is Copyright (c) 2018 Futurice
+Licensed under the Terms of the MIT License:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -2,7 +2,7 @@
 
 Backup Docker volumes locally or to any S3 compatible storage.
 
-The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) sidecar container to an existing Docker setup. It handles __recurring or one-off backups of Docker volumes__ to a __local directory__ or __any S3 compatible storage__ (or both), and __rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__.
+The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a sidecar container to an existing Docker setup. It handles recurring backups of Docker volumes to a local directory or any S3 compatible storage (or both) and rotates away old backups if configured.
 
 ## Configuration
 
@@ -177,8 +177,8 @@ docker exec <container_ref> backup
 This image is heavily inspired by the `futurice/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
 
 - The original image is based on `ubuntu` and additional tools, making it very heavy. This version is roughly 1/25 in compressed size (it's ~12MB).
-- The original image uses a shell script, when this is written in Go, which makes it easier to extend and maintain (more verbose also).
+- The original image uses a shell script, when this is written in Go.
 - The original image proposed to handle backup rotation through AWS S3 lifecycle policies. This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO. Local copies of backups can also be pruned once they reach a certain age.
-- InfluxDB specific functionality from the original image was removed.
+- InfluxDB specific functionality was removed.
 - `arm64` and `arm/v7` architectures are supported.
 - Docker in Swarm mode is supported.

cmd/backup/main.go

@@ -4,22 +4,25 @@
 package main
 
 import (
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"path"
 	"path/filepath"
+	"strconv"
 	"time"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
-	"github.com/gofrs/flock"
-	"github.com/kelseyhightower/envconfig"
+	"github.com/joho/godotenv"
 	"github.com/leekchan/timeutil"
-	"github.com/minio/minio-go/v7"
+	minio "github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/sirupsen/logrus"
 	"github.com/walle/targz"
@@ -27,34 +30,19 @@ import (
 )
 
 func main() {
-	unlock := lock("/var/lock/dockervolumebackup.lock")
+	unlock := lock("/var/dockervolumebackup.lock")
 	defer unlock()
 
-	s, err := newScript()
-	if err != nil {
-		panic(err)
-	}
-
-	s.must(func() error {
-		restartContainers, err := s.stopContainers()
-		defer func() {
-			s.must(restartContainers())
-		}()
-		if err != nil {
-			return err
-		}
-		return s.takeBackup()
-	}())
-
+	s := &script{}
+	s.must(s.init())
+	s.must(s.stopContainersAndRun(s.takeBackup))
 	s.must(s.encryptBackup())
 	s.must(s.copyBackup())
-	s.must(s.removeArtifacts())
+	s.must(s.cleanBackup())
 	s.must(s.pruneOldBackups())
 	s.logger.Info("Finished running backup tasks.")
 }
 
-// script holds all the stateful information required to orchestrate a
-// single backup run.
 type script struct {
 	ctx    context.Context
 	cli    *client.Client
@@ -62,98 +50,122 @@ type script struct {
 	logger *logrus.Logger
 
 	start time.Time
-	file  string
 
-	c *config
+	file           string
+	bucket         string
+	archive        string
+	sources        string
+	passphrase     []byte
+	retentionDays  *int
+	leeway         *time.Duration
+	containerLabel string
+	pruningPrefix  string
 }
 
