Add label to optionally skip container restart after backup (#659)

* Add label to optionally skip container restart after backup

* Add new mutually exclusive label instead

* Simplified `hasLabel`

* removed unnecessary else block

* added new test-case `no-restart` based on test-case `local`

* removed invalid README entry

* added new section to how-tos

* Added configuration reference

.github/FUNDING.yml

@@ -1,3 +0,0 @@
-github: offen
-patreon: offen
-

.github/workflows/deploy-docs.yml

@@ -39,7 +39,7 @@ jobs:
         env:
           JEKYLL_ENV: production
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
+        uses: actions/upload-pages-artifact@v3
         with:
           path: 'docs/_site/'
 
@@ -52,4 +52,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v1
+        uses: actions/deploy-pages@v4

.github/workflows/golangci-lint.yml

@@ -7,7 +7,6 @@ on:
 
 permissions:
   contents: read
-  # Optional: allow read access to pull request. Use with `only-new-issues` option.
   pull-requests: read
 
 jobs:
@@ -15,40 +14,12 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@v5
+      - uses: actions/setup-go@v6
         with:
-          go-version: '1.22'
-          cache: false
+          go-version: '1.25'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v8
         with:
-          # Require: The version of golangci-lint to use.
-          # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
-          # When `install-mode` is `goinstall` the value can be v1.2.3, `latest`, or the hash of a commit.
-          version: v1.54
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
-          #
-          # Note: By default, the `.golangci.yml` file should be at the root of the repository.
-          # The location of the configuration file can be changed by using `--config=`
-          # args: --timeout=30m --config=/my/path/.golangci.yml --issues-exit-code=0
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          # only-new-issues: true
-
-          # Optional: if set to true, then all caching functionality will be completely disabled,
-          #           takes precedence over all other caching options.
-          # skip-cache: true
-
-          # Optional: if set to true, then the action won't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
-
-          # Optional: if set to true, then the action won't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true
-
-          # Optional: The mode to install golangci-lint. It can be 'binary' or 'goinstall'.
-          # install-mode: "goinstall"
+          version: v2.4
+          args: --timeout 5m

.github/workflows/unit.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.22.x'
+          go-version: '1.25.x'
       - name: Install dependencies
         run: go mod download
       - name: Test with the Go CLI

.golangci.yml

@@ -1,8 +1,7 @@
+version: '2'
 linters:
   # Enable specific linter
   # https://golangci-lint.run/usage/linters/#enabled-by-default
   enable:
     - staticcheck
     - govet
-output:
-  format: github-actions

Dockerfile

@@ -1,7 +1,7 @@
 # Copyright 2022 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: MPL-2.0
 
-FROM golang:1.22-alpine as builder
+FROM golang:1.25-alpine AS builder
 
 WORKDIR /app
 COPY . .
@@ -9,7 +9,7 @@ RUN go mod download
 WORKDIR /app/cmd/backup
 RUN go build -o backup .
 
-FROM alpine:3.19
+FROM alpine:3.22
 
 WORKDIR /root
 

README.md

@@ -4,10 +4,10 @@
 
 # docker-volume-backup
 
-Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage.
+Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage.
 
-The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) companion container to an existing Docker setup.
-It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
+The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 25MB) companion container to an existing Docker setup.
+It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
 
 Documentation is found at <https://offen.github.io/docker-volume-backup>
   - [Quickstart](https://offen.github.io/docker-volume-backup)
@@ -24,8 +24,6 @@ Documentation is found at <https://offen.github.io/docker-volume-backup>
 Add a `backup` service to your compose setup and mount the volumes you would like to see backed up:
 
 ```yml
-version: '3'
-
 services:
   volume-consumer:
     build:
@@ -76,7 +74,11 @@ docker run --rm \
   offen/docker-volume-backup:v2
 ```
 
-Alternatively, pass a `--env-file` in order to use a full config as described below.
+Alternatively, pass a `--env-file` in order to use a full config as described [in the docs](https://offen.github.io/docker-volume-backup/reference/).
+
+### Looking for help?
+
+In case your are looking for help or guidance on how to incorporate docker-volume-backup into your existing setup, consider [becoming a sponsor](https://github.com/sponsors/offen?frequency=one-time) and book a one hour consulting session.
 
