Allow authentication using connection string when targeting Azure Blob Storage (#383)

* Allow authentication using connection string when targeting Azure Blob Storage

* Bail on ambiguous configuration

.github/workflows/deploy-docs.yml

@@ -3,6 +3,9 @@ name: Deploy Documenation site to GitHub Pages
 on:
   push:
     branches: ['main']
+    paths:
+      - 'docs/**'
+      - '.github/workflows/deploy-docs.yml'
   workflow_dispatch:
 
 permissions:

.github/workflows/golangci-lint.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: '1.22'
           cache: false
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v3

.github/workflows/release.yml

@@ -15,6 +15,38 @@ jobs:
       - name: Check out the repo
         uses: actions/checkout@v4
 
+      - name: set Environment Variables
+        id: env
+        run: |
+          echo "NOW=$(date +'%F %Z %T')" >> $GITHUB_ENV
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            offen/docker-volume-backup
+            ghcr.io/offen/docker-volume-backup
+          # define global behaviour for tags
+          flavor: |
+            latest=false
+          # specify one tag which never gets set, to prevent the tag-attribute being empty, as it will fallback to a default
+          tags: |
+            # output v2.42.1-alpha.1 (incl. pre-releases)
+            type=semver,pattern=v{{version}},enable=false
+          labels: |
+            org.opencontainers.image.title=${{github.event.repository.name}}
+            org.opencontainers.image.description=Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage
+            org.opencontainers.image.vendor=${{github.repository_owner}}
+            org.opencontainers.image.licenses=MPL-2.0
+            org.opencontainers.image.version=${{github.ref_name}}
+            org.opencontainers.image.created=${{ env.NOW }}
+            org.opencontainers.image.source=${{github.server_url}}/${{github.repository}}
+            org.opencontainers.image.revision=${{github.sha}}
+            org.opencontainers.image.url=https://offen.github.io/docker-volume-backup/
+            org.opencontainers.image.documentation=https://offen.github.io/docker-volume-backup/
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
 
@@ -35,7 +67,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Docker tags
-        id: meta
+        id: tags
         run: |
           version_tag="${{github.ref_name}}"
           tags=($version_tag)
@@ -51,9 +83,10 @@ jobs:
           echo "releases=$releases" >> "$GITHUB_OUTPUT"
 
       - name: Build and push Docker images
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           platforms: linux/amd64,linux/arm64,linux/arm/v7
-          tags: ${{ steps.meta.outputs.releases }}
+          tags: ${{ steps.tags.outputs.releases }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/unit.yml

@@ -0,0 +1,21 @@
+name: Run Unit Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.22.x'
+      - name: Install dependencies
+        run: go mod download
+      - name: Test with the Go CLI
+        run: go test -v ./...

Dockerfile

@@ -1,7 +1,7 @@
 # Copyright 2021 - Offen Authors <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
 
-FROM golang:1.21-alpine as builder
+FROM golang:1.22-alpine as builder
 
 WORKDIR /app
 COPY . .
@@ -13,7 +13,8 @@ FROM alpine:3.19
 
 WORKDIR /root
 
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates && \
+  chmod a+rw /var/lock
 
 COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
 

README.md

@@ -1,5 +1,5 @@
-<a href="https://www.offen.dev/">
+<a href="https://www.offen.software/">
-    <img src="https://offen.github.io/press-kit/offen-material/gfx-GitHub-Offen-logo.svg" alt="Offen logo" title="Offen" width="150px"/>
+    <img src="https://offen.github.io/press-kit/avatars/avatar-OS-header.svg" alt="offen.software logo" title="offen.software" width="60px"/>
 </a>
 
 # docker-volume-backup

cmd/backup/archive.go

@@ -16,23 +16,23 @@ import (
 	"runtime"
 	"strings"
 
-	"github.com/klauspost/pgzip"
-
 	"github.com/klauspost/compress/zstd"
+	"github.com/klauspost/pgzip"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 func createArchive(files []string, inputFilePath, outputFilePath string, compression string, compressionConcurrency int) error {
 	inputFilePath = stripTrailingSlashes(inputFilePath)
 	inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
 	if err != nil {
-		return fmt.Errorf("createArchive: error transposing given file paths: %w", err)
+		return errwrap.Wrap(err, "error transposing given file paths")
 	}
 	if err := os.MkdirAll(filepath.Dir(outputFilePath), 0755); err != nil {
-		return fmt.Errorf("createArchive: error creating output file path: %w", err)
+		return errwrap.Wrap(err, "error creating output file path")
 	}
 
 	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath), compression, compressionConcurrency); err != nil {
-		return fmt.Errorf("createArchive: error creating archive: %w", err)
+		return errwrap.Wrap(err, "error creating archive")
 	}
 
 	return nil
@@ -58,35 +58,35 @@ func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error)
 func compress(paths []string, outFilePath, subPath string, algo string, concurrency int) error {
 	file, err := os.Create(outFilePath)
 	if err != nil {
-		return fmt.Errorf("compress: error creating out file: %w", err)
+		return errwrap.Wrap(err, "error creating out file")
 	}
 
 	prefix := path.Dir(outFilePath)
 	compressWriter, err := getCompressionWriter(file, algo, concurrency)
 	if err != nil {
-		return fmt.Errorf("compress: error getting compression writer: %w", err)
+		return errwrap.Wrap(err, "error getting compression writer")
 	}
 	tarWriter := tar.NewWriter(compressWriter)
 
 	for _, p := range paths {
 		if err := writeTarball(p, tarWriter, prefix); err != nil {
-			return fmt.Errorf("compress: error writing %s to archive: %w", p, err)
+			return errwrap.Wrap(err, fmt.Sprintf("error writing %s to archive", p))
 		}
 	}
 
 	err = tarWriter.Close()
 	if err != nil {
-		return fmt.Errorf("compress: error closing tar writer: %w", err)
+		return errwrap.Wrap(err, "error closing tar writer")
 	}
 
 	err = compressWriter.Close()
 	if err != nil {
-		return fmt.Errorf("compress: error closing compression writer: %w", err)
+		return errwrap.Wrap(err, "error closing compression writer")
 	}
 
 	err = file.Close()
 	if err != nil {
-		return fmt.Errorf("compress: error closing file: %w", err)
+		return errwrap.Wrap(err, "error closing file")
 	}
 
 	return nil
@@ -97,7 +97,7 @@ func getCompressionWriter(file *os.File, algo string, concurrency int) (io.Write
 	case "gz":
 		w, err := pgzip.NewWriterLevel(file, 5)
 		if err != nil {
-			return nil, fmt.Errorf("getCompressionWriter: gzip error: %w", err)
+			return nil, errwrap.Wrap(err, "gzip error")
 		}
 
 		if concurrency == 0 {
@@ -105,25 +105,25 @@ func getCompressionWriter(file *os.File, algo string, concurrency int) (io.Write
 		}
 
 		if err := w.SetConcurrency(1<<20, concurrency); err != nil {
-			return nil, fmt.Errorf("getCompressionWriter: error setting concurrency: %w", err)
+			return nil, errwrap.Wrap(err, "error setting concurrency")
 		}
 
 		return w, nil
 	case "zst":
 		compressWriter, err := zstd.NewWriter(file)
 		if err != nil {
-			return nil, fmt.Errorf("getCompressionWriter: zstd error: %w", err)
+			return nil, errwrap.Wrap(err, "zstd error")
 		}
 		return compressWriter, nil
 	default:
-		return nil, fmt.Errorf("getCompressionWriter: unsupported compression algorithm: %s", algo)
+		return nil, errwrap.Wrap(nil, fmt.Sprintf("unsupported compression algorithm: %s", algo))
 	}
 }
 
 func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 	fileInfo, err := os.Lstat(path)
 	if err != nil {
-		return fmt.Errorf("writeTarball: error getting file infor for %s: %w", path, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error getting file info for %s", path))
 	}
 
 	if fileInfo.Mode()&os.ModeSocket == os.ModeSocket {
@@ -134,19 +134,19 @@ func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 	if fileInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
 		var err error
 		if link, err = os.Readlink(path); err != nil {
-			return fmt.Errorf("writeTarball: error resolving symlink %s: %w", path, err)
+			return errwrap.Wrap(err, fmt.Sprintf("error resolving symlink %s", path))
 		}
 	}
 
 	header, err := tar.FileInfoHeader(fileInfo, link)
 	if err != nil {
-		return fmt.Errorf("writeTarball: error getting file info header: %w", err)
+		return errwrap.Wrap(err, "error getting file info header")
 	}
 	header.Name = strings.TrimPrefix(path, prefix)
 
 	err = tarWriter.WriteHeader(header)
 	if err != nil {
-		return fmt.Errorf("writeTarball: error writing file info header: %w", err)
+		return errwrap.Wrap(err, "error writing file info header")
 	}
 
 	if !fileInfo.Mode().IsRegular() {
@@ -155,13 +155,13 @@ func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 
 	file, err := os.Open(path)
 	if err != nil {
-		return fmt.Errorf("writeTarball: error opening %s: %w", path, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error opening %s", path))
 	}
 	defer file.Close()
 
 	_, err = io.Copy(tarWriter, file)
 	if err != nil {
-		return fmt.Errorf("writeTarball: error copying %s to tar writer: %w", path, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error copying %s to tar writer", path))
 	}
 
 	return nil

cmd/backup/command.go

@@ -0,0 +1,156 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+	"github.com/robfig/cron/v3"
+)
+
+type command struct {
+	logger    *slog.Logger
+	schedules []cron.EntryID
+	cr        *cron.Cron
+	reload    chan struct{}
+}
+
+func newCommand() *command {
+	return &command{
+		logger: slog.New(slog.NewTextHandler(os.Stdout, nil)),
+	}
+}
+
+// runAsCommand executes a backup run for each configuration that is available
+// and then returns
+func (c *command) runAsCommand() error {
+	configurations, err := sourceConfiguration(configStrategyEnv)
+	if err != nil {
+		return errwrap.Wrap(err, "error loading env vars")
+	}
+
+	for _, config := range configurations {
+		if err := runScript(config); err != nil {
+			return errwrap.Wrap(err, "error running script")
+		}
+	}
+
+	return nil
+}
+
+type foregroundOpts struct {
+	profileCronExpression string
+}
+
+// runInForeground starts the program as a long running process, scheduling
+// a job for each configuration that is available.
+func (c *command) runInForeground(opts foregroundOpts) error {
+	c.cr = cron.New(
+		cron.WithParser(
+			cron.NewParser(
+				cron.SecondOptional | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor,
+			),
+		),
+	)
+
+	if err := c.schedule(configStrategyConfd); err != nil {
+		return errwrap.Wrap(err, "error scheduling")
+	}
+
+	if opts.profileCronExpression != "" {
+		if _, err := c.cr.AddFunc(opts.profileCronExpression, c.profile); err != nil {
+			return errwrap.Wrap(err, "error adding profiling job")
+		}
+	}
+
+	var quit = make(chan os.Signal, 1)
+	c.reload = make(chan struct{}, 1)
+	signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT)
+	c.cr.Start()
+
+	for {
+		select {
+		case <-quit:
+			ctx := c.cr.Stop()
+			<-ctx.Done()
+			return nil
+		case <-c.reload:
+			if err := c.schedule(configStrategyConfd); err != nil {
+				return errwrap.Wrap(err, "error reloading configuration")
+			}
+		}
+	}
+}
+
+// schedule wipes all existing schedules and enqueues all schedules available
+// using the given configuration strategy
+func (c *command) schedule(strategy configStrategy) error {
+	for _, id := range c.schedules {
+		c.cr.Remove(id)
+	}
+
+	configurations, err := sourceConfiguration(strategy)
+	if err != nil {
+		return errwrap.Wrap(err, "error sourcing configuration")
+	}
+
+	for _, cfg := range configurations {
+		config := cfg
+		id, err := c.cr.AddFunc(config.BackupCronExpression, func() {
+			c.logger.Info(
+				fmt.Sprintf(
+					"Now running script on schedule %s",
+					config.BackupCronExpression,
+				),
+			)
+
+			if err := runScript(config); err != nil {
+				c.logger.Error(
+					fmt.Sprintf(
+						"Unexpected error running schedule %s: %v",
+						config.BackupCronExpression,
+						errwrap.Unwrap(err),
+					),
+					"error",
+					err,
+				)
+			}
+		})
+
+		if err != nil {
+			return errwrap.Wrap(err, fmt.Sprintf("error adding schedule %s", config.BackupCronExpression))
+		}
+		c.logger.Info(fmt.Sprintf("Successfully scheduled backup %s with expression %s", config.source, config.BackupCronExpression))
+		if ok := checkCronSchedule(config.BackupCronExpression); !ok {
+			c.logger.Warn(
+				fmt.Sprintf("Scheduled cron expression %s will never run, is this intentional?", config.BackupCronExpression),
+			)
+
+			if err != nil {
+				return errwrap.Wrap(err, "error scheduling")
+			}
+			c.schedules = append(c.schedules, id)
+		}
+	}
+
+	return nil
+}
+
+// must exits the program when passed an error. It should be the only
+// place where the application exits forcefully.
+func (c *command) must(err error) {
+	if err != nil {
+		c.logger.Error(
+			fmt.Sprintf("Fatal error running command: %v", errwrap.Unwrap(err)),
+			"error",
+			err,
+		)
+		os.Exit(1)
+	}
+}

cmd/backup/config.go

@@ -11,6 +11,8 @@ import (
 	"regexp"
 	"strconv"
 	"time"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 // Config holds all configuration values that are expected to be set
@@ -70,6 +72,7 @@ type Config struct {
 	LockTimeout                   time.Duration   `split_words:"true" default:"60m"`
 	AzureStorageAccountName       string          `split_words:"true"`
 	AzureStoragePrimaryAccountKey string          `split_words:"true"`
+	AzureStorageConnectionString  string          `split_words:"true"`
 	AzureStorageContainerName     string          `split_words:"true"`
 	AzureStoragePath              string          `split_words:"true"`
 	AzureStorageEndpoint          string          `split_words:"true" default:"https://{{ .AccountName }}.blob.core.windows.net/"`
@@ -80,6 +83,8 @@ type Config struct {
 	DropboxAppSecret              string          `split_words:"true"`
 	DropboxRemotePath             string          `split_words:"true"`
 	DropboxConcurrencyLevel       NaturalNumber   `split_words:"true" default:"6"`
+	source                        string
+	additionalEnvVars             map[string]string
 }
 
 type CompressionType string
@@ -90,7 +95,7 @@ func (c *CompressionType) Decode(v string) error {
 		*c = CompressionType(v)
 		return nil
 	default:
-		return fmt.Errorf("config: error decoding compression type %s", v)
+		return errwrap.Wrap(nil, fmt.Sprintf("error decoding compression type %s", v))
 	}
 }
 