-type config struct {
-	BackupSources            string        `split_words:"true" default:"/backup"`
-	BackupFilename           string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
-	BackupArchive            string        `split_words:"true" default:"/archive"`
-	BackupRetentionDays      int32         `split_words:"true" default:"-1"`
-	BackupPruningLeeway      time.Duration `split_words:"true" default:"1m"`
-	BackupPruningPrefix      string        `split_words:"true"`
-	BackupStopContainerLabel string        `split_words:"true" default:"true"`
-	AwsS3BucketName          string        `split_words:"true"`
-	AwsEndpoint              string        `split_words:"true" default:"s3.amazonaws.com"`
-	AwsEndpointProto         string        `split_words:"true" default:"https"`
-	AwsEndpointInsecure      bool          `split_words:"true"`
-	AwsAccessKeyID           string        `envconfig:"AWS_ACCESS_KEY_ID"`
-	AwsSecretAccessKey       string        `split_words:"true"`
-	GpgPassphrase            string        `split_words:"true"`
+// lock opens a lockfile at the given location, keeping it locked until the
+// caller invokes the returned release func. When invoked while the file is
+// still locked the function panics.
+func lock(lockfile string) func() error {
+	lf, err := os.OpenFile(lockfile, os.O_CREATE, os.ModeAppend)
+	if err != nil {
+		panic(err)
+	}
+	return func() error {
+		if err := lf.Close(); err != nil {
+			return fmt.Errorf("lock: error releasing file lock: %w", err)
+		}
+		if err := os.Remove(lockfile); err != nil {
+			return fmt.Errorf("lock: error removing lock file: %w", err)
+		}
+		return nil
+	}
 }
 
-// newScript creates all resources needed for the script to perform actions against
-// remote resources like the Docker engine or remote storage locations. All
-// reading from env vars or other configuration sources is expected to happen
-// in this method.
-func newScript() (*script, error) {
-	s := &script{
-		c:   &config{},
-		ctx: context.Background(),
-		logger: &logrus.Logger{
-			Out:       os.Stdout,
-			Formatter: new(logrus.TextFormatter),
-			Hooks:     make(logrus.LevelHooks),
-			Level:     logrus.InfoLevel,
-		},
-		start: time.Now(),
-	}
+// init creates all resources needed for the script to perform actions against
+// remote resources like the Docker engine or remote storage locations.
+func (s *script) init() error {
+	s.ctx = context.Background()
+	s.logger = logrus.New()
+	s.logger.SetOutput(os.Stdout)
 
-	if err := envconfig.Process("", s.c); err != nil {
-		return nil, fmt.Errorf("newScript: failed to process configuration values: %w", err)
+	if err := godotenv.Load("/etc/backup.env"); err != nil {
+		return fmt.Errorf("init: failed to load env file: %w", err)
 	}
 
-	s.file = path.Join("/tmp", s.c.BackupFilename)
-
 	_, err := os.Stat("/var/run/docker.sock")
 	if !os.IsNotExist(err) {
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 		if err != nil {
-			return nil, fmt.Errorf("newScript: failed to create docker client")
+			return fmt.Errorf("init: failed to create docker client")
 		}
 		s.cli = cli
 	}
 
-	if s.c.AwsS3BucketName != "" {
-		mc, err := minio.New(s.c.AwsEndpoint, &minio.Options{
+	if bucket := os.Getenv("AWS_S3_BUCKET_NAME"); bucket != "" {
+		s.bucket = bucket
+		mc, err := minio.New(os.Getenv("AWS_ENDPOINT"), &minio.Options{
 			Creds: credentials.NewStaticV4(
-				s.c.AwsAccessKeyID,
-				s.c.AwsSecretAccessKey,
+				os.Getenv("AWS_ACCESS_KEY_ID"),
+				os.Getenv("AWS_SECRET_ACCESS_KEY"),
 				"",
 			),
-			Secure: !s.c.AwsEndpointInsecure && s.c.AwsEndpointProto == "https",
+			Secure: os.Getenv("AWS_ENDPOINT_INSECURE") == "" && os.Getenv("AWS_ENDPOINT_PROTO") == "https",
 		})
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error setting up minio client: %w", err)
+			return fmt.Errorf("init: error setting up minio client: %w", err)
 		}
 		s.mc = mc
 	}
 