 ---
 

cmd/backup/archive.go

@@ -22,8 +22,7 @@ import (
 )
 
 func createArchive(files []string, inputFilePath, outputFilePath string, compression string, compressionConcurrency int) error {
-	inputFilePath = stripTrailingSlashes(inputFilePath)
-	inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
+	_, outputFilePath, err := makeAbsolute(stripTrailingSlashes(inputFilePath), outputFilePath)
 	if err != nil {
 		return errwrap.Wrap(err, "error transposing given file paths")
 	}
@@ -31,7 +30,7 @@ func createArchive(files []string, inputFilePath, outputFilePath string, compres
 		return errwrap.Wrap(err, "error creating output file path")
 	}
 
-	if err := compress(files, outputFilePath, filepath.Dir(inputFilePath), compression, compressionConcurrency); err != nil {
+	if err := compress(files, outputFilePath, compression, compressionConcurrency); err != nil {
 		return errwrap.Wrap(err, "error creating archive")
 	}
 
@@ -55,7 +54,7 @@ func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error)
 	return inputFilePath, outputFilePath, err
 }
 
-func compress(paths []string, outFilePath, subPath string, algo string, concurrency int) error {
+func compress(paths []string, outFilePath, algo string, concurrency int) error {
 	file, err := os.Create(outFilePath)
 	if err != nil {
 		return errwrap.Wrap(err, "error creating out file")
@@ -94,6 +93,8 @@ func compress(paths []string, outFilePath, subPath string, algo string, concurre
 
 func getCompressionWriter(file *os.File, algo string, concurrency int) (io.WriteCloser, error) {
 	switch algo {
+	case "none":
+		return &passThroughWriteCloser{file}, nil
 	case "gz":
 		w, err := pgzip.NewWriterLevel(file, 5)
 		if err != nil {
@@ -120,10 +121,11 @@ func getCompressionWriter(file *os.File, algo string, concurrency int) (io.Write
 	}
 }
 
-func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
+func writeTarball(path string, tarWriter *tar.Writer, prefix string) (returnErr error) {
 	fileInfo, err := os.Lstat(path)
 	if err != nil {
-		return errwrap.Wrap(err, fmt.Sprintf("error getting file info for %s", path))
+		returnErr = errwrap.Wrap(err, fmt.Sprintf("error getting file info for %s", path))
+		return
 	}
 
 	if fileInfo.Mode()&os.ModeSocket == os.ModeSocket {
@@ -134,19 +136,22 @@ func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 	if fileInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
 		var err error
 		if link, err = os.Readlink(path); err != nil {
-			return errwrap.Wrap(err, fmt.Sprintf("error resolving symlink %s", path))
+			returnErr = errwrap.Wrap(err, fmt.Sprintf("error resolving symlink %s", path))
+			return
 		}
 	}
 
 	header, err := tar.FileInfoHeader(fileInfo, link)
 	if err != nil {
-		return errwrap.Wrap(err, "error getting file info header")
+		returnErr = errwrap.Wrap(err, "error getting file info header")
+		return
 	}
 	header.Name = strings.TrimPrefix(path, prefix)
 
 	err = tarWriter.WriteHeader(header)
 	if err != nil {
-		return errwrap.Wrap(err, "error writing file info header")
+		returnErr = errwrap.Wrap(err, "error writing file info header")
+		return
 	}
 
 	if !fileInfo.Mode().IsRegular() {
@@ -155,14 +160,30 @@ func writeTarball(path string, tarWriter *tar.Writer, prefix string) error {
 
 	file, err := os.Open(path)
 	if err != nil {
-		return errwrap.Wrap(err, fmt.Sprintf("error opening %s", path))
+		returnErr = errwrap.Wrap(err, fmt.Sprintf("error opening %s", path))
+		return
 	}
-	defer file.Close()
+	defer func() {
+		returnErr = file.Close()
+	}()
 
