Add support for zstd compression (#249)

Co-authored-by: Michal Middleton <jafa81@gmail.com>

.circleci/config.yml

@@ -1,75 +0,0 @@
-version: 2.1
-
-jobs:
-  canary:
-    machine:
-      image: ubuntu-2004:202201-02
-    working_directory: ~/docker-volume-backup
-    resource_class: large
-    steps:
-      - checkout
-      - run:
-          name: Build
-          command: |
-            docker build . -t offen/docker-volume-backup:canary
-      - run:
-          name: Install gnupg
-          command: |
-            sudo apt-get install -y gnupg
-      - run:
-          name: Run tests
-          working_directory: ~/docker-volume-backup/test
-          command: |
-            export GPG_TTY=$(tty)
-            ./test.sh canary
-
-  build:
-    docker:
-      - image: cimg/base:2020.06
-        environment:
-          DOCKER_BUILDKIT: '1'
-          DOCKER_CLI_EXPERIMENTAL: enabled
-    working_directory: ~/docker-volume-backup
-    resource_class: large
-    steps:
-      - checkout
-      - setup_remote_docker:
-          version: 20.10.6
-      - docker/install-docker-credential-helper:
-          release-tag: v0.6.4
-      - docker/configure-docker-credentials-store
-      - run:
-          name: Push to Docker Hub
-          command: |
-            echo "$DOCKER_ACCESSTOKEN" | docker login --username offen --password-stdin
-            # This is required for building ARM: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12406
-            docker run --rm --privileged linuxkit/binfmt:v0.8
-            docker context create docker-volume-backup
-            docker buildx create docker-volume-backup --name docker-volume-backup --use
-            docker buildx inspect --bootstrap
-            tag_args="-t offen/docker-volume-backup:$CIRCLE_TAG"
-            if [[ "$CIRCLE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-              # prerelease tags like `v2.0.0-alpha.1` should not be released as `latest`
-              tag_args="$tag_args -t offen/docker-volume-backup:latest"
-              tag_args="$tag_args -t offen/docker-volume-backup:$(echo "$CIRCLE_TAG" | cut -d. -f1)"
-            fi
-            docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
-               $tag_args . --push
-
-workflows:
-  version: 2
-  docker_image:
-    jobs:
-      - canary:
-          filters:
-            tags:
-              ignore: /^v.*/
-      - build:
-          filters:
-            branches:
-              ignore: /.*/
-            tags:
-              only: /^v.*/
-
-orbs:
-  docker: circleci/docker@2.1.4

.github/ISSUE_TEMPLATE/bug_report.md

@@ -8,7 +8,9 @@ assignees: ''
 ---
 
 **Describe the bug**
+<!--
 A clear and concise description of what the bug is.
+-->
 
 **To Reproduce**
 Steps to reproduce the behavior:
@@ -17,12 +19,16 @@ Steps to reproduce the behavior:
 3. ...
 
 **Expected behavior**
+<!--
 A clear and concise description of what you expected to happen.
+-->
 
-**Desktop (please complete the following information):**
- - Image Version: [e.g. v2.21.0]
- - Docker Version: [e.g. 20.10.17]
- - Docker Compose Version (if applicable): [e.g. 1.29.2]
+**Version (please complete the following information):**
+ - Image Version: <!-- e.g. v2.21.0 -->
+ - Docker Version: <!-- e.g. 20.10.17 -->
+ - Docker Compose Version (if applicable): <!-- e.g. 1.29.2 -->
 
 **Additional context**
+<!--
 Add any other context about the problem here.
+-->

.github/ISSUE_TEMPLATE/feature_request.md

@@ -8,13 +8,21 @@ assignees: ''
 ---
 
 **Is your feature request related to a problem? Please describe.**
+<!--
 A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+-->
 
 **Describe the solution you'd like**
+<!--
 A clear and concise description of what you want to happen.
+-->
 
 **Describe alternatives you've considered**
+<!--
 A clear and concise description of any alternative solutions or features you've considered.
+-->
 
 **Additional context**
+<!--
 Add any other context or screenshots about the feature request here.
+-->

.github/ISSUE_TEMPLATE/support_request.md

@@ -8,13 +8,21 @@ assignees: ''
 ---
 
 **What are you trying to do?**
+<!--
 A clear and concise description of what you are trying to do, but cannot get working.
+-->
 
 **What is your current configuration?**
+<!--
 Add the full configuration you are using. Please redact out any real-world credentials.
+-->
 
 **Log output**
+<!--
 Provide the full log output of your setup.
+-->
 
 **Additional context**
+<!--
 Add any other context or screenshots about the support request here.
+-->

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: weekly
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly

.github/workflows/release.yml

@@ -0,0 +1,59 @@
+name: Release Docker Image
+
+on:
+  push:
+    tags: v**
+
+jobs:
+  push_to_registries:
+    name: Push Docker image to multiple registries
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker tags
+        id: meta
+        run: |
+          version_tag="${{github.ref_name}}"
+          tags=($version_tag)
+          if [[ "$version_tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            # prerelease tags like `v2.0.0-alpha.1` should not be released as `latest` nor `v2`
+            tags+=("latest")
+            tags+=($(echo "$version_tag" | cut -d. -f1))
+          fi
+          releases=""
+          for tag in "${tags[@]}"; do
+            releases="${releases:+$releases,}offen/docker-volume-backup:$tag,ghcr.io/offen/docker-volume-backup:$tag"
+          done
+          echo "releases=$releases" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker images
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          tags: ${{ steps.meta.outputs.releases }}

.github/workflows/test.yml

@@ -0,0 +1,30 @@
+name: Run Integration Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker Image
+        env:
+          DOCKER_BUILDKIT: '1'
+        run: docker build . -t offen/docker-volume-backup:test
+
+      - name: Run Tests
+        working-directory: ./test
+        run: |
+          # Stop the buildx container so the tests can make assertions
+          # about the number of running containers
+          docker rm -f $(docker ps -aq)
+          export GPG_TTY=$(tty)
+          ./test.sh test

Dockerfile

@@ -1,7 +1,7 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
 
-FROM golang:1.19-alpine as builder
+FROM golang:1.21-alpine as builder
 
 WORKDIR /app
 COPY . .
@@ -9,15 +9,13 @@ RUN go mod download
 WORKDIR /app/cmd/backup
 RUN go build -o backup .
 
-FROM alpine:3.16
+FROM alpine:3.18
 
 WORKDIR /root
 
 RUN apk add --no-cache ca-certificates
 
 COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
-
-COPY ./entrypoint.sh /root/
-RUN chmod +x entrypoint.sh
+COPY --chmod=755 ./entrypoint.sh /root/
 
 ENTRYPOINT ["/root/entrypoint.sh"]

README.md

@@ -4,16 +4,17 @@
 
 # docker-volume-backup
 
-Backup Docker volumes locally or to any S3 compatible storage.
+Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage or SSH compatible storage.
 
 The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) sidecar container to an existing Docker setup.
-It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV or SSH compatible storage (or any combination) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
+It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage or SSH compatible storage (or any combination) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
 
 <!-- MarkdownTOC -->
 
 - [Quickstart](#quickstart)
   - [Recurring backups in a compose setup](#recurring-backups-in-a-compose-setup)
   - [One-off backups using Docker CLI](#one-off-backups-using-docker-cli)
+  - [Available image registries](#available-image-registries)
 - [Configuration reference](#configuration-reference)
 - [How to](#how-to)
   - [Stop containers during backup](#stop-containers-during-backup)
@@ -30,15 +31,19 @@ It handles __recurring or one-off backups of Docker volumes__ to a __local direc
   - [Replace deprecated `BACKUP_FROM_SNAPSHOT` usage](#replace-deprecated-backup_from_snapshot-usage)
   - [Replace deprecated `exec-pre` and `exec-post` labels](#replace-deprecated-exec-pre-and-exec-post-labels)
   - [Using a custom Docker host](#using-a-custom-docker-host)
+  - [Use with rootless Docker](#use-with-rootless-docker)
   - [Run multiple backup schedules in the same container](#run-multiple-backup-schedules-in-the-same-container)
   - [Define different retention schedules](#define-different-retention-schedules)
   - [Use special characters in notification URLs](#use-special-characters-in-notification-urls)
+  - [Handle file uploads using third party tools](#handle-file-uploads-using-third-party-tools)
 - [Recipes](#recipes)
   - [Backing up to AWS S3](#backing-up-to-aws-s3)
   - [Backing up to Filebase](#backing-up-to-filebase)
   - [Backing up to MinIO](#backing-up-to-minio)
+  - [Backing up to MinIO \(using Docker secrets\)](#backing-up-to-minio-using-docker-secrets)
   - [Backing up to WebDAV](#backing-up-to-webdav)
   - [Backing up to SSH](#backing-up-to-ssh)
+  - [Backing up to Azure Blob Storage](#backing-up-to-azure-blob-storage)
   - [Backing up locally](#backing-up-locally)
   - [Backing up to AWS S3 as well as locally](#backing-up-to-aws-s3-as-well-as-locally)
   - [Running on a custom cron schedule](#running-on-a-custom-cron-schedule)
@@ -117,6 +122,18 @@ docker run --rm \
 
 Alternatively, pass a `--env-file` in order to use a full config as described below.
 