-	return s, nil
+	file := os.Getenv("BACKUP_FILENAME")
+	if file == "" {
+		return errors.New("init: BACKUP_FILENAME not given")
+	}
+	s.file = path.Join("/tmp", file)
+	s.archive = os.Getenv("BACKUP_ARCHIVE")
+	s.sources = os.Getenv("BACKUP_SOURCES")
+	if v := os.Getenv("GPG_PASSPHRASE"); v != "" {
+		s.passphrase = []byte(v)
+	}
+	if v := os.Getenv("BACKUP_RETENTION_DAYS"); v != "" {
+		i, err := strconv.Atoi(v)
+		if err != nil {
+			return fmt.Errorf("init: error parsing BACKUP_RETENTION_DAYS as int: %w", err)
+		}
+		s.retentionDays = &i
+	}
+	if v := os.Getenv("BACKUP_PRUNING_LEEWAY"); v != "" {
+		d, err := time.ParseDuration(v)
+		if err != nil {
+			return fmt.Errorf("init: error parsing BACKUP_PRUNING_LEEWAY as duration: %w", err)
+		}
+		s.leeway = &d
+	}
+	s.containerLabel = os.Getenv("BACKUP_STOP_CONTAINER_LABEL")
+	s.pruningPrefix = os.Getenv("BACKUP_PRUNING_PREFIX")
+	s.start = time.Now()
+
+	return nil
 }
 
-var noop = func() error { return nil }
-
-// stopContainers stops all Docker containers that are marked as to being
-// stopped during the backup and returns a function that can be called to
-// restart everything that has been stopped.
-func (s *script) stopContainers() (func() error, error) {
+// stopContainersAndRun stops all Docker containers that are marked as to being
+// stopped during the backup and runs the given thunk. After returning, it makes
+// sure containers are being restarted if required.
+func (s *script) stopContainersAndRun(thunk func() error) error {
 	if s.cli == nil {
-		return noop, nil
+		return thunk()
 	}
 
 	allContainers, err := s.cli.ContainerList(s.ctx, types.ContainerListOptions{
 		Quiet: true,
 	})
 	if err != nil {
-		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
+		return fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
 	}
 
 	containerLabel := fmt.Sprintf(
 		"docker-volume-backup.stop-during-backup=%s",
-		s.c.BackupStopContainerLabel,
+		s.containerLabel,
 	)
 	containersToStop, err := s.cli.ContainerList(s.ctx, types.ContainerListOptions{
 		Quiet: true,
@@ -164,39 +176,28 @@ func (s *script) stopContainers() (func() error, error) {
 	})
 
 	if err != nil {
-		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
+		return fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
 	}
-
-	if len(containersToStop) == 0 {
-		return noop, nil
-	}
-
 	s.logger.Infof(
-		"Stopping %d container(s) labeled `%s` out of %d running container(s).",
+		"Stopping %d containers labeled `%s` out of %d running container(s).",
 		len(containersToStop),
 		containerLabel,
 		len(allContainers),
 	)
 
 	var stoppedContainers []types.Container
-	var stopErrors []error
-	for _, container := range containersToStop {
-		if err := s.cli.ContainerStop(s.ctx, container.ID, nil); err != nil {
-			stopErrors = append(stopErrors, err)
-		} else {
-			stoppedContainers = append(stoppedContainers, container)
+	var errors []error
+	if len(containersToStop) != 0 {
+		for _, container := range containersToStop {
+			if err := s.cli.ContainerStop(s.ctx, container.ID, nil); err != nil {
+				errors = append(errors, err)
+			} else {
+				stoppedContainers = append(stoppedContainers, container)
+			}
 		}
 	}
 
-	if len(stopErrors) != 0 {
-		return noop, fmt.Errorf(
-			"stopContainersAndRun: %d error(s) stopping containers: %w",
-			len(stopErrors),
-			err,
-		)
-	}
-
-	return func() error {
+	defer func() error {
 		servicesRequiringUpdate := map[string]struct{}{}
 