@@ -113,7 +118,7 @@ func (c *CertDecoder) Decode(v string) error {
 	block, _ := pem.Decode(content)
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
-		return fmt.Errorf("config: error parsing certificate: %w", err)
+		return errwrap.Wrap(err, "error parsing certificate")
 	}
 	*c = CertDecoder{Cert: cert}
 	return nil
@@ -129,7 +134,7 @@ func (r *RegexpDecoder) Decode(v string) error {
 	}
 	re, err := regexp.Compile(v)
 	if err != nil {
-		return fmt.Errorf("config: error compiling given regexp `%s`: %w", v, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error compiling given regexp `%s`", v))
 	}
 	*r = RegexpDecoder{Re: re}
 	return nil
@@ -141,10 +146,10 @@ type NaturalNumber int
 func (n *NaturalNumber) Decode(v string) error {
 	asInt, err := strconv.Atoi(v)
 	if err != nil {
-		return fmt.Errorf("config: error converting %s to int", v)
+		return errwrap.Wrap(nil, fmt.Sprintf("error converting %s to int", v))
 	}
 	if asInt <= 0 {
-		return fmt.Errorf("config: expected a natural number, got %d", asInt)
+		return errwrap.Wrap(nil, fmt.Sprintf("expected a natural number, got %d", asInt))
 	}
 	*n = NaturalNumber(asInt)
 	return nil
@@ -160,10 +165,10 @@ type WholeNumber int
 func (n *WholeNumber) Decode(v string) error {
 	asInt, err := strconv.Atoi(v)
 	if err != nil {
-		return fmt.Errorf("config: error converting %s to int", v)
+		return errwrap.Wrap(nil, fmt.Sprintf("error converting %s to int", v))
 	}
 	if asInt < 0 {
-		return fmt.Errorf("config: expected a whole, positive number, including zero. Got %d", asInt)
+		return errwrap.Wrap(nil, fmt.Sprintf("expected a whole, positive number, including zero. Got %d", asInt))
 	}
 	*n = WholeNumber(asInt)
 	return nil
@@ -172,3 +177,40 @@ func (n *WholeNumber) Decode(v string) error {
 func (n *WholeNumber) Int() int {
 	return int(*n)
 }
+
+type envVarLookup struct {
+	ok    bool
+	key   string
+	value string
+}
+
+// applyEnv sets the values in `additionalEnvVars` as environment variables.
+// It returns a function that reverts all values that have been set to its
+// previous state.
+func (c *Config) applyEnv() (func() error, error) {
+	lookups := []envVarLookup{}
+
+	unset := func() error {
+		for _, lookup := range lookups {
+			if !lookup.ok {
+				if err := os.Unsetenv(lookup.key); err != nil {
+					return errwrap.Wrap(err, fmt.Sprintf("error unsetting env var %s", lookup.key))
+				}
+				continue
+			}
+			if err := os.Setenv(lookup.key, lookup.value); err != nil {
+				return errwrap.Wrap(err, fmt.Sprintf("error setting back env var %s", lookup.key))
+			}
+		}
+		return nil
+	}
+
+	for key, value := range c.additionalEnvVars {
+		current, ok := os.LookupEnv(key)
+		lookups = append(lookups, envVarLookup{ok: ok, key: key, value: current})
+		if err := os.Setenv(key, value); err != nil {
+			return unset, errwrap.Wrap(err, "error setting env var")
+		}
+	}
+	return unset, nil
+}

cmd/backup/config_provider.go

@@ -1,20 +1,54 @@
-// Copyright 2021-2022 - Offen Authors <hioffen@posteo.de>
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
 // SPDX-License-Identifier: MPL-2.0
 
 package main
 
 import (
+	"bufio"
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/joho/godotenv"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/envconfig"
+	shell "mvdan.cc/sh/v3/shell"
 )
 
+type configStrategy string
+
+const (
+	configStrategyEnv   configStrategy = "env"
+	configStrategyConfd configStrategy = "confd"
+)
+
+// sourceConfiguration returns a list of config objects using the given
+// strategy. It should be the single entrypoint for retrieving configuration
+// for all consumers.
+func sourceConfiguration(strategy configStrategy) ([]*Config, error) {
+	switch strategy {
+	case configStrategyEnv:
+		c, err := loadConfigFromEnvVars()
+		return []*Config{c}, err
+	case configStrategyConfd:
+		cs, err := loadConfigsFromEnvFiles("/etc/dockervolumebackup/conf.d")
+		if err != nil {
+			if os.IsNotExist(err) {
+				return sourceConfiguration(configStrategyEnv)
+			}
+			return nil, errwrap.Wrap(err, "error loading config files")
+		}
+		return cs, nil
+	default:
+		return nil, errwrap.Wrap(nil, fmt.Sprintf("received unknown config strategy: %v", strategy))
+	}
+}
+
 // envProxy is a function that mimics os.LookupEnv but can read values from any other source
 type envProxy func(string) (string, bool)
 
+// loadConfig creates a config object using the given lookup function
 func loadConfig(lookup envProxy) (*Config, error) {
 	envconfig.Lookup = func(key string) (string, bool) {
 		value, okValue := lookup(key)
@@ -38,50 +72,95 @@ func loadConfig(lookup envProxy) (*Config, error) {
 
 	var c = &Config{}
 	if err := envconfig.Process("", c); err != nil {
-		return nil, fmt.Errorf("loadConfig: failed to process configuration values: %w", err)
+		return nil, errwrap.Wrap(err, "failed to process configuration values")
 	}
 
 	return c, nil
 }
 
-func loadEnvVars() (*Config, error) {
+func loadConfigFromEnvVars() (*Config, error) {
-	return loadConfig(os.LookupEnv)
+	c, err := loadConfig(os.LookupEnv)
+	if err != nil {
+		return nil, errwrap.Wrap(err, "error loading config from environment")
+	}
+	c.source = "from environment"
+	return c, nil
 }
 
-type configFile struct {
+func loadConfigsFromEnvFiles(directory string) ([]*Config, error) {
-	name   string
-	config *Config
-}
-
-func loadEnvFiles(directory string) ([]configFile, error) {
 	items, err := os.ReadDir(directory)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, err
 		}
-		return nil, fmt.Errorf("loadEnvFiles: failed to read files from env directory: %w", err)
+		return nil, errwrap.Wrap(err, "failed to read files from env directory")
 	}
 
-	cs := []configFile{}
+	configs := []*Config{}
 	for _, item := range items {
 		if item.IsDir() {
 			continue
 		}
 		p := filepath.Join(directory, item.Name())
-		envFile, err := godotenv.Read(p)
+		envFile, err := source(p)
 		if err != nil {
-			return nil, fmt.Errorf("loadEnvFiles: error reading config file %s: %w", p, err)
+			return nil, errwrap.Wrap(err, fmt.Sprintf("error reading config file %s", p))
 		}
 		lookup := func(key string) (string, bool) {
 			val, ok := envFile[key]
-			return val, ok
+			if ok {
+				return val, ok
+			}
+			return os.LookupEnv(key)
 		}
 		c, err := loadConfig(lookup)
 		if err != nil {
-			return nil, fmt.Errorf("loadEnvFiles: error loading config from file %s: %w", p, err)
+			return nil, errwrap.Wrap(err, fmt.Sprintf("error loading config from file %s", p))
 		}
-		cs = append(cs, configFile{config: c, name: item.Name()})
+		c.source = item.Name()
+		c.additionalEnvVars = envFile
+		configs = append(configs, c)
 	}
 
-	return cs, nil
+	return configs, nil
+}
+
+// source tries to mimic the pre v2.37.0 behavior of calling
+// `set +a; source $path; set -a` and returns the env vars as a map
+func source(path string) (map[string]string, error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return nil, errwrap.Wrap(err, fmt.Sprintf("error opening %s", path))
+	}
+
+	result := map[string]string{}
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		line := scanner.Text()
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "#") {
+			continue
+		}
+		withExpansion, err := shell.Expand(line, nil)
+		if err != nil {
+			return nil, errwrap.Wrap(err, "error expanding env")
+		}
+		m, err := godotenv.Unmarshal(withExpansion)
+		if err != nil {
+			return nil, errwrap.Wrap(err, fmt.Sprintf("error sourcing %s", path))
+		}
+		for key, value := range m {
+			currentValue, currentOk := os.LookupEnv(key)
+			defer func() {
+				if currentOk {
+					os.Setenv(key, currentValue)
+					return
+				}
+				os.Unsetenv(key)
+			}()
+			result[key] = value
+			os.Setenv(key, value)
+		}
+	}
+	return result, nil
 }

cmd/backup/config_provider_test.go

@@ -0,0 +1,77 @@
+package main
+
+import (
+	"os"
+	"reflect"
+	"testing"
+)
+
+func TestSource(t *testing.T) {
+	tests := []struct {
+		name           string
+		input          string
+		expectError    bool
+		expectedOutput map[string]string
+	}{
+		{
+			"default",
+			"testdata/default.env",
+			false,
+			map[string]string{
+				"FOO": "bar",
+				"BAZ": "qux",
+			},
+		},
+		{
+			"not found",
+			"testdata/nope.env",
+			true,
+			nil,
+		},
+		{
+			"braces",
+			"testdata/braces.env",
+			false,
+			map[string]string{
+				"FOO": "qux",
+				"BAR": "xxx",
+				"BAZ": "",
+			},
+		},
+		{
+			"expansion",
+			"testdata/expansion.env",
+			false,
+			map[string]string{
+				"BAR": "xxx",
+				"FOO": "xxx",
+				"BAZ": "xxx",
+				"QUX": "yyy",
+			},
+		},
+		{
+			"comments",
+			"testdata/comments.env",
+			false,
+			map[string]string{
+				"BAR": "xxx",
+				"BAZ": "yyy",
+			},
+		},
+	}
+
+	os.Setenv("QUX", "yyy")
+	defer os.Unsetenv("QUX")
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result, err := source(test.input)
+			if (err != nil) != test.expectError {
+				t.Errorf("Unexpected error value %v", err)
+			}
+			if !reflect.DeepEqual(test.expectedOutput, result) {
+				t.Errorf("Expected %v, got %v", test.expectedOutput, result)
+			}
+		})
+	}
+}

cmd/backup/copy_archive.go

@@ -0,0 +1,41 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"os"
+	"path"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+	"golang.org/x/sync/errgroup"
+)
+
+// copyArchive makes sure the backup file is copied to both local and remote locations
+// as per the given configuration.
+func (s *script) copyArchive() error {
+	_, name := path.Split(s.file)
+	if stat, err := os.Stat(s.file); err != nil {
+		return errwrap.Wrap(err, "unable to stat backup file")
+	} else {
+		size := stat.Size()
+		s.stats.BackupFile = BackupFileStats{
+			Size:     uint64(size),
+			Name:     name,
+			FullPath: s.file,
+		}
+	}
+
+	eg := errgroup.Group{}
+	for _, backend := range s.storages {
+		b := backend
+		eg.Go(func() error {
+			return b.Copy(s.file)
+		})
+	}
+	if err := eg.Wait(); err != nil {
+		return errwrap.Wrap(err, "error copying archive")
+	}
+
+	return nil
+}

cmd/backup/create_archive.go

@@ -0,0 +1,88 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"fmt"
+	"io/fs"
+	"path/filepath"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+	"github.com/otiai10/copy"
+)
+
+// createArchive creates a tar archive of the configured backup location and
+// saves it to disk.
+func (s *script) createArchive() error {
+	backupSources := s.c.BackupSources
+
+	if s.c.BackupFromSnapshot {
+		s.logger.Warn(
+			"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
+		)
+		s.logger.Warn(
+			"Please use `archive-pre` and `archive-post` commands to prepare your backup sources. Refer to the documentation for an upgrade guide.",
+		)
+		backupSources = filepath.Join("/tmp", s.c.BackupSources)
+		// copy before compressing guard against a situation where backup folder's content are still growing.
+		s.registerHook(hookLevelPlumbing, func(error) error {
+			if err := remove(backupSources); err != nil {
+				return errwrap.Wrap(err, "error removing snapshot")
+			}
+			s.logger.Info(
+				fmt.Sprintf("Removed snapshot `%s`.", backupSources),
+			)
+			return nil
+		})
+		if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
+			PreserveTimes: true,
+			PreserveOwner: true,
+		}); err != nil {
+			return errwrap.Wrap(err, "error creating snapshot")
+		}
+		s.logger.Info(
+			fmt.Sprintf("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources),
+		)
+	}
+
+	tarFile := s.file
+	s.registerHook(hookLevelPlumbing, func(error) error {
+		if err := remove(tarFile); err != nil {
+			return errwrap.Wrap(err, "error removing tar file")
+		}
+		s.logger.Info(
+			fmt.Sprintf("Removed tar file `%s`.", tarFile),
+		)
+		return nil
+	})
+
+	backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
+	if err != nil {
+		return errwrap.Wrap(err, "error getting absolute path")
+	}
+
+	var filesEligibleForBackup []string
+	if err := filepath.WalkDir(backupPath, func(path string, di fs.DirEntry, err error) error {
+		if err != nil {
+			return err
+		}
+
+		if s.c.BackupExcludeRegexp.Re != nil && s.c.BackupExcludeRegexp.Re.MatchString(path) {
+			return nil
+		}
+		filesEligibleForBackup = append(filesEligibleForBackup, path)
+		return nil
+	}); err != nil {
+		return errwrap.Wrap(err, "error walking filesystem tree")
+	}
+
+	if err := createArchive(filesEligibleForBackup, backupSources, tarFile, s.c.BackupCompression.String(), s.c.GzipParallelism.Int()); err != nil {
+		return errwrap.Wrap(err, "error compressing backup folder")
+	}
+
+	s.logger.Info(
+		fmt.Sprintf("Created backup of `%s` at `%s`.", backupSources, tarFile),
+	)
+	return nil
+}

