Change default value for SSH identity file (#108 )

* Change default value for SSH identity file * Force remove write protected file in tests
SSH Backup Storage Support (#107 )
2025-12-05 17:18:02 +01:00 · 2022-06-17 11:28:29 +02:00 · 2022-06-17 11:06:15 +02:00 · 2022-06-07 09:21:40 +02:00 · 2022-05-12 08:18:12 +02:00 · 2022-05-08 11:20:38 +02:00
45 changed files with 3033 additions and 1277 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,7 +3,7 @@ version: 2.1
 jobs:
  canary:
    machine:
-      image: ubuntu-1604:202007-01
+      image: ubuntu-2004:202201-02
    working_directory: ~/docker-volume-backup
    steps:
      - checkout
@@ -19,6 +19,7 @@ jobs:
          name: Run tests
          working_directory: ~/docker-volume-backup/test
          command: |
            export GPG_TTY=$(tty)
            ./test.sh canary
  build:
@@ -47,6 +48,7 @@ jobs:
            if [[ "$CIRCLE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              # prerelease tags like `v2.0.0-alpha.1` should not be released as `latest`
              tag_args="$tag_args -t offen/docker-volume-backup:latest"
              tag_args="$tag_args -t offen/docker-volume-backup:$(echo "$CIRCLE_TAG" | cut -d. -f1)"
            fi
            docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
               $tag_args . --push
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,20 @@
 * **I'm submitting a ...**
  - [ ] bug report
  - [ ] feature request
  - [ ] support request
 * **What is the current behavior?**
 * **If the current behavior is a bug, please provide the configuration and steps to reproduce and if possible a minimal demo of the problem.**
 * **What is the expected behavior?**
 * **What is the motivation / use case for changing the behavior?**
 * **Please tell us about your environment:**
  - Image version:
  - Docker version: 
  - docker-compose version:
 * **Other information** (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. stackoverflow, etc)
--- a/14
+++ b/14
@@ -1,20 +1,22 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
-FROM golang:1.17-alpine as builder
+FROM golang:1.18-alpine as builder
 WORKDIR /app
 COPY go.mod go.sum ./
-COPY cmd/backup/main.go ./cmd/backup/main.go
+RUN go mod download
-RUN go build -o backup cmd/backup/main.go
+COPY cmd/backup ./cmd/backup/
 WORKDIR /app/cmd/backup
 RUN go build -o backup .
-FROM alpine:3.14
+FROM alpine:3.15
 WORKDIR /root
-RUN apk add --update ca-certificates
+RUN apk add --no-cache ca-certificates
-COPY --from=builder /app/backup /usr/bin/backup
+COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
 COPY ./entrypoint.sh /root/
 RUN chmod +x entrypoint.sh
--- a/README.md
+++ b/README.md
@@ -1,29 +1,48 @@
 <a href="https://www.offen.dev/">
    <img src="https://offen.github.io/press-kit/offen-material/gfx-GitHub-Offen-logo.svg" alt="Offen logo" title="Offen" width="150px"/>
 </a>
 # docker-volume-backup
 Backup Docker volumes locally or to any S3 compatible storage.
 The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) sidecar container to an existing Docker setup.
-It handles __recurring or one-off backups of Docker volumes__ to a __local directory__ or __any S3 compatible storage__ (or both), and __rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__.
+It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV or SSH compatible storage (or any combination) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
 <!-- MarkdownTOC -->
 - [Quickstart](#quickstart)
  - [Recurring backups in a compose setup](#recurring-backups-in-a-compose-setup)
  - [One-off backups using Docker CLI](#one-off-backups-using-docker-cli)
 - [Configuration reference](#configuration-reference)
 - [How to](#how-to)
-  - [Stopping containers during backup](#stopping-containers-during-backup)
+  - [Stop containers during backup](#stop-containers-during-backup)
  - [Automatically pruning old backups](#automatically-pruning-old-backups)
  - [Send email notifications on failed backup runs](#send-email-notifications-on-failed-backup-runs)
  - [Customize notifications](#customize-notifications)
  - [Run custom commands before / after backup](#run-custom-commands-before--after-backup)
  - [Encrypting your backup using GPG](#encrypting-your-backup-using-gpg)
  - [Restoring a volume from a backup](#restoring-a-volume-from-a-backup)
  - [Set the timezone the container runs in](#set-the-timezone-the-container-runs-in)
  - [Using with Docker Swarm](#using-with-docker-swarm)
  - [Manually triggering a backup](#manually-triggering-a-backup)
  - [Update deprecated email configuration](#update-deprecated-email-configuration)
  - [Replace deprecated `BACKUP_FROM_SNAPSHOT` usage](#replace-deprecated-backup_from_snapshot-usage)
  - [Using a custom Docker host](#using-a-custom-docker-host)
  - [Run multiple backup schedules in the same container](#run-multiple-backup-schedules-in-the-same-container)
  - [Define different retention schedules](#define-different-retention-schedules)
 - [Recipes](#recipes)
  - [Backing up to AWS S3](#backing-up-to-aws-s3)
  - [Backing up to Filebase](#backing-up-to-filebase)
  - [Backing up to MinIO](#backing-up-to-minio)
  - [Backing up to WebDAV](#backing-up-to-webdav)
  - [Backing up to SSH](#backing-up-to-ssh)
  - [Backing up locally](#backing-up-locally)
  - [Backing up to AWS S3 as well as locally](#backing-up-to-aws-s3-as-well-as-locally)
  - [Running on a custom cron schedule](#running-on-a-custom-cron-schedule)
  - [Rotating away backups that are older than 7 days](#rotating-away-backups-that-are-older-than-7-days)
  - [Encrypting your backups using GPG](#encrypting-your-backups-using-gpg)
  - [Using mysqldump to prepare the backup](#using-mysqldump-to-prepare-the-backup)
  - [Running multiple instances in the same setup](#running-multiple-instances-in-the-same-setup)
 - [Differences to `futurice/docker-volume-backup`](#differences-to-futuricedocker-volume-backup)
@@ -37,6 +56,8 @@ Code and documentation for `v1` versions are found on [this branch][v1-branch].
 ## Quickstart
 ### Recurring backups in a compose setup
 Add a `backup` service to your compose setup and mount the volumes you would like to see backed up:
 ```yml
@@ -55,6 +76,10 @@ services:
      - docker-volume-backup.stop-during-backup=true
  backup:
    # In production, it is advised to lock your image tag to a proper
    # release version instead of using `latest`.
    # Check https://github.com/offen/docker-volume-backup/releases
    # for a list of available releases.
    image: offen/docker-volume-backup:latest
    restart: always
    env_file: ./backup.env # see below for configuration reference
@@ -62,7 +87,8 @@ services:
      - data:/backup/my-app-backup:ro
      # Mounting the Docker socket allows the script to stop and restart
      # the container during backup. You can omit this if you don't want
-      # to stop the container
+      # to stop the container. In case you need to proxy the socket, you can
      # also provide a location by setting `DOCKER_HOST` in the container
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # If you mount a local directory or volume to `/archive` a local
      # copy of the backup will be stored there. You can override the
@@ -73,6 +99,22 @@ volumes:
  data:
 ```
 ### One-off backups using Docker CLI
 To run a one time backup, mount the volume you would like to see backed up into a container and run the `backup` command:
 ```console
 docker run --rm \
  -v data:/backup/data \
  --env AWS_ACCESS_KEY_ID="<xxx>" \
  --env AWS_SECRET_ACCESS_KEY="<xxx>" \
  --env AWS_S3_BUCKET_NAME="<xxx>" \
  --entrypoint backup \
  offen/docker-volume-backup:v2
 ```
 Alternatively, pass a `--env-file` in order to use a full config as described below.
 ## Configuration reference
 Backup targets, schedule and retention are configured in environment variables.
@@ -95,6 +137,44 @@ You can populate below template according to your requirements and use it as you
 # BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
 # placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
 # BACKUP_PRUNING_PREFIX that will get expanded at runtime,
 # e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before
 # interpolating strftime tokens. It is disabled by default.
 # Please note that you will need to escape the `$` when providing the value
 # in a docker-compose.yml file, i.e. using $$VAR instead of $VAR.
 # BACKUP_FILENAME_EXPAND="true"
 # When storing local backups, a symlink to the latest backup can be created
 # in case a value is given for this key. This has no effect on remote backups.
 # BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"
 # ************************************************************************
 # The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
 # in the next major version. Please use exec-pre and exec-post
 # as documented below instead.
 # ************************************************************************
 # Whether to copy the content of backup folder before creating the tar archive.
 # In the rare scenario where the content of the source backup volume is continously
 # updating, but we do not wish to stop the container while performing the backup,
 # this setting can be used to ensure the integrity of the tar.gz file.
 # BACKUP_FROM_SNAPSHOT="false"
 # By default, the `/backup` directory inside the container will be backed up.
 # In case you need to use a custom location, set `BACKUP_SOURCES`.
 # BACKUP_SOURCES="/other/location"
 # When given, all files in BACKUP_SOURCES whose full path matches the given
 # regular expression will be excluded from the archive. Regular Expressions
 # can be used as from the Go standard library https://pkg.go.dev/regexp
 # BACKUP_EXCLUDE_REGEXP="\.log$"
 ########### BACKUP STORAGE
 # The name of the remote bucket that should be used for storing backups. If
@@ -102,6 +182,11 @@ You can populate below template according to your requirements and use it as you
 # AWS_S3_BUCKET_NAME="backup-bucket"
 # If you want to store the backup in a non-root location on your bucket
 # you can provide a path. The path must not contain a leading slash.
 # AWS_S3_PATH="my/backup/location"
 # Define credentials for authenticating against the backup storage and a bucket
 # name. Although all of these keys are `AWS`-prefixed, the setup can be used
 # with any S3 compatible storage.
@@ -109,8 +194,15 @@ You can populate below template according to your requirements and use it as you
 # AWS_ACCESS_KEY_ID="<xxx>"
 # AWS_SECRET_ACCESS_KEY="<xxx>"
 # Instead of providing static credentials, you can also use IAM instance profiles
 # or similar to provide authentication. Some possible configuration options on AWS:
 # - EC2: http://169.254.169.254
 # - ECS: http://169.254.170.2
 # AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"
 # This is the FQDN of your storage server, e.g. `storage.example.com`.
-# Do not set this when working against AWS S3 (the default value is 
+# Do not set this when working against AWS S3 (the default value is
 # `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you
 # will need to use the option below.
@@ -123,11 +215,71 @@ You can populate below template according to your requirements and use it as you
 # AWS_ENDPOINT_PROTO="https"
 # Setting this variable to `true` will disable verification of
-# SSL certificates. You shouldn't use this unless you use self-signed
+# SSL certificates for AWS_ENDPOINT. You shouldn't use this unless you use
-# certificates for your remote storage backend.
+# self-signed certificates for your remote storage backend. This can only be
 # used when AWS_ENDPOINT_PROTO is set to `https`.
 # AWS_ENDPOINT_INSECURE="true"
 # You can also backup files to any WebDAV server:
 # The URL of the remote WebDAV server
 # WEBDAV_URL="https://webdav.example.com"
 # The Directory to place the backups to on the WebDAV server.
 # If the path is not present on the server it will be created.
 # WEBDAV_PATH="/my/directory/"
 # The username for the WebDAV server
 # WEBDAV_USERNAME="user"
 # The password for the WebDAV server
 # WEBDAV_PASSWORD="password"
 # Setting this variable to `true` will disable verification of
 # SSL certificates for WEBDAV_URL. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend.
 # WEBDAV_URL_INSECURE="true"
 # You can also backup files to any SSH server:
 # The URL of the remote SSH server
 # SSH_HOST_NAME="server.local"
 # The port of the remote SSH server
 # Optional variable default value is `22`
 # SSH_PORT=2222
 # The Directory to place the backups to on the SSH server.
 # SSH_REMOTE_PATH="/my/directory/"
 # The username for the SSH server
 # SSH_USER="user"
 # The password for the SSH server
 # SSH_PASSWORD="password"
 # The private key path in container for SSH server
 # Default value: /root/.ssh/id_rsa
 # If file is mounted to /root/.ssh/id_rsa path it will be used. Non-RSA keys will
 # also work.
 # SSH_IDENTITY_FILE="/root/.ssh/id_rsa"
 # The passphrase for the identity file
 # SSH_IDENTITY_PASSPHRASE="pass"
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
@@ -188,11 +340,104 @@ You can populate below template according to your requirements and use it as you
 # override this default by specifying a different value here.
 # BACKUP_STOP_CONTAINER_LABEL="service1"
 ########### EXECUTING COMMANDS IN CONTAINERS PRE/POST BACKUP
 # It is possible to define commands to be run in any container before and after
 # a backup is conducted. The commands themselves are defined in labels like
 # `docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump [options] > dump.sql'.
 # Several options exist for controlling this feature:
 # By default, any output of such a command is suppressed. If this value
 # is configured to be "true", command execution output will be forwarded to
 # the backup container's stdout and stderr.
 # EXEC_FORWARD_OUTPUT="true"
 # Without any further configuration, all commands defined in labels will be
 # run before and after a backup. If you need more fine grained control, you
 # can use this option to set a label that will be used for narrowing down
 # the set of eligible containers. When set, an eligible container will also need
 # to be labeled as `docker-volume-backup.exec-label=database`.
 # EXEC_LABEL="database"
 ########### NOTIFICATIONS
 # Notifications (email, Slack, etc.) can be sent out when a backup run finishes.
 # Configuration is provided as a comma-separated list of URLs as consumed
 # by `shoutrrr`: https://containrrr.dev/shoutrrr/v0.5/services/overview/
 # The content of such notifications can be customized. Dedicated documentation
 # on how to do this can be found in the README. When providing multiple URLs or
 # an URL that contains a comma, the values can be URL encoded to avoid ambiguities.
 # The below URL demonstrates how to send an email using the provided SMTP
 # configuration and credentials.
 # NOTIFICATION_URLS=smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com
 # By default, notifications would only be sent out when a backup run fails
 # To receive notifications for every run, set `NOTIFICATION_LEVEL` to `info`
 # instead of the default `error`.
 # NOTIFICATION_LEVEL="error"
 ########### DOCKER HOST
 # If you are interfacing with Docker via TCP you can set the Docker host here
 # instead of mounting the Docker socket as a volume. This is unset by default.
 # DOCKER_HOST="tcp://docker_socket_proxy:2375"
 ########### LOCK_TIMEOUT
 # In the case of overlapping cron schedules run by the same container,
 # subsequent invocations will wait for previous runs to finish before starting.
 # By default, this will time out and fail in case the lock could not be acquired
 # after 60 minutes. In case you need to adjust this timeout, supply a duration
 # value as per https://pkg.go.dev/time#ParseDuration to `LOCK_TIMEOUT`
 # LOCK_TIMEOUT="60m"
 ########### EMAIL NOTIFICATIONS
 # ************************************************************************
 # Providing notification configuration like this has been deprecated
 # and will be removed in the next major version. Please use NOTIFICATION_URLS
 # as documented above instead.
 # ************************************************************************
 # In case SMTP credentials are provided, notification emails can be sent out when
 # a backup run finished. These emails will contain the start time, the error
 # message on failure and all prior log output.
 # The recipient(s) of the notification. Supply a comma separated list
 # of adresses if you want to notify multiple recipients. If this is
 # not set, no emails will be sent.
 # EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
 # The "From" header of the sent email. Defaults to `noreply@nohost`.
 # EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
 # Configuration and credentials for the SMTP server to be used.
 # EMAIL_SMTP_PORT defaults to 587.
 # EMAIL_SMTP_HOST="posteo.de"
 # EMAIL_SMTP_PASSWORD="<xxx>"
 # EMAIL_SMTP_USERNAME="no-reply@example.com"
 # EMAIL_SMTP_PORT="<port>"
 ```
 In case you encouter double quoted values in your configuration you might be running an [older version of `docker-compose`][compose-issue].
 You can work around this by either updating `docker-compose` or unquoting your configuration values.
 [compose-issue]: https://github.com/docker/compose/issues/2854
 ## How to
-### Stopping containers during backup
+### Stop containers during backup
 In many cases, it will be desirable to stop the services that are consuming the volume you want to backup in order to ensure data integrity.
 This image can automatically stop and restart containers and services (in case you are running Docker in Swarm mode).
@@ -210,7 +455,7 @@ services:
      - docker-volume-backup.stop-during-backup=service1
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_STOP_CONTAINER_LABEL: service1
    volumes:
@@ -233,7 +478,7 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_PRUNING_PREFIX: backup-
@@ -247,6 +492,108 @@ volumes:
  data:
 ```
 ### Send email notifications on failed backup runs
 To send out email notifications on failed backup runs, provide SMTP credentials, a sender and a recipient:
 ```yml
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      # ... other configuration values go here
      NOTIFICATION_URLS=smtp://me:secret@smtp.example.com:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
 ```
 Notification backends other than email are also supported.
 Refer to the documentation of [shoutrrr][shoutrrr-docs] to find out about options and configuration.
 [shoutrrr-docs]: https://containrrr.dev/shoutrrr/v0.5/services/overview/
 ### Customize notifications
 The title and body of the notifications can be easily tailored to your needs using [go templates](https://pkg.go.dev/text/template).