 		var restartErrors []error
@@ -221,7 +222,7 @@ func (s *script) stopContainers() (func() error, error) {
 					}
 				}
 				if serviceMatch.ID == "" {
-					return fmt.Errorf("stopContainersAndRun: couldn't find service with name %s", serviceName)
+					return fmt.Errorf("stopContainersAndRun: Couldn't find service with name %s", serviceName)
 				}
 				serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
 				_, err := s.cli.ServiceUpdate(
@@ -241,22 +242,33 @@ func (s *script) stopContainers() (func() error, error) {
 				err,
 			)
 		}
-		s.logger.Infof(
-			"Restarted %d container(s) and the matching service(s).",
-			len(stoppedContainers),
-		)
+		s.logger.Infof("Restarted %d container(s) and the matching service(s).", len(stoppedContainers))
 		return nil
-	}, nil
+	}()
+
+	var stopErr error
+	if len(errors) != 0 {
+		stopErr = fmt.Errorf(
+			"stopContainersAndRun: %d errors stopping containers: %w",
+			len(errors),
+			err,
+		)
+	}
+	if stopErr != nil {
+		return stopErr
+	}
+
+	return thunk()
 }
 
 // takeBackup creates a tar archive of the configured backup location and
 // saves it to disk.
 func (s *script) takeBackup() error {
 	s.file = timeutil.Strftime(&s.start, s.file)
-	if err := targz.Compress(s.c.BackupSources, s.file); err != nil {
+	if err := targz.Compress(s.sources, s.file); err != nil {
 		return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
 	}
-	s.logger.Infof("Created backup of `%s` at `%s`.", s.c.BackupSources, s.file)
+	s.logger.Infof("Created backup of `%s` at `%s`.", s.sources, s.file)
 	return nil
 }
 
@@ -264,35 +276,39 @@ func (s *script) takeBackup() error {
 // In case no passphrase is given it returns early, leaving the backup file
 //  untouched.
 func (s *script) encryptBackup() error {
-	if s.c.GpgPassphrase == "" {
+	if s.passphrase == nil {
 		return nil
 	}
-	defer os.Remove(s.file)
-
-	gpgFile := fmt.Sprintf("%s.gpg", s.file)
-	outFile, err := os.Create(gpgFile)
-	defer outFile.Close()
-	if err != nil {
-		return fmt.Errorf("encryptBackup: error opening out file: %w", err)
-	}
 
+	buf := bytes.NewBuffer(nil)
 	_, name := path.Split(s.file)
-	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
+	pt, err := openpgp.SymmetricallyEncrypt(buf, []byte(s.passphrase), &openpgp.FileHints{
 		IsBinary: true,
 		FileName: name,
 	}, nil)
-	defer dst.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
 	}
 
-	src, err := os.Open(s.file)
+	unencrypted, err := ioutil.ReadFile(s.file)
 	if err != nil {
-		return fmt.Errorf("encryptBackup: error opening backup file %s: %w", s.file, err)
+		pt.Close()
+		return fmt.Errorf("encryptBackup: error reading unencrypted backup file: %w", err)
+	}
+	_, err = pt.Write(unencrypted)
+	if err != nil {
+		pt.Close()
+		return fmt.Errorf("encryptBackup: error writing backup contents: %w", err)
+	}
+	pt.Close()
+
+	gpgFile := fmt.Sprintf("%s.gpg", s.file)
+	if err := ioutil.WriteFile(gpgFile, buf.Bytes(), os.ModeAppend); err != nil {
+		return fmt.Errorf("encryptBackup: error writing encrypted version of backup: %w", err)
 	}
 
-	if _, err := io.Copy(dst, src); err != nil {
-		return fmt.Errorf("encryptBackup: error writing ciphertext to file: %w", err)
+	if err := os.Remove(s.file); err != nil {
+		return fmt.Errorf("encryptBackup: error removing unencrpyted backup: %w", err)
 	}
 
 	s.file = gpgFile
@@ -304,31 +320,31 @@ func (s *script) encryptBackup() error {
 // as per the given configuration.
 func (s *script) copyBackup() error {
 	_, name := path.Split(s.file)
-	if s.c.AwsS3BucketName != "" {
-		_, err := s.mc.FPutObject(s.ctx, s.c.AwsS3BucketName, name, s.file, minio.PutObjectOptions{
+	if s.bucket != "" {
+		_, err := s.mc.FPutObject(s.ctx, s.bucket, name, s.file, minio.PutObjectOptions{
 			ContentType: "application/tar+gzip",
 		})
 		if err != nil {
 			return fmt.Errorf("copyBackup: error uploading backup to remote storage: %w", err)
 		}
-		s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`", s.file, s.c.AwsS3BucketName)
+		s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`", s.file, s.bucket)
 	}
 