cmd/backup/cron.go

@@ -1,29 +0,0 @@
-// Copyright 2024 - Offen Authors <hioffen@posteo.de>
-// SPDX-License-Identifier: MPL-2.0
-
-package main
-
-import (
-	"time"
-
-	"github.com/robfig/cron/v3"
-)
-
-// checkCronSchedule detects whether the given cron expression will actually
-// ever be executed or not.
-func checkCronSchedule(expression string) (ok bool) {
-	defer func() {
-		if err := recover(); err != nil {
-			ok = false
-		}
-	}()
-	sched, err := cron.ParseStandard(expression)
-	if err != nil {
-		ok = false
-		return
-	}
-	now := time.Now()
-	sched.Next(now) // panics when the cron would never run
-	ok = true
-	return
-}

cmd/backup/encrypt_archive.go

@@ -0,0 +1,64 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"path"
+
+	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+)
+
+// encryptArchive encrypts the backup file using PGP and the configured passphrase.
+// In case no passphrase is given it returns early, leaving the backup file
+// untouched.
+func (s *script) encryptArchive() error {
+	if s.c.GpgPassphrase == "" {
+		return nil
+	}
+
+	gpgFile := fmt.Sprintf("%s.gpg", s.file)
+	s.registerHook(hookLevelPlumbing, func(error) error {
+		if err := remove(gpgFile); err != nil {
+			return errwrap.Wrap(err, "error removing gpg file")
+		}
+		s.logger.Info(
+			fmt.Sprintf("Removed GPG file `%s`.", gpgFile),
+		)
+		return nil
+	})
+
+	outFile, err := os.Create(gpgFile)
+	if err != nil {
+		return errwrap.Wrap(err, "error opening out file")
+	}
+	defer outFile.Close()
+
+	_, name := path.Split(s.file)
+	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
+		FileName: name,
+	}, nil)
+	if err != nil {
+		return errwrap.Wrap(err, "error encrypting backup file")
+	}
+	defer dst.Close()
+
+	src, err := os.Open(s.file)
+	if err != nil {
+		return errwrap.Wrap(err, fmt.Sprintf("error opening backup file `%s`", s.file))
+	}
+
+	if _, err := io.Copy(dst, src); err != nil {
+		return errwrap.Wrap(err, "error writing ciphertext to file")
+	}
+
+	s.file = gpgFile
+	s.logger.Info(
+		fmt.Sprintf("Encrypted backup using given passphrase, saving as `%s`.", s.file),
+	)
+	return nil
+}

cmd/backup/exec.go

@@ -9,6 +9,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -18,6 +19,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -34,43 +36,51 @@ func (s *script) exec(containerRef string, command string, user string) ([]byte,
 		User:         user,
 	})
 	if err != nil {
-		return nil, nil, fmt.Errorf("exec: error creating container exec: %w", err)
+		return nil, nil, errwrap.Wrap(err, "error creating container exec")
 	}
 
 	resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, types.ExecStartCheck{})
 	if err != nil {
-		return nil, nil, fmt.Errorf("exec: error attaching container exec: %w", err)
+		return nil, nil, errwrap.Wrap(err, "error attaching container exec")
 	}
 	defer resp.Close()
 
-	var outBuf, errBuf bytes.Buffer
+	var outBuf, errBuf, fullRespBuf bytes.Buffer
 	outputDone := make(chan error)
 
+	tee := io.TeeReader(resp.Reader, &fullRespBuf)
+
 	go func() {
-		_, err := stdcopy.StdCopy(&outBuf, &errBuf, resp.Reader)
+		_, err := stdcopy.StdCopy(&outBuf, &errBuf, tee)
 		outputDone <- err
 	}()
 
 	if err := <-outputDone; err != nil {
-		return nil, nil, fmt.Errorf("exec: error demultiplexing output: %w", err)
+		if body, bErr := io.ReadAll(&fullRespBuf); bErr == nil {
+			// if possible, try to append the exec output to the error
+			// as it's likely to be more relevant for users than the error from
+			// calling stdcopy.Copy
+			err = errwrap.Wrap(errors.New(string(body)), err.Error())
+		}
+		return nil, nil, errwrap.Wrap(err, "error demultiplexing output")
 	}
 
 	stdout, err := io.ReadAll(&outBuf)
 	if err != nil {
-		return nil, nil, fmt.Errorf("exec: error reading stdout: %w", err)
+		return nil, nil, errwrap.Wrap(err, "error reading stdout")
 	}
 	stderr, err := io.ReadAll(&errBuf)
 	if err != nil {
-		return nil, nil, fmt.Errorf("exec: error reading stderr: %w", err)
+		return nil, nil, errwrap.Wrap(err, "error reading stderr")
 	}
 
 	res, err := s.cli.ContainerExecInspect(context.Background(), execID.ID)
 	if err != nil {
-		return nil, nil, fmt.Errorf("exec: error inspecting container exec: %w", err)
+		return nil, nil, errwrap.Wrap(err, "error inspecting container exec")
 	}
 
 	if res.ExitCode > 0 {
-		return stdout, stderr, fmt.Errorf("exec: running command exited %d", res.ExitCode)
+		return stdout, stderr, errwrap.Wrap(nil, fmt.Sprintf("running command exited %d", res.ExitCode))
 	}
 
 	return stdout, stderr, nil
@@ -90,7 +100,7 @@ func (s *script) runLabeledCommands(label string) error {
 		Filters: filters.NewArgs(f...),
 	})
 	if err != nil {
-		return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
+		return errwrap.Wrap(err, "error querying for containers")
 	}
 
 	var hasDeprecatedContainers bool
@@ -103,7 +113,7 @@ func (s *script) runLabeledCommands(label string) error {
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
-			return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
+			return errwrap.Wrap(err, "error querying for containers")
 		}
 		if len(deprecatedContainers) != 0 {
 			hasDeprecatedContainers = true
@@ -120,7 +130,7 @@ func (s *script) runLabeledCommands(label string) error {
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
-			return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
+			return errwrap.Wrap(err, "error querying for containers")
 		}
 		if len(deprecatedContainers) != 0 {
 			hasDeprecatedContainers = true
@@ -163,14 +173,14 @@ func (s *script) runLabeledCommands(label string) error {
 				os.Stdout.Write(stdout)
 			}
 			if err != nil {
-				return fmt.Errorf("runLabeledCommands: error executing command: %w", err)
+				return errwrap.Wrap(err, "error executing command")
 			}
 			return nil
 		})
 	}
 
 	if err := g.Wait(); err != nil {
-		return fmt.Errorf("runLabeledCommands: error from errgroup: %w", err)
+		return errwrap.Wrap(err, "error from errgroup")
 	}
 	return nil
 }
@@ -190,13 +200,12 @@ func (s *script) withLabeledCommands(step lifecyclePhase, cb func() error) func(
 	}
 	return func() (err error) {
 		if err = s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-pre", step)); err != nil {
-			err = fmt.Errorf("withLabeledCommands: %s: error running pre commands: %w", step, err)
+			err = errwrap.Wrap(err, fmt.Sprintf("error running %s-pre commands", step))
 			return
 		}
 		defer func() {
-			derr := s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-post", step))
+			if derr := s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-post", step)); derr != nil {
-			if err == nil && derr != nil {
+				err = errors.Join(err, errwrap.Wrap(derr, fmt.Sprintf("error running %s-post commands", step)))
-				err = derr
 			}
 		}()
 		err = cb()

cmd/backup/hooks.go

@@ -5,8 +5,9 @@ package main
 
 import (
 	"errors"
-	"fmt"
 	"sort"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 // hook contains a queued action that can be trigger them when the script
@@ -47,7 +48,7 @@ func (s *script) runHooks(err error) error {
 			continue
 		}
 		if actionErr := hook.action(err); actionErr != nil {
-			actionErrors = append(actionErrors, fmt.Errorf("runHooks: error running hook: %w", actionErr))
+			actionErrors = append(actionErrors, errwrap.Wrap(actionErr, "error running hook"))
 		}
 	}
 	if len(actionErrors) != 0 {

cmd/backup/lock.go

@@ -4,11 +4,11 @@
 package main
 
 import (
-	"errors"
 	"fmt"
 	"time"
 
 	"github.com/gofrs/flock"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 // lock opens a lockfile at the given location, keeping it locked until the
@@ -31,7 +31,7 @@ func (s *script) lock(lockfile string) (func() error, error) {
 	for {
 		acquired, err := fileLock.TryLock()
 		if err != nil {
-			return noop, fmt.Errorf("lock: error trying to lock: %w", err)
+			return noop, errwrap.Wrap(err, "error trying to lock")
 		}
 		if acquired {
 			if s.encounteredLock {
@@ -54,7 +54,7 @@ func (s *script) lock(lockfile string) (func() error, error) {
 		case <-retry.C:
 			continue
 		case <-deadline.C:
-			return noop, errors.New("lock: timed out waiting for lockfile to become available")
+			return noop, errwrap.Wrap(nil, "timed out waiting for lockfile to become available")
 		}
 	}
 }

cmd/backup/main.go

@@ -5,236 +5,8 @@ package main
 
 import (
 	"flag"
-	"fmt"
-	"log/slog"
-	"os"
-	"os/signal"
-	"runtime"
-	"syscall"
-
-	"github.com/robfig/cron/v3"
 )
 
-type command struct {
-	logger *slog.Logger
-}
-
-func newCommand() *command {
-	return &command{
-		logger: slog.New(slog.NewTextHandler(os.Stdout, nil)),
-	}
-}
-
-func (c *command) must(err error) {
-	if err != nil {
-		c.logger.Error(
-			fmt.Sprintf("Fatal error running command: %v", err),
-			"error",
-			err,
-		)
-		os.Exit(1)
-	}
-}
-
-func runScript(c *Config) (err error) {
-	defer func() {
-		if derr := recover(); derr != nil {
-			err = fmt.Errorf("runScript: unexpected panic running script: %v", err)
-		}
-	}()
-
-	s, err := newScript(c)
-	if err != nil {
-		err = fmt.Errorf("runScript: error instantiating script: %w", err)
-		return
-	}
-
-	runErr := func() (err error) {
-		unlock, err := s.lock("/var/lock/dockervolumebackup.lock")
-		if err != nil {
-			err = fmt.Errorf("runScript: error acquiring file lock: %w", err)
-			return
-		}
-
-		defer func() {
-			derr := unlock()
-			if err == nil && derr != nil {
-				err = fmt.Errorf("runScript: error releasing file lock: %w", derr)
-			}
-		}()
-
-		scriptErr := func() error {
-			if err := s.withLabeledCommands(lifecyclePhaseArchive, func() (err error) {
-				restartContainersAndServices, err := s.stopContainersAndServices()
-				// The mechanism for restarting containers is not using hooks as it
-				// should happen as soon as possible (i.e. before uploading backups or
-				// similar).
-				defer func() {
-					derr := restartContainersAndServices()
-					if err == nil {
-						err = derr
-					}
-				}()
-				if err != nil {
-					return
-				}
-				err = s.createArchive()
-				return
-			})(); err != nil {
-				return err
-			}
-
-			if err := s.withLabeledCommands(lifecyclePhaseProcess, s.encryptArchive)(); err != nil {
-				return err
-			}
-			if err := s.withLabeledCommands(lifecyclePhaseCopy, s.copyArchive)(); err != nil {
-				return err
-			}
-			if err := s.withLabeledCommands(lifecyclePhasePrune, s.pruneBackups)(); err != nil {
-				return err
-			}
-			return nil
-		}()
-
-		if hookErr := s.runHooks(scriptErr); hookErr != nil {
-			if scriptErr != nil {
-				return fmt.Errorf(
-					"runScript: error %w executing the script followed by %w calling the registered hooks",
-					scriptErr,
-					hookErr,
-				)
-			}
-			return fmt.Errorf(
-				"runScript: the script ran successfully, but an error occurred calling the registered hooks: %w",
-				hookErr,
-			)
-		}
-		if scriptErr != nil {
-			return fmt.Errorf("runScript: error running script: %w", scriptErr)
-		}
-		return nil
-	}()
-
-	if runErr != nil {
-		s.logger.Error(
-			fmt.Sprintf("Script run failed: %v", runErr), "error", runErr,
-		)
-	}
-	return runErr
-}
-
-func (c *command) runInForeground(profileCronExpression string) error {
-	cr := cron.New(
-		cron.WithParser(
-			cron.NewParser(
-				cron.SecondOptional | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor,
-			),
-		),
-	)
-
-	addJob := func(config *Config, name string) error {
-		if _, err := cr.AddFunc(config.BackupCronExpression, func() {
-			c.logger.Info(
-				fmt.Sprintf(
-					"Now running script on schedule %s",
-					config.BackupCronExpression,
-				),
-			)
-			if err := runScript(config); err != nil {
-				c.logger.Error(
-					fmt.Sprintf(
-						"Unexpected error running schedule %s: %v",
-						config.BackupCronExpression,
-						err,
-					),
-					"error",
-					err,
-				)
-			}
-		}); err != nil {
-			return fmt.Errorf("addJob: error adding schedule %s: %w", config.BackupCronExpression, err)
-		}
-
-		c.logger.Info(fmt.Sprintf("Successfully scheduled backup %s with expression %s", name, config.BackupCronExpression))
-		if ok := checkCronSchedule(config.BackupCronExpression); !ok {
-			c.logger.Warn(
-				fmt.Sprintf("Scheduled cron expression %s will never run, is this intentional?", config.BackupCronExpression),
-			)
-		}
-
-		return nil
-	}
-
-	cs, err := loadEnvFiles("/etc/dockervolumebackup/conf.d")
-	if err != nil {
-		if !os.IsNotExist(err) {
-			return fmt.Errorf("runInForeground: could not load config from environment files: %w", err)
-		}
-
-		c, err := loadEnvVars()
-		if err != nil {
-			return fmt.Errorf("runInForeground: could not load config from environment variables: %w", err)
-		} else {
-			err = addJob(c, "from environment")
-			if err != nil {
-				return fmt.Errorf("runInForeground: error adding job from env: %w", err)
-			}
-		}
-	} else {
-		c.logger.Info("/etc/dockervolumebackup/conf.d was found, using configuration files from this directory.")
-		for _, config := range cs {
-			err = addJob(config.config, config.name)
-			if err != nil {
-				return fmt.Errorf("runInForeground: error adding jobs from conf files: %w", err)
-			}
-		}
-	}
-
-	if profileCronExpression != "" {
-		if _, err := cr.AddFunc(profileCronExpression, func() {
-			memStats := runtime.MemStats{}
-			runtime.ReadMemStats(&memStats)
-			c.logger.Info(
-				"Collecting runtime information",
-				"num_goroutines",
-				runtime.NumGoroutine(),
-				"memory_heap_alloc",
-				formatBytes(memStats.HeapAlloc, false),
-				"memory_heap_inuse",
-				formatBytes(memStats.HeapInuse, false),
-				"memory_heap_sys",
-				formatBytes(memStats.HeapSys, false),
-				"memory_heap_objects",
-				memStats.HeapObjects,
-			)
-		}); err != nil {
-			return fmt.Errorf("runInForeground: error adding profiling job: %w", err)
-		}
-	}
-
-	var quit = make(chan os.Signal, 1)
-	signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT)
-	cr.Start()
-	<-quit
-	ctx := cr.Stop()
-	<-ctx.Done()
-
-	return nil
-}
-
-func (c *command) runAsCommand() error {
-	config, err := loadEnvVars()
-	if err != nil {
-		return fmt.Errorf("runAsCommand: error loading env vars: %w", err)
-	}
-	err = runScript(config)
-	if err != nil {
-		return fmt.Errorf("runAsCommand: error running script: %w", err)
-	}
-
-	return nil
-}
-
 func main() {
 	foreground := flag.Bool("foreground", false, "run the tool in the foreground")
 	profile := flag.String("profile", "", "collect runtime metrics and log them periodically on the given cron expression")
@@ -242,7 +14,10 @@ func main() {
 