 	_, err = io.Copy(tarWriter, file)
 	if err != nil {
-		return errwrap.Wrap(err, fmt.Sprintf("error copying %s to tar writer", path))
+		returnErr = errwrap.Wrap(err, fmt.Sprintf("error copying %s to tar writer", path))
+		return
 	}
 
 	return nil
 }
+
+type passThroughWriteCloser struct {
+	target io.WriteCloser
+}
+
+func (p *passThroughWriteCloser) Write(b []byte) (int, error) {
+	return p.target.Write(b)
+}
+
+func (p *passThroughWriteCloser) Close() error {
+	return nil
+}

cmd/backup/command.go

@@ -131,12 +131,8 @@ func (c *command) schedule(strategy configStrategy) error {
 			c.logger.Warn(
 				fmt.Sprintf("Scheduled cron expression %s will never run, is this intentional?", config.BackupCronExpression),
 			)
-
-			if err != nil {
-				return errwrap.Wrap(err, "error scheduling")
-			}
-			c.schedules = append(c.schedules, id)
 		}
+		c.schedules = append(c.schedules, id)
 	}
 
 	return nil

cmd/backup/config.go

@@ -18,80 +18,91 @@ import (
 // Config holds all configuration values that are expected to be set
 // by users.
 type Config struct {
-	AwsS3BucketName               string          `split_words:"true"`
-	AwsS3Path                     string          `split_words:"true"`
-	AwsEndpoint                   string          `split_words:"true" default:"s3.amazonaws.com"`
-	AwsEndpointProto              string          `split_words:"true" default:"https"`
-	AwsEndpointInsecure           bool            `split_words:"true"`
-	AwsEndpointCACert             CertDecoder     `envconfig:"AWS_ENDPOINT_CA_CERT"`
-	AwsStorageClass               string          `split_words:"true"`
-	AwsAccessKeyID                string          `envconfig:"AWS_ACCESS_KEY_ID"`
-	AwsSecretAccessKey            string          `split_words:"true"`
-	AwsIamRoleEndpoint            string          `split_words:"true"`
-	AwsPartSize                   int64           `split_words:"true"`
-	BackupCompression             CompressionType `split_words:"true" default:"gz"`
-	GzipParallelism               WholeNumber     `split_words:"true" default:"1"`
-	BackupSources                 string          `split_words:"true" default:"/backup"`
-	BackupFilename                string          `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"`
-	BackupFilenameExpand          bool            `split_words:"true"`
-	BackupLatestSymlink           string          `split_words:"true"`
-	BackupArchive                 string          `split_words:"true" default:"/archive"`
-	BackupCronExpression          string          `split_words:"true" default:"@daily"`
-	BackupRetentionDays           int32           `split_words:"true" default:"-1"`
-	BackupPruningLeeway           time.Duration   `split_words:"true" default:"1m"`
-	BackupPruningPrefix           string          `split_words:"true"`
-	BackupStopContainerLabel      string          `split_words:"true"`
-	BackupStopDuringBackupLabel   string          `split_words:"true" default:"true"`
-	BackupStopServiceTimeout      time.Duration   `split_words:"true" default:"5m"`
-	BackupFromSnapshot            bool            `split_words:"true"`
-	BackupExcludeRegexp           RegexpDecoder   `split_words:"true"`
-	BackupSkipBackendsFromPrune   []string        `split_words:"true"`
-	GpgPassphrase                 string          `split_words:"true"`
-	NotificationURLs              []string        `envconfig:"NOTIFICATION_URLS"`
-	NotificationLevel             string          `split_words:"true" default:"error"`
-	EmailNotificationRecipient    string          `split_words:"true"`
-	EmailNotificationSender       string          `split_words:"true" default:"noreply@nohost"`
-	EmailSMTPHost                 string          `envconfig:"EMAIL_SMTP_HOST"`
-	EmailSMTPPort                 int             `envconfig:"EMAIL_SMTP_PORT" default:"587"`
-	EmailSMTPUsername             string          `envconfig:"EMAIL_SMTP_USERNAME"`
-	EmailSMTPPassword             string          `envconfig:"EMAIL_SMTP_PASSWORD"`
-	WebdavUrl                     string          `split_words:"true"`
-	WebdavUrlInsecure             bool            `split_words:"true"`
-	WebdavPath                    string          `split_words:"true" default:"/"`
-	WebdavUsername                string          `split_words:"true"`