 Templates must be mounted inside the container in `/etc/dockervolumebackup/notifications.d/`: any file inside this directory will be parsed.
 The files have to define [nested templates](https://pkg.go.dev/text/template#hdr-Nested_template_definitions) in order to override the original values. An example:
 ```
 {{ define "title_success" -}}
 ✅ Successfully ran backup {{ .Config.BackupStopContainerLabel }}
 {{- end }}
 {{ define "body_success" -}}
 ▶️ Start time: {{ .Stats.StartTime | formatTime }}
 ⏹️ End time: {{ .Stats.EndTime | formatTime }}
 ⌛ Took time: {{ .Stats.TookTime }}
 🛑 Stopped containers: {{ .Stats.Containers.Stopped }}/{{ .Stats.Containers.All }} ({{ .Stats.Containers.StopErrors }} errors)
 ⚖️ Backup size: {{ .Stats.BackupFile.Size | formatBytesBin }} / {{ .Stats.BackupFile.Size | formatBytesDec }}
 🗑️ Pruned backups: {{ .Stats.Storages.Local.Pruned }}/{{ .Stats.Storages.Local.Total }} ({{ .Stats.Storages.Local.PruneErrors }} errors)
 {{- end }}
 ```
 Overridable template names are: `title_success`, `body_success`, `title_failure`, `body_failure`.
 For a full list of available variables and functions, see [this page](https://github.com/offen/docker-volume-backup/blob/master/docs/NOTIFICATION-TEMPLATES.md).
 ### Run custom commands before / after backup
 In certain scenarios it can be required to run specific commands before and after a backup is taken (e.g. dumping a database).
 When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container.
 Such commands are defined by specifying the command in a `docker-volume-backup.exec-[pre|post]` label.
 Taking a database dump using `mysqldump` would look like this:
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  database:
    image: mariadb
    volumes:
      - backup_data:/tmp/backups
    labels:
      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump --all-databases > /backups/dump.sql'
 volumes:
  backup_data:
 ```
 Due to Docker limitations, you currently cannot use any kind of redirection in these commands unless you pass the command to `/bin/sh -c` or similar.
 I.e. instead of using `echo "ok" > ok.txt` you will need to use `/bin/sh -c 'echo "ok" > ok.txt'`.
 If you need fine grained control about which container's commands are run, you can use the `EXEC_LABEL` configuration on your `docker-volume-backup` container:
 ```yml
 version: '3'
 services:
  database:
    image: mariadb
    volumes:
      - backup_data:/tmp/backups
    labels:
      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump --all-databases > /tmp/volume/dump.sql'
      - docker-volume-backup.exec-label=database
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      EXEC_LABEL: database
    volumes:
      - data:/backup/dump:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  backup_data:
 ```
 The backup procedure is guaranteed to wait for all `pre` commands to finish.
 However there are no guarantees about the order in which they are run, which could also happen concurrently.
 ### Encrypting your backup using GPG
 The image supports encrypting backups using GPG out of the box.
@@ -267,17 +614,58 @@ In case you need to restore a volume from a backup, the most straight forward pr
  ```console
  tar -C /tmp -xvf  backup.tar.gz
  ```
- Using a temporary one-off container, mount the volume (the example assumes it's named `data`) and copy over the backup. Make sure you copy the correct path level (this depends on how you mount your volume into the backup container), you might need to strip some leading elements
+- Using a temporary once-off container, mount the volume (the example assumes it's named `data`) and copy over the backup. Make sure you copy the correct path level (this depends on how you mount your volume into the backup container), you might need to strip some leading elements
  ```console
-  docker run -d --name backup_restore -v data:/backup_restore alpine
+  docker run -d --name temp_restore_container -v data:/backup_restore alpine
-  docker cp /tmp/backup/data-backup backup_restore:/backup_restore
+  docker cp /tmp/backup/data-backup temp_restore_container:/backup_restore
-  docker stop backup_restore
+  docker stop temp_restore_container
-  docker rm backup_restore
+  docker rm temp_restore_container
  ```
- Restart the container(s) that are using the volume 
+- Restart the container(s) that are using the volume
 Depending on your setup and the application(s) you are running, this might involve other steps to be taken still.
 ---
 If you want to rollback an entire volume to an earlier backup snapshot (recommended for database volumes):
 - Trigger a manual backup if necessary (see `Manually triggering a backup`).
 - Stop the container(s) that are using the volume.
 - If volume was initially created using docker-compose, find out exact volume name using:
  ```console
  docker volume ls
  ```
 - Remove existing volume (the example assumes it's named `data`):
  ```console
  docker volume rm data
  ```
 - Create new volume with the same name and restore a snapshot:
  ```console
  docker run --rm -it -v data:/backup/my-app-backup -v /path/to/local_backups:/archive:ro alpine tar -xvzf /archive/full_backup_filename.tar.gz
  ```
 - Restart the container(s) that are using the volume.
 ### Set the timezone the container runs in
 By default a container based on this image will run in the UTC timezone.
 As the image is designed to be as small as possible, additional timezone data is not included.
 In case you want to run your cron rules in your local timezone (respecting DST and similar), you can mount your Docker host's `/etc/timezone` and `/etc/localtime` in read-only mode:
 ```yml
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:v2
    volumes:
      - data:/backup/my-app-backup:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
 volumes:
  data:
 ```
 ### Using with Docker Swarm
 By default, Docker Swarm will restart stopped containers automatically, even when manually stopped.
@@ -291,7 +679,7 @@ When running in Swarm mode, it's also advised to set a hard memory limit on your
 ```yml
 services:
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    deployment:
      resources:
        limits:
@@ -306,6 +694,126 @@ You can manually trigger a backup run outside of the defined cron schedule by ex
 docker exec <container_ref> backup
 ```
 ### Update deprecated email configuration
 Starting with version 2.6.0, configuring email notifications using `EMAIL_*` keys has been deprecated.
 Instead of providing multiple values using multiple keys, you can now provide a single URL for `NOTIFICATION_URLS`.
 Before:
 ```ini
 EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
 EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
 EMAIL_SMTP_HOST="posteo.de"
 EMAIL_SMTP_PASSWORD="secret"
 EMAIL_SMTP_USERNAME="me"
 EMAIL_SMTP_PORT="587"
 ```
 After:
 ```ini
 NOTIFICATION_URLS=smtp://me:secret@posteo.de:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
 ```
 ### Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
 Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprecated.
 If you need to prepare your sources before the backup is taken, use `exec-pre`, `exec-post` and an intermediate volume:
 ```yml
 version: '3'
 services:
  my_app:
    build: .
    volumes:
      - data:/var/my_app
      - backup:/tmp/backup
    labels:
      - docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
      - docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
  backup:
    image: offen/docker-volume-backup:latest
    environment:
      BACKUP_SOURCES: /tmp/backup
    volumes:
      - backup:/backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
  backup:
 ```
 ### Using a custom Docker host
 If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL.
 ```ini
 DOCKER_HOST=tcp://docker_socket_proxy:2375
 ```
 In case you are using a socket proxy, it must support `GET` and `POST` requests to the `/containers` endpoint. If you are using Docker Swarm, it must also support the `/services` endpoint. If you are using pre/post backup commands, it must also support the `/exec` endpoint.
 ### Run multiple backup schedules in the same container
 Multiple backup schedules with different configuration can be configured by mounting an arbitrary number of configuration files (using the `.env` format) into `/etc/dockervolumebackup/conf.d`:
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./configuration:/etc/dockervolumebackup/conf.d
 volumes:
  data:
 ```
 A separate cronjob will be created for each config file.
 If a configuration value is set both in the global environment as well as in the config file, the config file will take precedence.
 The `backup` command expects to run on an exclusive lock, so in case you provide the same or overlapping schedules in your cron expressions, the runs will still be executed serially, one after the other.
 The exact order of schedules that use the same cron expression is not specified.
 In case you need your schedules to overlap, you need to create a dedicated container for each schedule instead.
 When changing the configuration, you currently need to manually restart the container for the changes to take effect.
 ### Define different retention schedules
 If you want to manage backup retention on different schedules, the most straight forward approach is to define a dedicated configuration for retention rule using a different prefix in the `BACKUP_FILENAME` parameter and then run them on different cron schedules.
 For example, if you wanted to keep daily backups for 7 days, weekly backups for a month, and retain monthly backups forever, you could create three configuration files and mount them into `/etc/dockervolumebackup.d`:
 ```ini
 # 01daily.conf
 BACKUP_FILENAME="daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # run every day at 2am
 BACKUP_CRON_EXPRESSION="0 2 * * *"
 BACKUP_PRUNING_PREFIX="daily-backup-"
 BACKUP_RETENTION_DAYS="7"
 ```
 ```ini
 # 02weekly.conf
 BACKUP_FILENAME="weekly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # run every monday at 3am
 BACKUP_CRON_EXPRESSION="0 3 * * 1"
 BACKUP_PRUNING_PREFIX="weekly-backup-"
 BACKUP_RETENTION_DAYS="31"
 ```
 ```ini
 # 03monthly.conf
 BACKUP_FILENAME="monthly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
 # run every 1st of a month at 4am
 BACKUP_CRON_EXPRESSION="0 4 1 * *"
 ```
 Note that while it's possible to define colliding cron schedules for each of these configurations, you might need to adjust the value for `LOCK_TIMEOUT` in case your backups are large and might take longer than an hour.
 ## Recipes
 This section lists configuration for some real-world use cases that you can mix and match according to your needs.
@@ -318,9 +826,9 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
@@ -331,6 +839,28 @@ volumes:
  data:
 ```
 ### Backing up to Filebase
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      AWS_ENDPOINT: s3.filebase.com
      AWS_S3_BUCKET_NAME: filebase-bucket
      AWS_ACCESS_KEY_ID: FILEBASE-ACCESS-KEY
      AWS_SECRET_ACCESS_KEY: FILEBASE-SECRET-KEY
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Backing up to MinIO
 ```yml
@@ -339,10 +869,10 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
      AWS_ENDPOINT: minio.example.com
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: MINIOACCESSKEY
      AWS_SECRET_ACCESS_KEY: MINIOSECRETKEY
    volumes:
@@ -353,6 +883,51 @@ volumes:
  data:
 ```
 ### Backing up to WebDAV
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      WEBDAV_URL: https://webdav.mydomain.me
      WEBDAV_PATH: /my/directory/
      WEBDAV_USERNAME: user
      WEBDAV_PASSWORD: password
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
 volumes:
  data:
 ```
 ### Backing up to SSH
 ```yml
 version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      SSH_HOST_NAME: server.local
      SSH_PORT: 2222
      SSH_USER: user
      SSH_REMOTE_PATH: /data
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /path/to/private_key:/root/.ssh/id
 volumes:
  data:
 ```
 ### Backing up locally
 ```yml
@@ -361,7 +936,10 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
      BACKUP_LATEST_SYMLINK: backup-latest.tar.gz
    volumes:
      - data:/backup/my-app-backup:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -379,9 +957,9 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
@@ -401,11 +979,11 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
      # take a backup on every hour
      BACKUP_CRON_EXPRESSION: "0 * * * *"
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    volumes:
@@ -424,9 +1002,9 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
@@ -448,9 +1026,9 @@ version: '3'
 services:
  # ... define other services using the `data` volume here
  backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment:
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      GPG_PASSPHRASE: somesecretstring
@@ -462,6 +1040,32 @@ volumes:
  data:
 ```
 ### Using mysqldump to prepare the backup
 ```yml
 version: '3'
 services:
  database:
    image: mariadb:latest
    labels:
      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump -psecret --all-databases > /tmp/dumps/dump.sql'
    volumes:
      - app_data:/tmp/dumps
  backup:
    image: offen/docker-volume-backup:v2
    environment:
      BACKUP_FILENAME: db.tar.gz
      BACKUP_CRON_EXPRESSION: "0 2 * * *"
    volumes:
      - ./local:/archive
      - data:/backup/data:ro
      - /var/run/docker.sock:/var/run/docker.sock
 volumes:
  data:
 ```
 ### Running multiple instances in the same setup
 ```yml
@@ -470,10 +1074,10 @@ version: '3'
 services:
  # ... define other services using the `data_1` and `data_2` volumes here
  backup_1: &backup_service
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
    environment: &backup_environment
      BACKUP_CRON_EXPRESSION: "0 2 * * *"
-      AWS_BUCKET_NAME: backup-bucket
+      AWS_S3_BUCKET_NAME: backup-bucket
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      # Label the container using the `data_1` volume as `docker-volume-backup.stop-during-backup=service1`
@@ -499,14 +1103,16 @@ volumes:
 ## Differences to `futurice/docker-volume-backup`
-This image is heavily inspired by the `futurice/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
+This image is heavily inspired by `futurice/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
 - The original image is based on `ubuntu` and requires additional tools, making it heavy.
 This version is roughly 1/25 in compressed size (it's ~12MB).
- The original image uses a shell script, when this version is written in Go, which makes it easier to extend and maintain (more verbose too).
+- The original image uses a shell script, when this version is written in Go.
 - The original image proposed to handle backup rotation through AWS S3 lifecycle policies.
 This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO.
 Local copies of backups can also be pruned once they reach a certain age.
 - InfluxDB specific functionality from the original image was removed.
 - `arm64` and `arm/v7` architectures are supported.
 - Docker in Swarm mode is supported.
 - Notifications on finished backups are supported.
 - IAM authentication through instance profiles is supported.
--- a/cmd/backup/archive.go
+++ b/cmd/backup/archive.go
@@ -0,0 +1,133 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 // Portions of this file are taken from package `targz`, Copyright (c) 2014 Fredrik Wallgren
 // Licensed under the MIT License: https://github.com/walle/targz/blob/57fe4206da5abf7dd3901b4af3891ec2f08c7b08/LICENSE
 package main
 import (
 	"archive/tar"
 	"compress/gzip"
 	"fmt"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 )
 func createArchive(files []string, inputFilePath, outputFilePath string) error {
 	inputFilePath = stripTrailingSlashes(inputFilePath)
 	inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
 	if err != nil {
 		return fmt.Errorf("createArchive: error transposing given file paths: %w", err)
 	}
 	if err := os.MkdirAll(filepath.Dir(outputFilePath), 0755); err != nil {
 		return fmt.Errorf("createArchive: error creating output file path: %w", err)
 	}
 	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath)); err != nil {
 		return fmt.Errorf("createArchive: error creating archive: %w", err)
 	}
 	return nil
 }
 func stripTrailingSlashes(path string) string {
 	if len(path) > 0 && path[len(path)-1] == '/' {
 		path = path[0 : len(path)-1]
 	}
 	return path
 }
 func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error) {
 	inputFilePath, err := filepath.Abs(inputFilePath)
 	if err == nil {
 		outputFilePath, err = filepath.Abs(outputFilePath)
 	}
 	return inputFilePath, outputFilePath, err
 }
 func compress(paths []string, outFilePath, subPath string) error {
 	file, err := os.Create(outFilePath)
 	if err != nil {
 		return fmt.Errorf("compress: error creating out file: %w", err)
 	}
 	prefix := path.Dir(outFilePath)
 	gzipWriter := gzip.NewWriter(file)
 	tarWriter := tar.NewWriter(gzipWriter)
 	for _, p := range paths {
 		if err := writeTarGz(p, tarWriter, prefix); err != nil {
 			return fmt.Errorf("compress error writing %s to archive: %w", p, err)
 		}
 	}
 	err = tarWriter.Close()
 	if err != nil {
 		return fmt.Errorf("compress: error closing tar writer: %w", err)
 	}
 	err = gzipWriter.Close()
 	if err != nil {
 		return fmt.Errorf("compress: error closing gzip writer: %w", err)
 	}
 	err = file.Close()
 	if err != nil {
 		return fmt.Errorf("compress: error closing file: %w", err)
 	}
 	return nil
 }
 func writeTarGz(path string, tarWriter *tar.Writer, prefix string) error {
 	fileInfo, err := os.Lstat(path)
 	if err != nil {
 		return fmt.Errorf("writeTarGz: error getting file infor for %s: %w", path, err)
 	}
 	if fileInfo.Mode()&os.ModeSocket == os.ModeSocket {
 		return nil
 	}
 	var link string
 	if fileInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
 		var err error
 		if link, err = os.Readlink(path); err != nil {
 			return fmt.Errorf("writeTarGz: error resolving symlink %s: %w", path, err)
 		}
 	}
 	header, err := tar.FileInfoHeader(fileInfo, link)
 	if err != nil {
 		return fmt.Errorf("writeTarGz: error getting file info header: %w", err)
 	}
 	header.Name = strings.TrimPrefix(path, prefix)
 	err = tarWriter.WriteHeader(header)
 	if err != nil {
 		return fmt.Errorf("writeTarGz: error writing file info header: %w", err)
 	}
 	if !fileInfo.Mode().IsRegular() {
 		return nil
 	}
 	file, err := os.Open(path)
 	if err != nil {
 		return fmt.Errorf("writeTarGz: error opening %s: %w", path, err)
 	}
 	defer file.Close()
 	_, err = io.Copy(tarWriter, file)
 	if err != nil {
 		return fmt.Errorf("writeTarGz: error copying %s to tar writer: %w", path, err)
 	}
 	return nil
 }
--- a/cmd/backup/config.go
+++ b/cmd/backup/config.go
@@ -0,0 +1,74 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"fmt"
 	"regexp"
 	"time"
 )
 // Config holds all configuration values that are expected to be set
 // by users.