-	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
-		if err := copy(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
+	if _, err := os.Stat(s.archive); !os.IsNotExist(err) {
+		if err := copy(s.file, path.Join(s.archive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
 		}
-		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`", s.file, s.c.BackupArchive)
+		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`", s.file, s.archive)
 	}
 	return nil
 }
 
-// removeArtifacts removes the backup file from disk.
-func (s *script) removeArtifacts() error {
+// cleanBackup removes the backup file from disk.
+func (s *script) cleanBackup() error {
 	if err := os.Remove(s.file); err != nil {
-		return fmt.Errorf("removeArtifacts: error removing file: %w", err)
+		return fmt.Errorf("cleanBackup: error removing file: %w", err)
 	}
-	s.logger.Info("Removed local artifacts.")
+	s.logger.Info("Cleaned up local artifacts.")
 	return nil
 }
 
@@ -336,22 +352,22 @@ func (s *script) removeArtifacts() error {
 // the given configuration. In case the given configuration would delete all
 // backups, it does nothing instead.
 func (s *script) pruneOldBackups() error {
-	if s.c.BackupRetentionDays < 0 {
+	if s.retentionDays == nil {
 		return nil
 	}
 
-	if s.c.BackupPruningLeeway != 0 {
-		s.logger.Infof("Sleeping for %s before pruning backups.", s.c.BackupPruningLeeway)
-		time.Sleep(s.c.BackupPruningLeeway)
+	if s.leeway != nil {
+		s.logger.Infof("Sleeping for %s before pruning backups.", s.leeway)
+		time.Sleep(*s.leeway)
 	}
 
-	s.logger.Infof("Trying to prune backups older than %d day(s) now.", s.c.BackupRetentionDays)
-	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays))
+	s.logger.Infof("Trying to prune backups older than %d day(s) now.", *s.retentionDays)
+	deadline := s.start.AddDate(0, 0, -*s.retentionDays)
 
-	if s.c.AwsS3BucketName != "" {
-		candidates := s.mc.ListObjects(s.ctx, s.c.AwsS3BucketName, minio.ListObjectsOptions{
+	if s.bucket != "" {
+		candidates := s.mc.ListObjects(s.ctx, s.bucket, minio.ListObjectsOptions{
 			WithMetadata: true,
-			Prefix:       s.c.BackupPruningPrefix,
+			Prefix:       s.pruningPrefix,
 		})
 
 		var matches []minio.ObjectInfo
@@ -359,10 +375,7 @@ func (s *script) pruneOldBackups() error {
 		for candidate := range candidates {
 			lenCandidates++
 			if candidate.Err != nil {
-				return fmt.Errorf(
-					"pruneOldBackups: error looking up candidates from remote storage: %w",
-					candidate.Err,
-				)
+				return fmt.Errorf("pruneOldBackups: error looking up candidates from remote storage: %w", candidate.Err)
 			}
 			if candidate.LastModified.Before(deadline) {
 				matches = append(matches, candidate)
@@ -377,7 +390,7 @@ func (s *script) pruneOldBackups() error {
 				}
 				close(objectsCh)
 			}()
-			errChan := s.mc.RemoveObjects(s.ctx, s.c.AwsS3BucketName, objectsCh, minio.RemoveObjectsOptions{})
+			errChan := s.mc.RemoveObjects(s.ctx, s.bucket, objectsCh, minio.RemoveObjectsOptions{})
 			var errors []error
 			for result := range errChan {
 				if result.Err != nil {
@@ -393,25 +406,23 @@ func (s *script) pruneOldBackups() error {
 				)
 			}
 			s.logger.Infof(
-				"Pruned %d out of %d remote backup(s) as their age exceeded the configured retention period of %d days.",
+				"Pruned %d out of %d remote backup(s) as their age exceeded the configured retention period.",
 				len(matches),
 				lenCandidates,
-				s.c.BackupRetentionDays,
 			)
 		} else if len(matches) != 0 && len(matches) == lenCandidates {
 			s.logger.Warnf(
-				"The current configuration would delete all %d remote backup copies.",
+				"The current configuration would delete all %d remote backup copies. Refusing to do so, please check your configuration.",
 				len(matches),
 			)
-			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d remote backup(s) were pruned.", lenCandidates)
 		}
 	}
 