-	WebdavPassword                string          `split_words:"true"`
-	SSHHostName                   string          `split_words:"true"`
-	SSHPort                       string          `split_words:"true" default:"22"`
-	SSHUser                       string          `split_words:"true"`
-	SSHPassword                   string          `split_words:"true"`
-	SSHIdentityFile               string          `split_words:"true" default:"/root/.ssh/id_rsa"`
-	SSHIdentityPassphrase         string          `split_words:"true"`
-	SSHRemotePath                 string          `split_words:"true"`
-	ExecLabel                     string          `split_words:"true"`
-	ExecForwardOutput             bool            `split_words:"true"`
-	LockTimeout                   time.Duration   `split_words:"true" default:"60m"`
-	AzureStorageAccountName       string          `split_words:"true"`
-	AzureStoragePrimaryAccountKey string          `split_words:"true"`
-	AzureStorageConnectionString  string          `split_words:"true"`
-	AzureStorageContainerName     string          `split_words:"true"`
-	AzureStoragePath              string          `split_words:"true"`
-	AzureStorageEndpoint          string          `split_words:"true" default:"https://{{ .AccountName }}.blob.core.windows.net/"`
-	DropboxEndpoint               string          `split_words:"true" default:"https://api.dropbox.com/"`
-	DropboxOAuth2Endpoint         string          `envconfig:"DROPBOX_OAUTH2_ENDPOINT" default:"https://api.dropbox.com/"`
-	DropboxRefreshToken           string          `split_words:"true"`
-	DropboxAppKey                 string          `split_words:"true"`
-	DropboxAppSecret              string          `split_words:"true"`
-	DropboxRemotePath             string          `split_words:"true"`
-	DropboxConcurrencyLevel       NaturalNumber   `split_words:"true" default:"6"`
-	source                        string
-	additionalEnvVars             map[string]string
+	AwsS3BucketName                      string          `split_words:"true"`
+	AwsS3Path                            string          `split_words:"true"`
+	AwsEndpoint                          string          `split_words:"true" default:"s3.amazonaws.com"`
+	AwsEndpointProto                     string          `split_words:"true" default:"https"`
+	AwsEndpointInsecure                  bool            `split_words:"true"`
+	AwsEndpointCACert                    CertDecoder     `envconfig:"AWS_ENDPOINT_CA_CERT"`
+	AwsStorageClass                      string          `split_words:"true"`
+	AwsAccessKeyID                       string          `envconfig:"AWS_ACCESS_KEY_ID"`
+	AwsSecretAccessKey                   string          `split_words:"true"`
+	AwsIamRoleEndpoint                   string          `split_words:"true"`
+	AwsPartSize                          int64           `split_words:"true"`
+	BackupCompression                    CompressionType `split_words:"true" default:"gz"`
+	GzipParallelism                      WholeNumber     `split_words:"true" default:"1"`
+	BackupSources                        string          `split_words:"true" default:"/backup"`
+	BackupFilename                       string          `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"`
+	BackupFilenameExpand                 bool            `split_words:"true"`
+	BackupLatestSymlink                  string          `split_words:"true"`
+	BackupArchive                        string          `split_words:"true" default:"/archive"`
+	BackupCronExpression                 string          `split_words:"true" default:"@daily"`
+	BackupJitter                         time.Duration   `split_words:"true" default:"0s"`
+	BackupRetentionDays                  int32           `split_words:"true" default:"-1"`
+	BackupPruningLeeway                  time.Duration   `split_words:"true" default:"1m"`
+	BackupPruningPrefix                  string          `split_words:"true"`
+	BackupStopContainerLabel             string          `split_words:"true"`
+	BackupStopDuringBackupLabel          string          `split_words:"true" default:"true"`
+	BackupStopDuringBackupNoRestartLabel string          `split_words:"true" default:"true"`