 type Config struct {
 	BackupSources              string        `split_words:"true" default:"/backup"`
 	BackupFilename             string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
 	BackupFilenameExpand       bool          `split_words:"true"`
 	BackupLatestSymlink        string        `split_words:"true"`
 	BackupArchive              string        `split_words:"true" default:"/archive"`
 	BackupRetentionDays        int32         `split_words:"true" default:"-1"`
 	BackupPruningLeeway        time.Duration `split_words:"true" default:"1m"`
 	BackupPruningPrefix        string        `split_words:"true"`
 	BackupStopContainerLabel   string        `split_words:"true" default:"true"`
 	BackupFromSnapshot         bool          `split_words:"true"`
 	BackupExcludeRegexp        RegexpDecoder `split_words:"true"`
 	AwsS3BucketName            string        `split_words:"true"`
 	AwsS3Path                  string        `split_words:"true"`
 	AwsEndpoint                string        `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto           string        `split_words:"true" default:"https"`
 	AwsEndpointInsecure        bool          `split_words:"true"`
 	AwsAccessKeyID             string        `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsSecretAccessKey         string        `split_words:"true"`
 	AwsIamRoleEndpoint         string        `split_words:"true"`
 	GpgPassphrase              string        `split_words:"true"`
 	NotificationURLs           []string      `envconfig:"NOTIFICATION_URLS"`
 	NotificationLevel          string        `split_words:"true" default:"error"`
 	EmailNotificationRecipient string        `split_words:"true"`
 	EmailNotificationSender    string        `split_words:"true" default:"noreply@nohost"`
 	EmailSMTPHost              string        `envconfig:"EMAIL_SMTP_HOST"`
 	EmailSMTPPort              int           `envconfig:"EMAIL_SMTP_PORT" default:"587"`
 	EmailSMTPUsername          string        `envconfig:"EMAIL_SMTP_USERNAME"`
 	EmailSMTPPassword          string        `envconfig:"EMAIL_SMTP_PASSWORD"`
 	WebdavUrl                  string        `split_words:"true"`
 	WebdavUrlInsecure          bool          `split_words:"true"`
 	WebdavPath                 string        `split_words:"true" default:"/"`
 	WebdavUsername             string        `split_words:"true"`
 	WebdavPassword             string        `split_words:"true"`
 	SSHHostName                string        `split_words:"true"`
 	SSHPort                    string        `split_words:"true" default:"22"`
 	SSHUser                    string        `split_words:"true"`
 	SSHPassword                string        `split_words:"true"`
 	SSHIdentityFile            string        `split_words:"true" default:"/root/.ssh/id_rsa"`
 	SSHIdentityPassphrase      string        `split_words:"true"`
 	SSHRemotePath              string        `split_words:"true"`
 	ExecLabel                  string        `split_words:"true"`
 	ExecForwardOutput          bool          `split_words:"true"`
 	LockTimeout                time.Duration `split_words:"true" default:"60m"`
 }
 type RegexpDecoder struct {
 	Re *regexp.Regexp
 }
 func (r *RegexpDecoder) Decode(v string) error {
 	if v == "" {
 		return nil
 	}
 	re, err := regexp.Compile(v)
 	if err != nil {
 		return fmt.Errorf("config: error compiling given regexp `%s`: %w", v, err)
 	}
 	*r = RegexpDecoder{Re: re}
 	return nil
 }
--- a/cmd/backup/exec.go
+++ b/cmd/backup/exec.go
@@ -0,0 +1,123 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 // Portions of this file are taken and adapted from `moby`, Copyright 2012-2017 Docker, Inc.
 // Licensed under the Apache 2.0 License: https://github.com/moby/moby/blob/8e610b2b55bfd1bfa9436ab110d311f5e8a74dcb/LICENSE
 package main
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"io/ioutil"
 	"os"
 	"strings"
 	"github.com/cosiner/argv"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/pkg/stdcopy"
 	"golang.org/x/sync/errgroup"
 )
 func (s *script) exec(containerRef string, command string) ([]byte, []byte, error) {
 	args, _ := argv.Argv(command, nil, nil)
 	execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, types.ExecConfig{
 		Cmd:          args[0],
 		AttachStdin:  true,
 		AttachStderr: true,
 	})
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error creating container exec: %w", err)
 	}
 	resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, types.ExecStartCheck{})
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error attaching container exec: %w", err)
 	}
 	defer resp.Close()
 	var outBuf, errBuf bytes.Buffer
 	outputDone := make(chan error)
 	go func() {
 		_, err := stdcopy.StdCopy(&outBuf, &errBuf, resp.Reader)
 		outputDone <- err
 	}()
 	select {
 	case err := <-outputDone:
 		if err != nil {
 			return nil, nil, fmt.Errorf("exec: error demultiplexing output: %w", err)
 		}
 		break
 	}
 	stdout, err := ioutil.ReadAll(&outBuf)
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error reading stdout: %w", err)
 	}
 	stderr, err := ioutil.ReadAll(&errBuf)
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error reading stderr: %w", err)
 	}
 	res, err := s.cli.ContainerExecInspect(context.Background(), execID.ID)
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error inspecting container exec: %w", err)
 	}
 	if res.ExitCode > 0 {
 		return stdout, stderr, fmt.Errorf("exec: running command exited %d", res.ExitCode)
 	}
 	return stdout, stderr, nil
 }
 func (s *script) runLabeledCommands(label string) error {
 	f := []filters.KeyValuePair{
 		{Key: "label", Value: label},
 	}
 	if s.c.ExecLabel != "" {
 		f = append(f, filters.KeyValuePair{
 			Key:   "label",
 			Value: fmt.Sprintf("docker-volume-backup.exec-label=%s", s.c.ExecLabel),
 		})
 	}
 	containersWithCommand, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet:   true,
 		Filters: filters.NewArgs(f...),
 	})
 	if err != nil {
 		return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
 	}
 	if len(containersWithCommand) == 0 {
 		return nil
 	}
 	g := new(errgroup.Group)
 	for _, container := range containersWithCommand {
 		c := container
 		g.Go(func() error {
 			cmd, _ := c.Labels[label]
 			s.logger.Infof("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/"))
 			stdout, stderr, err := s.exec(c.ID, cmd)
 			if s.c.ExecForwardOutput {
 				os.Stderr.Write(stderr)
 				os.Stdout.Write(stdout)
 			}
 			if err != nil {
 				return fmt.Errorf("runLabeledCommands: error executing command: %w", err)
 			}
 			return nil
 		})
 	}
 	if err := g.Wait(); err != nil {
 		return fmt.Errorf("runLabeledCommands: error from errgroup: %w", err)
 	}
 	return nil
 }
--- a/cmd/backup/hooks.go
+++ b/cmd/backup/hooks.go
@@ -0,0 +1,56 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"fmt"
 	"sort"
 )
 // hook contains a queued action that can be trigger them when the script
 // reaches a certain point (e.g. unsuccessful backup)
 type hook struct {
 	level  hookLevel
 	action func(err error) error
 }
 type hookLevel int
 const (
 	hookLevelPlumbing hookLevel = iota
 	hookLevelError
 	hookLevelInfo
 )
 var hookLevels = map[string]hookLevel{
 	"info":  hookLevelInfo,
 	"error": hookLevelError,
 }
 // registerHook adds the given action at the given level.
 func (s *script) registerHook(level hookLevel, action func(err error) error) {
 	s.hooks = append(s.hooks, hook{level, action})
 }
 // runHooks runs all hooks that have been registered using the
 // given levels in the defined ordering. In case executing a hook returns an
 // error, the following hooks will still be run before the function returns.
 func (s *script) runHooks(err error) error {
 	sort.SliceStable(s.hooks, func(i, j int) bool {
 		return s.hooks[i].level < s.hooks[j].level
 	})
 	var actionErrors []error
 	for _, hook := range s.hooks {
 		if hook.level > s.hookLevel {
 			continue
 		}
 		if actionErr := hook.action(err); actionErr != nil {
 			actionErrors = append(actionErrors, fmt.Errorf("runHooks: error running hook: %w", actionErr))
 		}
 	}
 	if len(actionErrors) != 0 {
 		return join(actionErrors...)
 	}
 	return nil
 }
--- a/cmd/backup/lock.go
+++ b/cmd/backup/lock.go
@@ -0,0 +1,58 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"errors"
 	"fmt"
 	"time"
 	"github.com/gofrs/flock"
 )
 // lock opens a lockfile at the given location, keeping it locked until the
 // caller invokes the returned release func. In case the lock is currently blocked
 // by another execution, it will repeatedly retry until the lock is available
 // or the given timeout is exceeded.
 func (s *script) lock(lockfile string) (func() error, error) {
 	start := time.Now()
 	defer func() {
 		s.stats.LockedTime = time.Now().Sub(start)
 	}()
 	retry := time.NewTicker(5 * time.Second)
 	defer retry.Stop()
 	deadline := time.NewTimer(s.c.LockTimeout)
 	defer deadline.Stop()
 	fileLock := flock.New(lockfile)
 	for {
 		acquired, err := fileLock.TryLock()
 		if err != nil {
 			return noop, fmt.Errorf("lock: error trying lock: %w", err)
 		}
 		if acquired {
 			if s.encounteredLock {
 				s.logger.Info("Acquired exclusive lock on subsequent attempt, ready to continue.")
 			}
 			return fileLock.Unlock, nil
 		}
 		if !s.encounteredLock {
 			s.logger.Infof(
 				"Exclusive lock was not available on first attempt. Will retry until it becomes available or the timeout of %s is exceeded.",
 				s.c.LockTimeout,
 			)
 			s.encounteredLock = true
 		}
 		select {
 		case <-retry.C:
 			continue
 		case <-deadline.C:
 			return noop, errors.New("lock: timed out waiting for lockfile to become available")
 		}
 	}
 }
--- a/cmd/backup/main.go
+++ b/cmd/backup/main.go
@@ -1,44 +1,55 @@
-// Copyright 2021 - Offen Authors <hioffen@posteo.de>
+// Copyright 2021-2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 	"github.com/gofrs/flock"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/leekchan/timeutil"
 	"github.com/m90/targz"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/openpgp"
 )
 func main() {
 	unlock := lock("/var/lock/dockervolumebackup.lock")
 	defer unlock()
 	s, err := newScript()
 	if err != nil {
 		panic(err)
 	}
 	unlock, err := s.lock("/var/lock/dockervolumebackup.lock")
 	defer unlock()
 	s.must(err)
 	defer func() {
 		if pArg := recover(); pArg != nil {
 			if err, ok := pArg.(error); ok {
 				if hookErr := s.runHooks(err); hookErr != nil {
 					s.logger.Errorf("An error occurred calling the registered hooks: %s", hookErr)
 				}
 				os.Exit(1)
 			}
 			panic(pArg)
 		}
 		if err := s.runHooks(nil); err != nil {
 			s.logger.Errorf(
 				"Backup procedure ran successfully, but an error ocurred calling the registered hooks: %v",
 				err,
 			)
 			os.Exit(1)
 		}
 		s.logger.Info("Finished running backup tasks.")
 	}()
 	s.must(func() error {
 		runPostCommands, err := s.runCommands()
 		defer func() {
 			s.must(runPostCommands())
 		}()
 		if err != nil {
 			return err
 		}
 		restartContainers, err := s.stopContainers()
 		// The mechanism for restarting containers is not using hooks as it
 		// should happen as soon as possible (i.e. before uploading backups or
 		// similar).
 		defer func() {
 			s.must(restartContainers())
 		}()
@@ -50,479 +61,5 @@ func main() {
 	s.must(s.encryptBackup())
 	s.must(s.copyBackup())
-	s.must(s.removeArtifacts())
+	s.must(s.pruneBackups())
 	s.must(s.pruneOldBackups())
 	s.logger.Info("Finished running backup tasks.")
 }
 // script holds all the stateful information required to orchestrate a
 // single backup run.
 type script struct {
 	cli    *client.Client
 	mc     *minio.Client
 	logger *logrus.Logger
 	start time.Time
 	file  string
 	c *config
 }
 type config struct {
 	BackupSources            string        `split_words:"true" default:"/backup"`
 	BackupFilename           string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
 	BackupArchive            string        `split_words:"true" default:"/archive"`
 	BackupRetentionDays      int32         `split_words:"true" default:"-1"`
 	BackupPruningLeeway      time.Duration `split_words:"true" default:"1m"`
 	BackupPruningPrefix      string        `split_words:"true"`
 	BackupStopContainerLabel string        `split_words:"true" default:"true"`
 	AwsS3BucketName          string        `split_words:"true"`
 	AwsEndpoint              string        `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto         string        `split_words:"true" default:"https"`
 	AwsEndpointInsecure      bool          `split_words:"true"`
 	AwsAccessKeyID           string        `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsSecretAccessKey       string        `split_words:"true"`
 	GpgPassphrase            string        `split_words:"true"`
 }
 // newScript creates all resources needed for the script to perform actions against
 // remote resources like the Docker engine or remote storage locations. All
 // reading from env vars or other configuration sources is expected to happen
 // in this method.
 func newScript() (*script, error) {
 	s := &script{
 		c: &config{},
 		logger: &logrus.Logger{
 			Out:       os.Stdout,
 			Formatter: new(logrus.TextFormatter),
 			Hooks:     make(logrus.LevelHooks),
 			Level:     logrus.InfoLevel,
 		},
 		start: time.Now(),
 	}
 	if err := envconfig.Process("", s.c); err != nil {
 		return nil, fmt.Errorf("newScript: failed to process configuration values: %w", err)
 	}
 	s.file = path.Join("/tmp", s.c.BackupFilename)
 	_, err := os.Stat("/var/run/docker.sock")
 	if !os.IsNotExist(err) {
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 		if err != nil {
 			return nil, fmt.Errorf("newScript: failed to create docker client")
 		}
 		s.cli = cli
 	}
 	if s.c.AwsS3BucketName != "" {
 		mc, err := minio.New(s.c.AwsEndpoint, &minio.Options{
 			Creds: credentials.NewStaticV4(
 				s.c.AwsAccessKeyID,
 				s.c.AwsSecretAccessKey,
 				"",
 			),
 			Secure: !s.c.AwsEndpointInsecure && s.c.AwsEndpointProto == "https",
 		})
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error setting up minio client: %w", err)
 		}
 		s.mc = mc
 	}
 	return s, nil
 }
 var noop = func() error { return nil }
 // stopContainers stops all Docker containers that are marked as to being
 // stopped during the backup and returns a function that can be called to
 // restart everything that has been stopped.
 func (s *script) stopContainers() (func() error, error) {
 	if s.cli == nil {
 		return noop, nil
 	}
 	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet: true,
 	})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
 	}
 	containerLabel := fmt.Sprintf(
 		"docker-volume-backup.stop-during-backup=%s",
 		s.c.BackupStopContainerLabel,
 	)
 	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet: true,
 		Filters: filters.NewArgs(filters.KeyValuePair{
 			Key:   "label",
 			Value: containerLabel,
 		}),
 	})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
 	}
 	if len(containersToStop) == 0 {
 		return noop, nil
 	}
 	s.logger.Infof(
 		"Stopping %d container(s) labeled `%s` out of %d running container(s).",
 		len(containersToStop),
 		containerLabel,
 		len(allContainers),
 	)
 	var stoppedContainers []types.Container
 	var stopErrors []error
 	for _, container := range containersToStop {
 		if err := s.cli.ContainerStop(context.Background(), container.ID, nil); err != nil {
 			stopErrors = append(stopErrors, err)
 		} else {
 			stoppedContainers = append(stoppedContainers, container)
 		}
 	}
 	var stopError error
 	if len(stopErrors) != 0 {
 		stopError = fmt.Errorf(
 			"stopContainersAndRun: %d error(s) stopping containers: %w",
 			len(stopErrors),
 			join(stopErrors...),
 		)
 	}
 	return func() error {
 		servicesRequiringUpdate := map[string]struct{}{}
 		var restartErrors []error
 		for _, container := range stoppedContainers {
 			if swarmServiceName, ok := container.Labels["com.docker.swarm.service.name"]; ok {
 				servicesRequiringUpdate[swarmServiceName] = struct{}{}
 				continue
 			}
 			if err := s.cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
 				restartErrors = append(restartErrors, err)
 			}
 		}
 		if len(servicesRequiringUpdate) != 0 {
 			services, _ := s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
 			for serviceName := range servicesRequiringUpdate {
 				var serviceMatch swarm.Service
 				for _, service := range services {
 					if service.Spec.Name == serviceName {
 						serviceMatch = service
 						break
 					}
 				}
 				if serviceMatch.ID == "" {
 					return fmt.Errorf("stopContainersAndRun: couldn't find service with name %s", serviceName)
 				}
 				serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
 				_, err := s.cli.ServiceUpdate(
 					context.Background(), serviceMatch.ID,
 					serviceMatch.Version, serviceMatch.Spec, types.ServiceUpdateOptions{},
 				)
 				if err != nil {
 					restartErrors = append(restartErrors, err)
 				}
 			}
 		}
 		if len(restartErrors) != 0 {
 			return fmt.Errorf(
 				"stopContainersAndRun: %d error(s) restarting containers and services: %w",
 				len(restartErrors),
 				join(restartErrors...),
 			)
 		}
 		s.logger.Infof(
 			"Restarted %d container(s) and the matching service(s).",
 			len(stoppedContainers),
 		)
 		return nil
 	}, stopError
 }
 // takeBackup creates a tar archive of the configured backup location and
 // saves it to disk.
 func (s *script) takeBackup() error {
 	s.file = timeutil.Strftime(&s.start, s.file)
 	if err := targz.Compress(s.c.BackupSources, s.file); err != nil {
 		return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
 	}
 	s.logger.Infof("Created backup of `%s` at `%s`.", s.c.BackupSources, s.file)
 	return nil
 }
 // encryptBackup encrypts the backup file using PGP and the configured passphrase.