+### Available image registries
+
+This Docker image is published to both Docker Hub and the GitHub container registry.
+Depending on your preferences and needs, you can reference both `offen/docker-volume-backup` as well as `ghcr.io/offen/docker-volume-backup`:
+
+```
+docker pull offen/docker-volume-backup:v2
+docker pull ghcr.io/offen/docker-volume-backup:v2
+```
+
+Documentation references Docker Hub, but all examples will work using ghcr.io just as well.
+
 ## Configuration reference
 
 Backup targets, schedule and retention are configured in environment variables.
@@ -131,13 +148,22 @@ You can populate below template according to your requirements and use it as you
 
 # BACKUP_CRON_EXPRESSION="0 2 * * *"
 
-# The name of the backup file including the `.tar.gz` extension.
+# The compression algorithm used in conjunction with tar.
+# Valid options are: "gz" (Gzip) and "zst" (Zstd).
+# Note that the selection affects the file extension.
+
+# BACKUP_COMPRESSION="gz"
+
+# The name of the backup file including the extension.
 # Format verbs will be replaced as in `strftime`. Omitting them
 # will result in the same filename for every backup run, which means previous
-# versions will be overwritten on subsequent runs. The default results
-# in filenames like `backup-2021-08-29T04-00-00.tar.gz`.
+# versions will be overwritten on subsequent runs.
+# Extension can be defined literally or via "{{ .Extension }}" template,
+# in which case it will become either "tar.gz" or "tar.zst" (depending
+# on your BACKUP_COMPRESSION setting).
+# The default results in filenames like: `backup-2021-08-29T04-00-00.tar.gz`.
 
-# BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.tar.gz"
+# BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"
 
 # Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
 # placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
@@ -231,11 +257,27 @@ You can populate below template according to your requirements and use it as you
 
 # AWS_ENDPOINT_INSECURE="true"
 
+# If you wish to use self signed certificates your S3 server, you can pass
+# the location of a PEM encoded CA certificate and it will be used for
+# validating your certificates.
+# Alternatively, pass a PEM encoded string containing the certificate.
+
+# AWS_ENDPOINT_CA_CERT="/path/to/cert.pem"
+
 # Setting this variable will change the S3 storage class header.
 # Defaults to "STANDARD", you can set this value according to your needs.
 
 # AWS_STORAGE_CLASS="GLACIER"
 
+# Setting this variable will change the S3 default part size for the copy step.
+# This value is useful when you want to upload large files.
+# NB : While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
+# While Minio uses a hard coded value to 10.000. As a workaround, try to set a higher value.
+# Defaults to "16" (MB) if unset (from minio), you can set this value according to your needs.
+# The unit is in MB and an integer.
+
+# AWS_PART_SIZE=16
+
 # You can also backup files to any WebDAV server:
 
 # The URL of the remote WebDAV server
@@ -295,6 +337,25 @@ You can populate below template according to your requirements and use it as you
 
 # SSH_IDENTITY_PASSPHRASE="pass"
 
+# The credential's account name when using Azure Blob Storage. This has to be
+# set when using Azure Blob Storage.
+
+# AZURE_STORAGE_ACCOUNT_NAME="account-name"
+
+# The credential's primary account key when using Azure Blob Storage. If this
+# is not given, the command tries to fall back to using a managed identity.
+
+# AZURE_STORAGE_PRIMARY_ACCOUNT_KEY="<xxx>"
+
+# The container name when using Azure Blob Storage.
+
+# AZURE_STORAGE_CONTAINER_NAME="container-name"
+
+# The service endpoint when using Azure Blob Storage. This is a template that
+# can be passed the account name as shown in the default value below.
+
+# AZURE_STORAGE_ENDPOINT="https://{{ .AccountName }}.blob.core.windows.net/"
+
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
@@ -381,7 +442,7 @@ You can populate below template according to your requirements and use it as you
 
 # Notifications (email, Slack, etc.) can be sent out when a backup run finishes.
 # Configuration is provided as a comma-separated list of URLs as consumed
-# by `shoutrrr`: https://containrrr.dev/shoutrrr/v0.5/services/overview/
+# by `shoutrrr`: https://containrrr.dev/shoutrrr/0.7/services/overview/
 # The content of such notifications can be customized. Dedicated documentation
 # on how to do this can be found in the README. When providing multiple URLs or
 # an URL that contains a comma, the values can be URL encoded to avoid ambiguities.
@@ -525,7 +586,7 @@ services:
 Notification backends other than email are also supported.
 Refer to the documentation of [shoutrrr][shoutrrr-docs] to find out about options and configuration.
 
-[shoutrrr-docs]: https://containrrr.dev/shoutrrr/v0.5/services/overview/
+[shoutrrr-docs]: https://containrrr.dev/shoutrrr/0.7/services/overview/
 
 ### Customize notifications
 
@@ -614,6 +675,24 @@ volumes:
 The backup procedure is guaranteed to wait for all `pre` or `post` commands to finish before proceeding.
 However there are no guarantees about the order in which they are run, which could also happen concurrently.
 
+By default the backup command is executed by the user provided by the container's image.
+It is possible to specify a custom user that is used to run commands in dedicated labels with the format `docker-volume-backup.[step]-[pre|post].user`:
+
+```yml
+version: '3'
+
+services:
+  gitea:
+    image: gitea/gitea
+    volumes:
+      - backup_data:/tmp
+    labels:
+      - docker-volume-backup.archive-pre.user=git
+      - docker-volume-backup.archive-pre=/bin/bash -c 'cd /tmp; /usr/local/bin/gitea dump -c /data/gitea/conf/app.ini -R -f dump.zip'
+```
+
+Make sure the user exists and is present in `passwd` inside the target container.
+
 ### Encrypting your backup using GPG
 
 The image supports encrypting backups using GPG out of the box.
@@ -753,7 +832,7 @@ services:
       - docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
 
   backup:
-    image: offen/docker-volume-backup:latest
+    image: offen/docker-volume-backup:v2
     environment:
       BACKUP_SOURCES: /tmp/backup
     volumes:
@@ -791,6 +870,23 @@ DOCKER_HOST=tcp://docker_socket_proxy:2375
 
 In case you are using a socket proxy, it must support `GET` and `POST` requests to the `/containers` endpoint. If you are using Docker Swarm, it must also support the `/services` endpoint. If you are using pre/post backup commands, it must also support the `/exec` endpoint.
 
+### Use with rootless Docker
+
+It's also possible to use this image with a [rootless Docker installation][rootless-docker].
+Instead of mounting `/var/run/docker.sock`, mount the user-specific socket into the container:
+
+```yml
+services:
+  backup:
+    image: offen/docker-volume-backup:v2
+    # ... configuration omitted
+    volumes:
+      - backup:/backup:ro
+      - /run/user/1000/docker.sock:/var/run/docker.sock:ro
+```
+
+[rootless-docker]: https://docs.docker.com/engine/security/rootless/
+
 ### Run multiple backup schedules in the same container
 
 Multiple backup schedules with different configuration can be configured by mounting an arbitrary number of configuration files (using the `.env` format) into `/etc/dockervolumebackup/conf.d`:
@@ -841,7 +937,7 @@ BACKUP_SOURCES=/backup/app2_data
 
 If you want to manage backup retention on different schedules, the most straight forward approach is to define a dedicated configuration for retention rule using a different prefix in the `BACKUP_FILENAME` parameter and then run them on different cron schedules.
 
-For example, if you wanted to keep daily backups for 7 days, weekly backups for a month, and retain monthly backups forever, you could create three configuration files and mount them into `/etc/dockervolumebackup.d`:
+For example, if you wanted to keep daily backups for 7 days, weekly backups for a month, and retain monthly backups forever, you could create three configuration files and mount them into `/etc/dockervolumebackup/conf.d`:
 
 ```ini
 # 01daily.conf
@@ -886,6 +982,44 @@ where service is any of the [supported services][shoutrrr-docs], e.g. for SMTP:
 docker run --rm -ti containrrr/shoutrrr generate smtp
 ```
 
+### Handle file uploads using third party tools
+
+If you want to use a non-supported storage backend, or want to use a third party (e.g. rsync, rclone) tool for file uploads, you can build a Docker image containing the required binaries off this one, and call through to these in lifecycle hooks.
+
+For example, if you wanted to use `rsync`, define your Docker image like this:
+
+```Dockerfile
+FROM offen/docker-volume-backup:v2
+
+RUN apk add rsync
+```
+
+Using this image, you can now omit configuring any of the supported storage backends, and instead define your own mechanism in a `docker-volume-backup.copy-post` label:
+
+```yml
+version: '3'
+
+services:
+  backup:
+    image: your-custom-image
+    restart: always
+    environment:
+      BACKUP_FILENAME: "daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
+      BACKUP_CRON_EXPRESSION: "0 2 * * *"
+    labels:
+      - docker-volume-backup.copy-post=/bin/sh -c 'rsync $$COMMAND_RUNTIME_ARCHIVE_FILEPATH /destination'
+    volumes:
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  # other services defined here ...
+volumes:
+  app_data:
+```
+
+
+Commands will be invoked with the filepath of the tar archive passed as `COMMAND_RUNTIME_BACKUP_FILEPATH`.
+
 ## Recipes
 
 This section lists configuration for some real-world use cases that you can mix and match according to your needs.
@@ -1032,6 +1166,27 @@ volumes:
   data:
 ```
 
+### Backing up to Azure Blob Storage
+
+```yml
+version: '3'
+
+services:
+  # ... define other services using the `data` volume here
+  backup:
+    image: offen/docker-volume-backup:v2
+    environment:
+      AZURE_STORAGE_CONTAINER_NAME: backup-container
+      AZURE_STORAGE_ACCOUNT_NAME: account-name
+      AZURE_STORAGE_PRIMARY_ACCOUNT_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
+    volumes:
+      - data:/backup/my-app-backup:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+  data:
+```
+
 ### Backing up locally
 
 ```yml

cmd/backup/archive.go

@@ -15,9 +15,11 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
+
+	"github.com/klauspost/compress/zstd"
 )
 