+	BackupStopServiceTimeout             time.Duration   `split_words:"true" default:"5m"`
+	BackupFromSnapshot                   bool            `split_words:"true"`
+	BackupExcludeRegexp                  RegexpDecoder   `split_words:"true"`
+	BackupSkipBackendsFromPrune          []string        `split_words:"true"`
+	GpgPassphrase                        string          `split_words:"true"`
+	GpgPublicKeyRing                     string          `split_words:"true"`
+	AgePassphrase                        string          `split_words:"true"`
+	AgePublicKeys                        []string        `split_words:"true"`
+	NotificationURLs                     []string        `envconfig:"NOTIFICATION_URLS"`
+	NotificationLevel                    string          `split_words:"true" default:"error"`
+	EmailNotificationRecipient           string          `split_words:"true"`
+	EmailNotificationSender              string          `split_words:"true" default:"noreply@nohost"`
+	EmailSMTPHost                        string          `envconfig:"EMAIL_SMTP_HOST"`
+	EmailSMTPPort                        int             `envconfig:"EMAIL_SMTP_PORT" default:"587"`
+	EmailSMTPUsername                    string          `envconfig:"EMAIL_SMTP_USERNAME"`
+	EmailSMTPPassword                    string          `envconfig:"EMAIL_SMTP_PASSWORD"`
+	WebdavUrl                            string          `split_words:"true"`
+	WebdavUrlInsecure                    bool            `split_words:"true"`
+	WebdavPath                           string          `split_words:"true" default:"/"`
+	WebdavUsername                       string          `split_words:"true"`
+	WebdavPassword                       string          `split_words:"true"`
+	SSHHostName                          string          `split_words:"true"`
+	SSHPort                              string          `split_words:"true" default:"22"`
+	SSHUser                              string          `split_words:"true"`
+	SSHPassword                          string          `split_words:"true"`
+	SSHIdentityFile                      string          `split_words:"true" default:"/root/.ssh/id_rsa"`
+	SSHIdentityPassphrase                string          `split_words:"true"`
+	SSHRemotePath                        string          `split_words:"true"`
+	ExecLabel                            string          `split_words:"true"`
+	ExecForwardOutput                    bool            `split_words:"true"`
+	LockTimeout                          time.Duration   `split_words:"true" default:"60m"`
+	AzureStorageAccountName              string          `split_words:"true"`
+	AzureStoragePrimaryAccountKey        string          `split_words:"true"`
+	AzureStorageConnectionString         string          `split_words:"true"`
+	AzureStorageContainerName            string          `split_words:"true"`
+	AzureStoragePath                     string          `split_words:"true"`
+	AzureStorageEndpoint                 string          `split_words:"true" default:"https://{{ .AccountName }}.blob.core.windows.net/"`
+	AzureStorageAccessTier               string          `split_words:"true"`
+	DropboxEndpoint                      string          `split_words:"true" default:"https://api.dropbox.com/"`
+	DropboxOAuth2Endpoint                string          `envconfig:"DROPBOX_OAUTH2_ENDPOINT" default:"https://api.dropbox.com/"`
+	DropboxRefreshToken                  string          `split_words:"true"`
+	DropboxAppKey                        string          `split_words:"true"`
+	DropboxAppSecret                     string          `split_words:"true"`
+	DropboxRemotePath                    string          `split_words:"true"`
+	DropboxConcurrencyLevel              NaturalNumber   `split_words:"true" default:"6"`
+	GoogleDriveCredentialsJSON           string          `split_words:"true"`
+	GoogleDriveFolderID                  string          `split_words:"true"`
+	GoogleDriveImpersonateSubject        string          `split_words:"true"`
+	GoogleDriveEndpoint                  string          `split_words:"true"`
+	GoogleDriveTokenURL                  string          `split_words:"true"`
+	source                               string
+	additionalEnvVars                    map[string]string
 }
 