 // In case no passphrase is given it returns early, leaving the backup file
 // untouched.
 func (s *script) encryptBackup() error {
 	if s.c.GpgPassphrase == "" {
 		return nil
 	}
 	defer os.Remove(s.file)
 	gpgFile := fmt.Sprintf("%s.gpg", s.file)
 	outFile, err := os.Create(gpgFile)
 	defer outFile.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error opening out file: %w", err)
 	}
 	_, name := path.Split(s.file)
 	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
 		IsBinary: true,
 		FileName: name,
 	}, nil)
 	defer dst.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
 	}
 	src, err := os.Open(s.file)
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error opening backup file %s: %w", s.file, err)
 	}
 	if _, err := io.Copy(dst, src); err != nil {
 		return fmt.Errorf("encryptBackup: error writing ciphertext to file: %w", err)
 	}
 	s.file = gpgFile
 	s.logger.Infof("Encrypted backup using given passphrase, saving as `%s`.", s.file)
 	return nil
 }
 // copyBackup makes sure the backup file is copied to both local and remote locations
 // as per the given configuration.
 func (s *script) copyBackup() error {
 	_, name := path.Split(s.file)
 	if s.mc != nil {
 		_, err := s.mc.FPutObject(context.Background(), s.c.AwsS3BucketName, name, s.file, minio.PutObjectOptions{
 			ContentType: "application/tar+gzip",
 		})
 		if err != nil {
 			return fmt.Errorf("copyBackup: error uploading backup to remote storage: %w", err)
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`.", s.file, s.c.AwsS3BucketName)
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		if err := copy(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
 		}
 		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`.", s.file, s.c.BackupArchive)
 	}
 	return nil
 }
 // removeArtifacts removes the backup file from disk.
 func (s *script) removeArtifacts() error {
 	if err := os.Remove(s.file); err != nil {
 		return fmt.Errorf("removeArtifacts: error removing file: %w", err)
 	}
 	s.logger.Info("Removed local artifacts.")
 	return nil
 }
 // pruneOldBackups rotates away backups from local and remote storages using
 // the given configuration. In case the given configuration would delete all
 // backups, it does nothing instead.
 func (s *script) pruneOldBackups() error {
 	if s.c.BackupRetentionDays < 0 {
 		return nil
 	}
 	if s.c.BackupPruningLeeway != 0 {
 		s.logger.Infof("Sleeping for %s before pruning backups.", s.c.BackupPruningLeeway)
 		time.Sleep(s.c.BackupPruningLeeway)
 	}
 	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays))
 	if s.mc != nil {
 		candidates := s.mc.ListObjects(context.Background(), s.c.AwsS3BucketName, minio.ListObjectsOptions{
 			WithMetadata: true,
 			Prefix:       s.c.BackupPruningPrefix,
 		})
 		var matches []minio.ObjectInfo
 		var lenCandidates int
 		for candidate := range candidates {
 			lenCandidates++
 			if candidate.Err != nil {
 				return fmt.Errorf(
 					"pruneOldBackups: error looking up candidates from remote storage: %w",
 					candidate.Err,
 				)
 			}
 			if candidate.LastModified.Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		if len(matches) != 0 && len(matches) != lenCandidates {
 			objectsCh := make(chan minio.ObjectInfo)
 			go func() {
 				for _, match := range matches {
 					objectsCh <- match
 				}
 				close(objectsCh)
 			}()
 			errChan := s.mc.RemoveObjects(context.Background(), s.c.AwsS3BucketName, objectsCh, minio.RemoveObjectsOptions{})
 			var removeErrors []error
 			for result := range errChan {
 				if result.Err != nil {
 					removeErrors = append(removeErrors, result.Err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return fmt.Errorf(
 					"pruneOldBackups: %d error(s) removing files from remote storage: %w",
 					len(removeErrors),
 					join(removeErrors...),
 				)
 			}
 			s.logger.Infof(
 				"Pruned %d out of %d remote backup(s) as their age exceeded the configured retention period of %d days.",
 				len(matches),
 				lenCandidates,
 				s.c.BackupRetentionDays,
 			)
 		} else if len(matches) != 0 && len(matches) == lenCandidates {
 			s.logger.Warnf(
 				"The current configuration would delete all %d remote backup copies.",
 				len(matches),
 			)
 			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d remote backup(s) were pruned.", lenCandidates)
 		}
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		candidates, err := filepath.Glob(
 			path.Join(s.c.BackupArchive, fmt.Sprintf("%s*", s.c.BackupPruningPrefix)),
 		)
 		if err != nil {
 			return fmt.Errorf(
 				"pruneOldBackups: error looking up matching files, starting with: %w", err,
 			)
 		}
 		var matches []string
 		for _, candidate := range candidates {
 			fi, err := os.Stat(candidate)
 			if err != nil {
 				return fmt.Errorf(
 					"pruneOldBackups: error calling stat on file %s: %w",
 					candidate,
 					err,
 				)
 			}
 			if fi.ModTime().Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		if len(matches) != 0 && len(matches) != len(candidates) {
 			var removeErrors []error
 			for _, candidate := range matches {
 				if err := os.Remove(candidate); err != nil {
 					removeErrors = append(removeErrors, err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return fmt.Errorf(
 					"pruneOldBackups: %d error(s) deleting local files, starting with: %w",
 					len(removeErrors),
 					join(removeErrors...),
 				)
 			}
 			s.logger.Infof(
 				"Pruned %d out of %d local backup(s) as their age exceeded the configured retention period of %d days.",
 				len(matches),
 				len(candidates),
 				s.c.BackupRetentionDays,
 			)
 		} else if len(matches) != 0 && len(matches) == len(candidates) {
 			s.logger.Warnf(
 				"The current configuration would delete all %d local backup copies.",
 				len(matches),
 			)
 			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d local backup(s) were pruned.", len(candidates))
 		}
 	}
 	return nil
 }
 // must exits the script run non-zero and prematurely in case the given error
 // is non-nil.
 func (s *script) must(err error) {
 	if err != nil {
 		s.logger.Fatalf("Fatal error running backup: %s", err)
 	}
 }
 // lock opens a lockfile at the given location, keeping it locked until the
 // caller invokes the returned release func. When invoked while the file is
 // still locked the function panics.
 func lock(lockfile string) func() error {
 	fileLock := flock.New(lockfile)
 	acquired, err := fileLock.TryLock()
 	if err != nil {
 		panic(err)
 	}
 	if !acquired {
 		panic("unable to acquire file lock")
 	}
 	return fileLock.Unlock
 }
 // copy creates a copy of the file located at `dst` at `src`.
 func copy(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer in.Close()
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(out, in)
 	if err != nil {
 		out.Close()
 		return err
 	}
 	return out.Close()
 }
 // join takes a list of errors and joins them into a single error
 func join(errs ...error) error {
 	if len(errs) == 1 {
 		return errs[0]
 	}
 	var msgs []string
 	for _, err := range errs {
 		if err == nil {
 			continue
 		}
 		msgs = append(msgs, err.Error())
 	}
 	return errors.New("[" + strings.Join(msgs, ", ") + "]")
 }
--- a/cmd/backup/notifications.go
+++ b/cmd/backup/notifications.go
@@ -0,0 +1,105 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	_ "embed"
 	"fmt"
 	"text/template"
 	"time"
 	sTypes "github.com/containrrr/shoutrrr/pkg/types"
 )
 //go:embed notifications.tmpl
 var defaultNotifications string
 // NotificationData data to be passed to the notification templates
 type NotificationData struct {
 	Error  error
 	Config *Config
 	Stats  *Stats
 }
 // notify sends a notification using the given title and body templates.
 // Automatically creates notification data, adding the given error
 func (s *script) notify(titleTemplate string, bodyTemplate string, err error) error {
 	params := NotificationData{
 		Error:  err,
 		Stats:  s.stats,
 		Config: s.c,
 	}
 	titleBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(titleBuf, titleTemplate, params); err != nil {
 		return fmt.Errorf("notifyFailure: error executing %s template: %w", titleTemplate, err)
 	}
 	bodyBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(bodyBuf, bodyTemplate, params); err != nil {
 		return fmt.Errorf("notifyFailure: error executing %s template: %w", bodyTemplate, err)
 	}
 	if err := s.sendNotification(titleBuf.String(), bodyBuf.String()); err != nil {
 		return fmt.Errorf("notifyFailure: error notifying: %w", err)
 	}
 	return nil
 }
 // notifyFailure sends a notification about a failed backup run
 func (s *script) notifyFailure(err error) error {
 	return s.notify("title_failure", "body_failure", err)
 }
 // notifyFailure sends a notification about a successful backup run
 func (s *script) notifySuccess() error {
 	return s.notify("title_success", "body_success", nil)
 }
 // sendNotification sends a notification to all configured third party services
 func (s *script) sendNotification(title, body string) error {
 	var errs []error
 	for _, result := range s.sender.Send(body, &sTypes.Params{"title": title}) {
 		if result != nil {
 			errs = append(errs, result)
 		}
 	}
 	if len(errs) != 0 {
 		return fmt.Errorf("sendNotification: error sending message: %w", join(errs...))
 	}
 	return nil
 }
 var templateHelpers = template.FuncMap{
 	"formatTime": func(t time.Time) string {
 		return t.Format(time.RFC3339)
 	},
 	"formatBytesDec": func(bytes uint64) string {
 		return formatBytes(bytes, true)
 	},
 	"formatBytesBin": func(bytes uint64) string {
 		return formatBytes(bytes, false)
 	},
 }
 // formatBytes converts an amount of bytes in a human-readable representation
 // the decimal parameter specifies if using powers of 1000 (decimal) or powers of 1024 (binary)
 func formatBytes(b uint64, decimal bool) string {
 	unit := uint64(1024)
 	format := "%.1f %ciB"
 	if decimal {
 		unit = uint64(1000)
 		format = "%.1f %cB"
 	}
 	if b < unit {
 		return fmt.Sprintf("%d B", b)
 	}
 	div, exp := unit, 0
 	for n := b / unit; n >= unit; n /= unit {
 		div *= unit
 		exp++
 	}
 	return fmt.Sprintf(format, float64(b)/float64(div), "kMGTPE"[exp])
 }
--- a/cmd/backup/notifications.tmpl
+++ b/cmd/backup/notifications.tmpl
@@ -0,0 +1,26 @@
 {{ define "title_failure" -}}
 Failure running docker-volume-backup at {{ .Stats.StartTime | formatTime }}
 {{- end }}
 {{ define "body_failure" -}}
 Running docker-volume-backup failed with error: {{ .Error }}
 Log output of the failed run was:
 {{ .Stats.LogOutput }}
 {{- end }}
 {{ define "title_success" -}}
 Success running docker-volume-backup at {{ .Stats.StartTime | formatTime }}
 {{- end }}
 {{ define "body_success" -}}
 Running docker-volume-backup succeeded.
 Log output was:
 {{ .Stats.LogOutput }}
 {{- end }}
--- a/cmd/backup/script.go
+++ b/cmd/backup/script.go
@@ -0,0 +1,858 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
 	"io"
 	"io/fs"
 	"io/ioutil"
 	"net/http"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 	"text/template"
 	"time"
 	"github.com/containrrr/shoutrrr"
 	"github.com/containrrr/shoutrrr/pkg/router"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/leekchan/timeutil"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/otiai10/copy"
 	"github.com/sirupsen/logrus"
 	"github.com/studio-b12/gowebdav"
 	"golang.org/x/crypto/openpgp"
 )
 // script holds all the stateful information required to orchestrate a
 // single backup run.
 type script struct {
 	cli          *client.Client
 	minioClient  *minio.Client
 	webdavClient *gowebdav.Client
 	sshClient    *ssh.Client
 	sftpClient   *sftp.Client
 	logger       *logrus.Logger
 	sender       *router.ServiceRouter
 	template     *template.Template
 	hooks        []hook
 	hookLevel    hookLevel
 	file  string
 	stats *Stats
 	encounteredLock bool
 	c *Config
 }
 // newScript creates all resources needed for the script to perform actions against
 // remote resources like the Docker engine or remote storage locations. All
 // reading from env vars or other configuration sources is expected to happen
 // in this method.
 func newScript() (*script, error) {
 	stdOut, logBuffer := buffer(os.Stdout)
 	s := &script{
 		c: &Config{},
 		logger: &logrus.Logger{
 			Out:       stdOut,
 			Formatter: new(logrus.TextFormatter),
 			Hooks:     make(logrus.LevelHooks),
 			Level:     logrus.InfoLevel,
 		},
 		stats: &Stats{
 			StartTime: time.Now(),
 			LogOutput: logBuffer,
 			Storages:  StoragesStats{},
 		},
 	}
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		s.stats.EndTime = time.Now()
 		s.stats.TookTime = s.stats.EndTime.Sub(s.stats.StartTime)
 		return nil
 	})
 	if err := envconfig.Process("", s.c); err != nil {
 		return nil, fmt.Errorf("newScript: failed to process configuration values: %w", err)
 	}
 	s.file = path.Join("/tmp", s.c.BackupFilename)
 	if s.c.BackupFilenameExpand {
 		s.file = os.ExpandEnv(s.file)
 		s.c.BackupLatestSymlink = os.ExpandEnv(s.c.BackupLatestSymlink)
 		s.c.BackupPruningPrefix = os.ExpandEnv(s.c.BackupPruningPrefix)
 	}
 	s.file = timeutil.Strftime(&s.stats.StartTime, s.file)
 	_, err := os.Stat("/var/run/docker.sock")
 	_, dockerHostSet := os.LookupEnv("DOCKER_HOST")
 	if !os.IsNotExist(err) || dockerHostSet {
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 		if err != nil {
 			return nil, fmt.Errorf("newScript: failed to create docker client")
 		}
 		s.cli = cli
 	}
 	if s.c.AwsS3BucketName != "" {
 		var creds *credentials.Credentials
 		if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != "" {
 			creds = credentials.NewStaticV4(
 				s.c.AwsAccessKeyID,
 				s.c.AwsSecretAccessKey,
 				"",
 			)
 		} else if s.c.AwsIamRoleEndpoint != "" {
 			creds = credentials.NewIAM(s.c.AwsIamRoleEndpoint)
 		} else {
 			return nil, errors.New("newScript: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
 		}
 		options := minio.Options{
 			Creds:  creds,
 			Secure: s.c.AwsEndpointProto == "https",
 		}
 		if s.c.AwsEndpointInsecure {
 			if !options.Secure {
 				return nil, errors.New("newScript: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 			}
 			transport, err := minio.DefaultTransport(true)
 			if err != nil {
 				return nil, fmt.Errorf("newScript: failed to create default minio transport")
 			}
 			transport.TLSClientConfig.InsecureSkipVerify = true
 			options.Transport = transport
 		}
 		mc, err := minio.New(s.c.AwsEndpoint, &options)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error setting up minio client: %w", err)
 		}
 		s.minioClient = mc
 	}
 	if s.c.WebdavUrl != "" {
 		if s.c.WebdavUsername == "" || s.c.WebdavPassword == "" {
 			return nil, errors.New("newScript: WEBDAV_URL is defined, but no credentials were provided")
 		} else {
 			webdavClient := gowebdav.NewClient(s.c.WebdavUrl, s.c.WebdavUsername, s.c.WebdavPassword)
 			s.webdavClient = webdavClient
 			if s.c.WebdavUrlInsecure {
 				defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 				if !ok {
 					return nil, errors.New("newScript: unexpected error when asserting type for http.DefaultTransport")
 				}
 				webdavTransport := defaultTransport.Clone()
 				webdavTransport.TLSClientConfig.InsecureSkipVerify = s.c.WebdavUrlInsecure
 				s.webdavClient.SetTransport(webdavTransport)
 			}
 		}
 	}
 	if s.c.SSHHostName != "" {
 		var authMethods []ssh.AuthMethod
 		if s.c.SSHPassword != "" {
 			authMethods = append(authMethods, ssh.Password(s.c.SSHPassword))
 		}
 		if _, err := os.Stat(s.c.SSHIdentityFile); err == nil {
 			key, err := ioutil.ReadFile(s.c.SSHIdentityFile)
 			if err != nil {
 				return nil, errors.New("newScript: error reading the private key")
 			}
 			var signer ssh.Signer
 			if s.c.SSHIdentityPassphrase != "" {
 				signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(s.c.SSHIdentityPassphrase))
 				if err != nil {
 					return nil, errors.New("newScript: error parsing the encrypted private key")
 				}
 				authMethods = append(authMethods, ssh.PublicKeys(signer))
 			} else {
 				signer, err = ssh.ParsePrivateKey(key)
 				if err != nil {
 					return nil, errors.New("newScript: error parsing the private key")
 				}
 				authMethods = append(authMethods, ssh.PublicKeys(signer))
 			}
 		}
 		sshClientConfig := &ssh.ClientConfig{
 			User:            s.c.SSHUser,
 			Auth:            authMethods,
 			HostKeyCallback: ssh.InsecureIgnoreHostKey(),
 		}
 		sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", s.c.SSHHostName, s.c.SSHPort), sshClientConfig)
 		s.sshClient = sshClient
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating ssh client: %w", err)
 		}
 		_, _, err = s.sshClient.SendRequest("keepalive", false, nil)
 		if err != nil {
 			return nil, err
 		}
 		sftpClient, err := sftp.NewClient(sshClient)
 		s.sftpClient = sftpClient
 		if err != nil {
 			return nil, fmt.Errorf("newScript: error creating sftp client: %w", err)
 		}
 	}
 	if s.c.EmailNotificationRecipient != "" {
 		emailURL := fmt.Sprintf(
 			"smtp://%s:%s@%s:%d/?from=%s&to=%s",
 			s.c.EmailSMTPUsername,
 			s.c.EmailSMTPPassword,
 			s.c.EmailSMTPHost,
 			s.c.EmailSMTPPort,
 			s.c.EmailNotificationSender,
 			s.c.EmailNotificationRecipient,
 		)
 		s.c.NotificationURLs = append(s.c.NotificationURLs, emailURL)
 		s.logger.Warn(
 			"Using EMAIL_* keys for providing notification configuration has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use NOTIFICATION_URLS instead. Refer to the README for an upgrade guide.",
 		)
 	}
 	hookLevel, ok := hookLevels[s.c.NotificationLevel]
 	if !ok {
 		return nil, fmt.Errorf("newScript: unknown NOTIFICATION_LEVEL %s", s.c.NotificationLevel)
 	}
 	s.hookLevel = hookLevel
 	if len(s.c.NotificationURLs) > 0 {
 		sender, senderErr := shoutrrr.CreateSender(s.c.NotificationURLs...)