-func createArchive(files []string, inputFilePath, outputFilePath string) error {
+func createArchive(files []string, inputFilePath, outputFilePath string, compression string) error {
 	inputFilePath = stripTrailingSlashes(inputFilePath)
 	inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
 	if err != nil {
@@ -27,7 +29,7 @@ func createArchive(files []string, inputFilePath, outputFilePath string) error {
 		return fmt.Errorf("createArchive: error creating output file path: %w", err)
 	}
 
-	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath)); err != nil {
+	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath), compression); err != nil {
 		return fmt.Errorf("createArchive: error creating archive: %w", err)
 	}
 
@@ -51,18 +53,30 @@ func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error)
 	return inputFilePath, outputFilePath, err
 }
 
-func compress(paths []string, outFilePath, subPath string) error {
+func compress(paths []string, outFilePath, subPath string, algo string) error {
 	file, err := os.Create(outFilePath)
+	var compressWriter io.WriteCloser
 	if err != nil {
 		return fmt.Errorf("compress: error creating out file: %w", err)
 	}
 
 	prefix := path.Dir(outFilePath)
-	gzipWriter := gzip.NewWriter(file)
-	tarWriter := tar.NewWriter(gzipWriter)
+	switch algo {
+	case "gz":
+		compressWriter = gzip.NewWriter(file)
+	case "zst":
+		compressWriter, err = zstd.NewWriter(file)
+		if err != nil {
+			return fmt.Errorf("compress: zstd error: %w", err)
+		}
+	default:
+		return fmt.Errorf("compress: unsupported compression algorithm: %s", algo)
+	}
+
+	tarWriter := tar.NewWriter(compressWriter)
 
 	for _, p := range paths {
-		if err := writeTarGz(p, tarWriter, prefix); err != nil {
+		if err := writeTarball(p, tarWriter, prefix); err != nil {
 			return fmt.Errorf("compress: error writing %s to archive: %w", p, err)
 		}
 	}
@@ -72,9 +86,9 @@ func compress(paths []string, outFilePath, subPath string) error {
 		return fmt.Errorf("compress: error closing tar writer: %w", err)
 	}
 
-	err = gzipWriter.Close()
+	err = compressWriter.Close()
 	if err != nil {
-		return fmt.Errorf("compress: error closing gzip writer: %w", err)
+		return fmt.Errorf("compress: error closing compression writer: %w", err)
 	}
 
 	err = file.Close()
@@ -85,10 +99,10 @@ func compress(paths []string, outFilePath, subPath string) error {
 	return nil
 }
 
-func writeTarGz(path string, tarWriter *tar.Writer, prefix string) error {
+func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 	fileInfo, err := os.Lstat(path)
 	if err != nil {
-		return fmt.Errorf("writeTarGz: error getting file infor for %s: %w", path, err)
+		return fmt.Errorf("writeTarball: error getting file infor for %s: %w", path, err)
 	}
 
 	if fileInfo.Mode()&os.ModeSocket == os.ModeSocket {
@@ -99,19 +113,19 @@ func writeTarGz(path string, tarWriter *tar.Writer, prefix string) error {
 	if fileInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
 		var err error
 		if link, err = os.Readlink(path); err != nil {
-			return fmt.Errorf("writeTarGz: error resolving symlink %s: %w", path, err)
+			return fmt.Errorf("writeTarball: error resolving symlink %s: %w", path, err)
 		}
 	}
 
 	header, err := tar.FileInfoHeader(fileInfo, link)
 	if err != nil {
-		return fmt.Errorf("writeTarGz: error getting file info header: %w", err)
+		return fmt.Errorf("writeTarball: error getting file info header: %w", err)
 	}
 	header.Name = strings.TrimPrefix(path, prefix)
 
 	err = tarWriter.WriteHeader(header)
 	if err != nil {
-		return fmt.Errorf("writeTarGz: error writing file info header: %w", err)
+		return fmt.Errorf("writeTarball: error writing file info header: %w", err)
 	}
 
 	if !fileInfo.Mode().IsRegular() {
@@ -120,13 +134,13 @@ func writeTarGz(path string, tarWriter *tar.Writer, prefix string) error {
 
 	file, err := os.Open(path)
 	if err != nil {
-		return fmt.Errorf("writeTarGz: error opening %s: %w", path, err)
+		return fmt.Errorf("writeTarball: error opening %s: %w", path, err)
 	}
 	defer file.Close()
 
 	_, err = io.Copy(tarWriter, file)
 	if err != nil {
-		return fmt.Errorf("writeTarGz: error copying %s to tar writer: %w", path, err)
+		return fmt.Errorf("writeTarball: error copying %s to tar writer: %w", path, err)
 	}
 
 	return nil

cmd/backup/config.go

@@ -4,7 +4,10 @@
 package main
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"regexp"
 	"time"
@@ -18,14 +21,17 @@ type Config struct {
 	AwsEndpoint                   string          `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto              string          `split_words:"true" default:"https"`
 	AwsEndpointInsecure           bool            `split_words:"true"`
+	AwsEndpointCACert             CertDecoder     `envconfig:"AWS_ENDPOINT_CA_CERT"`
 	AwsStorageClass               string          `split_words:"true"`
 	AwsAccessKeyID                string          `envconfig:"AWS_ACCESS_KEY_ID"`
 	AwsAccessKeyIDFile            string          `envconfig:"AWS_ACCESS_KEY_ID_FILE"`
 	AwsSecretAccessKey            string          `split_words:"true"`
 	AwsSecretAccessKeyFile        string          `split_words:"true"`
 	AwsIamRoleEndpoint            string          `split_words:"true"`
+	AwsPartSize                   int64           `split_words:"true"`
+	BackupCompression             CompressionType `split_words:"true" default:"gz"`
 	BackupSources                 string          `split_words:"true" default:"/backup"`
-	BackupFilename             string        `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
+	BackupFilename                string          `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"`
 	BackupFilenameExpand          bool            `split_words:"true"`
 	BackupLatestSymlink           string          `split_words:"true"`
 	BackupArchive                 string          `split_words:"true" default:"/archive"`
@@ -59,6 +65,11 @@ type Config struct {
 	ExecLabel                     string          `split_words:"true"`
 	ExecForwardOutput             bool            `split_words:"true"`
 	LockTimeout                   time.Duration   `split_words:"true" default:"60m"`
+	AzureStorageAccountName       string          `split_words:"true"`
+	AzureStoragePrimaryAccountKey string          `split_words:"true"`
+	AzureStorageContainerName     string          `split_words:"true"`
+	AzureStoragePath              string          `split_words:"true"`
+	AzureStorageEndpoint          string          `split_words:"true" default:"https://{{ .AccountName }}.blob.core.windows.net/"`
 }
 
 func (c *Config) resolveSecret(envVar string, secretPath string) (string, error) {
@@ -72,6 +83,43 @@ func (c *Config) resolveSecret(envVar string, secretPath string) (string, error)
 	return string(data), nil
 }
 
+type CompressionType string
+
+func (c *CompressionType) Decode(v string) error {
+	switch v {
+	case "gz", "zst":
+		*c = CompressionType(v)
+		return nil
+	default:
+		return fmt.Errorf("config: error decoding compression type %s", v)
+	}
+}
+
+func (c *CompressionType) String() string {
+	return string(*c)
+}
+
+type CertDecoder struct {
+	Cert *x509.Certificate
+}
+
+func (c *CertDecoder) Decode(v string) error {
+	if v == "" {
+		return nil
+	}
+	content, err := ioutil.ReadFile(v)
+	if err != nil {
+		content = []byte(v)
+	}
+	block, _ := pem.Decode(content)
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("config: error parsing certificate: %w", err)
+	}
+	*c = CertDecoder{Cert: cert}
+	return nil
+}
+
 type RegexpDecoder struct {
 	Re *regexp.Regexp
 }

cmd/backup/exec.go

@@ -21,12 +21,17 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
-func (s *script) exec(containerRef string, command string) ([]byte, []byte, error) {
+func (s *script) exec(containerRef string, command string, user string) ([]byte, []byte, error) {
 	args, _ := argv.Argv(command, nil, nil)
+	commandEnv := []string{
+		fmt.Sprintf("COMMAND_RUNTIME_ARCHIVE_FILEPATH=%s", s.file),
+	}
 	execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, types.ExecConfig{
 		Cmd:          args[0],
 		AttachStdin:  true,
 		AttachStderr: true,
+		Env:          commandEnv,
+		User:         user,
 	})
 	if err != nil {
 		return nil, nil, fmt.Errorf("exec: error creating container exec: %w", err)
@@ -86,7 +91,6 @@ func (s *script) runLabeledCommands(label string) error {
 		})
 	}
 	containersWithCommand, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
-		Quiet:   true,
 		Filters: filters.NewArgs(f...),
 	})
 	if err != nil {
@@ -100,7 +104,6 @@ func (s *script) runLabeledCommands(label string) error {
 			Value: "docker-volume-backup.exec-pre",
 		}
 		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
-			Quiet:   true,
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
@@ -118,7 +121,6 @@ func (s *script) runLabeledCommands(label string) error {
 			Value: "docker-volume-backup.exec-post",
 		}
 		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
-			Quiet:   true,
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
@@ -155,8 +157,11 @@ func (s *script) runLabeledCommands(label string) error {
 				cmd, _ = c.Labels["docker-volume-backup.exec-post"]
 			}
 