 	c := newCommand()
 	if *foreground {
-		c.must(c.runInForeground(*profile))
+		opts := foregroundOpts{
+			profileCronExpression: *profile,
+		}
+		c.must(c.runInForeground(opts))
 	} else {
 		c.must(c.runAsCommand())
 	}

cmd/backup/notifications.go

@@ -14,6 +14,7 @@ import (
 	"time"
 
 	sTypes "github.com/containrrr/shoutrrr/pkg/types"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 //go:embed notifications.tmpl
@@ -37,16 +38,16 @@ func (s *script) notify(titleTemplate string, bodyTemplate string, err error) er
 
 	titleBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(titleBuf, titleTemplate, params); err != nil {
-		return fmt.Errorf("notify: error executing %s template: %w", titleTemplate, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error executing %s template", titleTemplate))
 	}
 
 	bodyBuf := &bytes.Buffer{}
 	if err := s.template.ExecuteTemplate(bodyBuf, bodyTemplate, params); err != nil {
-		return fmt.Errorf("notify: error executing %s template: %w", bodyTemplate, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error executing %s template", bodyTemplate))
 	}
 
 	if err := s.sendNotification(titleBuf.String(), bodyBuf.String()); err != nil {
-		return fmt.Errorf("notify: error notifying: %w", err)
+		return errwrap.Wrap(err, "error sending notification")
 	}
 	return nil
 }
@@ -70,7 +71,7 @@ func (s *script) sendNotification(title, body string) error {
 		}
 	}
 	if len(errs) != 0 {
-		return fmt.Errorf("sendNotification: error sending message: %w", errors.Join(errs...))
+		return errwrap.Wrap(errors.Join(errs...), "error sending message")
 	}
 	return nil
 }

cmd/backup/profile.go

@@ -0,0 +1,24 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import "runtime"
+
+func (c *command) profile() {
+	memStats := runtime.MemStats{}
+	runtime.ReadMemStats(&memStats)
+	c.logger.Info(
+		"Collecting runtime information",
+		"num_goroutines",
+		runtime.NumGoroutine(),
+		"memory_heap_alloc",
+		formatBytes(memStats.HeapAlloc, false),
+		"memory_heap_inuse",
+		formatBytes(memStats.HeapInuse, false),
+		"memory_heap_sys",
+		formatBytes(memStats.HeapSys, false),
+		"memory_heap_objects",
+		memStats.HeapObjects,
+	)
+}

cmd/backup/prune_backups.go

@@ -0,0 +1,66 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"fmt"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+	"golang.org/x/sync/errgroup"
+)
+
+// pruneBackups rotates away backups from local and remote storages using
+// the given configuration. In case the given configuration would delete all
+// backups, it does nothing instead and logs a warning.
+func (s *script) pruneBackups() error {
+	if s.c.BackupRetentionDays < 0 {
+		return nil
+	}
+
+	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
+
+	eg := errgroup.Group{}
+	for _, backend := range s.storages {
+		b := backend
+		eg.Go(func() error {
+			if skipPrune(b.Name(), s.c.BackupSkipBackendsFromPrune) {
+				s.logger.Info(
+					fmt.Sprintf("Skipping pruning for backend `%s`.", b.Name()),
+				)
+				return nil
+			}
+			stats, err := b.Prune(deadline, s.c.BackupPruningPrefix)
+			if err != nil {
+				return err
+			}
+			s.stats.Lock()
+			s.stats.Storages[b.Name()] = StorageStats{
+				Total:  stats.Total,
+				Pruned: stats.Pruned,
+			}
+			s.stats.Unlock()
+			return nil
+		})
+	}
+
+	if err := eg.Wait(); err != nil {
+		return errwrap.Wrap(err, "error pruning backups")
+	}
+
+	return nil
+}
+
+// skipPrune returns true if the given backend name is contained in the
+// list of skipped backends.
+func skipPrune(name string, skippedBackends []string) bool {
+	return slices.ContainsFunc(
+		skippedBackends,
+		func(b string) bool {
+			return strings.EqualFold(b, name) // ignore case on both sides
+		},
+	)
+}

cmd/backup/run_script.go

@@ -0,0 +1,111 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+)
+
+// runScript instantiates a new script object and orchestrates a backup run.
+// To ensure it runs mutually exclusive a global file lock is acquired before
+// it starts running. Any panic within the script will be recovered and returned
+// as an error.
+func runScript(c *Config) (err error) {
+	defer func() {
+		if derr := recover(); derr != nil {
+			asErr, ok := derr.(error)
+			if ok {
+				err = errwrap.Wrap(asErr, "unexpected panic running script")
+			} else {
+				err = errwrap.Wrap(nil, fmt.Sprintf("%v", derr))
+			}
+		}
+	}()
+
+	s := newScript(c)
+
+	unlock, lockErr := s.lock("/var/lock/dockervolumebackup.lock")
+	if lockErr != nil {
+		err = errwrap.Wrap(lockErr, "error acquiring file lock")
+		return
+	}
+	defer func() {
+		if derr := unlock(); derr != nil {
+			err = errors.Join(err, errwrap.Wrap(derr, "error releasing file lock"))
+		}
+	}()
+
+	unset, err := s.c.applyEnv()
+	if err != nil {
+		return errwrap.Wrap(err, "error applying env")
+	}
+	defer func() {
+		if derr := unset(); derr != nil {
+			err = errors.Join(err, errwrap.Wrap(derr, "error unsetting environment variables"))
+		}
+	}()
+
+	if initErr := s.init(); initErr != nil {
+		err = errwrap.Wrap(initErr, "error instantiating script")
+		return
+	}
+
+	return func() (err error) {
+		scriptErr := func() error {
+			if err := s.withLabeledCommands(lifecyclePhaseArchive, func() (err error) {
+				restartContainersAndServices, err := s.stopContainersAndServices()
+				// The mechanism for restarting containers is not using hooks as it
+				// should happen as soon as possible (i.e. before uploading backups or
+				// similar).
+				defer func() {
+					if derr := restartContainersAndServices(); derr != nil {
+						err = errors.Join(err, errwrap.Wrap(derr, "error restarting containers and services"))
+					}
+				}()
+				if err != nil {
+					return
+				}
+				err = s.createArchive()
+				return
+			})(); err != nil {
+				return err
+			}
+
+			if err := s.withLabeledCommands(lifecyclePhaseProcess, s.encryptArchive)(); err != nil {
+				return err
+			}
+			if err := s.withLabeledCommands(lifecyclePhaseCopy, s.copyArchive)(); err != nil {
+				return err
+			}
+			if err := s.withLabeledCommands(lifecyclePhasePrune, s.pruneBackups)(); err != nil {
+				return err
+			}
+			return nil
+		}()
+
+		if hookErr := s.runHooks(scriptErr); hookErr != nil {
+			if scriptErr != nil {
+				return errwrap.Wrap(
+					nil,
+					fmt.Sprintf(
+						"error %v executing the script followed by %v calling the registered hooks",
+						scriptErr,
+						hookErr,
+					),
+				)
+			}
+			return errwrap.Wrap(
+				hookErr,
+				"the script ran successfully, but an error occurred calling the registered hooks",
+			)
+		}
+		if scriptErr != nil {
+			return errwrap.Wrap(scriptErr, "error running script")
+		}
+		return nil
+	}()
+}

cmd/backup/script.go

@@ -6,17 +6,13 @@ package main
 import (
 	"bytes"
 	"fmt"
-	"io"
-	"io/fs"
 	"log/slog"
 	"os"
 	"path"
-	"path/filepath"
-	"slices"
-	"strings"
 	"text/template"
 	"time"
 
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/offen/docker-volume-backup/internal/storage/azure"
 	"github.com/offen/docker-volume-backup/internal/storage/dropbox"
@@ -25,13 +21,10 @@ import (
 	"github.com/offen/docker-volume-backup/internal/storage/ssh"
 	"github.com/offen/docker-volume-backup/internal/storage/webdav"
 
-	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
 	"github.com/containrrr/shoutrrr"
 	"github.com/containrrr/shoutrrr/pkg/router"
 	"github.com/docker/docker/client"
 	"github.com/leekchan/timeutil"
-	"github.com/otiai10/copy"
-	"golang.org/x/sync/errgroup"
 )
 
 // script holds all the stateful information required to orchestrate a
@@ -57,9 +50,9 @@ type script struct {
 // remote resources like the Docker engine or remote storage locations. All
 // reading from env vars or other configuration sources is expected to happen
 // in this method.
-func newScript(c *Config) (*script, error) {
+func newScript(c *Config) *script {
 	stdOut, logBuffer := buffer(os.Stdout)
-	s := &script{
+	return &script{
 		c:      c,
 		logger: slog.New(slog.NewTextHandler(stdOut, nil)),
 		stats: &Stats{
@@ -75,7 +68,9 @@ func newScript(c *Config) (*script, error) {
 			},
 		},
 	}
+}
 
+func (s *script) init() error {
 	s.registerHook(hookLevelPlumbing, func(error) error {
 		s.stats.EndTime = time.Now()
 		s.stats.TookTime = s.stats.EndTime.Sub(s.stats.StartTime)
@@ -86,14 +81,14 @@ func newScript(c *Config) (*script, error) {
 
 	tmplFileName, tErr := template.New("extension").Parse(s.file)
 	if tErr != nil {
-		return nil, fmt.Errorf("newScript: unable to parse backup file extension template: %w", tErr)
+		return errwrap.Wrap(tErr, "unable to parse backup file extension template")
 	}
 
 	var bf bytes.Buffer
 	if tErr := tmplFileName.Execute(&bf, map[string]string{
 		"Extension": fmt.Sprintf("tar.%s", s.c.BackupCompression),
 	}); tErr != nil {
-		return nil, fmt.Errorf("newScript: error executing backup file extension template: %w", tErr)
+		return errwrap.Wrap(tErr, "error executing backup file extension template")
 	}
 	s.file = bf.String()
 
@@ -109,12 +104,12 @@ func newScript(c *Config) (*script, error) {
 	if !os.IsNotExist(err) || dockerHostSet {
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 		if err != nil {
-			return nil, fmt.Errorf("newScript: failed to create docker client")
+			return errwrap.Wrap(err, "failed to create docker client")
 		}
 		s.cli = cli
 		s.registerHook(hookLevelPlumbing, func(err error) error {
 			if err := s.cli.Close(); err != nil {
-				return fmt.Errorf("newScript: failed to close docker client: %w", err)
+				return errwrap.Wrap(err, "failed to close docker client")
 			}
 			return nil
 		})
@@ -124,8 +119,6 @@ func newScript(c *Config) (*script, error) {
 		switch logType {
 		case storage.LogLevelWarning:
 			s.logger.Warn(fmt.Sprintf(msg, params...), "storage", context)
-		case storage.LogLevelError:
-			s.logger.Error(fmt.Sprintf(msg, params...), "storage", context)
 		default:
 			s.logger.Info(fmt.Sprintf(msg, params...), "storage", context)
 		}
@@ -147,7 +140,7 @@ func newScript(c *Config) (*script, error) {
 		}
 		s3Backend, err := s3.NewStorageBackend(s3Config, logFunc)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error creating s3 storage backend: %w", err)
+			return errwrap.Wrap(err, "error creating s3 storage backend")
 		}
 		s.storages = append(s.storages, s3Backend)
 	}
@@ -162,7 +155,7 @@ func newScript(c *Config) (*script, error) {
 		}
 		webdavBackend, err := webdav.NewStorageBackend(webDavConfig, logFunc)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error creating webdav storage backend: %w", err)
+			return errwrap.Wrap(err, "error creating webdav storage backend")
 		}
 		s.storages = append(s.storages, webdavBackend)
 	}
@@ -179,7 +172,7 @@ func newScript(c *Config) (*script, error) {
 		}
 		sshBackend, err := ssh.NewStorageBackend(sshConfig, logFunc)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error creating ssh storage backend: %w", err)
+			return errwrap.Wrap(err, "error creating ssh storage backend")
 		}
 		s.storages = append(s.storages, sshBackend)
 	}
@@ -200,10 +193,11 @@ func newScript(c *Config) (*script, error) {
 			PrimaryAccountKey: s.c.AzureStoragePrimaryAccountKey,
 			Endpoint:          s.c.AzureStorageEndpoint,
 			RemotePath:        s.c.AzureStoragePath,
+			ConnectionString:  s.c.AzureStorageConnectionString,
 		}
 		azureBackend, err := azure.NewStorageBackend(azureConfig, logFunc)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error creating azure storage backend: %w", err)
+			return errwrap.Wrap(err, "error creating azure storage backend")
 		}
 		s.storages = append(s.storages, azureBackend)
 	}
@@ -220,7 +214,7 @@ func newScript(c *Config) (*script, error) {
 		}
 		dropboxBackend, err := dropbox.NewStorageBackend(dropboxConfig, logFunc)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: error creating dropbox storage backend: %w", err)
+			return errwrap.Wrap(err, "error creating dropbox storage backend")
 		}
 		s.storages = append(s.storages, dropboxBackend)
 	}
@@ -246,14 +240,14 @@ func newScript(c *Config) (*script, error) {
 
 	hookLevel, ok := hookLevels[s.c.NotificationLevel]
 	if !ok {
-		return nil, fmt.Errorf("newScript: unknown NOTIFICATION_LEVEL %s", s.c.NotificationLevel)
+		return errwrap.Wrap(nil, fmt.Sprintf("unknown NOTIFICATION_LEVEL %s", s.c.NotificationLevel))
 	}
 	s.hookLevel = hookLevel
 
 	if len(s.c.NotificationURLs) > 0 {
 		sender, senderErr := shoutrrr.CreateSender(s.c.NotificationURLs...)
 		if senderErr != nil {
-			return nil, fmt.Errorf("newScript: error creating sender: %w", senderErr)
+			return errwrap.Wrap(senderErr, "error creating sender")
 		}
 		s.sender = sender
 