 		if senderErr != nil {
 			return nil, fmt.Errorf("newScript: error creating sender: %w", senderErr)
 		}
 		s.sender = sender
 		tmpl := template.New("")
 		tmpl.Funcs(templateHelpers)
 		tmpl, err = tmpl.Parse(defaultNotifications)
 		if err != nil {
 			return nil, fmt.Errorf("newScript: unable to parse default notifications templates: %w", err)
 		}
 		if fi, err := os.Stat("/etc/dockervolumebackup/notifications.d"); err == nil && fi.IsDir() {
 			tmpl, err = tmpl.ParseGlob("/etc/dockervolumebackup/notifications.d/*.*")
 			if err != nil {
 				return nil, fmt.Errorf("newScript: unable to parse user defined notifications templates: %w", err)
 			}
 		}
 		s.template = tmpl
 		// To prevent duplicate notifications, ensure the regsistered callbacks
 		// run mutually exclusive.
 		s.registerHook(hookLevelError, func(err error) error {
 			if err == nil {
 				return nil
 			}
 			return s.notifyFailure(err)
 		})
 		s.registerHook(hookLevelInfo, func(err error) error {
 			if err != nil {
 				return nil
 			}
 			return s.notifySuccess()
 		})
 	}
 	return s, nil
 }
 func (s *script) runCommands() (func() error, error) {
 	if s.cli == nil {
 		return noop, nil
 	}
 	if err := s.runLabeledCommands("docker-volume-backup.exec-pre"); err != nil {
 		return noop, fmt.Errorf("runCommands: error running pre commands: %w", err)
 	}
 	return func() error {
 		if err := s.runLabeledCommands("docker-volume-backup.exec-post"); err != nil {
 			return fmt.Errorf("runCommands: error running post commands: %w", err)
 		}
 		return nil
 	}, nil
 }
 // stopContainers stops all Docker containers that are marked as to being
 // stopped during the backup and returns a function that can be called to
 // restart everything that has been stopped.
 func (s *script) stopContainers() (func() error, error) {
 	if s.cli == nil {
 		return noop, nil
 	}
 	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet: true,
 	})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
 	}
 	containerLabel := fmt.Sprintf(
 		"docker-volume-backup.stop-during-backup=%s",
 		s.c.BackupStopContainerLabel,
 	)
 	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Quiet: true,
 		Filters: filters.NewArgs(filters.KeyValuePair{
 			Key:   "label",
 			Value: containerLabel,
 		}),
 	})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
 	}
 	if len(containersToStop) == 0 {
 		return noop, nil
 	}
 	s.logger.Infof(
 		"Stopping %d container(s) labeled `%s` out of %d running container(s).",
 		len(containersToStop),
 		containerLabel,
 		len(allContainers),
 	)
 	var stoppedContainers []types.Container
 	var stopErrors []error
 	for _, container := range containersToStop {
 		if err := s.cli.ContainerStop(context.Background(), container.ID, nil); err != nil {
 			stopErrors = append(stopErrors, err)
 		} else {
 			stoppedContainers = append(stoppedContainers, container)
 		}
 	}
 	var stopError error
 	if len(stopErrors) != 0 {
 		stopError = fmt.Errorf(
 			"stopContainersAndRun: %d error(s) stopping containers: %w",
 			len(stopErrors),
 			join(stopErrors...),
 		)
 	}
 	s.stats.Containers = ContainersStats{
 		All:     uint(len(allContainers)),
 		ToStop:  uint(len(containersToStop)),
 		Stopped: uint(len(stoppedContainers)),
 	}
 	return func() error {
 		servicesRequiringUpdate := map[string]struct{}{}
 		var restartErrors []error
 		for _, container := range stoppedContainers {
 			if swarmServiceName, ok := container.Labels["com.docker.swarm.service.name"]; ok {
 				servicesRequiringUpdate[swarmServiceName] = struct{}{}
 				continue
 			}
 			if err := s.cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
 				restartErrors = append(restartErrors, err)
 			}
 		}
 		if len(servicesRequiringUpdate) != 0 {
 			services, _ := s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
 			for serviceName := range servicesRequiringUpdate {
 				var serviceMatch swarm.Service
 				for _, service := range services {
 					if service.Spec.Name == serviceName {
 						serviceMatch = service
 						break
 					}
 				}
 				if serviceMatch.ID == "" {
 					return fmt.Errorf("stopContainersAndRun: couldn't find service with name %s", serviceName)
 				}
 				serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
 				if _, err := s.cli.ServiceUpdate(
 					context.Background(), serviceMatch.ID,
 					serviceMatch.Version, serviceMatch.Spec, types.ServiceUpdateOptions{},
 				); err != nil {
 					restartErrors = append(restartErrors, err)
 				}
 			}
 		}
 		if len(restartErrors) != 0 {
 			return fmt.Errorf(
 				"stopContainersAndRun: %d error(s) restarting containers and services: %w",
 				len(restartErrors),
 				join(restartErrors...),
 			)
 		}
 		s.logger.Infof(
 			"Restarted %d container(s) and the matching service(s).",
 			len(stoppedContainers),
 		)
 		return nil
 	}, stopError
 }
 // takeBackup creates a tar archive of the configured backup location and
 // saves it to disk.
 func (s *script) takeBackup() error {
 	backupSources := s.c.BackupSources
 	if s.c.BackupFromSnapshot {
 		s.logger.Warn(
 			"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
 		)
 		s.logger.Warn(
 			"Please use `exec-pre` and `exec-post` commands to prepare your backup sources. Refer to the README for an upgrade guide.",
 		)
 		backupSources = filepath.Join("/tmp", s.c.BackupSources)
 		// copy before compressing guard against a situation where backup folder's content are still growing.
 		s.registerHook(hookLevelPlumbing, func(error) error {
 			if err := remove(backupSources); err != nil {
 				return fmt.Errorf("takeBackup: error removing snapshot: %w", err)
 			}
 			s.logger.Infof("Removed snapshot `%s`.", backupSources)
 			return nil
 		})
 		if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
 			PreserveTimes: true,
 			PreserveOwner: true,
 		}); err != nil {
 			return fmt.Errorf("takeBackup: error creating snapshot: %w", err)
 		}
 		s.logger.Infof("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources)
 	}
 	tarFile := s.file
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		if err := remove(tarFile); err != nil {
 			return fmt.Errorf("takeBackup: error removing tar file: %w", err)
 		}
 		s.logger.Infof("Removed tar file `%s`.", tarFile)
 		return nil
 	})
 	backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
 	if err != nil {
 		return fmt.Errorf("takeBackup: error getting absolute path: %w", err)
 	}
 	var filesEligibleForBackup []string
 	if err := filepath.WalkDir(backupPath, func(path string, di fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 		if s.c.BackupExcludeRegexp.Re != nil && s.c.BackupExcludeRegexp.Re.MatchString(path) {
 			return nil
 		}
 		filesEligibleForBackup = append(filesEligibleForBackup, path)
 		return nil
 	}); err != nil {
 		return fmt.Errorf("compress: error walking filesystem tree: %w", err)
 	}
 	if err := createArchive(filesEligibleForBackup, backupSources, tarFile); err != nil {
 		return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
 	}
 	s.logger.Infof("Created backup of `%s` at `%s`.", backupSources, tarFile)
 	return nil
 }
 // encryptBackup encrypts the backup file using PGP and the configured passphrase.
 // In case no passphrase is given it returns early, leaving the backup file
 // untouched.
 func (s *script) encryptBackup() error {
 	if s.c.GpgPassphrase == "" {
 		return nil
 	}
 	gpgFile := fmt.Sprintf("%s.gpg", s.file)
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		if err := remove(gpgFile); err != nil {
 			return fmt.Errorf("encryptBackup: error removing gpg file: %w", err)
 		}
 		s.logger.Infof("Removed GPG file `%s`.", gpgFile)
 		return nil
 	})
 	outFile, err := os.Create(gpgFile)
 	defer outFile.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error opening out file: %w", err)
 	}
 	_, name := path.Split(s.file)
 	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
 		IsBinary: true,
 		FileName: name,
 	}, nil)
 	defer dst.Close()
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
 	}
 	src, err := os.Open(s.file)
 	if err != nil {
 		return fmt.Errorf("encryptBackup: error opening backup file `%s`: %w", s.file, err)
 	}
 	if _, err := io.Copy(dst, src); err != nil {
 		return fmt.Errorf("encryptBackup: error writing ciphertext to file: %w", err)
 	}
 	s.file = gpgFile
 	s.logger.Infof("Encrypted backup using given passphrase, saving as `%s`.", s.file)
 	return nil
 }
 // copyBackup makes sure the backup file is copied to both local and remote locations
 // as per the given configuration.
 func (s *script) copyBackup() error {
 	_, name := path.Split(s.file)
 	if stat, err := os.Stat(s.file); err != nil {
 		return fmt.Errorf("copyBackup: unable to stat backup file: %w", err)
 	} else {
 		size := stat.Size()
 		s.stats.BackupFile = BackupFileStats{
 			Size:     uint64(size),
 			Name:     name,
 			FullPath: s.file,
 		}
 	}
 	if s.minioClient != nil {
 		if _, err := s.minioClient.FPutObject(context.Background(), s.c.AwsS3BucketName, filepath.Join(s.c.AwsS3Path, name), s.file, minio.PutObjectOptions{
 			ContentType: "application/tar+gzip",
 		}); err != nil {
 			return fmt.Errorf("copyBackup: error uploading backup to remote storage: %w", err)
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`.", s.file, s.c.AwsS3BucketName)
 	}
 	if s.webdavClient != nil {
 		bytes, err := os.ReadFile(s.file)
 		if err != nil {
 			return fmt.Errorf("copyBackup: error reading the file to be uploaded: %w", err)
 		}
 		if err := s.webdavClient.MkdirAll(s.c.WebdavPath, 0644); err != nil {
 			return fmt.Errorf("copyBackup: error creating directory '%s' on WebDAV server: %w", s.c.WebdavPath, err)
 		}
 		if err := s.webdavClient.Write(filepath.Join(s.c.WebdavPath, name), bytes, 0644); err != nil {
 			return fmt.Errorf("copyBackup: error uploading the file to WebDAV server: %w", err)
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to WebDAV-URL '%s' at path '%s'.", s.file, s.c.WebdavUrl, s.c.WebdavPath)
 	}
 	if s.sshClient != nil {
 		source, err := os.Open(s.file)
 		if err != nil {
 			return fmt.Errorf("copyBackup: error reading the file to be uploaded: %w", err)
 		}
 		defer source.Close()
 		destination, err := s.sftpClient.Create(filepath.Join(s.c.SSHRemotePath, name))
 		if err != nil {
 			return fmt.Errorf("copyBackup: error creating file on SSH storage: %w", err)
 		}
 		defer destination.Close()
 		chunk := make([]byte, 1000000)
 		for {
 			num, err := source.Read(chunk)
 			if err == io.EOF {
 				tot, err := destination.Write(chunk[:num])
 				if err != nil {
 					return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
 				}
 				if tot != len(chunk[:num]) {
 					return fmt.Errorf("sshClient: failed to write stream")
 				}
 				break
 			}
 			if err != nil {
 				return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
 			}
 			tot, err := destination.Write(chunk[:num])
 			if err != nil {
 				return fmt.Errorf("copyBackup: error uploading the file to SSH storage: %w", err)
 			}
 			if tot != len(chunk[:num]) {
 				return fmt.Errorf("sshClient: failed to write stream")
 			}
 		}
 		s.logger.Infof("Uploaded a copy of backup `%s` to SSH storage '%s' at path '%s'.", s.file, s.c.SSHHostName, s.c.SSHRemotePath)
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		if err := copyFile(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
 		}
 		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`.", s.file, s.c.BackupArchive)
 		if s.c.BackupLatestSymlink != "" {
 			symlink := path.Join(s.c.BackupArchive, s.c.BackupLatestSymlink)
 			if _, err := os.Lstat(symlink); err == nil {
 				os.Remove(symlink)
 			}
 			if err := os.Symlink(name, symlink); err != nil {
 				return fmt.Errorf("copyBackup: error creating latest symlink: %w", err)
 			}
 			s.logger.Infof("Created/Updated symlink `%s` for latest backup.", s.c.BackupLatestSymlink)
 		}
 	}
 	return nil
 }
 // pruneBackups rotates away backups from local and remote storages using
 // the given configuration. In case the given configuration would delete all
 // backups, it does nothing instead and logs a warning.
 func (s *script) pruneBackups() error {
 	if s.c.BackupRetentionDays < 0 {
 		return nil
 	}
 	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
 	// doPrune holds general control flow that applies to any kind of storage.
 	// Callers can pass in a thunk that performs the actual deletion of files.
 	var doPrune = func(lenMatches, lenCandidates int, description string, doRemoveFiles func() error) error {
 		if lenMatches != 0 && lenMatches != lenCandidates {
 			if err := doRemoveFiles(); err != nil {
 				return err
 			}
 			s.logger.Infof(
 				"Pruned %d out of %d %s as their age exceeded the configured retention period of %d days.",
 				lenMatches,
 				lenCandidates,
 				description,
 				s.c.BackupRetentionDays,
 			)
 		} else if lenMatches != 0 && lenMatches == lenCandidates {
 			s.logger.Warnf("The current configuration would delete all %d existing %s.", lenMatches, description)
 			s.logger.Warn("Refusing to do so, please check your configuration.")
 		} else {
 			s.logger.Infof("None of %d existing %s were pruned.", lenCandidates, description)
 		}
 		return nil
 	}
 	if s.minioClient != nil {
 		candidates := s.minioClient.ListObjects(context.Background(), s.c.AwsS3BucketName, minio.ListObjectsOptions{
 			WithMetadata: true,
 			Prefix:       filepath.Join(s.c.AwsS3Path, s.c.BackupPruningPrefix),
 			Recursive:    true,
 		})
 		var matches []minio.ObjectInfo
 		var lenCandidates int
 		for candidate := range candidates {
 			lenCandidates++
 			if candidate.Err != nil {
 				return fmt.Errorf(
 					"pruneBackups: error looking up candidates from remote storage: %w",
 					candidate.Err,
 				)
 			}
 			if candidate.LastModified.Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		s.stats.Storages.S3 = StorageStats{
 			Total:  uint(lenCandidates),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), lenCandidates, "remote backup(s)", func() error {
 			objectsCh := make(chan minio.ObjectInfo)
 			go func() {
 				for _, match := range matches {
 					objectsCh <- match
 				}
 				close(objectsCh)
 			}()
 			errChan := s.minioClient.RemoveObjects(context.Background(), s.c.AwsS3BucketName, objectsCh, minio.RemoveObjectsOptions{})
 			var removeErrors []error
 			for result := range errChan {
 				if result.Err != nil {
 					removeErrors = append(removeErrors, result.Err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return join(removeErrors...)