 type CompressionType string
 
 func (c *CompressionType) Decode(v string) error {
 	switch v {
-	case "gz", "zst":
+	case "none", "gz", "zst":
 		*c = CompressionType(v)
 		return nil
 	default:

cmd/backup/config_provider.go

@@ -153,13 +153,13 @@ func source(path string) (map[string]string, error) {
 			currentValue, currentOk := os.LookupEnv(key)
 			defer func() {
 				if currentOk {
-					os.Setenv(key, currentValue)
+					_ = os.Setenv(key, currentValue)
 					return
 				}
-				os.Unsetenv(key)
+				_ = os.Unsetenv(key)
 			}()
 			result[key] = value
-			os.Setenv(key, value)
+			_ = os.Setenv(key, value)
 		}
 	}
 	return result, nil

cmd/backup/config_provider_test.go

@@ -60,8 +60,10 @@ func TestSource(t *testing.T) {
 		},
 	}
 
-	os.Setenv("QUX", "yyy")
-	defer os.Unsetenv("QUX")
+	_ = os.Setenv("QUX", "yyy")
+	defer func() {
+		_ = os.Unsetenv("QUX")
+	}()
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {

cmd/backup/encrypt_archive.go

@@ -4,61 +4,223 @@
 package main
 
 import (
+	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path"
+	"strings"
 
+	"filippo.io/age"
+	"filippo.io/age/agessh"
+	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
-// encryptArchive encrypts the backup file using PGP and the configured passphrase.
-// In case no passphrase is given it returns early, leaving the backup file
+func countTrue(b ...bool) int {
+	c := int(0)
+	for _, v := range b {
+		if v {
+			c++
+		}
+	}
+	return c
+}
+
+// encryptArchive encrypts the backup file using PGP and the configured passphrase or publickey(s).
+// In case no passphrase or publickey is given it returns early, leaving the backup file
 // untouched.
 func (s *script) encryptArchive() error {
-	if s.c.GpgPassphrase == "" {
+	useGPGSymmetric := s.c.GpgPassphrase != ""
+	useGPGAsymmetric := s.c.GpgPublicKeyRing != ""
+	useAgeSymmetric := s.c.AgePassphrase != ""
+	useAgeAsymmetric := len(s.c.AgePublicKeys) > 0
+	switch nconfigured := countTrue(
+		useGPGSymmetric,
+		useGPGAsymmetric,
+		useAgeSymmetric,
+		useAgeAsymmetric,
+	); nconfigured {
+	case 0:
 		return nil
+	case 1:
+		// ok!
+	default:
+		return fmt.Errorf(
+			"error in selecting archive encryption method: expected 0 or 1 to be configured, %d methods are configured",
+			nconfigured,
+		)
 	}
 