-			s.logger.Infof("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/"))
-			stdout, stderr, err := s.exec(c.ID, cmd)
+			userLabelName := fmt.Sprintf("%s.user", label)
+			user := c.Labels[userLabelName]
+
+			s.logger.Info(fmt.Sprintf("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/")))
+			stdout, stderr, err := s.exec(c.ID, cmd, user)
 			if s.c.ExecForwardOutput {
 				os.Stderr.Write(stderr)
 				os.Stdout.Write(stdout)

cmd/backup/hooks.go

@@ -4,10 +4,9 @@
 package main
 
 import (
+	"errors"
 	"fmt"
 	"sort"
-
-	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 
 // hook contains a queued action that can be trigger them when the script
@@ -52,7 +51,7 @@ func (s *script) runHooks(err error) error {
 		}
 	}
 	if len(actionErrors) != 0 {
-		return utilities.Join(actionErrors...)
+		return errors.Join(actionErrors...)
 	}
 	return nil
 }

cmd/backup/lock.go

@@ -41,9 +41,11 @@ func (s *script) lock(lockfile string) (func() error, error) {
 		}
 
 		if !s.encounteredLock {
-			s.logger.Infof(
+			s.logger.Info(
+				fmt.Sprintf(
 					"Exclusive lock was not available on first attempt. Will retry until it becomes available or the timeout of %s is exceeded.",
 					s.c.LockTimeout,
+				),
 			)
 			s.encounteredLock = true
 		}

cmd/backup/main.go

@@ -4,6 +4,7 @@
 package main
 
 import (
+	"fmt"
 	"os"
 )
 
@@ -21,7 +22,9 @@ func main() {
 		if pArg := recover(); pArg != nil {
 			if err, ok := pArg.(error); ok {
 				if hookErr := s.runHooks(err); hookErr != nil {
-					s.logger.Errorf("An error occurred calling the registered hooks: %s", hookErr)
+					s.logger.Error(
+						fmt.Sprintf("An error occurred calling the registered hooks: %s", hookErr),
+					)
 				}
 				os.Exit(1)
 			}
@@ -29,9 +32,12 @@ func main() {
 		}
 
 		if err := s.runHooks(nil); err != nil {
-			s.logger.Errorf(
+			s.logger.Error(
+				fmt.Sprintf(
+
 					"Backup procedure ran successfully, but an error ocurred calling the registered hooks: %v",
 					err,
+				),
 			)
 			os.Exit(1)
 		}

cmd/backup/notifications.go

@@ -6,13 +6,13 @@ package main
 import (
 	"bytes"
 	_ "embed"
+	"errors"
 	"fmt"
 	"os"
 	"text/template"
 	"time"
 
 	sTypes "github.com/containrrr/shoutrrr/pkg/types"
-	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 
 //go:embed notifications.tmpl
@@ -69,7 +69,7 @@ func (s *script) sendNotification(title, body string) error {
 		}
 	}
 	if len(errs) != 0 {
-		return fmt.Errorf("sendNotification: error sending message: %w", utilities.Join(errs...))
+		return fmt.Errorf("sendNotification: error sending message: %w", errors.Join(errs...))
 	}
 	return nil
 }

cmd/backup/script.go

@@ -4,10 +4,13 @@
 package main
 
 import (
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
+	"log/slog"
 	"os"
 	"path"
 	"path/filepath"
@@ -15,22 +18,22 @@ import (
 	"time"
 
 	"github.com/offen/docker-volume-backup/internal/storage"
+	"github.com/offen/docker-volume-backup/internal/storage/azure"
 	"github.com/offen/docker-volume-backup/internal/storage/local"
 	"github.com/offen/docker-volume-backup/internal/storage/s3"
 	"github.com/offen/docker-volume-backup/internal/storage/ssh"
 	"github.com/offen/docker-volume-backup/internal/storage/webdav"
-	"github.com/offen/docker-volume-backup/internal/utilities"
 
 	"github.com/containrrr/shoutrrr"
 	"github.com/containrrr/shoutrrr/pkg/router"
 	"github.com/docker/docker/api/types"
+	ctr "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
 	"github.com/kelseyhightower/envconfig"
 	"github.com/leekchan/timeutil"
 	"github.com/otiai10/copy"
-	"github.com/sirupsen/logrus"
 	"golang.org/x/crypto/openpgp"
 	"golang.org/x/sync/errgroup"
 )
@@ -40,7 +43,7 @@ import (
 type script struct {
 	cli       *client.Client
 	storages  []storage.Backend
-	logger    *logrus.Logger
+	logger    *slog.Logger
 	sender    *router.ServiceRouter
 	template  *template.Template
 	hooks     []hook
@@ -62,12 +65,7 @@ func newScript() (*script, error) {
 	stdOut, logBuffer := buffer(os.Stdout)
 	s := &script{
 		c:      &Config{},
-		logger: &logrus.Logger{
-			Out:       stdOut,
-			Formatter: new(logrus.TextFormatter),
-			Hooks:     make(logrus.LevelHooks),
-			Level:     logrus.InfoLevel,
-		},
+		logger: slog.New(slog.NewTextHandler(stdOut, nil)),
 		stats: &Stats{
 			StartTime: time.Now(),
 			LogOutput: logBuffer,
@@ -76,6 +74,7 @@ func newScript() (*script, error) {
 				"WebDAV": {},
 				"SSH":    {},
 				"Local":  {},
+				"Azure":  {},
 			},
 		},
 	}
@@ -91,6 +90,20 @@ func newScript() (*script, error) {
 	}
 
 	s.file = path.Join("/tmp", s.c.BackupFilename)
+
+	tmplFileName, tErr := template.New("extension").Parse(s.file)
+	if tErr != nil {
+		return nil, fmt.Errorf("newScript: unable to parse backup file extension template: %w", tErr)
+	}
+
+	var bf bytes.Buffer
+	if tErr := tmplFileName.Execute(&bf, map[string]string{
+		"Extension": fmt.Sprintf("tar.%s", s.c.BackupCompression),
+	}); tErr != nil {
+		return nil, fmt.Errorf("newScript: error executing backup file extension template: %w", tErr)
+	}
+	s.file = bf.String()
+
 	if s.c.BackupFilenameExpand {
 		s.file = os.ExpandEnv(s.file)
 		s.c.BackupLatestSymlink = os.ExpandEnv(s.c.BackupLatestSymlink)
@@ -108,15 +121,15 @@ func newScript() (*script, error) {
 		s.cli = cli
 	}
 
-	logFunc := func(logType storage.LogLevel, context string, msg string, params ...interface{}) {
+	logFunc := func(logType storage.LogLevel, context string, msg string, params ...any) {
 		switch logType {
 		case storage.LogLevelWarning:
-			s.logger.Warnf("["+context+"] "+msg, params...)
+			s.logger.Warn(fmt.Sprintf("["+context+"] "+msg, params...))
 		case storage.LogLevelError:
-			s.logger.Errorf("["+context+"] "+msg, params...)
+			s.logger.Error(fmt.Sprintf("["+context+"] "+msg, params...))
 		case storage.LogLevelInfo:
 		default:
-			s.logger.Infof("["+context+"] "+msg, params...)
+			s.logger.Info(fmt.Sprintf("["+context+"] "+msg, params...))
 		}
 	}
 
@@ -139,6 +152,8 @@ func newScript() (*script, error) {
 			RemotePath:       s.c.AwsS3Path,
 			BucketName:       s.c.AwsS3BucketName,
 			StorageClass:     s.c.AwsStorageClass,
+			CACert:           s.c.AwsEndpointCACert.Cert,
+			PartSize:         s.c.AwsPartSize,
 		}
 		if s3Backend, err := s3.NewStorageBackend(s3Config, logFunc); err != nil {
 			return nil, err
@@ -188,6 +203,21 @@ func newScript() (*script, error) {
 		s.storages = append(s.storages, localBackend)
 	}
 
+	if s.c.AzureStorageAccountName != "" {
+		azureConfig := azure.Config{
+			ContainerName:     s.c.AzureStorageContainerName,
+			AccountName:       s.c.AzureStorageAccountName,
+			PrimaryAccountKey: s.c.AzureStoragePrimaryAccountKey,
+			Endpoint:          s.c.AzureStorageEndpoint,
+			RemotePath:        s.c.AzureStoragePath,
+		}
+		azureBackend, err := azure.NewStorageBackend(azureConfig, logFunc)
+		if err != nil {
+			return nil, err
+		}
+		s.storages = append(s.storages, azureBackend)
+	}
+
 	if s.c.EmailNotificationRecipient != "" {
 		emailURL := fmt.Sprintf(
 			"smtp://%s:%s@%s:%d/?from=%s&to=%s",
@@ -262,9 +292,7 @@ func (s *script) stopContainers() (func() error, error) {
 		return noop, nil
 	}
 
-	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
-		Quiet: true,
-	})
+	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{})
 	if err != nil {
 		return noop, fmt.Errorf("stopContainers: error querying for containers: %w", err)
 	}
@@ -274,7 +302,6 @@ func (s *script) stopContainers() (func() error, error) {
 		s.c.BackupStopContainerLabel,
 	)
 	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
-		Quiet: true,
 		Filters: filters.NewArgs(filters.KeyValuePair{
 			Key:   "label",
 			Value: containerLabel,
@@ -289,17 +316,19 @@ func (s *script) stopContainers() (func() error, error) {
 		return noop, nil
 	}
 
-	s.logger.Infof(
+	s.logger.Info(
+		fmt.Sprintf(
 			"Stopping %d container(s) labeled `%s` out of %d running container(s).",
 			len(containersToStop),
 			containerLabel,
 			len(allContainers),
+		),
 	)
 
 	var stoppedContainers []types.Container
 	var stopErrors []error
 	for _, container := range containersToStop {
-		if err := s.cli.ContainerStop(context.Background(), container.ID, nil); err != nil {
+		if err := s.cli.ContainerStop(context.Background(), container.ID, ctr.StopOptions{}); err != nil {
 			stopErrors = append(stopErrors, err)
 		} else {
 			stoppedContainers = append(stoppedContainers, container)
@@ -311,7 +340,7 @@ func (s *script) stopContainers() (func() error, error) {
 		stopError = fmt.Errorf(
 			"stopContainers: %d error(s) stopping containers: %w",
 			len(stopErrors),
-			utilities.Join(stopErrors...),
+			errors.Join(stopErrors...),
 		)
 	}
 