 			}
 			return nil
 		})
 	}
 	if s.webdavClient != nil {
 		candidates, err := s.webdavClient.ReadDir(s.c.WebdavPath)
 		if err != nil {
 			return fmt.Errorf("pruneBackups: error looking up candidates from remote storage: %w", err)
 		}
 		var matches []fs.FileInfo
 		var lenCandidates int
 		for _, candidate := range candidates {
 			if !strings.HasPrefix(candidate.Name(), s.c.BackupPruningPrefix) {
 				continue
 			}
 			lenCandidates++
 			if candidate.ModTime().Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		s.stats.Storages.WebDAV = StorageStats{
 			Total:  uint(lenCandidates),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), lenCandidates, "WebDAV backup(s)", func() error {
 			for _, match := range matches {
 				if err := s.webdavClient.Remove(filepath.Join(s.c.WebdavPath, match.Name())); err != nil {
 					return fmt.Errorf("pruneBackups: error removing file from WebDAV storage: %w", err)
 				}
 			}
 			return nil
 		})
 	}
 	if s.sshClient != nil {
 		candidates, err := s.sftpClient.ReadDir(s.c.SSHRemotePath)
 		if err != nil {
 			return fmt.Errorf("pruneBackups: error reading directory from SSH storage: %w", err)
 		}
 		var matches []string
 		for _, candidate := range candidates {
 			if !strings.HasPrefix(candidate.Name(), s.c.BackupPruningPrefix) {
 				continue
 			}
 			if candidate.ModTime().Before(deadline) {
 				matches = append(matches, candidate.Name())
 			}
 		}
 		s.stats.Storages.SSH = StorageStats{
 			Total:  uint(len(candidates)),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), len(candidates), "SSH backup(s)", func() error {
 			for _, match := range matches {
 				if err := s.sftpClient.Remove(filepath.Join(s.c.SSHRemotePath, match)); err != nil {
 					return fmt.Errorf("pruneBackups: error removing file from SSH storage: %w", err)
 				}
 			}
 			return nil
 		})
 	}
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
 		globPattern := path.Join(
 			s.c.BackupArchive,
 			fmt.Sprintf("%s*", s.c.BackupPruningPrefix),
 		)
 		globMatches, err := filepath.Glob(globPattern)
 		if err != nil {
 			return fmt.Errorf(
 				"pruneBackups: error looking up matching files using pattern %s: %w",
 				globPattern,
 				err,
 			)
 		}
 		var candidates []string
 		for _, candidate := range globMatches {
 			fi, err := os.Lstat(candidate)
 			if err != nil {
 				return fmt.Errorf(
 					"pruneBackups: error calling Lstat on file %s: %w",
 					candidate,
 					err,
 				)
 			}
 			if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
 				candidates = append(candidates, candidate)
 			}
 		}
 		var matches []string
 		for _, candidate := range candidates {
 			fi, err := os.Stat(candidate)
 			if err != nil {
 				return fmt.Errorf(
 					"pruneBackups: error calling stat on file %s: %w",
 					candidate,
 					err,
 				)
 			}
 			if fi.ModTime().Before(deadline) {
 				matches = append(matches, candidate)
 			}
 		}
 		s.stats.Storages.Local = StorageStats{
 			Total:  uint(len(candidates)),
 			Pruned: uint(len(matches)),
 		}
 		doPrune(len(matches), len(candidates), "local backup(s)", func() error {
 			var removeErrors []error
 			for _, match := range matches {
 				if err := os.Remove(match); err != nil {
 					removeErrors = append(removeErrors, err)
 				}
 			}
 			if len(removeErrors) != 0 {
 				return fmt.Errorf(
 					"pruneBackups: %d error(s) deleting local files, starting with: %w",
 					len(removeErrors),
 					join(removeErrors...),
 				)
 			}
 			return nil
 		})
 	}
 	return nil
 }
 // must exits the script run prematurely in case the given error
 // is non-nil.
 func (s *script) must(err error) {
 	if err != nil {
 		s.logger.Errorf("Fatal error running backup: %s", err)
 		panic(err)
 	}
 }
--- a/cmd/backup/stats.go
+++ b/cmd/backup/stats.go
@@ -0,0 +1,51 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	"time"
 )
 // ContainersStats stats about the docker containers
 type ContainersStats struct {
 	All        uint
 	ToStop     uint
 	Stopped    uint
 	StopErrors uint
 }
 // BackupFileStats stats about the created backup file
 type BackupFileStats struct {
 	Name     string
 	FullPath string
 	Size     uint64
 }
 // StorageStats stats about the status of an archival directory
 type StorageStats struct {
 	Total       uint
 	Pruned      uint
 	PruneErrors uint
 }
 // StoragesStats stats about each possible archival location (Local, WebDAV, SSH, S3)
 type StoragesStats struct {
 	Local  StorageStats
 	WebDAV StorageStats
 	SSH    StorageStats
 	S3     StorageStats
 }
 // Stats global stats regarding script execution
 type Stats struct {
 	StartTime  time.Time
 	EndTime    time.Time
 	TookTime   time.Duration
 	LockedTime time.Duration
 	LogOutput  *bytes.Buffer
 	Containers ContainersStats
 	BackupFile BackupFileStats
 	Storages   StoragesStats
 }
--- a/cmd/backup/util.go
+++ b/cmd/backup/util.go
@@ -0,0 +1,90 @@
 // Copyright 2022 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 package main
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 )
 var noop = func() error { return nil }
 // copy creates a copy of the file located at `dst` at `src`.
 func copyFile(src, dst string) error {
 	in, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer in.Close()
 	out, err := os.Create(dst)
 	if err != nil {
 		return err
 	}
 	_, err = io.Copy(out, in)
 	if err != nil {
 		out.Close()
 		return err
 	}
 	return out.Close()
 }
 // join takes a list of errors and joins them into a single error
 func join(errs ...error) error {
 	if len(errs) == 1 {
 		return errs[0]
 	}
 	var msgs []string
 	for _, err := range errs {
 		if err == nil {
 			continue
 		}
 		msgs = append(msgs, err.Error())
 	}
 	return errors.New("[" + strings.Join(msgs, ", ") + "]")
 }
 // remove removes the given file or directory from disk.
 func remove(location string) error {
 	fi, err := os.Lstat(location)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil
 		}
 		return fmt.Errorf("remove: error checking for existence of `%s`: %w", location, err)
 	}
 	if fi.IsDir() {
 		err = os.RemoveAll(location)
 	} else {
 		err = os.Remove(location)
 	}
 	if err != nil {
 		return fmt.Errorf("remove: error removing `%s`: %w", location, err)
 	}
 	return nil
 }
 // buffer takes an io.Writer and returns a wrapped version of the
 // writer that writes to both the original target as well as the returned buffer
 func buffer(w io.Writer) (io.Writer, *bytes.Buffer) {
 	buffering := &bufferingWriter{buf: bytes.Buffer{}, writer: w}
 	return buffering, &buffering.buf
 }
 type bufferingWriter struct {
 	buf    bytes.Buffer
 	writer io.Writer
 }
 func (b *bufferingWriter) Write(p []byte) (n int, err error) {
 	if n, err := b.buf.Write(p); err != nil {
 		return n, fmt.Errorf("bufferingWriter: error writing to buffer: %w", err)
 	}
 	return b.writer.Write(p)
 }
--- a/docs/NOTIFICATION-TEMPLATES.md
+++ b/docs/NOTIFICATION-TEMPLATES.md
@@ -0,0 +1,39 @@
 # Notification templates reference
 In order to customize title and body of notifications you'll have to write a [go template](https://pkg.go.dev/text/template) and mount it inside the `/etc/dockervolumebackup/notifications.d/` directory.
 Configuration, data about the backup run and helper functions will be passed to this template, this page documents them fully.
 ## Data
 Here is a list of all data passed to the template:
 * `Config`: this object holds the configuration that has been passed to the script. The field names are the name of the recognized environment variables converted in PascalCase. (e.g. `BACKUP_STOP_CONTAINER_LABEL` becomes `BackupStopContainerLabel`)
 * `Error`: the error that made the backup fail. Only available in the `title_failure` and `body_failure` templates
 * `Stats`: objects that holds stats regarding script execution. In case of an unsuccessful run, some information may not be available.
  * `StartTime`: time when the script started execution
  * `EndTime`: time when the backup has completed successfully (after pruning)
  * `TookTime`: amount of time it took for the backup to run. (equal to `EndTime - StartTime`)
  * `LockedTime`: amount of time it took for the backup to acquire the exclusive lock
  * `LogOutput`: full log of the application
  * `Containers`: object containing stats about the docker containers
    * `All`: total number of containers
    * `ToStop`: number of containers matched by the stop rule
    * `Stopped`: number of containers successfully stopped
    * `StopErrors`: number of containers that were unable to be stopped (equal to `ToStop - Stopped`)
  * `BackupFile`: object containing information about the backup file
    * `Name`: name of the backup file (e.g. `backup-2022-02-11T01-00-00.tar.gz`)
    * `FullPath`: full path of the backup file (e.g. `/archive/backup-2022-02-11T01-00-00.tar.gz`)
    * `Size`: size in bytes of the backup file
  * `Storages`: object that holds stats about each storage
    * `Local`, `S3`, `WebDAV` or `SSH`:
      * `Total`: total number of backup files
      * `Pruned`: number of backup files that were deleted due to pruning rule
      * `PruneErrors`: number of backup files that were unable to be pruned
 ## Functions
 Some formatting functions are also available:
 * `formatTime`: formats a time object using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) format (e.g. `2022-02-11T01:00:00Z`)
 * `formatBytesBin`: formats an amount of bytes using powers of 1024 (e.g. `7055258` bytes will be `6.7 MiB`) 
 * `formatBytesDec`: formats an amount of bytes using powers of 1000 (e.g. `7055258` bytes will be `7.1 MB`)
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -5,10 +5,21 @@
 set -e
-BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
+if [ ! -d "/etc/dockervolumebackup/conf.d" ]; then
  BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
-echo "Installing cron.d entry with expression $BACKUP_CRON_EXPRESSION."
+  echo "Installing cron.d entry with expression $BACKUP_CRON_EXPRESSION."
-echo "$BACKUP_CRON_EXPRESSION backup 2>&1" | crontab -
+  echo "$BACKUP_CRON_EXPRESSION backup 2>&1" | crontab -
 else
  echo "/etc/dockervolumebackup/conf.d was found, using configuration files from this directory."
  for file in /etc/dockervolumebackup/conf.d/*; do
    source $file
    BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
    echo "Appending cron.d entry with expression $BACKUP_CRON_EXPRESSION and configuration file $file"
    (crontab -l; echo "$BACKUP_CRON_EXPRESSION /bin/sh -c 'set -a; source $file; set +a && backup' 2>&1") | crontab -
  done
 fi
 echo "Starting cron in foreground."
 crond -f -l 8
--- a/go.mod
+++ b/go.mod
@@ -1,45 +1,67 @@
 module github.com/offen/docker-volume-backup
-go 1.17
+go 1.18
 require (
-	github.com/docker/docker v20.10.8+incompatible
+	github.com/containrrr/shoutrrr v0.5.2
 	github.com/cosiner/argv v0.1.0
 	github.com/docker/docker v20.10.11+incompatible
 	github.com/gofrs/flock v0.8.1
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/m90/targz v0.0.0-20210904082215-2e9a4529a615
+	github.com/minio/minio-go/v7 v7.0.16
-	github.com/minio/minio-go/v7 v7.0.12
+	github.com/otiai10/copy v1.7.0
 	github.com/pkg/sftp v1.13.5
 	github.com/sirupsen/logrus v1.8.1
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	github.com/studio-b12/gowebdav v0.0.0-20220128162035-c7b1ff8a5e62
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 )
 require (
-	github.com/Microsoft/go-winio v0.4.17 // indirect
+	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/containerd/containerd v1.5.5 // indirect
+	github.com/containerd/containerd v1.6.6 // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/fatih/color v1.10.0 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/uuid v1.2.0 // indirect
+	github.com/google/uuid v1.3.0 // indirect
-	github.com/json-iterator/go v1.1.10 // indirect
+	github.com/gorilla/mux v1.7.3 // indirect
-	github.com/klauspost/cpuid v1.3.1 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/minio/md5-simd v1.1.0 // indirect
+	github.com/klauspost/compress v1.15.6 // indirect
-	github.com/minio/sha256-simd v0.1.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.0.9 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.8 // indirect
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/sha256-simd v1.0.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/nxadm/tail v1.4.6 // indirect
 	github.com/onsi/ginkgo v1.14.2 // indirect
 	github.com/onsi/gomega v1.10.3 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rs/xid v1.2.1 // indirect
+	github.com/rs/xid v1.3.0 // indirect
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
+	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
-	golang.org/x/text v0.3.4 // indirect
+	golang.org/x/text v0.3.7 // indirect
-	google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/grpc v1.33.2 // indirect
+	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
-	google.golang.org/protobuf v1.26.0 // indirect
+	google.golang.org/grpc v1.47.0 // indirect
-	gopkg.in/ini.v1 v1.57.0 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/ini.v1 v1.65.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/test/cli/run.sh
+++ b/test/cli/run.sh
@@ -7,6 +7,9 @@ cd $(dirname $0)
 docker network create test_network
 docker volume create backup_data
 docker volume create app_data
 # This volume is created to test whether empty directories are handled
 # correctly. It is not supposed to hold any data.
 docker volume create empty_data
 docker run -d \
  --name minio \
@@ -23,16 +26,15 @@ docker exec minio mkdir -p /data/backup
 docker run -d \
  --name offen \
  --network test_network \
  --label "docker-volume-backup.stop-during-backup=true" \
  -v app_data:/var/opt/offen/ \
  offen/offen:latest
 sleep 10
-docker run -d \
+docker run --rm \
  --name backup \
  --network test_network \
  -v app_data:/backup/app_data \
  -v empty_data:/backup/empty_data \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --env AWS_ACCESS_KEY_ID=test \
  --env AWS_SECRET_ACCESS_KEY=GMusLtUmILge2by+z890kQ \
@@ -40,18 +42,19 @@ docker run -d \
  --env AWS_ENDPOINT_PROTO=http \
  --env AWS_S3_BUCKET_NAME=backup \
  --env BACKUP_FILENAME=test.tar.gz \
-  --env BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?" \
+  --env "BACKUP_FROM_SNAPSHOT=true" \
-  offen/docker-volume-backup:$TEST_VERSION
+  --entrypoint backup \
-
+  offen/docker-volume-backup:${TEST_VERSION:-canary}
 docker exec backup backup
 docker run --rm -it \
  -v backup_data:/data alpine \
-  ash -c 'tar -xvf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db'
+  ash -c 'tar -xvf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db && test -d /backup/empty_data'
-echo "[TEST:PASS] Found relevant files in untared backup."
+echo "[TEST:PASS] Found relevant files in untared remote backup."
-if [ "$(docker ps -q | wc -l)" != "3" ]; then
+# This test does not stop containers during backup. This is happening on
 # purpose in order to cover this setup as well.
 if [ "$(docker ps -q | wc -l)" != "2" ]; then
  echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
  docker ps
  exit 1
@@ -59,6 +62,6 @@ fi
 echo "[TEST:PASS] All containers running post backup."