@@ -261,13 +255,13 @@ func newScript(c *Config) (*script, error) {
 		tmpl.Funcs(templateHelpers)
 		tmpl, err = tmpl.Parse(defaultNotifications)
 		if err != nil {
-			return nil, fmt.Errorf("newScript: unable to parse default notifications templates: %w", err)
+			return errwrap.Wrap(err, "unable to parse default notifications templates")
 		}
 
 		if fi, err := os.Stat("/etc/dockervolumebackup/notifications.d"); err == nil && fi.IsDir() {
 			tmpl, err = tmpl.ParseGlob("/etc/dockervolumebackup/notifications.d/*.*")
 			if err != nil {
-				return nil, fmt.Errorf("newScript: unable to parse user defined notifications templates: %w", err)
+				return errwrap.Wrap(err, "unable to parse user defined notifications templates")
 			}
 		}
 		s.template = tmpl
@@ -288,211 +282,5 @@ func newScript(c *Config) (*script, error) {
 		})
 	}
 
-	return s, nil
-}
-
-// createArchive creates a tar archive of the configured backup location and
-// saves it to disk.
-func (s *script) createArchive() error {
-	backupSources := s.c.BackupSources
-
-	if s.c.BackupFromSnapshot {
-		s.logger.Warn(
-			"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
-		)
-		s.logger.Warn(
-			"Please use `archive-pre` and `archive-post` commands to prepare your backup sources. Refer to the documentation for an upgrade guide.",
-		)
-		backupSources = filepath.Join("/tmp", s.c.BackupSources)
-		// copy before compressing guard against a situation where backup folder's content are still growing.
-		s.registerHook(hookLevelPlumbing, func(error) error {
-			if err := remove(backupSources); err != nil {
-				return fmt.Errorf("createArchive: error removing snapshot: %w", err)
-			}
-			s.logger.Info(
-				fmt.Sprintf("Removed snapshot `%s`.", backupSources),
-			)
-			return nil
-		})
-		if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
-			PreserveTimes: true,
-			PreserveOwner: true,
-		}); err != nil {
-			return fmt.Errorf("createArchive: error creating snapshot: %w", err)
-		}
-		s.logger.Info(
-			fmt.Sprintf("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources),
-		)
-	}
-
-	tarFile := s.file
-	s.registerHook(hookLevelPlumbing, func(error) error {
-		if err := remove(tarFile); err != nil {
-			return fmt.Errorf("createArchive: error removing tar file: %w", err)
-		}
-		s.logger.Info(
-			fmt.Sprintf("Removed tar file `%s`.", tarFile),
-		)
-		return nil
-	})
-
-	backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
-	if err != nil {
-		return fmt.Errorf("createArchive: error getting absolute path: %w", err)
-	}
-
-	var filesEligibleForBackup []string
-	if err := filepath.WalkDir(backupPath, func(path string, di fs.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-
-		if s.c.BackupExcludeRegexp.Re != nil && s.c.BackupExcludeRegexp.Re.MatchString(path) {
-			return nil
-		}
-		filesEligibleForBackup = append(filesEligibleForBackup, path)
-		return nil
-	}); err != nil {
-		return fmt.Errorf("createArchive: error walking filesystem tree: %w", err)
-	}
-
-	if err := createArchive(filesEligibleForBackup, backupSources, tarFile, s.c.BackupCompression.String(), s.c.GzipParallelism.Int()); err != nil {
-		return fmt.Errorf("createArchive: error compressing backup folder: %w", err)
-	}
-
-	s.logger.Info(
-		fmt.Sprintf("Created backup of `%s` at `%s`.", backupSources, tarFile),
-	)
 	return nil
 }
-
-// encryptArchive encrypts the backup file using PGP and the configured passphrase.
-// In case no passphrase is given it returns early, leaving the backup file
-// untouched.
-func (s *script) encryptArchive() error {
-	if s.c.GpgPassphrase == "" {
-		return nil
-	}
-
-	gpgFile := fmt.Sprintf("%s.gpg", s.file)
-	s.registerHook(hookLevelPlumbing, func(error) error {
-		if err := remove(gpgFile); err != nil {
-			return fmt.Errorf("encryptArchive: error removing gpg file: %w", err)
-		}
-		s.logger.Info(
-			fmt.Sprintf("Removed GPG file `%s`.", gpgFile),
-		)
-		return nil
-	})
-
-	outFile, err := os.Create(gpgFile)
-	if err != nil {
-		return fmt.Errorf("encryptArchive: error opening out file: %w", err)
-	}
-	defer outFile.Close()
-
-	_, name := path.Split(s.file)
-	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
-		FileName: name,
-	}, nil)
-	if err != nil {
-		return fmt.Errorf("encryptArchive: error encrypting backup file: %w", err)
-	}
-	defer dst.Close()
-
-	src, err := os.Open(s.file)
-	if err != nil {
-		return fmt.Errorf("encryptArchive: error opening backup file `%s`: %w", s.file, err)
-	}
-
-	if _, err := io.Copy(dst, src); err != nil {
-		return fmt.Errorf("encryptArchive: error writing ciphertext to file: %w", err)
-	}
-
-	s.file = gpgFile
-	s.logger.Info(
-		fmt.Sprintf("Encrypted backup using given passphrase, saving as `%s`.", s.file),
-	)
-	return nil
-}
-
-// copyArchive makes sure the backup file is copied to both local and remote locations
-// as per the given configuration.
-func (s *script) copyArchive() error {
-	_, name := path.Split(s.file)
-	if stat, err := os.Stat(s.file); err != nil {
-		return fmt.Errorf("copyArchive: unable to stat backup file: %w", err)
-	} else {
-		size := stat.Size()
-		s.stats.BackupFile = BackupFileStats{
-			Size:     uint64(size),
-			Name:     name,
-			FullPath: s.file,
-		}
-	}
-
-	eg := errgroup.Group{}
-	for _, backend := range s.storages {
-		b := backend
-		eg.Go(func() error {
-			return b.Copy(s.file)
-		})
-	}
-	if err := eg.Wait(); err != nil {
-		return fmt.Errorf("copyArchive: error copying archive: %w", err)
-	}
-
-	return nil
-}
-
-// pruneBackups rotates away backups from local and remote storages using
-// the given configuration. In case the given configuration would delete all
-// backups, it does nothing instead and logs a warning.
-func (s *script) pruneBackups() error {
-	if s.c.BackupRetentionDays < 0 {
-		return nil
-	}
-
-	deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
-
-	eg := errgroup.Group{}
-	for _, backend := range s.storages {
-		b := backend
-		eg.Go(func() error {
-			if skipPrune(b.Name(), s.c.BackupSkipBackendsFromPrune) {
-				s.logger.Info(
-					fmt.Sprintf("Skipping pruning for backend `%s`.", b.Name()),
-				)
-				return nil
-			}
-			stats, err := b.Prune(deadline, s.c.BackupPruningPrefix)
-			if err != nil {
-				return err
-			}
-			s.stats.Lock()
-			s.stats.Storages[b.Name()] = StorageStats{
-				Total:  stats.Total,
-				Pruned: stats.Pruned,
-			}
-			s.stats.Unlock()
-			return nil
-		})
-	}
-
-	if err := eg.Wait(); err != nil {
-		return fmt.Errorf("pruneBackups: error pruning backups: %w", err)
-	}
-
-	return nil
-}
-
-// skipPrune returns true if the given backend name is contained in the
-// list of skipped backends.
-func skipPrune(name string, skippedBackends []string) bool {
-	return slices.ContainsFunc(
-		skippedBackends,
-		func(b string) bool {
-			return strings.EqualFold(b, name) // ignore case on both sides
-		},
-	)
-}

cmd/backup/stop_restart.go

@@ -1,3 +1,6 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
 package main
 
 import (
@@ -15,24 +18,25 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/client"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 func scaleService(cli *client.Client, serviceID string, replicas uint64) ([]string, error) {
 	service, _, err := cli.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("scaleService: error inspecting service %s: %w", serviceID, err)
+		return nil, errwrap.Wrap(err, fmt.Sprintf("error inspecting service %s", serviceID))
 	}
 	serviceMode := &service.Spec.Mode
 	switch {
 	case serviceMode.Replicated != nil:
 		serviceMode.Replicated.Replicas = &replicas
 	default:
-		return nil, fmt.Errorf("scaleService: service to be scaled %s has to be in replicated mode", service.Spec.Name)
+		return nil, errwrap.Wrap(nil, fmt.Sprintf("service to be scaled %s has to be in replicated mode", service.Spec.Name))
 	}
 
 	response, err := cli.ServiceUpdate(context.Background(), service.ID, service.Version, service.Spec, types.ServiceUpdateOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("scaleService: error updating service: %w", err)
+		return nil, errwrap.Wrap(err, "error updating service")
 	}
 
 	discardWriter := &noopWriteCloser{io.Discard}
@@ -51,11 +55,14 @@ func awaitContainerCountForService(cli *client.Client, serviceID string, count i
 	for {
 		select {
 		case <-timeout.C:
-			return fmt.Errorf(
+			return errwrap.Wrap(
-				"awaitContainerCount: timed out after waiting %s for service %s to reach desired container count of %d",
+				nil,
-				timeoutAfter,
+				fmt.Sprintf(
-				serviceID,
+					"timed out after waiting %s for service %s to reach desired container count of %d",
-				count,
+					timeoutAfter,
+					serviceID,
+					count,
+				),
 			)
 		case <-poll.C:
 			containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{
@@ -65,7 +72,7 @@ func awaitContainerCountForService(cli *client.Client, serviceID string, count i
 				}),
 			})
 			if err != nil {
-				return fmt.Errorf("awaitContainerCount: error listing containers: %w", err)
+				return errwrap.Wrap(err, "error listing containers")
 			}
 			if len(containers) == count {
 				return nil
@@ -74,6 +81,16 @@ func awaitContainerCountForService(cli *client.Client, serviceID string, count i
 	}
 }
 
+func isSwarm(c interface {
+	Info(context.Context) (types.Info, error)
+}) (bool, error) {
+	info, err := c.Info(context.Background())
+	if err != nil {
+		return false, errwrap.Wrap(err, "error getting docker info")
+	}
+	return info.Swarm.LocalNodeState != "" && info.Swarm.LocalNodeState != swarm.LocalNodeStateInactive, nil
+}
+
 // stopContainersAndServices stops all Docker containers that are marked as to being
 // stopped during the backup and returns a function that can be called to
 // restart everything that has been stopped.
@@ -82,11 +99,10 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 		return noop, nil
 	}
 
-	dockerInfo, err := s.cli.Info(context.Background())
+	isDockerSwarm, err := isSwarm(s.cli)
 	if err != nil {
-		return noop, fmt.Errorf("(*script).stopContainersAndServices: error getting docker info: %w", err)
+		return noop, errwrap.Wrap(err, "error determining swarm state")
 	}
-	isDockerSwarm := dockerInfo.Swarm.LocalNodeState != "inactive"
 
 	labelValue := s.c.BackupStopDuringBackupLabel
 	if s.c.BackupStopContainerLabel != "" {
@@ -97,7 +113,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 			"Please use BACKUP_STOP_DURING_BACKUP_LABEL instead. Refer to the docs for an upgrade guide.",
 		)
 		if _, ok := os.LookupEnv("BACKUP_STOP_DURING_BACKUP_LABEL"); ok {
-			return noop, errors.New("(*script).stopContainersAndServices: both BACKUP_STOP_DURING_BACKUP_LABEL and BACKUP_STOP_CONTAINER_LABEL have been set, cannot continue")
+			return noop, errwrap.Wrap(nil, "both BACKUP_STOP_DURING_BACKUP_LABEL and BACKUP_STOP_CONTAINER_LABEL have been set, cannot continue")
 		}
 		labelValue = s.c.BackupStopContainerLabel
 	}
@@ -109,7 +125,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 
 	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{})
 	if err != nil {
-		return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for containers: %w", err)
+		return noop, errwrap.Wrap(err, "error querying for containers")
 	}
 	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
 		Filters: filters.NewArgs(filters.KeyValuePair{
@@ -118,7 +134,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 		}),
 	})
 	if err != nil {
-		return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for containers to stop: %w", err)
+		return noop, errwrap.Wrap(err, "error querying for containers to stop")
 	}
 
 	var allServices []swarm.Service
@@ -126,7 +142,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 	if isDockerSwarm {
 		allServices, err = s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
 		if err != nil {
-			return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for services: %w", err)
+			return noop, errwrap.Wrap(err, "error querying for services")
 		}
 		matchingServices, err := s.cli.ServiceList(context.Background(), types.ServiceListOptions{
 			Filters: filters.NewArgs(filters.KeyValuePair{
@@ -142,7 +158,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 			})
 		}
 		if err != nil {
-			return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for services to scale down: %w", err)
+			return noop, errwrap.Wrap(err, "error querying for services to scale down")
 		}
 	}
 
@@ -155,14 +171,17 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 			if swarmServiceID, ok := container.Labels["com.docker.swarm.service.id"]; ok {
 				parentService, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, types.ServiceInspectOptions{})
 				if err != nil {
-					return noop, fmt.Errorf("(*script).stopContainersAndServices: error querying for parent service with ID %s: %w", swarmServiceID, err)
+					return noop, errwrap.Wrap(err, fmt.Sprintf("error querying for parent service with ID %s", swarmServiceID))
 				}
 				for label := range parentService.Spec.Labels {
 					if label == "docker-volume-backup.stop-during-backup" {
-						return noop, fmt.Errorf(
+						return noop, errwrap.Wrap(
-							"(*script).stopContainersAndServices: container %s is labeled to stop but has parent service %s which is also labeled, cannot continue",
+							nil,
-							container.Names[0],
+							fmt.Sprintf(
-							parentService.Spec.Name,
+								"container %s is labeled to stop but has parent service %s which is also labeled, cannot continue",
+								container.Names[0],
+								parentService.Spec.Name,
+							),
 						)
 					}
 				}
@@ -245,10 +264,12 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 	var initialErr error
 	allErrors := append(stopErrors, scaleDownErrors.value()...)
 	if len(allErrors) != 0 {
-		initialErr = fmt.Errorf(
+		initialErr = errwrap.Wrap(
-			"(*script).stopContainersAndServices: %d error(s) stopping containers: %w",
-			len(allErrors),
 			errors.Join(allErrors...),
+			fmt.Sprintf(
+				"%d error(s) stopping containers",
+				len(allErrors),
+			),
 		)
 	}
 