@@ -348,7 +377,7 @@ func (s *script) stopContainers() (func() error, error) {
 				if serviceMatch.ID == "" {
 					return fmt.Errorf("stopContainers: couldn't find service with name %s", serviceName)
 				}
-				serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
+				serviceMatch.Spec.TaskTemplate.ForceUpdate += 1
 				if _, err := s.cli.ServiceUpdate(
 					context.Background(), serviceMatch.ID,
 					serviceMatch.Version, serviceMatch.Spec, types.ServiceUpdateOptions{},
@@ -362,12 +391,14 @@ func (s *script) stopContainers() (func() error, error) {
 			return fmt.Errorf(
 				"stopContainers: %d error(s) restarting containers and services: %w",
 				len(restartErrors),
-				utilities.Join(restartErrors...),
+				errors.Join(restartErrors...),
 			)
 		}
-		s.logger.Infof(
+		s.logger.Info(
+			fmt.Sprintf(
 				"Restarted %d container(s) and the matching service(s).",
 				len(stoppedContainers),
+			),
 		)
 		return nil
 	}, stopError
@@ -391,7 +422,9 @@ func (s *script) createArchive() error {
 			if err := remove(backupSources); err != nil {
 				return fmt.Errorf("createArchive: error removing snapshot: %w", err)
 			}
-			s.logger.Infof("Removed snapshot `%s`.", backupSources)
+			s.logger.Info(
+				fmt.Sprintf("Removed snapshot `%s`.", backupSources),
+			)
 			return nil
 		})
 		if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
@@ -400,7 +433,9 @@ func (s *script) createArchive() error {
 		}); err != nil {
 			return fmt.Errorf("createArchive: error creating snapshot: %w", err)
 		}
-		s.logger.Infof("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources)
+		s.logger.Info(
+			fmt.Sprintf("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources),
+		)
 	}
 
 	tarFile := s.file
@@ -408,7 +443,9 @@ func (s *script) createArchive() error {
 		if err := remove(tarFile); err != nil {
 			return fmt.Errorf("createArchive: error removing tar file: %w", err)
 		}
-		s.logger.Infof("Removed tar file `%s`.", tarFile)
+		s.logger.Info(
+			fmt.Sprintf("Removed tar file `%s`.", tarFile),
+		)
 		return nil
 	})
 
@@ -432,11 +469,13 @@ func (s *script) createArchive() error {
 		return fmt.Errorf("createArchive: error walking filesystem tree: %w", err)
 	}
 
-	if err := createArchive(filesEligibleForBackup, backupSources, tarFile); err != nil {
+	if err := createArchive(filesEligibleForBackup, backupSources, tarFile, s.c.BackupCompression.String()); err != nil {
 		return fmt.Errorf("createArchive: error compressing backup folder: %w", err)
 	}
 
-	s.logger.Infof("Created backup of `%s` at `%s`.", backupSources, tarFile)
+	s.logger.Info(
+		fmt.Sprintf("Created backup of `%s` at `%s`.", backupSources, tarFile),
+	)
 	return nil
 }
 
@@ -453,7 +492,9 @@ func (s *script) encryptArchive() error {
 		if err := remove(gpgFile); err != nil {
 			return fmt.Errorf("encryptArchive: error removing gpg file: %w", err)
 		}
-		s.logger.Infof("Removed GPG file `%s`.", gpgFile)
+		s.logger.Info(
+			fmt.Sprintf("Removed GPG file `%s`.", gpgFile),
+		)
 		return nil
 	})
 
@@ -483,7 +524,9 @@ func (s *script) encryptArchive() error {
 	}
 
 	s.file = gpgFile
-	s.logger.Infof("Encrypted backup using given passphrase, saving as `%s`.", s.file)
+	s.logger.Info(
+		fmt.Sprintf("Encrypted backup using given passphrase, saving as `%s`.", s.file),
+	)
 	return nil
 }
 
@@ -555,7 +598,9 @@ func (s *script) pruneBackups() error {
 // is non-nil.
 func (s *script) must(err error) {
 	if err != nil {
-		s.logger.Errorf("Fatal error running backup: %s", err)
+		s.logger.Error(
+			fmt.Sprintf("Fatal error running backup: %s", err),
+		)
 		panic(err)
 	}
 }

docs/NOTIFICATION-TEMPLATES.md

@@ -25,7 +25,7 @@ Here is a list of all data passed to the template:
     * `FullPath`: full path of the backup file (e.g. `/archive/backup-2022-02-11T01-00-00.tar.gz`)
     * `Size`: size in bytes of the backup file
   * `Storages`: object that holds stats about each storage
-    * `Local`, `S3`, `WebDAV` or `SSH`:
+    * `Local`, `S3`, `WebDAV`, `Azure` or `SSH`:
       * `Total`: total number of backup files
       * `Pruned`: number of backup files that were deleted due to pruning rule
       * `PruneErrors`: number of backup files that were unable to be pruned

go.mod

@@ -1,67 +1,61 @@
 module github.com/offen/docker-volume-backup
 
-go 1.19
+go 1.21
 
 require (
-	github.com/containrrr/shoutrrr v0.5.2
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0
+	github.com/containrrr/shoutrrr v0.7.1
 	github.com/cosiner/argv v0.1.0
-	github.com/docker/docker v20.10.11+incompatible
+	github.com/docker/docker v24.0.5+incompatible
 	github.com/gofrs/flock v0.8.1
 	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/klauspost/compress v1.16.7
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/minio/minio-go/v7 v7.0.16
-	github.com/otiai10/copy v1.7.0
-	github.com/pkg/sftp v1.13.5
-	github.com/sirupsen/logrus v1.8.1
-	github.com/studio-b12/gowebdav v0.0.0-20220128162035-c7b1ff8a5e62
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	github.com/minio/minio-go/v7 v7.0.61
+	github.com/otiai10/copy v1.11.0
+	github.com/pkg/sftp v1.13.6
+	github.com/studio-b12/gowebdav v0.9.0
+	golang.org/x/crypto v0.11.0
+	golang.org/x/sync v0.3.0
 )
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/containerd/containerd v1.6.6 // indirect
-	github.com/docker/distribution v2.7.1+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
-	github.com/dustin/go-humanize v1.0.0 // indirect
-	github.com/fatih/color v1.10.0 // indirect
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/fatih/color v1.13.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/gorilla/mux v1.7.3 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.15.6 // indirect
-	github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/mattn/go-colorable v0.1.8 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/sha256-simd v1.0.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
-	github.com/nxadm/tail v1.4.6 // indirect
-	github.com/onsi/ginkgo v1.14.2 // indirect
-	github.com/onsi/gomega v1.10.3 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rs/xid v1.3.0 // indirect
-	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/genproto v0.0.0-20220602131408-e326c6e8e9c8 // indirect
-	google.golang.org/grpc v1.47.0 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
+	github.com/rs/xid v1.5.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/ini.v1 v1.65.0 // indirect
-	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gotest.tools/v3 v3.0.3 // indirect
 )

internal/storage/azure/azure.go

@@ -0,0 +1,160 @@
+// Copyright 2022 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package azure
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"text/template"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
+	"github.com/offen/docker-volume-backup/internal/storage"
+)
+
+type azureBlobStorage struct {
+	*storage.StorageBackend
+	client        *azblob.Client
+	containerName string
+}
+
+// Config contains values that define the configuration of an Azure Blob Storage.
+type Config struct {
+	AccountName       string
+	ContainerName     string
+	PrimaryAccountKey string
+	Endpoint          string
+	RemotePath        string
+}
+
+// NewStorageBackend creates and initializes a new Azure Blob Storage backend.
+func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
+	endpointTemplate, err := template.New("endpoint").Parse(opts.Endpoint)
+	if err != nil {
+		return nil, fmt.Errorf("NewStorageBackend: error parsing endpoint template: %w", err)
+	}
+	var ep bytes.Buffer
+	if err := endpointTemplate.Execute(&ep, opts); err != nil {
+		return nil, fmt.Errorf("NewStorageBackend: error executing endpoint template: %w", err)
+	}
+	normalizedEndpoint := fmt.Sprintf("%s/", strings.TrimSuffix(ep.String(), "/"))
+
+	var client *azblob.Client
+	if opts.PrimaryAccountKey != "" {
+		cred, err := azblob.NewSharedKeyCredential(opts.AccountName, opts.PrimaryAccountKey)
+		if err != nil {
+			return nil, fmt.Errorf("NewStorageBackend: error creating shared key Azure credential: %w", err)
+		}
+
+		client, err = azblob.NewClientWithSharedKeyCredential(normalizedEndpoint, cred, nil)
+		if err != nil {
+			return nil, fmt.Errorf("NewStorageBackend: error creating Azure client: %w", err)
+		}
+	} else {
+		cred, err := azidentity.NewManagedIdentityCredential(nil)
+		if err != nil {
+			return nil, fmt.Errorf("NewStorageBackend: error creating managed identity credential: %w", err)
+		}
+		client, err = azblob.NewClient(normalizedEndpoint, cred, nil)
+		if err != nil {
+			return nil, fmt.Errorf("NewStorageBackend: error creating Azure client: %w", err)
+		}
+	}
+
+	storage := azureBlobStorage{
+		client:        client,
+		containerName: opts.ContainerName,
+		StorageBackend: &storage.StorageBackend{
+			DestinationPath: opts.RemotePath,
+			Log:             logFunc,
+		},
+	}
+	return &storage, nil
+}
+
+// Name returns the name of the storage backend
+func (b *azureBlobStorage) Name() string {
+	return "Azure"
+}
+
+// Copy copies the given file to the storage backend.
+func (b *azureBlobStorage) Copy(file string) error {
+	fileReader, err := os.Open(file)
+	if err != nil {
+		return fmt.Errorf("(*azureBlobStorage).Copy: error opening file %s: %w", file, err)
+	}
+	_, err = b.client.UploadStream(
+		context.Background(),
+		b.containerName,
+		filepath.Join(b.DestinationPath, filepath.Base(file)),
+		fileReader,
+		nil,
+	)
+	if err != nil {
+		return fmt.Errorf("(*azureBlobStorage).Copy: error uploading file %s: %w", file, err)
+	}
+	return nil
+}
+
+// Prune rotates away backups according to the configuration and provided
+// deadline for the Azure Blob storage backend.
+func (b *azureBlobStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
+	lookupPrefix := filepath.Join(b.DestinationPath, pruningPrefix)
+	pager := b.client.NewListBlobsFlatPager(b.containerName, &container.ListBlobsFlatOptions{
+		Prefix: &lookupPrefix,
+	})
+	var matches []string
+	var totalCount uint
+	for pager.More() {
+		resp, err := pager.NextPage(context.Background())
+		if err != nil {
+			return nil, fmt.Errorf("(*azureBlobStorage).Prune: error paging over blobs: %w", err)
+		}
+		for _, v := range resp.Segment.BlobItems {
+			totalCount++
+			if v.Properties.LastModified.Before(deadline) {
+				matches = append(matches, *v.Name)
+			}
+		}
+	}
+
+	stats := storage.PruneStats{
+		Total:  totalCount,
+		Pruned: uint(len(matches)),
+	}
+
+	if err := b.DoPrune(b.Name(), len(matches), int(totalCount), "Azure Blob Storage backup(s)", func() error {
+		wg := sync.WaitGroup{}
+		wg.Add(len(matches))
+		var errs []error
+
+		for _, match := range matches {
+			name := match
+			go func() {
+				_, err := b.client.DeleteBlob(context.Background(), b.containerName, name, nil)
+				if err != nil {
+					errs = append(errs, err)
+				}
+				wg.Done()
+			}()
+		}
+		wg.Wait()
+		if len(errs) != 0 {
+			return errors.Join(errs...)
+		}
+		return nil
+	}); err != nil {
+		return &stats, err
+	}
+
+	return &stats, nil
+}