-docker rm $(docker stop minio offen backup)
+docker rm $(docker stop minio offen)
 docker volume rm backup_data app_data
 docker network rm test_network
--- a/test/commands/.gitignore
+++ b/test/commands/.gitignore
@@ -0,0 +1 @@
 local
--- a/test/commands/docker-compose.yml
+++ b/test/commands/docker-compose.yml
@@ -0,0 +1,36 @@
 version: '3.8'
 services:
  database:
    image: mariadb:10.7
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      MARIADB_ROOT_PASSWORD: test
      MARIADB_DATABASE: backup
    labels:
      - docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump -ptest --all-databases > /tmp/volume/dump.sql'
      - docker-volume-backup.exec-post=/bin/sh -c 'echo "post" > /tmp/volume/post.txt'
      - docker-volume-backup.exec-label=test
    volumes:
      - app_data:/tmp/volume
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      EXEC_LABEL: test
      EXEC_FORWARD_OUTPUT: "true"
    volumes:
      - archive:/archive
      - app_data:/backup/data:ro
      - /var/run/docker.sock:/var/run/docker.sock
 volumes:
  app_data:
  archive:
--- a/test/commands/run.sh
+++ b/test/commands/run.sh
@@ -0,0 +1,62 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 docker-compose up -d
 sleep 30 # mariadb likes to take a bit before responding
 docker-compose exec backup backup
 sudo cp -r $(docker volume inspect --format='{{ .Mountpoint }}' commands_archive) ./local
 tar -xvf ./local/test.tar.gz
 if [ ! -f ./backup/data/dump.sql ]; then
  echo "[TEST:FAIL] Could not find file written by pre command."
  exit 1
 fi
 echo "[TEST:PASS] Found expected file."
 if [ -f ./backup/data/post.txt ]; then
  echo "[TEST:FAIL] File created in post command was present in backup."
  exit 1
 fi
 echo "[TEST:PASS] Did not find unexpected file."
 docker-compose down --volumes
 sudo rm -rf ./local
 echo "[TEST:INFO] Running commands test in swarm mode next."
 docker swarm init
 docker stack deploy --compose-file=docker-compose.yml test_stack
 while [ -z $(docker ps -q -f name=backup) ]; do
  echo "[TEST:INFO] Backup container not ready yet. Retrying."
  sleep 1
 done
 sleep 20
 docker exec $(docker ps -q -f name=backup) backup
 sudo cp -r $(docker volume inspect --format='{{ .Mountpoint }}' test_stack_archive) ./local
 tar -xvf ./local/test.tar.gz
 if [ ! -f ./backup/data/dump.sql ]; then
  echo "[TEST:FAIL] Could not find file written by pre command."
  exit 1
 fi
 echo "[TEST:PASS] Found expected file."
 if [ -f ./backup/data/post.txt ]; then
  echo "[TEST:FAIL] File created in post command was present in backup."
  exit 1
 fi
 echo "[TEST:PASS] Did not find unexpected file."
 docker stack rm test_stack
 docker swarm leave --force
--- a/test/compose/docker-compose.yml
+++ b/test/compose/docker-compose.yml
@@ -10,12 +10,35 @@ services:
      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
    volumes:
-      - backup_data:/data
+      - minio_backup_data:/data
-  backup: &default_backup_service
+  webdav:
-    image: offen/docker-volume-backup:${TEST_VERSION}
+    image: bytemark/webdav:2.4
    environment:
      AUTH_TYPE: Digest
      USERNAME: test
      PASSWORD: test
    volumes:
      - webdav_backup_data:/var/lib/dav
  ssh:
    image: linuxserver/openssh-server:version-8.6_p1-r3
    environment:
      - PUID=1000
      - PGID=1000
      - USER_NAME=test
    volumes:
      - ./id_rsa.pub:/config/.ssh/authorized_keys
      - ssh_backup_data:/tmp
      - ssh_config:/config
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    hostname: hostnametoken
    depends_on:
      - minio
      - webdav
      - ssh
    restart: always
    environment:
      AWS_ACCESS_KEY_ID: test
@@ -23,14 +46,27 @@ services:
      AWS_ENDPOINT: minio:9000
      AWS_ENDPOINT_PROTO: http
      AWS_S3_BUCKET_NAME: backup
-      BACKUP_FILENAME: test.tar.gz
+      BACKUP_FILENAME_EXPAND: 'true'
      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
      BACKUP_LATEST_SYMLINK: test-$$HOSTNAME.latest.tar.gz.gpg
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
      BACKUP_PRUNING_LEEWAY: 5s
      BACKUP_PRUNING_PREFIX: test
      GPG_PASSPHRASE: 1234secret
      WEBDAV_URL: http://webdav/
      WEBDAV_URL_INSECURE: 'true'
      WEBDAV_PATH: /my/new/path/
      WEBDAV_USERNAME: test
      WEBDAV_PASSWORD: test
      SSH_HOST_NAME: ssh
      SSH_PORT: 2222
      SSH_USER: test
      SSH_REMOTE_PATH: /tmp
      SSH_IDENTITY_PASSPHRASE: test1234
    volumes:
      - ./local:/archive
      - ./id_rsa:/root/.ssh/id_rsa
      - app_data:/backup/app_data:ro
      - /var/run/docker.sock:/var/run/docker.sock
@@ -42,5 +78,8 @@ services:
      - app_data:/var/opt/offen
 volumes:
-  backup_data:
+  minio_backup_data:
  webdav_backup_data:
  ssh_backup_data:
  ssh_config:
  app_data:
--- a/test/compose/run.sh
+++ b/test/compose/run.sh
@@ -2,37 +2,49 @@
 set -e
-cd $(dirname $0)
+cd "$(dirname "$0")"
 mkdir -p local
 ssh-keygen -t rsa -m pem -b 4096 -N "test1234" -f id_rsa -C "docker-volume-backup@local"
 docker-compose up -d
 sleep 5
 # A symlink for a known file in the volume is created so the test can check
 # whether symlinks are preserved on backup.
 docker-compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
 docker-compose exec backup backup
-docker run --rm -it \
+sleep 5
-  -v compose_backup_data:/data alpine \
+if [ "$(docker-compose ps -q | wc -l)" != "5" ]; then
  ash -c 'apk add gnupg && echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /data/backup/test.tar.gz.gpg > /tmp/test.tar.gz && tar -xf /tmp/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
 echo "[TEST:PASS] Found relevant files in untared remote backup."
 echo 1234secret | gpg -d --yes --passphrase-fd 0 ./local/test.tar.gz.gpg > ./local/decrypted.tar.gz
 tar -xf ./local/decrypted.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
 rm ./local/decrypted.tar.gz
 test -L /tmp/backup/app_data/db.link
 echo "[TEST:PASS] Found relevant files in untared local backup."
 if [ "$(docker-compose ps -q | wc -l)" != "3" ]; then
  echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
  docker-compose ps
  exit 1
 fi
 echo "[TEST:PASS] All containers running post backup."
 docker run --rm -it \
  -v compose_minio_backup_data:/minio_data \
  -v compose_webdav_backup_data:/webdav_data \
  -v compose_ssh_backup_data:/ssh_data alpine \
  ash -c 'apk add gnupg && \
          echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /minio_data/backup/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db && \
          echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /webdav_data/data/my/new/path/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db && \
          echo 1234secret | gpg -d --pinentry-mode loopback --passphrase-fd 0 --yes /ssh_data/test-hostnametoken.tar.gz.gpg > /tmp/test-hostnametoken.tar.gz && tar -xvf /tmp/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
 echo "[TEST:PASS] Found relevant files in decrypted and untared remote backups."
 echo 1234secret | gpg -d --pinentry-mode loopback --yes --passphrase-fd 0 ./local/test-hostnametoken.tar.gz.gpg > ./local/decrypted.tar.gz
 tar -xf ./local/decrypted.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
 rm ./local/decrypted.tar.gz
 test -L /tmp/backup/app_data/db.link
 echo "[TEST:PASS] Found relevant files in decrypted and untared local backup."
 test -L ./local/test-hostnametoken.latest.tar.gz.gpg
 echo "[TEST:PASS] Found symlink to latest version in local backup."
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day
@@ -42,16 +54,21 @@ sleep 5
 docker-compose exec backup backup
 docker run --rm -it \
-  -v compose_backup_data:/data alpine \
+  -v compose_minio_backup_data:/minio_data \
-  ash -c '[ $(find /data/backup/ -type f | wc -l) = "1" ]'
+  -v compose_webdav_backup_data:/webdav_data \
  -v compose_ssh_backup_data:/ssh_data alpine \
  ash -c '[ $(find /minio_data/backup/ -type f | wc -l) = "1" ] && \
          [ $(find /webdav_data/data/my/new/path/ -type f | wc -l) = "1" ] && \
          [ $(find /ssh_data/ -type f | wc -l) = "1" ]'
 echo "[TEST:PASS] Remote backups have not been deleted."
 if [ "$(find ./local -type f | wc -l)" != "1" ]; then
  echo "[TEST:FAIL] Backups should not have been deleted, instead seen:"
  find ./local -type f
  exit 1
 fi
 echo "[TEST:PASS] Local backups have not been deleted."
 docker-compose down --volumes
 rm -f id_rsa id_rsa.pub
--- a/test/confd/.gitignore
+++ b/test/confd/.gitignore
@@ -0,0 +1 @@
 local
--- a/test/confd/01backup.env
+++ b/test/confd/01backup.env
@@ -0,0 +1,2 @@
 BACKUP_FILENAME="conf.tar.gz"
 BACKUP_CRON_EXPRESSION="*/1 * * * *"
--- a/test/confd/02backup.env
+++ b/test/confd/02backup.env
@@ -0,0 +1,2 @@
 BACKUP_FILENAME="other.tar.gz"
 BACKUP_CRON_EXPRESSION="*/1 * * * *"
--- a/test/confd/03never.env
+++ b/test/confd/03never.env
@@ -0,0 +1,2 @@
 BACKUP_FILENAME="never.tar.gz"
 BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
--- a/test/confd/docker-compose.yml
+++ b/test/confd/docker-compose.yml
@@ -0,0 +1,23 @@
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    restart: always
    volumes:
      - ./local:/archive
      - app_data:/backup/app_data:ro
      - ./01backup.env:/etc/dockervolumebackup/conf.d/01backup.env
      - ./02backup.env:/etc/dockervolumebackup/conf.d/02backup.env
      - ./03never.env:/etc/dockervolumebackup/conf.d/03never.env
      - /var/run/docker.sock:/var/run/docker.sock
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
 volumes:
  app_data:
--- a/test/confd/run.sh
+++ b/test/confd/run.sh
@@ -0,0 +1,32 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 mkdir -p local
 docker-compose up -d
 # sleep until a backup is guaranteed to have happened on the 1 minute schedule
 sleep 100
 docker-compose down --volumes
 if [ ! -f ./local/conf.tar.gz ]; then
  echo "[TEST:FAIL] Config from file was not used."
  exit 1
 fi
 echo "[TEST:PASS] Config from file was used."
 if [ ! -f ./local/other.tar.gz ]; then
  echo "[TEST:FAIL] Run on same schedule did not succeed."
  exit 1
 fi
 echo "[TEST:PASS] Run on same schedule succeeded."
 if [ -f ./local/never.tar.gz ]; then
  echo "[TEST:FAIL] Unexpected file was found."
  exit 1
 fi
 echo "[TEST:PASS] Unexpected cron did not run."
--- a/test/ignore/.gitignore
+++ b/test/ignore/.gitignore
@@ -0,0 +1 @@
 local
--- a/test/ignore/docker-compose.yml
+++ b/test/ignore/docker-compose.yml
@@ -0,0 +1,15 @@
 version: '3.8'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    deploy:
      restart_policy:
        condition: on-failure
    environment:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_EXCLUDE_REGEXP: '\.(me|you)$$'
    volumes:
      - ./local:/archive
      - ./sources:/backup/data:ro
--- a/test/ignore/run.sh
+++ b/test/ignore/run.sh
@@ -0,0 +1,27 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 mkdir -p local
 docker-compose up -d
 sleep 5
 docker-compose exec backup backup
 docker-compose down --volumes
 out=$(mktemp -d)
 sudo tar --same-owner -xvf ./local/test.tar.gz -C "$out"
 if [ ! -f "$out/backup/data/me.txt" ]; then
  echo "[TEST:FAIL] Expected file was not found."
  exit 1
 fi
 echo "[TEST:PASS] Expected file was found."
 if [ -f "$out/backup/data/skip.me" ]; then
  echo "[TEST:FAIL] Ignored file was found."
  exit 1
 fi
 echo "[TEST:PASS] Ignored file was not found."
--- a/test/ignore/sources/me.txt
+++ b/test/ignore/sources/me.txt
--- a/test/ignore/sources/skip.me
+++ b/test/ignore/sources/skip.me
--- a/test/notifications/.gitignore
+++ b/test/notifications/.gitignore
@@ -0,0 +1 @@
 local
--- a/test/notifications/docker-compose.yml
+++ b/test/notifications/docker-compose.yml
@@ -0,0 +1,36 @@
 version: '3'
 services:
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    restart: always
    environment:
      BACKUP_FILENAME: test.tar.gz
      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
      BACKUP_PRUNING_PREFIX: test
      NOTIFICATION_LEVEL: info
      NOTIFICATION_URLS: ${NOTIFICATION_URLS}
    volumes:
      - ./local:/archive
      - app_data:/backup/app_data:ro
      - ./notifications.tmpl:/etc/dockervolumebackup/notifications.d/notifications.tmpl
  offen:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - app_data:/var/opt/offen
  gotify:
    image: gotify/server
    ports:
      - 8080:80
    environment:
      - GOTIFY_DEFAULTUSER_PASS=custom
    volumes:
      - gotify_data:/app/data
 volumes:
  app_data:
  gotify_data:
--- a/test/notifications/notifications.tmpl
+++ b/test/notifications/notifications.tmpl
@@ -0,0 +1,7 @@
 {{ define "title_success" -}}
 Successful test run, yay!
 {{- end }}
 {{ define "body_success" -}}
 Backing up {{ .Stats.BackupFile.FullPath }} succeeded.
 {{- end }}
--- a/test/notifications/run.sh
+++ b/test/notifications/run.sh
@@ -0,0 +1,52 @@
 #!/bin/sh
 set -e
 cd $(dirname $0)
 mkdir -p local
 docker-compose up -d
 sleep 5
 GOTIFY_TOKEN=$(curl -sSLX POST -H 'Content-Type: application/json' -d '{"name":"test"}' http://admin:custom@localhost:8080/application | jq -r '.token')
 echo "[TEST:INFO] Set up Gotify application using token $GOTIFY_TOKEN"
 docker-compose exec backup backup
 NUM_MESSAGES=$(curl -sSL http://admin:custom@localhost:8080/message | jq -r '.messages | length')
 if [ "$NUM_MESSAGES" != 0 ]; then
  echo "[TEST:FAIL] Expected no notifications to be sent when not configured"
  exit 1
 fi
 echo "[TEST:PASS] No notifications were sent when not configured."
 docker-compose down
 NOTIFICATION_URLS="gotify://gotify/${GOTIFY_TOKEN}?disableTLS=true" docker-compose up -d
 docker-compose exec backup backup
 NUM_MESSAGES=$(curl -sSL http://admin:custom@localhost:8080/message | jq -r '.messages | length')
 if [ "$NUM_MESSAGES" != 1 ]; then
  echo "[TEST:FAIL] Expected one notifications to be sent when configured"
  exit 1
 fi
 echo "[TEST:PASS] Correct number of notifications were sent when configured."
 MESSAGE_TITLE=$(curl -sSL http://admin:custom@localhost:8080/message | jq -r '.messages[0].title')
 MESSAGE_BODY=$(curl -sSL http://admin:custom@localhost:8080/message | jq -r '.messages[0].message')
 if [ "$MESSAGE_TITLE" != "Successful test run, yay!" ]; then
  echo "[TEST:FAIL] Unexpected notification title $MESSAGE_TITLE"
  exit 1
 fi
 echo "[TEST:PASS] Custom notification title was used."
 if [ "$MESSAGE_BODY" != "Backing up /tmp/test.tar.gz succeeded." ]; then
  echo "[TEST:FAIL] Unexpected notification body $MESSAGE_BODY"
  exit 1
 fi
 echo "[TEST:PASS] Custom notification body was used."
 docker-compose down --volumes
--- a/test/ownership/.gitignore
+++ b/test/ownership/.gitignore
@@ -0,0 +1 @@
 local
--- a/test/ownership/docker-compose.yml
+++ b/test/ownership/docker-compose.yml
@@ -0,0 +1,27 @@
 version: '3'
 services:
  db:
    image: postgres:14-alpine
    restart: unless-stopped
    labels:
      - docker-volume-backup.stop-during-backup=true
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=1FHJMSwt0yhIN1zS7I4DilGUhThBKq0x
      - POSTGRES_USER=test
      - POSTGRES_DB=test
  backup:
    image: offen/docker-volume-backup:${TEST_VERSION}
    restart: always
    environment:
      BACKUP_FILENAME: backup.tar.gz
    volumes:
      - postgres_data:/backup/postgres:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./local:/archive
 volumes:
  postgres_data:
--- a/test/ownership/run.sh
+++ b/test/ownership/run.sh
@@ -0,0 +1,28 @@
 #!/bin/sh
 # This test refers to https://github.com/offen/docker-volume-backup/issues/71
 set -e
 cd $(dirname $0)
 mkdir -p local
 docker-compose up -d
 sleep 5
 docker-compose exec backup backup
 sudo tar --same-owner -xvf ./local/backup.tar.gz -C /tmp
 sudo find /tmp/backup/postgres > /dev/null
 echo "[TEST:PASS] Backup contains files at expected location"
 for file in $(sudo find /tmp/backup/postgres); do
  if [ "$(sudo stat -c '%u:%g' $file)" != "70:70" ]; then
    echo "[TEST:FAIL] Unexpected file ownership for $file: $(sudo stat -c '%u:%g' $file)"
    exit 1
  fi
 done
 echo "[TEST:PASS] All files and directories in backup preserved their ownership."
 docker-compose down --volumes
--- a/test/swarm/docker-compose.yml
+++ b/test/swarm/docker-compose.yml
@@ -18,8 +18,8 @@ services:
    volumes:
      - backup_data:/data
-  backup: &default_backup_service
+  backup:
-    image: offen/docker-volume-backup:${TEST_VERSION}
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
    depends_on:
      - minio
    deploy:
@@ -43,13 +43,15 @@ services:
    image: offen/offen:latest
    labels:
      - docker-volume-backup.stop-during-backup=true
    healthcheck:
      disable: true
    deploy:
      replicas: 2
      restart_policy:
        condition: on-failure
  pg:
-    image: postgres:12.2-alpine
+    image: postgres:14-alpine
    environment:
      POSTGRES_PASSWORD: example
    labels:
--- a/test/swarm/run.sh
+++ b/test/swarm/run.sh
@@ -23,14 +23,13 @@ docker run --rm -it \
 echo "[TEST:PASS] Found relevant files in untared backup."