-	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
+	if _, err := os.Stat(s.archive); !os.IsNotExist(err) {
 		candidates, err := filepath.Glob(
-			path.Join(s.c.BackupArchive, fmt.Sprintf("%s*", s.c.BackupPruningPrefix)),
+			path.Join(s.archive, fmt.Sprintf("%s*", s.pruningPrefix)),
 		)
 		if err != nil {
 			return fmt.Errorf(
@@ -419,7 +430,7 @@ func (s *script) pruneOldBackups() error {
 			)
 		}
 
-		var matches []string
+		var matches []os.FileInfo
 		for _, candidate := range candidates {
 			fi, err := os.Stat(candidate)
 			if err != nil {
@@ -431,14 +442,14 @@ func (s *script) pruneOldBackups() error {
 			}
 
 			if fi.ModTime().Before(deadline) {
-				matches = append(matches, candidate)
+				matches = append(matches, fi)
 			}
 		}
 
 		if len(matches) != 0 && len(matches) != len(candidates) {
 			var errors []error
 			for _, candidate := range matches {
-				if err := os.Remove(candidate); err != nil {
+				if err := os.Remove(candidate.Name()); err != nil {
 					errors = append(errors, err)
 				}
 			}
@@ -450,17 +461,15 @@ func (s *script) pruneOldBackups() error {
 				)
 			}
 			s.logger.Infof(
-				"Pruned %d out of %d local backup(s) as their age exceeded the configured retention period of %d days.",
+				"Pruned %d out of %d local backup(s) as their age exceeded the configured retention period.",
 				len(matches),
 				len(candidates),
-				s.c.BackupRetentionDays,
 			)
 		} else if len(matches) != 0 && len(matches) == len(candidates) {
 			s.logger.Warnf(
-				"The current configuration would delete all %d local backup copies.",
+				"The current configuration would delete all %d local backup copies. Refusing to do so, please check your configuration.",
 				len(matches),
 			)
-			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d local backup(s) were pruned.", len(candidates))
 		}
@@ -470,26 +479,14 @@ func (s *script) pruneOldBackups() error {
 
 func (s *script) must(err error) {
 	if err != nil {
-		s.logger.Fatalf("Fatal error running backup: %s", err)
+		if s.logger == nil {
+			panic(err)
+		}
+		s.logger.Errorf("Fatal error running backup: %s", err)
+		os.Exit(1)
 	}
 }
 
-// lock opens a lockfile at the given location, keeping it locked until the
-// caller invokes the returned release func. When invoked while the file is
-// still locked the function panics.
-func lock(lockfile string) func() error {
-	fileLock := flock.New(lockfile)
-	acquired, err := fileLock.TryLock()
-	if err != nil {
-		panic(err)
-	}
-	if !acquired {
-		panic("unable to acquire file lock")
-	}
-	return fileLock.Unlock
-}
-
-// copy creates a copy of the file located at `dst` at `src`.
 func copy(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {

entrypoint.sh

@@ -3,12 +3,38 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
 
+# Portions of this file are taken from github.com/futurice/docker-volume-backup
+# See NOTICE for information about authors and licensing.
+
 set -e
 