internal/storage/local/local.go

@@ -4,6 +4,7 @@
 package local
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -12,7 +13,6 @@ import (
 	"time"
 
 	"github.com/offen/docker-volume-backup/internal/storage"
-	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 
 type localStorage struct {
@@ -127,7 +127,7 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 			return fmt.Errorf(
 				"(*localStorage).Prune: %d error(s) deleting local files, starting with: %w",
 				len(removeErrors),
-				utilities.Join(removeErrors...),
+				errors.Join(removeErrors...),
 			)
 		}
 		return nil

internal/storage/s3/s3.go

@@ -5,8 +5,10 @@ package s3
 
 import (
 	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"os"
 	"path"
 	"path/filepath"
 	"time"
@@ -14,7 +16,6 @@ import (
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 	"github.com/offen/docker-volume-backup/internal/storage"
-	"github.com/offen/docker-volume-backup/internal/utilities"
 )
 
 type s3Storage struct {
@@ -22,6 +23,7 @@ type s3Storage struct {
 	client       *minio.Client
 	bucket       string
 	storageClass string
+	partSize     int64
 }
 
 // Config contains values that define the configuration of a S3 backend.
@@ -35,11 +37,12 @@ type Config struct {
 	RemotePath       string
 	BucketName       string
 	StorageClass     string
+	PartSize         int64
+	CACert           *x509.Certificate
 }
 
 // NewStorageBackend creates and initializes a new S3/Minio storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
-
 	var creds *credentials.Credentials
 	if opts.AccessKeyID != "" && opts.SecretAccessKey != "" {
 		creds = credentials.NewStaticV4(
@@ -58,18 +61,23 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 		Secure: opts.EndpointProto == "https",
 	}
 
-	if opts.EndpointInsecure {
-		if !options.Secure {
-			return nil, errors.New("NewStorageBackend: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
-		}
-
 	transport, err := minio.DefaultTransport(true)
 	if err != nil {
 		return nil, fmt.Errorf("NewStorageBackend: failed to create default minio transport: %w", err)
 	}
-		transport.TLSClientConfig.InsecureSkipVerify = true
-		options.Transport = transport
+
+	if opts.EndpointInsecure {
+		if !options.Secure {
+			return nil, errors.New("NewStorageBackend: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 		}
+		transport.TLSClientConfig.InsecureSkipVerify = true
+	} else if opts.CACert != nil {
+		if transport.TLSClientConfig.RootCAs == nil {
+			transport.TLSClientConfig.RootCAs = x509.NewCertPool()
+		}
+		transport.TLSClientConfig.RootCAs.AddCert(opts.CACert)
+	}
+	options.Transport = transport
 
 	mc, err := minio.New(opts.Endpoint, &options)
 	if err != nil {
@@ -84,6 +92,7 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 		client:       mc,
 		bucket:       opts.BucketName,
 		storageClass: opts.StorageClass,
+		partSize:     opts.PartSize,
 	}, nil
 }
 
@@ -95,16 +104,32 @@ func (v *s3Storage) Name() string {
 // Copy copies the given file to the S3/Minio storage backend.
 func (b *s3Storage) Copy(file string) error {
 	_, name := path.Split(file)
-
-	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, minio.PutObjectOptions{
+	putObjectOptions := minio.PutObjectOptions{
 		ContentType:  "application/tar+gzip",
 		StorageClass: b.storageClass,
-	}); err != nil {
+	}
+
+	if b.partSize > 0 {
+		srcFileInfo, err := os.Stat(file)
+		if err != nil {
+			return fmt.Errorf("(*s3Storage).Copy: error reading the local file: %w", err)
+		}
+
+		_, partSize, _, err := minio.OptimalPartInfo(srcFileInfo.Size(), uint64(b.partSize*1024*1024))
+		if err != nil {
+			return fmt.Errorf("(*s3Storage).Copy: error computing the optimal s3 part size: %w", err)
+		}
+
+		putObjectOptions.PartSize = uint64(partSize)
+	}
+
+	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
 		if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
 			return fmt.Errorf("(*s3Storage).Copy: error uploading backup to remote storage: [Message]: '%s', [Code]: %s, [StatusCode]: %d", errResp.Message, errResp.Code, errResp.StatusCode)
 		}
 		return fmt.Errorf("(*s3Storage).Copy: error uploading backup to remote storage: %w", err)
 	}
+
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to bucket `%s`.", file, b.bucket)
 
 	return nil
@@ -153,7 +178,7 @@ func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.Pr
 			}
 		}
 		if len(removeErrors) != 0 {
-			return utilities.Join(removeErrors...)
+			return errors.Join(removeErrors...)
 		}
 		return nil
 	}); err != nil {

internal/storage/storage.go

@@ -29,7 +29,7 @@ const (
 	LogLevelError
 )
 
-type Log func(logType LogLevel, context string, msg string, params ...interface{})
+type Log func(logType LogLevel, context string, msg string, params ...any)
 
 // PruneStats is a wrapper struct for returning stats after pruning
 type PruneStats struct {

internal/storage/webdav/webdav.go

@@ -67,15 +67,17 @@ func (b *webDavStorage) Name() string {
 
 // Copy copies the given file to the WebDav storage backend.
 func (b *webDavStorage) Copy(file string) error {
-	bytes, err := os.ReadFile(file)
 	_, name := path.Split(file)
-	if err != nil {
-		return fmt.Errorf("(*webDavStorage).Copy: Error reading the file to be uploaded: %w", err)
-	}
 	if err := b.client.MkdirAll(b.DestinationPath, 0644); err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: Error creating directory '%s' on WebDAV server: %w", b.DestinationPath, err)
 	}
-	if err := b.client.Write(filepath.Join(b.DestinationPath, name), bytes, 0644); err != nil {
+
+	r, err := os.Open(file)
+	if err != nil {
+		return fmt.Errorf("(*webDavStorage).Copy: Error opening the file to be uploaded: %w", err)
+	}
+
+	if err := b.client.WriteStream(filepath.Join(b.DestinationPath, name), r, 0644); err != nil {
 		return fmt.Errorf("(*webDavStorage).Copy: Error uploading the file to WebDAV server: %w", err)
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to WebDAV URL '%s' at path '%s'.", file, b.url, b.DestinationPath)

internal/utilities/util.go

@@ -1,24 +0,0 @@
-// Copyright 2022 - Offen Authors <hioffen@posteo.de>
-// SPDX-License-Identifier: MPL-2.0
-
-package utilities
-
-import (
-	"errors"
-	"strings"
-)
-
-// Join takes a list of errors and joins them into a single error
-func Join(errs ...error) error {
-	if len(errs) == 1 {
-		return errs[0]
-	}
-	var msgs []string
-	for _, err := range errs {
-		if err == nil {
-			continue
-		}
-		msgs = append(msgs, err.Error())
-	}
-	return errors.New("[" + strings.Join(msgs, ", ") + "]")
-}