@@ -268,7 +289,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 				if err != nil {
 					restartErrors = append(
 						restartErrors,
-						fmt.Errorf("(*script).stopContainersAndServices: error looking up parent service: %w", err),
+						errwrap.Wrap(err, "error looking up parent service"),
 					)
 					continue
 				}
@@ -311,10 +332,12 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 
 		allErrors := append(restartErrors, scaleUpErrors.value()...)
 		if len(allErrors) != 0 {
-			return fmt.Errorf(
+			return errwrap.Wrap(
-				"(*script).stopContainersAndServices: %d error(s) restarting containers and services: %w",
-				len(allErrors),
 				errors.Join(allErrors...),
+				fmt.Sprintf(
+					"%d error(s) restarting containers and services",
+					len(allErrors),
+				),
 			)
 		}
 

cmd/backup/stop_restart_test.go

@@ -0,0 +1,85 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/swarm"
+)
+
+type mockInfoClient struct {
+	result types.Info
+	err    error
+}
+
+func (m *mockInfoClient) Info(context.Context) (types.Info, error) {
+	return m.result, m.err
+}
+
+func TestIsSwarm(t *testing.T) {
+	tests := []struct {
+		name        string
+		client      *mockInfoClient
+		expected    bool
+		expectError bool
+	}{
+		{
+			"swarm",
+			&mockInfoClient{
+				result: types.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: swarm.LocalNodeStateActive,
+					},
+				},
+			},
+			true,
+			false,
+		},
+		{
+			"compose",
+			&mockInfoClient{
+				result: types.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: swarm.LocalNodeStateInactive,
+					},
+				},
+			},
+			false,
+			false,
+		},
+		{
+			"balena",
+			&mockInfoClient{
+				result: types.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: "",
+					},
+				},
+			},
+			false,
+			false,
+		},
+		{
+			"error",
+			&mockInfoClient{
+				err: errors.New("the dinosaurs escaped"),
+			},
+			false,
+			true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result, err := isSwarm(test.client)
+			if (err != nil) != test.expectError {
+				t.Errorf("Unexpected error value %v", err)
+			}
+			if test.expected != result {
+				t.Errorf("Expected %v, got %v", test.expected, result)
+			}
+		})
+	}
+}

cmd/backup/testdata/braces.env

@@ -0,0 +1,3 @@
+FOO=${bar:-qux}
+BAR=xxx
+BAZ=$NOPE

cmd/backup/testdata/comments.env

@@ -0,0 +1,7 @@
+# This is a comment about `why` things are here
+# FOO="${bar:-qux}"
+ # e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before`
+
+BAR=xxx
+
+BAZ=$QUX

cmd/backup/testdata/default.env

@@ -0,0 +1,2 @@
+FOO=bar
+BAZ=qux

cmd/backup/testdata/expansion.env

@@ -0,0 +1,4 @@
+BAR=xxx
+FOO=${BAR}
+BAZ=$BAR
+QUX=${QUX}

cmd/backup/util.go

@@ -9,6 +9,10 @@ import (
 	"io"
 	"os"
 	"sync"
+	"time"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+	"github.com/robfig/cron/v3"
 )
 
 var noop = func() error { return nil }
@@ -20,7 +24,7 @@ func remove(location string) error {
 		if os.IsNotExist(err) {
 			return nil
 		}
-		return fmt.Errorf("remove: error checking for existence of `%s`: %w", location, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error checking for existence of `%s`", location))
 	}
 	if fi.IsDir() {
 		err = os.RemoveAll(location)
@@ -28,7 +32,7 @@ func remove(location string) error {
 		err = os.Remove(location)
 	}
 	if err != nil {
-		return fmt.Errorf("remove: error removing `%s`: %w", location, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error removing `%s", location))
 	}
 	return nil
 }
@@ -47,7 +51,7 @@ type bufferingWriter struct {
 
 func (b *bufferingWriter) Write(p []byte) (n int, err error) {
 	if n, err := b.buf.Write(p); err != nil {
-		return n, fmt.Errorf("(*bufferingWriter).Write: error writing to buffer: %w", err)
+		return n, errwrap.Wrap(err, "error writing to buffer")
 	}
 	return b.writer.Write(p)
 }
@@ -79,3 +83,22 @@ func (c *concurrentSlice[T]) append(v T) {
 func (c *concurrentSlice[T]) value() []T {
 	return c.val
 }
+
+// checkCronSchedule detects whether the given cron expression will actually
+// ever be executed or not.
+func checkCronSchedule(expression string) (ok bool) {
+	defer func() {
+		if err := recover(); err != nil {
+			ok = false
+		}
+	}()
+	sched, err := cron.ParseStandard(expression)
+	if err != nil {
+		ok = false
+		return
+	}
+	now := time.Now()
+	sched.Next(now) // panics when the cron would never run
+	ok = true
+	return
+}

docs/how-tos/replace-deprecated-backup-from-snapshot.md

@@ -2,7 +2,7 @@
 title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
 layout: default
 parent: How Tos
-nav_order: 16
+nav_order: 17
 ---
 
 # Replace deprecated `BACKUP_FROM_SNAPSHOT` usage

docs/how-tos/replace-deprecated-backup-stop-container-label.md

@@ -2,7 +2,7 @@
 title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
 layout: default
 parent: How Tos
-nav_order: 19
+nav_order: 20
 ---
 
 # Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting

docs/how-tos/replace-deprecated-exec-labels.md

@@ -2,7 +2,7 @@
 title: Replace deprecated exec-pre and exec-post labels
 layout: default
 parent: How Tos
-nav_order: 17
+nav_order: 18
 ---
 
 # Replace deprecated `exec-pre` and `exec-post` labels

docs/how-tos/run-custom-commands.md

@@ -46,6 +46,10 @@ If you have more than one `docker-volume-backup` container (possibly across seve
 multiple backup schedules, you will need to use `EXEC_LABEL` in the configuration and a `docker-volume-backup.exec-label` label on each
 container using custom commands to ensure that the commands are only run by the correct `docker-volume-backup` instance.
 
+{: .important }
+In case you use `EXEC_LABEL` together with configuration mounted from `conf.d` it's important to understand that a distinct `EXEC_LABEL` __should be set in each configuration__.
+Else, schedules that do not specify an `EXEC_LABEL` will still trigger commands on all containers with such labels, no matter whether they specify `docker-volume-backup.exec-label` or not.
+
 ```yml
 version: '3'
 

docs/how-tos/update-deprecated-email-config.md

@@ -2,7 +2,7 @@
 title: Update deprecated email configuration
 layout: default
 parent: How Tos
-nav_order: 18
+nav_order: 19
 ---
 
 # Update deprecated email configuration

docs/how-tos/use-as-non-root.md

@@ -0,0 +1,36 @@
+---
+title: Use the image as a non-root user
+layout: default
+parent: How Tos
+nav_order: 16
+---
+
+# Use the image as a non-root user
+
+{: .important }
+Running as a non-root user limits interaction with the Docker Daemon.
+If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root.
+
+By default, this image executes backups using the `root` user.
+In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id:
+
+```console
+docker run --rm \
+  -v data:/backup/data \
+  --env AWS_ACCESS_KEY_ID="<xxx>" \
+  --env AWS_SECRET_ACCESS_KEY="<xxx>" \
+  --env AWS_S3_BUCKET_NAME="<xxx>" \
+  --entrypoint backup \
+  --user 1000:1000 \
+  offen/docker-volume-backup:v2
+```
+
+or in a compose file:
+
+```yml
+services:
+  backup:
+    image: offen/docker-volume-backup:v2
+    user: 1000:1000
+    # further configuration omitted ...
+```

docs/index.md

@@ -88,7 +88,7 @@ docker run --rm \
 
 Alternatively, pass a `--env-file` in order to use a full config as described below.
 
-### Available image registries
+## Available image registries
 
 This Docker image is published to both Docker Hub and the GitHub container registry.
 Depending on your preferences and needs, you can reference both `offen/docker-volume-backup` as well as `ghcr.io/offen/docker-volume-backup`:
@@ -100,6 +100,11 @@ docker pull ghcr.io/offen/docker-volume-backup:v2
 
 Documentation references Docker Hub, but all examples will work using ghcr.io just as well.
 
+## Supported Engines
+
+This tool is developed and tested against the Docker CE engine exclusively.
+While it may work against different implementations (e.g. Balena Engine), there are no guarantees about support for non-Docker engines.
+
 ## Differences to `jareware/docker-volume-backup`
 
 This image is heavily inspired by `jareware/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:

docs/recipes/index.md

@@ -371,3 +371,24 @@ volumes:
   data_1:
   data_2:
 ```
+
+## Running as a non-root user
+
+```yml
+version: '3'
+
+services:
+  # ... define other services using the `data` volume here
+  backup:
+    image: offen/docker-volume-backup:v2
+    user: 1000:1000
+    environment:
+      AWS_S3_BUCKET_NAME: backup-bucket
+      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
+      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+    volumes:
+      - data:/backup/my-app-backup:ro
+
+volumes:
+  data:
+```

docs/reference/index.md

@@ -245,10 +245,17 @@ You can populate below template according to your requirements and use it as you
 # AZURE_STORAGE_ACCOUNT_NAME="account-name"
 
 # The credential's primary account key when using Azure Blob Storage. If this
-# is not given, the command tries to fall back to using a managed identity.
+# is not given, the command tries to fall back to using a connection string
+# (if given) or a managed identity (if nothing is given).
 
 # AZURE_STORAGE_PRIMARY_ACCOUNT_KEY="<xxx>"
 
+# A connection string for accessing Azure Blob Storage. If this
+# is not given, the command tries to fall back to using a primary account key
+# (if given) or a managed identity (if nothing is given).
+
+# AZURE_STORAGE_CONNECTION_STRING="<xxx>"
+
 # The container name when using Azure Blob Storage.
 
 # AZURE_STORAGE_CONTAINER_NAME="container-name"

go.mod

@@ -1,27 +1,28 @@
 module github.com/offen/docker-volume-backup
 
-go 1.21
+go 1.22
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.2.1
 	github.com/containrrr/shoutrrr v0.7.1
 	github.com/cosiner/argv v0.1.0
-	github.com/docker/cli v24.0.1+incompatible
+	github.com/docker/cli v24.0.9+incompatible
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/gofrs/flock v0.8.1
 	github.com/joho/godotenv v1.5.1
-	github.com/klauspost/compress v1.17.6
+	github.com/klauspost/compress v1.17.7
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/minio/minio-go/v7 v7.0.66
+	github.com/minio/minio-go/v7 v7.0.68
 	github.com/offen/envconfig v1.5.0
 	github.com/otiai10/copy v1.14.0
 	github.com/pkg/sftp v1.13.6
-	github.com/robfig/cron/v3 v3.0.0
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/studio-b12/gowebdav v0.9.0
-	golang.org/x/crypto v0.18.0
+	golang.org/x/crypto v0.19.0
-	golang.org/x/oauth2 v0.16.0
+	golang.org/x/oauth2 v0.17.0
 	golang.org/x/sync v0.6.0
+	mvdan.cc/sh/v3 v3.8.0
 )
 
 require (
@@ -39,7 +40,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/ProtonMail/go-crypto v1.1.0-alpha.0
+	github.com/ProtonMail/go-crypto v1.1.0-alpha.1
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
@@ -47,7 +48,7 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/google/uuid v1.5.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
 	github.com/klauspost/pgzip v1.2.6
@@ -68,8 +69,8 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	golang.org/x/net v0.20.0 // indirect
+	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

go.sum

@@ -201,8 +201,8 @@ github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/ProtonMail/go-crypto v1.1.0-alpha.0 h1:nHGfwXmFvJrSR9xu8qL7BkO4DqTHXE9N5vPhgY2I+j0=
+github.com/ProtonMail/go-crypto v1.1.0-alpha.1 h1:iKLDnKGL+3u4Q5OjYgixAxWdkkGBPidCQumqVryUgtY=
-github.com/ProtonMail/go-crypto v1.1.0-alpha.0/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
+github.com/ProtonMail/go-crypto v1.1.0-alpha.1/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -253,8 +253,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
-github.com/docker/cli v24.0.1+incompatible h1:uVl5Xv/39kZJpDo9VaktTOYBc702sdYYF33FqwUG/dM=
+github.com/docker/cli v24.0.9+incompatible h1:OxbimnP/z+qVjDLpq9wbeFU3Nc30XhSe+LkwYQisD50=
-github.com/docker/cli v24.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v24.0.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
@@ -283,6 +283,8 @@ github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
@@ -358,8 +360,9 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@@ -384,8 +387,8 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg=
@@ -458,8 +461,8 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI=
+github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
-github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
+github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
 github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.6 h1:ndNyv040zDGIDh8thGkXYjnFtiN02M1PVVF+JE/48xc=
 github.com/klauspost/cpuid/v2 v2.2.6/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
@@ -474,6 +477,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -504,8 +509,8 @@ github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKju
 github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
-github.com/minio/minio-go/v7 v7.0.66 h1:bnTOXOHjOqv/gcMuiVbN9o2ngRItvqE774dG9nq0Dzw=
+github.com/minio/minio-go/v7 v7.0.68 h1:hTqSIfLlpXaKuNy4baAp4Jjy2sqZEN9hRxD0M4aOfrQ=
-github.com/minio/minio-go/v7 v7.0.66/go.mod h1:DHAgmyQEGdW3Cif0UooKOyrT3Vxs82zNdV6tkKhRtbs=
+github.com/minio/minio-go/v7 v7.0.68/go.mod h1:XAvOPJQ5Xlzk5o3o/ArO2NMbhSGkimC+bpW/ngRKDmQ=
 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
 github.com/minio/sha256-simd v1.0.1/go.mod h1:Pz6AKMiUdngCLpeTL/RJY1M9rUuPMYujV5xJjtbRSN8=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
@@ -595,11 +600,13 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/robfig/cron/v3 v3.0.0 h1:kQ6Cb7aHOHTSzNVNEhmp8EcWKLb4CbiMW9h9VyIhO4E=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
-github.com/robfig/cron/v3 v3.0.0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -679,8 +686,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -777,8 +784,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -803,8 +810,8 @@ golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7Lm
 golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
+golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -917,13 +924,13 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1259,6 +1266,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+mvdan.cc/sh/v3 v3.8.0 h1:ZxuJipLZwr/HLbASonmXtcvvC9HXY9d2lXZHnKGjFc8=
+mvdan.cc/sh/v3 v3.8.0/go.mod h1:w04623xkgBVo7/IUK89E0g8hBykgEpN0vgOj3RJr6MY=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

internal/errwrap/wrap.go

@@ -0,0 +1,43 @@
+// Copyright 2024 - Offen Authors <hioffen@posteo.de>
+// SPDX-License-Identifier: MPL-2.0
+
+package errwrap
+
+import (
+	"errors"
+	"fmt"
+	"runtime"
+	"strings"
+)
+
+// Wrap wraps the given error using the given message while prepending
+// the name of the calling function, creating a poor man's stack trace
+func Wrap(err error, msg string) error {
+	pc := make([]uintptr, 15)
+	n := runtime.Callers(2, pc)
+	frames := runtime.CallersFrames(pc[:n])
+	frame, _ := frames.Next()
+	// strip full import paths and just use the package name
+	chunks := strings.Split(frame.Function, "/")
+	withCaller := fmt.Sprintf("%s: %s", chunks[len(chunks)-1], msg)
+	if err == nil {
+		return fmt.Errorf(withCaller)
+	}
+	return fmt.Errorf("%s: %w", withCaller, err)
+}
+
+// Unwrap receives an error and returns the last error in the chain of
+// wrapped errors
+func Unwrap(err error) error {
+	if err == nil {
+		return nil
+	}
+	for {
+		u := errors.Unwrap(err)
+		if u == nil {
+			break
+		}
+		err = u
+	}
+	return err
+}

internal/storage/azure/azure.go

@@ -18,6 +18,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 )
 