+# Write cronjob env to file, fill in sensible defaults, and read them back in
+mkdir -p /etc/backup
+cat <<EOF > /etc/backup.env
+BACKUP_SOURCES="${BACKUP_SOURCES:-/backup}"
 BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
+BACKUP_FILENAME="${BACKUP_FILENAME:-backup-%Y-%m-%dT%H-%M-%S.tar.gz}"
+BACKUP_ARCHIVE="${BACKUP_ARCHIVE:-/archive}"
 
+BACKUP_RETENTION_DAYS="${BACKUP_RETENTION_DAYS:-}"
+BACKUP_PRUNING_LEEWAY="${BACKUP_PRUNING_LEEWAY:-1m}"
+BACKUP_PRUNING_PREFIX="${BACKUP_PRUNING_PREFIX:-}"
+BACKUP_STOP_CONTAINER_LABEL="${BACKUP_STOP_CONTAINER_LABEL:-true}"
+
+AWS_S3_BUCKET_NAME="${AWS_S3_BUCKET_NAME:-}"
+AWS_ENDPOINT="${AWS_ENDPOINT:-s3.amazonaws.com}"
+AWS_ENDPOINT_PROTO="${AWS_ENDPOINT_PROTO:-https}"
+AWS_ENDPOINT_INSECURE="${AWS_ENDPOINT_INSECURE:-}"
+
+GPG_PASSPHRASE="${GPG_PASSPHRASE:-}"
+EOF
+chmod a+x /etc/backup.env
+source /etc/backup.env
+
+# Add our cron entry, and direct stdout & stderr to Docker commands stdout
 echo "Installing cron.d entry with expression $BACKUP_CRON_EXPRESSION."
 echo "$BACKUP_CRON_EXPRESSION backup 2>&1" | crontab -
 
+# Let cron take the wheel
 echo "Starting cron in foreground."
 crond -f -l 8

go.mod

@@ -4,8 +4,7 @@ go 1.17
 
 require (
 	github.com/docker/docker v20.10.8+incompatible
-	github.com/gofrs/flock v0.8.1
-	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/joho/godotenv v1.3.0
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
 	github.com/minio/minio-go/v7 v7.0.12
 	github.com/sirupsen/logrus v1.8.1

go.sum

@@ -274,8 +274,6 @@ github.com/godbus/dbus v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblf
 github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
-github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU=
 github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -372,6 +370,8 @@ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANyt
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
+github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -382,8 +382,6 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
-github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
-github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -399,11 +397,9 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d h1:2puqoOQwi3Ai1oznMOsFIbifm6kIfJaLLyYzWD4IzTs=
 github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d/go.mod h1:hO90vCP2x3exaSH58BIAowSKvV+0OsY21TtzuFGHON4=
@@ -911,7 +907,6 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=

test/compose/docker-compose.yml

@@ -28,7 +28,6 @@ services:
       BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
       BACKUP_PRUNING_LEEWAY: 5s
       BACKUP_PRUNING_PREFIX: test
-      GPG_PASSPHRASE: 1234secret
     volumes:
       - ./local:/archive
       - app_data:/backup/app_data:ro
@@ -41,6 +40,7 @@ services:
     volumes:
       - app_data:/var/opt/offen
 
+
 volumes:
   backup_data:
   app_data:

test/compose/run.sh

@@ -13,13 +13,11 @@ docker-compose exec backup backup
 
 docker run --rm -it \
   -v compose_backup_data:/data alpine \
-  ash -c 'apk add gnupg && echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /data/backup/test.tar.gz.gpg > /tmp/test.tar.gz && tar -xf /tmp/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
+  ash -c 'tar -xf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db'
 
 echo "[TEST:PASS] Found relevant files in untared remote backup."
 
-echo 1234secret | gpg -d --yes --passphrase-fd 0 ./local/test.tar.gz.gpg > ./local/decrypted.tar.gz
-tar -xf ./local/decrypted.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
-rm ./local/decrypted.tar.gz
+tar -xf ./local/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
 
 echo "[TEST:PASS] Found relevant files in untared local backup."
 
@@ -31,6 +29,8 @@ fi
 
 echo "[TEST:PASS] All containers running post backup."
 
+docker-compose down
+
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day