test/azure/docker-compose.yml

@@ -0,0 +1,58 @@
+version: '3'
+
+services:
+  storage:
+    image: mcr.microsoft.com/azure-storage/azurite
+    volumes:
+      - azurite_backup_data:/data
+    command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000 --location /data
+    healthcheck:
+        test: nc 127.0.0.1 10000 -z
+        interval: 1s
+        retries: 30
+
+  az_cli:
+    image: mcr.microsoft.com/azure-cli
+    volumes:
+      - ./local:/dump
+    command:
+      - /bin/sh
+      - -c
+      - |
+          az storage container create --name test-container
+    depends_on:
+      storage:
+        condition: service_healthy
+    environment:
+      AZURE_STORAGE_CONNECTION_STRING: DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage:10000/devstoreaccount1;
+
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    hostname: hostnametoken
+    restart: always
+    environment:
+      AZURE_STORAGE_ACCOUNT_NAME: devstoreaccount1
+      AZURE_STORAGE_PRIMARY_ACCOUNT_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
+      AZURE_STORAGE_CONTAINER_NAME: test-container
+      AZURE_STORAGE_ENDPOINT: http://storage:10000/{{ .AccountName }}/
+      AZURE_STORAGE_PATH: 'path/to/backup'
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_PRUNING_LEEWAY: 5s
+      BACKUP_PRUNING_PREFIX: test
+    volumes:
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  azurite_backup_data:
+    name: azurite_backup_data
+  app_data:

test/azure/run.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+docker compose up -d
+sleep 5
+
+# A symlink for a known file in the volume is created so the test can check
+# whether symlinks are preserved on backup.
+docker compose exec backup backup
+
+sleep 5
+
+expect_running_containers "3"
+
+docker compose run --rm az_cli \
+  az storage blob download -f /dump/test.tar.gz -c test-container -n path/to/backup/test.tar.gz
+tar -xvf ./local/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
+
+pass "Found relevant files in untared remote backups."
+
+# The second part of this test checks if backups get deleted when the retention
+# is set to 0 days (which it should not as it would mean all backups get deleted)
+# TODO: find out if we can test actual deletion without having to wait for a day
+BACKUP_RETENTION_DAYS="0" docker compose up -d
+sleep 5
+
+docker compose exec backup backup
+
+docker compose run --rm az_cli \
+  az storage blob download -f /dump/test.tar.gz -c test-container -n path/to/backup/test.tar.gz
+test -f ./local/test.tar.gz
+
+pass "Remote backups have not been deleted."
+
+docker compose down --volumes

test/certs/docker-compose.yml

@@ -0,0 +1,48 @@
+version: '3'
+
+services:
+  minio:
+    hostname: minio.local
+    image: minio/minio:RELEASE.2020-08-04T23-10-51Z
+    environment:
+      MINIO_ROOT_USER: test
+      MINIO_ROOT_PASSWORD: test
+      MINIO_ACCESS_KEY: test
+      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
+    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server --certs-dir "/certs" --address ":443" /data'
+    volumes:
+      - minio_backup_data:/data
+      - ./minio.crt:/certs/public.crt
+      - ./minio.key:/certs/private.key
+
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    depends_on:
+      - minio
+    restart: always
+    environment:
+      BACKUP_FILENAME: test.tar.gz
+      AWS_ACCESS_KEY_ID: test
+      AWS_SECRET_ACCESS_KEY: GMusLtUmILge2by+z890kQ
+      AWS_ENDPOINT: minio.local:443
+      AWS_ENDPOINT_CA_CERT: /root/minio-rootCA.crt
+      AWS_S3_BUCKET_NAME: backup
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_PRUNING_LEEWAY: 5s
+    volumes:
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./rootCA.crt:/root/minio-rootCA.crt
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  minio_backup_data:
+    name: minio_backup_data
+  app_data:

test/certs/run.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+openssl genrsa -des3 -passout pass:test -out rootCA.key 4096
+openssl req -passin pass:test \
+  -subj "/C=DE/ST=BE/O=IntegrationTest, Inc." \
+  -x509 -new -key rootCA.key -sha256 -days 1 -out rootCA.crt
+
+openssl genrsa -out minio.key 4096
+openssl req -new -sha256 -key minio.key \
+  -subj "/C=DE/ST=BE/O=IntegrationTest, Inc./CN=minio" \
+  -out minio.csr
+
+openssl x509 -req -passin pass:test \
+  -in minio.csr \
+  -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
+  -extfile san.cnf \
+  -out minio.crt -days 1 -sha256
+
+openssl x509 -in minio.crt -noout -text
+
+docker compose up -d
+sleep 5
+
+docker compose exec backup backup
+
+sleep 5
+
+expect_running_containers "3"
+
+docker run --rm \
+  -v minio_backup_data:/minio_data \
+  alpine \
+  ash -c 'tar -xvf /minio_data/backup/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
+
+pass "Found relevant files in untared remote backups."
+
+docker compose down --volumes

test/certs/san.cnf

@@ -0,0 +1 @@
+subjectAltName = DNS:minio.local

test/cli-zstd/run.sh

@@ -0,0 +1,66 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+. ../util.sh
+current_test=$(basename $(pwd))
+
+docker network create test_network
+docker volume create backup_data
+docker volume create app_data
+# This volume is created to test whether empty directories are handled
+# correctly. It is not supposed to hold any data.
+docker volume create empty_data
+
+docker run -d \
+  --name minio \
+  --network test_network \
+  --env MINIO_ROOT_USER=test \
+  --env MINIO_ROOT_PASSWORD=test \
+  --env MINIO_ACCESS_KEY=test \
+  --env MINIO_SECRET_KEY=GMusLtUmILge2by+z890kQ \
+  -v backup_data:/data \
+  minio/minio:RELEASE.2020-08-04T23-10-51Z server /data
+
+docker exec minio mkdir -p /data/backup
+
+docker run -d \
+  --name offen \
+  --network test_network \
+  -v app_data:/var/opt/offen/ \
+  offen/offen:latest
+
+sleep 10
+
+docker run --rm \
+  --network test_network \
+  -v app_data:/backup/app_data \
+  -v empty_data:/backup/empty_data \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  --env AWS_ACCESS_KEY_ID=test \
+  --env AWS_SECRET_ACCESS_KEY=GMusLtUmILge2by+z890kQ \
+  --env AWS_ENDPOINT=minio:9000 \
+  --env AWS_ENDPOINT_PROTO=http \
+  --env AWS_S3_BUCKET_NAME=backup \
+  --env BACKUP_COMPRESSION=zst \
+  --env BACKUP_FILENAME='test.{{ .Extension }}' \
+  --env "BACKUP_FROM_SNAPSHOT=true" \
+  --entrypoint backup \
+  offen/docker-volume-backup:${TEST_VERSION:-canary}
+
+# Have to install tar and zstd on Alpine because the plain image comes with very
+# basic tar from busybox and it does not seem to support zstd
+docker run --rm \
+  -v backup_data:/data alpine \
+  ash -c 'apk add --no-cache zstd tar && tar -xvf /data/backup/test.tar.zst --zstd && test -f /backup/app_data/offen.db && test -d /backup/empty_data'
+
+pass "Found relevant files in untared remote backup."
+
+# This test does not stop containers during backup. This is happening on
+# purpose in order to cover this setup as well.
+expect_running_containers "2"
+
+docker rm $(docker stop minio offen)
+docker volume rm backup_data app_data
+docker network rm test_network

test/cli/run.sh

@@ -48,7 +48,7 @@ docker run --rm \
   --entrypoint backup \
   offen/docker-volume-backup:${TEST_VERSION:-canary}
 
-docker run --rm -it \
+docker run --rm \
   -v backup_data:/data alpine \
   ash -c 'tar -xvf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db && test -d /backup/empty_data'
 

test/commands/docker-compose.yml

@@ -42,10 +42,9 @@ services:
       EXEC_LABEL: test
       EXEC_FORWARD_OUTPUT: "true"
     volumes:
-      - archive:/archive
+      - ./local:/archive
       - app_data:/backup/data:ro
       - /var/run/docker.sock:/var/run/docker.sock
 
 volumes:
   app_data:
-  archive:

test/commands/run.sh

@@ -6,11 +6,12 @@ cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 
-docker-compose up -d
+mkdir -p ./local
+
+docker compose up -d
 sleep 30 # mariadb likes to take a bit before responding
 
-docker-compose exec backup backup
-sudo cp -r $(docker volume inspect --format='{{ .Mountpoint }}' commands_archive) ./local
+docker compose exec backup backup
 
 tar -xvf ./local/test.tar.gz
 if [ ! -f ./backup/data/dump.sql ]; then
@@ -28,12 +29,13 @@ if [ -f ./backup/data/post.txt ]; then
 fi
 pass "Did not find unexpected file."
 
-docker-compose down --volumes
+docker compose down --volumes
 sudo rm -rf ./local
 
 
 info "Running commands test in swarm mode next."
 
+mkdir -p ./local
 docker swarm init
 
 docker stack deploy --compose-file=docker-compose.yml test_stack
@@ -47,8 +49,6 @@ sleep 20
 
 docker exec $(docker ps -q -f name=backup) backup
 
-sudo cp -r $(docker volume inspect --format='{{ .Mountpoint }}' test_stack_archive) ./local
-
 tar -xvf ./local/test.tar.gz
 if [ ! -f ./backup/data/dump.sql ]; then
   fail "Could not find file written by pre command."

test/confd/run.sh

@@ -8,12 +8,12 @@ current_test=$(basename $(pwd))
 
 mkdir -p local
 
-docker-compose up -d
+docker compose up -d
 
 # sleep until a backup is guaranteed to have happened on the 1 minute schedule
 sleep 100
 
-docker-compose down --volumes
+docker compose down --volumes
 
 if [ ! -f ./local/conf.tar.gz ]; then
   fail "Config from file was not used."