@@ -32,19 +33,24 @@ type Config struct {
 	AccountName       string
 	ContainerName     string
 	PrimaryAccountKey string
+	ConnectionString  string
 	Endpoint          string
 	RemotePath        string
 }
 
 // NewStorageBackend creates and initializes a new Azure Blob Storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
+	if opts.PrimaryAccountKey != "" && opts.ConnectionString != "" {
+		return nil, errwrap.Wrap(nil, "using primary account key and connection string are mutually exclusive")
+	}
+
 	endpointTemplate, err := template.New("endpoint").Parse(opts.Endpoint)
 	if err != nil {
-		return nil, fmt.Errorf("NewStorageBackend: error parsing endpoint template: %w", err)
+		return nil, errwrap.Wrap(err, "error parsing endpoint template")
 	}
 	var ep bytes.Buffer
 	if err := endpointTemplate.Execute(&ep, opts); err != nil {
-		return nil, fmt.Errorf("NewStorageBackend: error executing endpoint template: %w", err)
+		return nil, errwrap.Wrap(err, "error executing endpoint template")
 	}
 	normalizedEndpoint := fmt.Sprintf("%s/", strings.TrimSuffix(ep.String(), "/"))
 
@@ -52,21 +58,26 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 	if opts.PrimaryAccountKey != "" {
 		cred, err := azblob.NewSharedKeyCredential(opts.AccountName, opts.PrimaryAccountKey)
 		if err != nil {
-			return nil, fmt.Errorf("NewStorageBackend: error creating shared key Azure credential: %w", err)
+			return nil, errwrap.Wrap(err, "error creating shared key Azure credential")
 		}
 
 		client, err = azblob.NewClientWithSharedKeyCredential(normalizedEndpoint, cred, nil)
 		if err != nil {
-			return nil, fmt.Errorf("NewStorageBackend: error creating Azure client: %w", err)
+			return nil, errwrap.Wrap(err, "error creating azure client from primary account key")
+		}
+	} else if opts.ConnectionString != "" {
+		client, err = azblob.NewClientFromConnectionString(opts.ConnectionString, nil)
+		if err != nil {
+			return nil, errwrap.Wrap(err, "error creating azure client from connection string")
 		}
 	} else {
 		cred, err := azidentity.NewManagedIdentityCredential(nil)
 		if err != nil {
-			return nil, fmt.Errorf("NewStorageBackend: error creating managed identity credential: %w", err)
+			return nil, errwrap.Wrap(err, "error creating managed identity credential")
 		}
 		client, err = azblob.NewClient(normalizedEndpoint, cred, nil)
 		if err != nil {
-			return nil, fmt.Errorf("NewStorageBackend: error creating Azure client: %w", err)
+			return nil, errwrap.Wrap(err, "error creating azure client from managed identity")
 		}
 	}
 
@@ -90,7 +101,7 @@ func (b *azureBlobStorage) Name() string {
 func (b *azureBlobStorage) Copy(file string) error {
 	fileReader, err := os.Open(file)
 	if err != nil {
-		return fmt.Errorf("(*azureBlobStorage).Copy: error opening file %s: %w", file, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error opening file %s", file))
 	}
 	_, err = b.client.UploadStream(
 		context.Background(),
@@ -100,7 +111,7 @@ func (b *azureBlobStorage) Copy(file string) error {
 		nil,
 	)
 	if err != nil {
-		return fmt.Errorf("(*azureBlobStorage).Copy: error uploading file %s: %w", file, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error uploading file %s", file))
 	}
 	return nil
 }
@@ -117,7 +128,7 @@ func (b *azureBlobStorage) Prune(deadline time.Time, pruningPrefix string) (*sto
 	for pager.More() {
 		resp, err := pager.NextPage(context.Background())
 		if err != nil {
-			return nil, fmt.Errorf("(*azureBlobStorage).Prune: error paging over blobs: %w", err)
+			return nil, errwrap.Wrap(err, "error paging over blobs")
 		}
 		for _, v := range resp.Segment.BlobItems {
 			totalCount++

internal/storage/dropbox/dropbox.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/dropbox/dropbox-sdk-go-unofficial/v6/dropbox"
 	"github.com/dropbox/dropbox-sdk-go-unofficial/v6/dropbox/files"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"golang.org/x/oauth2"
 )
@@ -51,7 +52,7 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 	tkSource := conf.TokenSource(context.Background(), &oauth2.Token{RefreshToken: opts.RefreshToken})
 	token, err := tkSource.Token()
 	if err != nil {
-		return nil, fmt.Errorf("(*dropboxStorage).NewStorageBackend: Error refreshing token: %w", err)
+		return nil, errwrap.Wrap(err, "error refreshing token")
 	}
 
 	dbxConfig := dropbox.Config{
@@ -95,29 +96,28 @@ func (b *dropboxStorage) Copy(file string) error {
 		switch err := err.(type) {
 		case files.CreateFolderV2APIError:
 			if err.EndpointError.Path.Tag != files.WriteErrorConflict {
-				return fmt.Errorf("(*dropboxStorage).Copy: Error creating directory '%s': %w", b.DestinationPath, err)
+				return errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
 			}
 			b.Log(storage.LogLevelInfo, b.Name(), "Destination path '%s' already exists, no new directory required.", b.DestinationPath)
 		default:
-			return fmt.Errorf("(*dropboxStorage).Copy: Error creating directory '%s': %w", b.DestinationPath, err)
+			return errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
 		}
 	}
 
 	r, err := os.Open(file)
 	if err != nil {
-		return fmt.Errorf("(*dropboxStorage).Copy: Error opening the file to be uploaded: %w", err)
+		return errwrap.Wrap(err, "error opening the file to be uploaded")
 	}
 	defer r.Close()
 
 	// Start new upload session and get session id
-
 	b.Log(storage.LogLevelInfo, b.Name(), "Starting upload session for backup '%s' at path '%s'.", file, b.DestinationPath)
 
 	var sessionId string
 	uploadSessionStartArg := files.NewUploadSessionStartArg()
 	uploadSessionStartArg.SessionType = &files.UploadSessionType{Tagged: dropbox.Tagged{Tag: files.UploadSessionTypeConcurrent}}
 	if res, err := b.client.UploadSessionStart(uploadSessionStartArg, nil); err != nil {
-		return fmt.Errorf("(*dropboxStorage).Copy: Error starting the upload session: %w", err)
+		return errwrap.Wrap(err, "error starting the upload session")
 	} else {
 		sessionId = res.SessionId
 	}
@@ -165,7 +165,7 @@ loop:
 
 			bytesRead, err := r.Read(chunk)
 			if err != nil {
-				errorChn <- fmt.Errorf("(*dropboxStorage).Copy: Error reading the file to be uploaded: %w", err)
+				errorChn <- errwrap.Wrap(err, "error reading the file to be uploaded")
 				mu.Unlock()
 				return
 			}
@@ -184,7 +184,7 @@ loop:
 			mu.Unlock()
 
 			if err := b.client.UploadSessionAppendV2(uploadSessionAppendArg, bytes.NewReader(chunk)); err != nil {
-				errorChn <- fmt.Errorf("(*dropboxStorage).Copy: Error appending the file to the upload session: %w", err)
+				errorChn <- errwrap.Wrap(err, "error appending the file to the upload session")
 				return
 			}
 		}()
@@ -198,7 +198,7 @@ loop:
 			files.NewCommitInfo(filepath.Join(b.DestinationPath, name)),
 		), nil)
 	if err != nil {
-		return fmt.Errorf("(*dropboxStorage).Copy: Error finishing the upload session: %w", err)
+		return errwrap.Wrap(err, "error finishing the upload session")
 	}
 
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' at path '%s'.", file, b.DestinationPath)
@@ -211,14 +211,14 @@ func (b *dropboxStorage) Prune(deadline time.Time, pruningPrefix string) (*stora
 	var entries []files.IsMetadata
 	res, err := b.client.ListFolder(files.NewListFolderArg(b.DestinationPath))
 	if err != nil {
-		return nil, fmt.Errorf("(*webDavStorage).Prune: Error looking up candidates from remote storage: %w", err)
+		return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
 	}
 	entries = append(entries, res.Entries...)
 
 	for res.HasMore {
 		res, err = b.client.ListFolderContinue(files.NewListFolderContinueArg(res.Cursor))
 		if err != nil {
-			return nil, fmt.Errorf("(*webDavStorage).Prune: Error looking up candidates from remote storage: %w", err)
+			return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
 		}
 		entries = append(entries, res.Entries...)
 	}
@@ -248,7 +248,7 @@ func (b *dropboxStorage) Prune(deadline time.Time, pruningPrefix string) (*stora
 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
 			if _, err := b.client.DeleteV2(files.NewDeleteArg(filepath.Join(b.DestinationPath, match.Name))); err != nil {
-				return fmt.Errorf("(*dropboxStorage).Prune: Error removing file from Dropbox storage: %w", err)
+				return errwrap.Wrap(err, "error removing file from Dropbox storage")
 			}
 		}
 		return nil

internal/storage/local/local.go

@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 )
 
@@ -47,7 +48,7 @@ func (b *localStorage) Copy(file string) error {
 	_, name := path.Split(file)
 
 	if err := copyFile(file, path.Join(b.DestinationPath, name)); err != nil {
-		return fmt.Errorf("(*localStorage).Copy: Error copying file to archive: %w", err)
+		return errwrap.Wrap(err, "error copying file to archive")
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Stored copy of backup `%s` in `%s`.", file, b.DestinationPath)
 
@@ -57,7 +58,7 @@ func (b *localStorage) Copy(file string) error {
 			os.Remove(symlink)
 		}
 		if err := os.Symlink(name, symlink); err != nil {
-			return fmt.Errorf("(*localStorage).Copy: error creating latest symlink: %w", err)
+			return errwrap.Wrap(err, "error creating latest symlink")
 		}
 		b.Log(storage.LogLevelInfo, b.Name(), "Created/Updated symlink `%s` for latest backup.", b.latestSymlink)
 	}
@@ -73,10 +74,12 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 	)
 	globMatches, err := filepath.Glob(globPattern)
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, errwrap.Wrap(
-			"(*localStorage).Prune: Error looking up matching files using pattern %s: %w",
-			globPattern,
 			err,
+			fmt.Sprintf(
+				"error looking up matching files using pattern %s",
+				globPattern,
+			),
 		)
 	}
 
@@ -84,10 +87,12 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 	for _, candidate := range globMatches {
 		fi, err := os.Lstat(candidate)
 		if err != nil {
-			return nil, fmt.Errorf(
+			return nil, errwrap.Wrap(
-				"(*localStorage).Prune: Error calling Lstat on file %s: %w",
-				candidate,
 				err,
+				fmt.Sprintf(
+					"error calling Lstat on file %s",
+					candidate,
+				),
 			)
 		}
 
@@ -100,10 +105,12 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 	for _, candidate := range candidates {
 		fi, err := os.Stat(candidate)
 		if err != nil {
-			return nil, fmt.Errorf(
+			return nil, errwrap.Wrap(
-				"(*localStorage).Prune: Error calling stat on file %s: %w",
-				candidate,
 				err,
+				fmt.Sprintf(
+					"error calling stat on file %s",
+					candidate,
+				),
 			)
 		}
 		if fi.ModTime().Before(deadline) {
@@ -124,10 +131,12 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 			}
 		}
 		if len(removeErrors) != 0 {
-			return fmt.Errorf(
+			return errwrap.Wrap(
-				"(*localStorage).Prune: %d error(s) deleting files, starting with: %w",
-				len(removeErrors),
 				errors.Join(removeErrors...),
+				fmt.Sprintf(
+					"%d error(s) deleting files",
+					len(removeErrors),
+				),
 			)
 		}
 		return nil

internal/storage/s3/s3.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 )
 