 sleep 5
 if [ "$(docker ps -q | wc -l)" != "5" ]; then
  echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
  docker ps -a
  exit 1
 fi
 echo "[TEST:PASS] All containers running post backup."
 docker stack rm test_stack
 docker swarm leave --force
Author	SHA1	Message	Date
Frederik Ring	1892d56ff6	Change default value for SSH identity file (#108 ) * Change default value for SSH identity file * Force remove write protected file in tests	2022-06-17 11:28:29 +02:00
İbrahim Akyel	0b205fe6dc	SSH Backup Storage Support (#107 ) * SSH Client implemented * Private key auth implemented Code refactoring * Refactoring * Passphrase renamed to IdentityPassphrase Default private key location changed to .ssh/id	2022-06-17 11:06:15 +02:00
Frederik Ring	8c8a2fa088	Update vulnerable containerd dependency (#104 )	2022-06-07 09:21:40 +02:00
Frederik Ring	a850bf13fe	Fix broken link in README	2022-05-12 08:18:12 +02:00
Frederik Ring	b52b271bac	Allow for the exclusion of files from backups (#100 ) * Hoist walking of files so it can be used for features other than archive creation * Add option to ignore files from backup using glob patterns * Use Regexp instead of glob for exclusion * Ignore artifacts * Add teardown to test * Allow single Re for filtering only * Add documentation * Use MatchString on re, add bad input to message in case of error	2022-05-08 11:20:38 +02:00
Frederik Ring	cac5777e79	Add documentation on using multiple configs for complex retention schemes	2022-04-20 18:01:41 +02:00
Frederik Ring	94a1edc4ad	Allow disabling of certificate verification for WebDAV (#98 )	2022-04-20 14:16:59 +02:00
Frederik Ring	a654097e59	Update webdav client library (#97 )	2022-04-20 10:56:26 +02:00
Frederik Ring	1b1fc4856c	List objects recursively when selecting candidates from S3 (#92 )	2022-04-15 11:05:52 +02:00
Frederik Ring	e81c34b8fc	Consider S3 Path when selecting candidates for pruning (#91 )	2022-04-13 17:09:37 +02:00
Simon Dünhöft	9c23767fce	Fixed wrong env name for S3 bucket in README (#89 ) The README was using `AWS_BUCKET_NAME` instead of `AWS_S3_BUCKET_NAME` in the recipes. This resulted in no data being uploaded to S3.	2022-04-12 19:38:15 +02:00
Frederik Ring	51af8c3c77	Deprecate BACKUP_FROM_SNAPSHOT (#81 )	2022-03-25 18:28:58 +01:00
Frederik Ring	1ea0b51b23	Tag releases with major version too (#82 )	2022-03-25 18:27:00 +01:00
Frederik Ring	da8c63f755	Support identical cron schedule (#87 ) * Retry on lock being unavailable * Refactor locking to return plain error * Collect LockedTime in stats * Add test case * Add documentation for LOCK_TIMEOUT * Log in case lock needs to be awaited * Release resources created for awaiting lock	2022-03-25 18:26:34 +01:00
Frederik Ring	9bc8db0f7c	Build using Go 1.18 (#86 )	2022-03-17 11:22:41 +01:00
Frederik Ring	508bc07b4f	Disable healthcheck in swarm test (#85 )	2022-03-17 11:13:07 +01:00
Frederik Ring	b8f71b04a1	Use errgroup for running commands in parallel (#83 )	2022-03-10 11:09:39 +01:00
Frederik Ring	5f3832d621	Consider prefix rules when pruning WebDAV storages (#79 )	2022-03-05 13:33:15 +01:00
Frederik Ring	4b1127b8c4	Document BACKUP_SOURCES	2022-03-04 19:57:32 +01:00
Frederik Ring	ae50a3ac4f	Add attribution to code taken from moby repository	2022-03-04 16:40:34 +01:00
Frederik Ring	bad22eee93	Fix syntax highlighting in container	2022-03-04 14:08:31 +01:00
Frederik Ring	c9ebb9e14e	Allow multiple schedules in the same container (#78 ) * Allow mounting of config directory for multiple schedules * Add docs for conf.d feature * Fix behavior on multiple files * Define default case first in entrypoint script	2022-03-04 13:51:26 +01:00
Frederik Ring	6e1b8553e6	Remove superfluous --update flag from cert install	2022-02-26 16:45:29 +01:00
Frederik Ring	5ec2b2c3ff	Install ca-certs with --no-cache to reduce image size	2022-02-25 08:54:07 +01:00
Rajan Patel	3bbeba5b83	update custom docker host documentation for pre/post commands (#77 )	2022-02-24 05:31:36 +01:00
Frederik Ring	9155b4d130	Add missing print directive, fix go.mod	2022-02-23 10:12:57 +01:00
Kazi	2a17e84ab6	snapshot-style restore example (#76 ) * snapshot-style restore example * manual backup recommendation	2022-02-23 07:58:09 +01:00
Rajan Patel	00f2359461	Add DOCKER_HOST documentation (#74 ) * add DOCKER_HOST documentation * add which endpoints are required for DOCKER_HOST * Update README.md Co-authored-by: Frederik Ring <frederik.ring@gmail.com>	2022-02-22 08:00:26 +01:00
Frederik Ring	0504a92a1f	Add option to run pre/post commands for any container (#73 ) * Add option to run pre commands on arbitrary container * Correctly handle quoted args in commands * Provide defaults for test version arg * Allow filtering of target containers * Add documentation on exec commands * Use mysqldump in exec test * Add mysqldump section to recipes * Also run commands test in swarm mode * Use name instead of id * Add syntax highlighting * Add missing license headers	2022-02-22 07:53:33 +01:00
Frederik Ring	3ded77448c	Do not skip directories when creating tar archive (#72 ) * Update targz library to include potential ownership fix * Move archive logic to main repo * Remove assertions for debugging * Use relative path in assertion * Strip local part from archive location * Log when extracting in tests * Fix trimming of prfix * Add license info to archive.go file * Undo change in test assertion * Add test checking for preserved file ownership * use same postgres version in tests * Wrap errors when archiving, handle deletion at script layer	2022-02-22 07:49:24 +01:00
Frederik Ring	58b42b9036	Supporting proxied Docker APIs through DOCKER_HOST (#70 )	2022-02-18 09:08:21 +01:00
Frederik Ring	180438f1fc	Update ubuntu image used for running integration tests (#67 )	2022-02-15 21:05:03 +01:00
Mauro Molin	30265c14ba	Fixed TookTime (#66 )	2022-02-14 17:32:05 +01:00
Frederik Ring	a57e93d01e	Split source into multiple files, deduplicate pruning logic, do not parse templates when notifications are not used (#63 ) * Split code into multiple files * Deduplicate logic for pruning backups against different storages * Only parse templates when notifications are enabled * Use better description	2022-02-13 10:52:19 +01:00
Frederik Ring	3e17d1b123	Ensure end time is recorded for unsuccessful runs too (#62 ) * Ensure end time is also recorded for unsuccessful runs * Clean up integration tests	2022-02-13 09:41:36 +01:00
Frederik Ring	0e248010a8	Add note about how notifications can be customized to config reference	2022-02-12 20:34:51 +01:00
Frederik Ring	e6af6efd8a	Add test setup for notification feature (#61 ) * Add test case for notification feature * Fix template data * bash is needed to interpret test * Do not use bashisms in test * Only print FullPath * Fix assertion	2022-02-12 20:28:38 +01:00
Frederik Ring	34d04211eb	Update README TOC	2022-02-11 20:06:23 +01:00
Mauro Molin	8dfdd14527	Added custom notification messages using text/template (#60 ) * Added custom notification messages using text/template * Change notification template path and removed automatic newline trim * Added stats and changed structure of template params * Stat file hotfix * Embedded and fixed default notification templates Fix * Changed Output to LogOutput * Changed stats integer to unsigned * Bytes formatting in template func fix * Changed Archives to Storages * Removed unecessary sleep for pruning leeway * Set EndTime after pruning is completed * Added custom notifications documentation * Added 5s sleep in swarm test * Fixed documentation * Dockerfile copies all files in cmd/backup	2022-02-11 20:05:16 +01:00
Frederik Ring	3bb99a7117	Update package targz	2022-02-08 15:12:46 +01:00
Fridgemagnet	ddc34be55d	Updated README.md "Restoring..." section example (#56 ) Edited the "Restoring a volume from a backup" section example to be able to better differentiate between the names of the temporary restore container and the name of the mounted restore volume. New example container name: temp_restore_container The restore volume name remains the same: backup_restore Also changed "one-off container" to "once-off container".	2022-02-04 11:52:59 +01:00
Joshua Noble	cb9b4bfcff	Add support for Filebase (#54 )	2022-02-02 17:22:42 +01:00
Frederik Ring	62bd2f4a5a	Update base docker image to alpine 3.15 (#53 )	2022-01-27 14:40:56 +01:00
Frederik Ring	6fe629ce87	Allow path to be set for bucket storage (#52 )	2022-01-25 21:16:16 +01:00
Frederik Ring	1db896f7cf	Tweak README, improve client naming, tidy go.mod file	2022-01-22 13:35:13 +01:00
Kaerbr	6ded00aa06	Support Nextcloud / WebDav (#48 ) * add studio-b12/gowebdav to be able to upload to webdav server * make sure all env variables are present for webdav upload * implement file upload to WebDav server directory defaults to the base directory * docs: add the new feature to the documentation * if no WebDav env variable are given throw no error * docs: use more elegant english :D Co-authored-by: Frederik Ring <frederik.ring@gmail.com> * docs: use official spelling of "WebDAV" * perf: golang likes to return early instead of having an else block * use WEBDAV_PATH instead of WEBDAV_DIRECTORY * use split_words for more convenience like shown here: https://github.com/kelseyhightower/envconfig#struct-tag-support * simplify * feat: add pruning of files in WebDAV remote Based on / Inspired by the minio/S3 implementation of pruning remote files. * remove logging from the development * test: first try implementing tests Sandly I have to use the remote pipeline -- local wont work for me. * test: adapt used volume names * test: specify image only once! * test: minio AND webdav data should be present * test: backups on WebDAV remote are laying in the root directory * test: the webdav server stores date in /var/lib/dav * trying with data subfolder * test: 1 container was added so the number raised from 3 to 4 * webdav subfolder is "data" not "backup" * fix: password AND username must be defined not password OR username * improve logging * feat: if the given path on the server isnt preset it will be created * test: add creation of new folder for webdav to tests Co-authored-by: Frederik Ring <frederik.ring@gmail.com>	2022-01-22 13:29:21 +01:00
Hendrik Niefeld	6b79f1914b	Update README.md	2022-01-06 16:09:33 +01:00
Hendrik Niefeld	40ff2e00c9	Update README.md	2022-01-06 16:07:00 +01:00
Frederik Ring	760cc9cebc	Add issue template	2021-12-29 13:10:43 +01:00
Frederik Ring	1f9582df51	Fix handling of empty directories (#44 ) * Add test checking whether empty directories are included in backups * Update targz library to include fix	2021-12-29 10:10:12 +01:00
Frederik Ring	32575c831e	Also expand env vars in pruning prefix if configured	2021-12-23 09:22:56 +01:00
Frederik Ring	c062710ce8	Allow for env substitution in backup filename (#39 )	2021-12-22 14:39:46 +01:00
Frederik Ring	3a7dfe8e60	Add note about double quoting issue in older compose versions	2021-12-18 13:24:14 +01:00
Frederik Ring	9ec33510e7	Extend docs on notifications	2021-12-18 10:31:12 +01:00
Frederik Ring	4207146fb6	Refactor calling of hooks on exit	2021-12-18 10:31:12 +01:00
Frederik Ring	1f727f698f	Run hooks in order of severity	2021-12-18 10:31:12 +01:00
Frederik Ring	88c90a206c	Use int comparison for checking hooks	2021-12-18 10:31:12 +01:00
Frederik Ring	8bad0656b3	Enable notifications on multiple levels	2021-12-18 10:31:12 +01:00
Frederik Ring	08d78a0bd6	allow sending notifications to multiple channels	2021-12-18 10:31:12 +01:00
Frederik Ring	5a6ce81b58	update github.com/otai/copy, use PreserveOwner option	2021-11-29 08:40:55 +01:00
Frederik Ring	dfd0d617e4	install bugfix releases where available	2021-11-28 20:12:23 +01:00
Frederik Ring	7bc5b2ccef	fix minor error scoping mistakes	2021-11-28 20:06:24 +01:00
Frederik Ring	b6ad624115	leverage docker cache for downloading go deps	2021-11-23 08:04:48 +01:00
Frederik Ring	210c7d4540	Reuse hook mechanism for scheduling clean up tasks (#33 ) * reuse hook mechanism for scheduling clean up tasks * register hooks before creating files or dirs * fix logging order * use typed hook levels	2021-11-08 19:10:10 +01:00
Frederik Ring	3c06bf8102	run cli test using BACKUP_FROM_SNAPSHOT	2021-11-08 08:44:59 +01:00
schwannden	411c39ee72	create a snapshot before creating tar archive (#32 ) * create a snapshot before creating tar archive * safeguard snapshot removal and make snapshot optional * fix typo, make sure remove snapshot failure triggers failure hook Co-authored-by: Schwannden Kuo <schwannden@mobagel.com>	2021-11-08 08:39:18 +01:00
Frederik Ring	0c666d0c88	use lstat when checking whether file is a symlink	2021-11-03 18:07:55 +01:00
Frederik Ring	a0402b407d	fix fileinfo mode comparison when checking for symlinks	2021-11-03 18:03:44 +01:00
Frederik Ring	3193e88fc0	os.FileInfo cannot be used for deleting files as it does not contain a full path	2021-11-02 06:40:37 +01:00
Frederik Ring	c391230be6	Merge pull request #31 from offen/exclude-symlink-candidates Exclude symlinks from candidates when pruning local files	2021-10-31 20:07:51 +01:00
Frederik Ring	f946f36fb0	exclude symlinks from candidates when pruning local files Previously, symlinks would be included in the set of candidates, but would be skipped when pruning. This could lead to a wrong number of candidates being printed in the log messages.	2021-10-29 09:00:37 +02:00
Frederik Ring	5245b5882f	update README, save some indentation	2021-10-28 19:55:39 +02:00
schwannden	7f0f173115	adding option to skip tls verification error (#30 ) * adding option to skip tls verification error * merge options * removed merged option from README Co-authored-by: Schwannden Kuo <schwannden@mobagel.com>	2021-10-28 19:51:35 +02:00
Frederik Ring	ad7ec58322	add syntax highlighting	2021-10-23 17:45:57 +02:00
Frederik Ring	b7ab2fbacc	add section about container timezones to the README	2021-10-23 17:44:30 +02:00
Frederik Ring	789fc656e8	Merge pull request #27 from offen/latest-symlink Automatically create symlink to latest local backup if configured	2021-10-01 18:47:16 +02:00
Frederik Ring	c59b40f2df	automatically create symlink to latest local backup if configured	2021-10-01 18:19:24 +02:00
Frederik Ring	cff418e735	fix README grammar	2021-10-01 08:48:20 +02:00
Frederik Ring	d7ccdd79fc	Merge pull request #26 from offen/instance-profile Allow s3 authentication via IAM role	2021-09-30 19:32:54 +02:00
Frederik Ring	bd73a2b5e4	allow s3 authentication via IAM role	2021-09-30 19:24:43 +02:00
Frederik Ring	6cf5cf47e7	Merge pull request #25 from offen/delete-on-failure Ensure script always tries to remove local artifacts even when backup failed	2021-09-13 09:33:12 +02:00
Frederik Ring	53c257065e	ensure script always tries to remove local artifacts even when backup failed	2021-09-12 10:48:19 +02:00
Frederik Ring	184b7a1e18	add docs on one off backups using docker cli	2021-09-11 11:21:48 +02:00
Frederik Ring	69a94f226b	tweak configuration reference for email settings	2021-09-10 11:58:33 +02:00
Frederik Ring	160a47e90b	allow registering hooks at different levels	2021-09-09 16:55:49 +02:00
Frederik Ring	59660ec5c7	include exit log message in notification	2021-09-09 11:08:05 +02:00
Frederik Ring	af3e69b7a8	fix typo in README	2021-09-09 09:19:37 +02:00
Frederik Ring	5d400cb943	Merge pull request #24 from offen/failure-email Enable sending out email notifications on failed backups	2021-09-09 09:10:20 +02:00
Frederik Ring	88368197c1	implement email notifications on failed backup runs	2021-09-09 09:00:23 +02:00
Frederik Ring	e46968ed79	call error hooks on script failure	2021-09-09 08:12:07 +02:00
Frederik Ring	2c06f81503	collect all log output in buffer so it could be used in notifications	2021-09-09 07:24:18 +02:00
		`@@ -0,0 +1,2 @@`
							`BACKUP_FILENAME="conf.tar.gz"`
							`BACKUP_CRON_EXPRESSION="/1 * * *"`
		`@@ -0,0 +1,2 @@`
							`BACKUP_FILENAME="other.tar.gz"`
							`BACKUP_CRON_EXPRESSION="/1 * * *"`
		`@@ -0,0 +1,2 @@`
							`BACKUP_FILENAME="never.tar.gz"`
							`BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"`