test/extend/Dockerfile

@@ -0,0 +1,4 @@
+ARG version=canary
+FROM offen/docker-volume-backup:$version
+
+RUN apk add rsync

test/extend/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '3'
+
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    labels:
+      - docker-volume-backup.copy-post=/bin/sh -c 'mkdir -p /tmp/unpack && tar -xvf $$COMMAND_RUNTIME_ARCHIVE_FILEPATH -C /tmp/unpack && rsync -r /tmp/unpack/backup/app_data /local'
+    environment:
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      EXEC_FORWARD_OUTPUT: "true"
+    volumes:
+      - ./local:/local
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/extend/run.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+mkdir -p local
+
+export BASE_VERSION="${TEST_VERSION:-canary}"
+export TEST_VERSION="${TEST_VERSION:-canary}-with-rsync"
+
+docker build . -t offen/docker-volume-backup:$TEST_VERSION --build-arg version=$BASE_VERSION
+
+docker compose up -d
+sleep 5
+
+docker compose exec backup backup
+
+sleep 5
+
+expect_running_containers "2"
+
+if [ ! -f "./local/app_data/offen.db" ]; then
+  fail "Could not find expected file in untared archive."
+fi
+
+docker compose down --volumes

test/gpg/run.sh

@@ -8,10 +8,10 @@ current_test=$(basename $(pwd))
 
 mkdir -p local
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 expect_running_containers "2"
 
@@ -30,4 +30,4 @@ if [ ! -L ./local/test-latest.tar.gz.gpg ]; then
   fail "Could not find local symlink to latest encrypted backup."
 fi
 
-docker-compose down --volumes
+docker compose down --volumes

test/ignore/run.sh

@@ -8,11 +8,11 @@ current_test=$(basename $(pwd))
 
 mkdir -p local
 
-docker-compose up -d
+docker compose up -d
 sleep 5
-docker-compose exec backup backup
+docker compose exec backup backup
 
-docker-compose down --volumes
+docker compose down --volumes
 
 out=$(mktemp -d)
 sudo tar --same-owner -xvf ./local/test.tar.gz -C "$out"

test/local/run.sh

@@ -8,13 +8,13 @@ current_test=$(basename $(pwd))
 
 mkdir -p local
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
 # A symlink for a known file in the volume is created so the test can check
 # whether symlinks are preserved on backup.
-docker-compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
-docker-compose exec backup backup
+docker compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
+docker compose exec backup backup
 
 sleep 5
 
@@ -42,14 +42,14 @@ pass "Found symlink to latest version in local backup."
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day
-BACKUP_RETENTION_DAYS="0" docker-compose up -d
+BACKUP_RETENTION_DAYS="0" docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 if [ "$(find ./local -type f | wc -l)" != "1" ]; then
   fail "Backups should not have been deleted, instead seen: "$(find ./local -type f)""
 fi
 pass "Local backups have not been deleted."
 
-docker-compose down --volumes
+docker compose down --volumes

test/notifications/run.sh

@@ -8,13 +8,13 @@ current_test=$(basename $(pwd))
 
 mkdir -p local
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
 GOTIFY_TOKEN=$(curl -sSLX POST -H 'Content-Type: application/json' -d '{"name":"test"}' http://admin:custom@localhost:8080/application | jq -r '.token')
 info "Set up Gotify application using token $GOTIFY_TOKEN"
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 NUM_MESSAGES=$(curl -sSL http://admin:custom@localhost:8080/message | jq -r '.messages | length')
 if [ "$NUM_MESSAGES" != 0 ]; then
@@ -22,11 +22,11 @@ if [ "$NUM_MESSAGES" != 0 ]; then
 fi
 pass "No notifications were sent when not configured."
 
-docker-compose down
+docker compose down
 
-NOTIFICATION_URLS="gotify://gotify/${GOTIFY_TOKEN}?disableTLS=true" docker-compose up -d
+NOTIFICATION_URLS="gotify://gotify/${GOTIFY_TOKEN}?disableTLS=true" docker compose up -d
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 NUM_MESSAGES=$(curl -sSL http://admin:custom@localhost:8080/message | jq -r '.messages | length')
 if [ "$NUM_MESSAGES" != 1 ]; then
@@ -47,4 +47,4 @@ if [ "$MESSAGE_BODY" != "Backing up /tmp/test.tar.gz succeeded." ]; then
 fi
 pass "Custom notification body was used."
 
-docker-compose down --volumes
+docker compose down --volumes

test/ownership/run.sh

@@ -9,10 +9,10 @@ current_test=$(basename $(pwd))
 
 mkdir -p local
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 tmp_dir=$(mktemp -d)
 sudo tar --same-owner -xvf ./local/backup.tar.gz -C $tmp_dir
@@ -27,4 +27,4 @@ for file in $(sudo find $tmp_dir/backup/postgres); do
 done
 pass "All files and directories in backup preserved their ownership."
 
-docker-compose down --volumes
+docker compose down --volumes

test/s3/run.sh

@@ -6,18 +6,18 @@ cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
 # A symlink for a known file in the volume is created so the test can check
 # whether symlinks are preserved on backup.
-docker-compose exec backup backup
+docker compose exec backup backup
 
 sleep 5
 
 expect_running_containers "3"
 
-docker run --rm -it \
+docker run --rm \
   -v minio_backup_data:/minio_data \
   alpine \
   ash -c 'tar -xvf /minio_data/backup/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
@@ -27,16 +27,16 @@ pass "Found relevant files in untared remote backups."
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day
-BACKUP_RETENTION_DAYS="0" docker-compose up -d
+BACKUP_RETENTION_DAYS="0" docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
-docker run --rm -it \
+docker run --rm \
   -v minio_backup_data:/minio_data \
   alpine \
   ash -c '[ $(find /minio_data/backup/ -type f | wc -l) = "1" ]'
 
 pass "Remote backups have not been deleted."
 
-docker-compose down --volumes
+docker compose down --volumes

test/secrets/run.sh

@@ -22,7 +22,7 @@ sleep 20
 
 docker exec $(docker ps -q -f name=backup) backup
 
-docker run --rm -it \
+docker run --rm \
   -v backup_data:/data alpine \
   ash -c 'tar -xf /data/backup/test.tar.gz && test -f /backup/pg_data/PG_VERSION'
 

test/ssh/run.sh

@@ -8,16 +8,16 @@ current_test=$(basename $(pwd))
 
 ssh-keygen -t rsa -m pem -b 4096 -N "test1234" -f id_rsa -C "docker-volume-backup@local"
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 sleep 5
 
 expect_running_containers 3
 
-docker run --rm -it \
+docker run --rm \
   -v ssh_backup_data:/ssh_data \
   alpine \
   ash -c 'tar -xvf /ssh_data/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
@@ -27,17 +27,17 @@ pass "Found relevant files in decrypted and untared remote backups."
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day
-BACKUP_RETENTION_DAYS="0" docker-compose up -d
+BACKUP_RETENTION_DAYS="0" docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
-docker run --rm -it \
+docker run --rm \
   -v ssh_backup_data:/ssh_data \
   alpine \
   ash -c '[ $(find /ssh_data/ -type f | wc -l) = "1" ]'
 
 pass "Remote backups have not been deleted."
 
-docker-compose down --volumes
+docker compose down --volumes
 rm -f id_rsa id_rsa.pub

test/swarm/run.sh

@@ -19,7 +19,7 @@ sleep 20
 
 docker exec $(docker ps -q -f name=backup) backup
 
-docker run --rm -it \
+docker run --rm \
   -v backup_data:/data alpine \
   ash -c 'tar -xf /data/backup/test.tar.gz && test -f /backup/pg_data/PG_VERSION'
 

test/user/.gitignore

@@ -0,0 +1,2 @@
+local
+backup

test/user/docker-compose.yml

@@ -0,0 +1,30 @@
+version: '2.4'
+
+services:
+  alpine:
+    image: alpine:3.17.3
+    tty: true 
+    volumes:
+      - app_data:/tmp
+    labels:
+      - docker-volume-backup.archive-pre.user=testuser
+      - docker-volume-backup.archive-pre=/bin/sh -c 'whoami > /tmp/whoami.txt'
+
+
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    deploy:
+      restart_policy:
+        condition: on-failure
+    environment:
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      EXEC_FORWARD_OUTPUT: "true"
+    volumes:
+      - ./local:/archive
+      - app_data:/backup/data:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+
+volumes:
+  app_data:
+  archive:

test/user/run.sh

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+. ../util.sh
+current_test=$(basename $(pwd))
+
+docker compose up -d
+
+user_name=testuser
+docker exec user-alpine-1 adduser --disabled-password "$user_name"
+
+docker compose exec backup backup
+
+tar -xvf ./local/test.tar.gz
+if [ ! -f ./backup/data/whoami.txt ]; then
+  fail "Could not find file written by pre command."
+fi
+pass "Found expected file."
+
+tar -xvf ./local/test.tar.gz
+if [ "$(cat ./backup/data/whoami.txt)" != "$user_name" ]; then
+  fail "Could not find expected user name."
+fi
+pass "Found expected user."
+
+docker compose down --volumes
+sudo rm -rf ./local
+

test/webdav/run.sh

@@ -6,16 +6,16 @@ cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 
-docker-compose up -d
+docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
 sleep 5
 
 expect_running_containers "3"
 
-docker run --rm -it \
+docker run --rm \
   -v webdav_backup_data:/webdav_data \
   alpine \
   ash -c 'tar -xvf /webdav_data/data/my/new/path/test-hostnametoken.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
@@ -25,16 +25,16 @@ pass "Found relevant files in untared remote backup."
 # The second part of this test checks if backups get deleted when the retention
 # is set to 0 days (which it should not as it would mean all backups get deleted)
 # TODO: find out if we can test actual deletion without having to wait for a day
-BACKUP_RETENTION_DAYS="0" docker-compose up -d
+BACKUP_RETENTION_DAYS="0" docker compose up -d
 sleep 5
 
-docker-compose exec backup backup
+docker compose exec backup backup
 
-docker run --rm -it \
+docker run --rm \
   -v webdav_backup_data:/webdav_data \
   alpine \
   ash -c '[ $(find /webdav_data/data/my/new/path/ -type f | wc -l) = "1" ]'
 
 pass "Remote backups have not been deleted."
 
-docker-compose down --volumes
+docker compose down --volumes