@@ -53,7 +54,7 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 	} else if opts.IamRoleEndpoint != "" {
 		creds = credentials.NewIAM(opts.IamRoleEndpoint)
 	} else {
-		return nil, errors.New("NewStorageBackend: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
+		return nil, errwrap.Wrap(nil, "AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
 	}
 
 	options := minio.Options{
@@ -63,12 +64,12 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 
 	transport, err := minio.DefaultTransport(true)
 	if err != nil {
-		return nil, fmt.Errorf("NewStorageBackend: failed to create default minio transport: %w", err)
+		return nil, errwrap.Wrap(err, "failed to create default minio transport")
 	}
 
 	if opts.EndpointInsecure {
 		if !options.Secure {
-			return nil, errors.New("NewStorageBackend: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
+			return nil, errwrap.Wrap(nil, "AWS_ENDPOINT_INSECURE = true is only meaningful for https")
 		}
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	} else if opts.CACert != nil {
@@ -81,7 +82,7 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 
 	mc, err := minio.New(opts.Endpoint, &options)
 	if err != nil {
-		return nil, fmt.Errorf("NewStorageBackend: error setting up minio client: %w", err)
+		return nil, errwrap.Wrap(err, "error setting up minio client")
 	}
 
 	return &s3Storage{
@@ -112,12 +113,12 @@ func (b *s3Storage) Copy(file string) error {
 	if b.partSize > 0 {
 		srcFileInfo, err := os.Stat(file)
 		if err != nil {
-			return fmt.Errorf("(*s3Storage).Copy: error reading the local file: %w", err)
+			return errwrap.Wrap(err, "error reading the local file")
 		}
 
 		_, partSize, _, err := minio.OptimalPartInfo(srcFileInfo.Size(), uint64(b.partSize*1024*1024))
 		if err != nil {
-			return fmt.Errorf("(*s3Storage).Copy: error computing the optimal s3 part size: %w", err)
+			return errwrap.Wrap(err, "error computing the optimal s3 part size")
 		}
 
 		putObjectOptions.PartSize = uint64(partSize)
@@ -125,14 +126,17 @@ func (b *s3Storage) Copy(file string) error {
 
 	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
 		if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
-			return fmt.Errorf(
+			return errwrap.Wrap(
-				"(*s3Storage).Copy: error uploading backup to remote storage: [Message]: '%s', [Code]: %s, [StatusCode]: %d",
+				nil,
-				errResp.Message,
+				fmt.Sprintf(
-				errResp.Code,
+					"error uploading backup to remote storage: [Message]: '%s', [Code]: %s, [StatusCode]: %d",
-				errResp.StatusCode,
+					errResp.Message,
+					errResp.Code,
+					errResp.StatusCode,
+				),
 			)
 		}
-		return fmt.Errorf("(*s3Storage).Copy: error uploading backup to remote storage: %w", err)
+		return errwrap.Wrap(err, "error uploading backup to remote storage")
 	}
 
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to bucket `%s`.", file, b.bucket)
@@ -152,9 +156,9 @@ func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.Pr
 	for candidate := range candidates {
 		lenCandidates++
 		if candidate.Err != nil {
-			return nil, fmt.Errorf(
+			return nil, errwrap.Wrap(
-				"(*s3Storage).Prune: error looking up candidates from remote storage! %w",
 				candidate.Err,
+				"error looking up candidates from remote storage",
 			)
 		}
 		if candidate.LastModified.Before(deadline) {

internal/storage/ssh/ssh.go

@@ -4,7 +4,6 @@
 package ssh
 
 import (
-	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -13,6 +12,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/pkg/sftp"
 	"golang.org/x/crypto/ssh"
@@ -47,20 +47,20 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 	if _, err := os.Stat(opts.IdentityFile); err == nil {
 		key, err := os.ReadFile(opts.IdentityFile)
 		if err != nil {
-			return nil, errors.New("NewStorageBackend: error reading the private key")
+			return nil, errwrap.Wrap(nil, "error reading the private key")
 		}
 
 		var signer ssh.Signer
 		if opts.IdentityPassphrase != "" {
 			signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(opts.IdentityPassphrase))
 			if err != nil {
-				return nil, errors.New("NewStorageBackend: error parsing the encrypted private key")
+				return nil, errwrap.Wrap(nil, "error parsing the encrypted private key")
 			}
 			authMethods = append(authMethods, ssh.PublicKeys(signer))
 		} else {
 			signer, err = ssh.ParsePrivateKey(key)
 			if err != nil {
-				return nil, errors.New("NewStorageBackend: error parsing the private key")
+				return nil, errwrap.Wrap(nil, "error parsing the private key")
 			}
 			authMethods = append(authMethods, ssh.PublicKeys(signer))
 		}
@@ -74,7 +74,7 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 	sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", opts.HostName, opts.Port), sshClientConfig)
 
 	if err != nil {
-		return nil, fmt.Errorf("NewStorageBackend: error creating ssh client: %w", err)
+		return nil, errwrap.Wrap(err, "error creating ssh client")
 	}
 	_, _, err = sshClient.SendRequest("keepalive", false, nil)
 	if err != nil {
@@ -87,7 +87,7 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 		sftp.MaxConcurrentRequestsPerFile(64),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("NewStorageBackend: error creating sftp client: %w", err)
+		return nil, errwrap.Wrap(err, "error creating sftp client")
 	}
 
 	return &sshStorage{
@@ -111,13 +111,13 @@ func (b *sshStorage) Copy(file string) error {
 	source, err := os.Open(file)
 	_, name := path.Split(file)
 	if err != nil {
-		return fmt.Errorf("(*sshStorage).Copy: error reading the file to be uploaded: %w", err)
+		return errwrap.Wrap(err, " error reading the file to be uploaded")
 	}
 	defer source.Close()
 
 	destination, err := b.sftpClient.Create(filepath.Join(b.DestinationPath, name))
 	if err != nil {
-		return fmt.Errorf("(*sshStorage).Copy: error creating file: %w", err)
+		return errwrap.Wrap(err, "error creating file")
 	}
 	defer destination.Close()
 
@@ -127,27 +127,27 @@ func (b *sshStorage) Copy(file string) error {
 		if err == io.EOF {
 			tot, err := destination.Write(chunk[:num])
 			if err != nil {
-				return fmt.Errorf("(*sshStorage).Copy: error uploading the file: %w", err)
+				return errwrap.Wrap(err, "error uploading the file")
 			}
 
 			if tot != len(chunk[:num]) {
-				return errors.New("(*sshStorage).Copy: failed to write stream")
+				return errwrap.Wrap(nil, "failed to write stream")
 			}
 
 			break
 		}
 
 		if err != nil {
-			return fmt.Errorf("(*sshStorage).Copy: error uploading the file: %w", err)
+			return errwrap.Wrap(err, "error uploading the file")
 		}
 
 		tot, err := destination.Write(chunk[:num])
 		if err != nil {
-			return fmt.Errorf("(*sshStorage).Copy: error uploading the file: %w", err)
+			return errwrap.Wrap(err, "error uploading the file")
 		}
 
 		if tot != len(chunk[:num]) {
-			return fmt.Errorf("(*sshStorage).Copy: failed to write stream")
+			return errwrap.Wrap(nil, "failed to write stream")
 		}
 	}
 
@@ -160,7 +160,7 @@ func (b *sshStorage) Copy(file string) error {
 func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.sftpClient.ReadDir(b.DestinationPath)
 	if err != nil {
-		return nil, fmt.Errorf("(*sshStorage).Prune: error reading directory: %w", err)
+		return nil, errwrap.Wrap(err, "error reading directory")
 	}
 
 	var matches []string
@@ -181,7 +181,7 @@ func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.P
 	pruneErr := b.DoPrune(b.Name(), len(matches), len(candidates), deadline, func() error {
 		for _, match := range matches {
 			if err := b.sftpClient.Remove(filepath.Join(b.DestinationPath, match)); err != nil {
-				return fmt.Errorf("(*sshStorage).Prune: error removing file: %w", err)
+				return errwrap.Wrap(err, "error removing file")
 			}
 		}
 		return nil

internal/storage/storage.go

@@ -4,8 +4,9 @@
 package storage
 
 import (
-	"fmt"
 	"time"
+
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 // Backend is an interface for defining functions which all storage providers support.
@@ -26,7 +27,6 @@ type LogLevel int
 const (
 	LogLevelInfo LogLevel = iota
 	LogLevelWarning
-	LogLevelError
 )
 
 type Log func(logType LogLevel, context string, msg string, params ...any)
@@ -47,7 +47,7 @@ func (b *StorageBackend) DoPrune(context string, lenMatches, lenCandidates int,
 
 		formattedDeadline, err := deadline.Local().MarshalText()
 		if err != nil {
-			return fmt.Errorf("(*StorageBackend).DoPrune: error marshaling deadline: %w", err)
+			return errwrap.Wrap(err, "error marshaling deadline")
 		}
 		b.Log(LogLevelInfo, context,
 			"Pruned %d out of %d backups as they were older than the given deadline of %s.",

internal/storage/webdav/webdav.go

@@ -4,7 +4,6 @@
 package webdav
 
 import (
-	"errors"
 	"fmt"
 	"io/fs"
 	"net/http"
@@ -14,6 +13,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/studio-b12/gowebdav"
 )
@@ -36,14 +36,14 @@ type Config struct {
 // NewStorageBackend creates and initializes a new WebDav storage backend.
 func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
 	if opts.Username == "" || opts.Password == "" {
-		return nil, errors.New("NewStorageBackend: WEBDAV_URL is defined, but no credentials were provided")
+		return nil, errwrap.Wrap(nil, "WEBDAV_URL is defined, but no credentials were provided")
 	} else {
 		webdavClient := gowebdav.NewClient(opts.URL, opts.Username, opts.Password)
 
 		if opts.URLInsecure {
 			defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 			if !ok {
-				return nil, errors.New("NewStorageBackend: unexpected error when asserting type for http.DefaultTransport")
+				return nil, errwrap.Wrap(nil, "unexpected error when asserting type for http.DefaultTransport")
 			}
 			webdavTransport := defaultTransport.Clone()
 			webdavTransport.TLSClientConfig.InsecureSkipVerify = opts.URLInsecure
@@ -69,16 +69,16 @@ func (b *webDavStorage) Name() string {
 func (b *webDavStorage) Copy(file string) error {
 	_, name := path.Split(file)
 	if err := b.client.MkdirAll(b.DestinationPath, 0644); err != nil {
-		return fmt.Errorf("(*webDavStorage).Copy: error creating directory '%s' on server: %w", b.DestinationPath, err)
+		return errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s' on server", b.DestinationPath))
 	}
 
 	r, err := os.Open(file)
 	if err != nil {
-		return fmt.Errorf("(*webDavStorage).Copy: error opening the file to be uploaded: %w", err)
+		return errwrap.Wrap(err, "error opening the file to be uploaded")
 	}
 
 	if err := b.client.WriteStream(filepath.Join(b.DestinationPath, name), r, 0644); err != nil {
-		return fmt.Errorf("(*webDavStorage).Copy: error uploading the file: %w", err)
+		return errwrap.Wrap(err, "error uploading the file")
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to '%s' at path '%s'.", file, b.url, b.DestinationPath)
 
@@ -89,7 +89,7 @@ func (b *webDavStorage) Copy(file string) error {
 func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.client.ReadDir(b.DestinationPath)
 	if err != nil {
-		return nil, fmt.Errorf("(*webDavStorage).Prune: error looking up candidates from remote storage: %w", err)
+		return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
 	}
 	var matches []fs.FileInfo
 	var lenCandidates int
@@ -111,7 +111,7 @@ func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storag
 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
 			if err := b.client.Remove(filepath.Join(b.DestinationPath, match.Name())); err != nil {
-				return fmt.Errorf("(*webDavStorage).Prune: error removing file: %w", err)
+				return errwrap.Wrap(err, "error removing file")
 			}
 		}
 		return nil

test/confd/01backup.env

@@ -1,2 +1,6 @@
-BACKUP_FILENAME="conf.tar.gz"
+# This is a comment
+# NOT=$(docker ps -aq)
+# e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before`
+
+NAME="$EXPANSION_VALUE"
 BACKUP_CRON_EXPRESSION="*/1 * * * *"

test/confd/02backup.env

@@ -1,2 +1,3 @@
-BACKUP_FILENAME="other.tar.gz"
+NAME="other"
 BACKUP_CRON_EXPRESSION="*/1 * * * *"
+BACKUP_FILENAME="override-$NAME.tar.gz"

test/confd/03never.env

@@ -1,2 +1,2 @@
-BACKUP_FILENAME="never.tar.gz"
+NAME="never"
 BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"

test/confd/docker-compose.yml

@@ -4,6 +4,10 @@ services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
     restart: always
+    environment:
+      BACKUP_FILENAME: $$NAME.tar.gz
+      BACKUP_FILENAME_EXPAND: 'true'
+      EXPANSION_VALUE: conf
     volumes:
       - ${LOCAL_DIR:-./local}:/archive
       - app_data:/backup/app_data:ro

test/confd/run.sh

@@ -20,7 +20,7 @@ if [ ! -f "$LOCAL_DIR/conf.tar.gz" ]; then
 fi
 pass "Config from file was used."
 
-if [ ! -f "$LOCAL_DIR/other.tar.gz" ]; then
+if [ ! -f "$LOCAL_DIR/override-other.tar.gz" ]; then
   fail "Run on same schedule did not succeed."
 fi
 pass "Run on same schedule succeeded."

test/nonroot/01conf.env

@@ -0,0 +1,7 @@
+AWS_ACCESS_KEY_ID="test"
+AWS_SECRET_ACCESS_KEY="GMusLtUmILge2by+z890kQ"
+AWS_ENDPOINT="minio:9000"
+AWS_ENDPOINT_PROTO="http"
+AWS_S3_BUCKET_NAME="backup"
+BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
+BACKUP_FILENAME="test.tar.gz"

test/nonroot/docker-compose.yml

@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+  minio:
+    image: minio/minio:RELEASE.2020-08-04T23-10-51Z
+    environment:
+      MINIO_ROOT_USER: test
+      MINIO_ROOT_PASSWORD: test
+      MINIO_ACCESS_KEY: test
+      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
+    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
+    volumes:
+      - ${LOCAL_DIR:-local}:/data
+
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    user: 1000:1000
+    depends_on:
+      - minio
+    restart: always
+    volumes:
+      - app_data:/backup/app_data:ro
+      - ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/nonroot/run.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose logs backup
+
+# conf.d is used to confirm /etc files are also accessible for non-root users
+docker compose exec backup /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/01conf.env; set +a && backup'
+
+sleep 5
+
+expect_running_containers "3"
+
+if [ ! -f "$LOCAL_DIR/backup/test.tar.gz" ]; then
+  fail "Could not find archive."
+fi
+pass "Archive was created."
+

test/util.sh

@@ -22,7 +22,7 @@ skip () {
 
 expect_running_containers () {
   if [ "$(docker ps -q | wc -l)" != "$1" ]; then
-    fail "Expected $1 containers to be running, instead seen: "$(docker ps -a | wc -l)""
+    fail "Expected $1 containers to be running, instead seen: "$(docker ps -q | wc -l)""
   fi
   pass "$1 containers running."
 }