-	gpgFile := fmt.Sprintf("%s.gpg", s.file)
+	if useGPGSymmetric {
+		return s.encryptWithGPGSymmetric()
+	} else if useGPGAsymmetric {
+		return s.encryptWithGPGAsymmetric()
+	} else if useAgeSymmetric || useAgeAsymmetric {
+		ar, err := s.getConfiguredAgeRecipients()
+		if err != nil {
+			return errwrap.Wrap(err, "failed to get configured age recipients")
+		}
+		return s.encryptWithAge(ar)
+	}
+	return nil
+}
+
+func (s *script) getConfiguredAgeRecipients() ([]age.Recipient, error) {
+	if s.c.AgePassphrase == "" && len(s.c.AgePublicKeys) == 0 {
+		return nil, fmt.Errorf("no age recipients configured")
+	}
+	recipients := []age.Recipient{}
+	if len(s.c.AgePublicKeys) > 0 {
+		for _, pk := range s.c.AgePublicKeys {
+			pkr, err := parseAgeRecipient(pk)
+			if err != nil {
+				return nil, errwrap.Wrap(err, "failed to parse age public key")
+			}
+			recipients = append(recipients, pkr)
+		}
+	}
+	if s.c.AgePassphrase != "" {
+		if len(recipients) != 0 {
+			return nil, fmt.Errorf("age encryption must only be enabled via passphrase or public key, not both")
+		}
+
+		r, err := age.NewScryptRecipient(s.c.AgePassphrase)
+		if err != nil {
+			return nil, errwrap.Wrap(err, "failed to create scrypt identity from age passphrase")
+		}
+		recipients = append(recipients, r)
+	}
+	return recipients, nil
+}
+
+func parseAgeRecipient(arg string) (age.Recipient, error) {
+	// This logic is adapted from what the age CLI is doing
+	// stripping some special cases
+	switch {
+	case strings.HasPrefix(arg, "age1"):
+		return age.ParseX25519Recipient(arg)
+	case strings.HasPrefix(arg, "ssh-"):
+		return agessh.ParseRecipient(arg)
+	}
+	return nil, fmt.Errorf("unknown recipient type: %q", arg)
+}
+
+func (s *script) encryptWithAge(rec []age.Recipient) error {
+	return s.doEncrypt("age", func(ciphertextWriter io.Writer) (io.WriteCloser, error) {
+		return age.Encrypt(ciphertextWriter, rec...)
+	})
+}
+
+func (s *script) encryptWithGPGSymmetric() error {
+	return s.doEncrypt("gpg", func(ciphertextWriter io.Writer) (io.WriteCloser, error) {
+		_, name := path.Split(s.file)
+		return openpgp.SymmetricallyEncrypt(ciphertextWriter, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
+			FileName: name,
+		}, nil)
+	})
+}
+
+type closeAllWriter struct {
+	io.Writer
+	closers []io.Closer
+}
+
+func (c *closeAllWriter) Close() (err error) {
+	for _, cl := range c.closers {
+		err = errors.Join(err, cl.Close())
+	}
+	return
+}
+
+var _ io.WriteCloser = (*closeAllWriter)(nil)
+
+func (s *script) encryptWithGPGAsymmetric() error {
+	return s.doEncrypt("gpg", func(ciphertextWriter io.Writer) (_ io.WriteCloser, outerr error) {
+		entityList, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(s.c.GpgPublicKeyRing)))
+		if err != nil {
+			return nil, errwrap.Wrap(err, "error parsing armored keyring")
+		}
+
+		armoredWriter, err := armor.Encode(ciphertextWriter, "PGP MESSAGE", nil)
+		if err != nil {
+			return nil, errwrap.Wrap(err, "error preparing encryption")
+		}
+		defer func() {
+			if outerr != nil {
+				_ = armoredWriter.Close()
+			}
+		}()
+
+		_, name := path.Split(s.file)
+		encWriter, err := openpgp.Encrypt(armoredWriter, entityList, nil, nil, &openpgp.FileHints{
+			FileName: name,
+		}, nil)
+		if err != nil {
+			return nil, err
+		}
+		return &closeAllWriter{
+			Writer:  encWriter,
+			closers: []io.Closer{encWriter, armoredWriter},
+		}, nil
+	})
+}
+
+func (s *script) doEncrypt(
+	extension string,
+	encryptor func(ciphertextWriter io.Writer) (io.WriteCloser, error),
+) (outerr error) {
+	encFile := fmt.Sprintf("%s.%s", s.file, extension)
 	s.registerHook(hookLevelPlumbing, func(error) error {
-		if err := remove(gpgFile); err != nil {
-			return errwrap.Wrap(err, "error removing gpg file")
+		if err := remove(encFile); err != nil {
+			return errwrap.Wrap(err, "error removing encrypted file")
 		}
 		s.logger.Info(
-			fmt.Sprintf("Removed GPG file `%s`.", gpgFile),
+			fmt.Sprintf("Removed encrypted file `%s`.", encFile),
 		)
 		return nil
 	})
 
-	outFile, err := os.Create(gpgFile)
+	outFile, err := os.Create(encFile)
 	if err != nil {
 		return errwrap.Wrap(err, "error opening out file")
 	}
-	defer outFile.Close()
+	defer func() {
+		if err := outFile.Close(); err != nil {
+			outerr = errors.Join(outerr, errwrap.Wrap(err, "error closing out file"))
+		}
+	}()
 
-	_, name := path.Split(s.file)
-	dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
-		FileName: name,
-	}, nil)
+	dst, err := encryptor(outFile)
 	if err != nil {
 		return errwrap.Wrap(err, "error encrypting backup file")
 	}
-	defer dst.Close()
+	defer func() {
+		if err := dst.Close(); err != nil {
+			outerr = errors.Join(outerr, errwrap.Wrap(err, "error closing encrypted backup file"))
+		}
+	}()
 
 	src, err := os.Open(s.file)
 	if err != nil {
-		return errwrap.Wrap(err, fmt.Sprintf("error opening backup file `%s`", s.file))
+		return errwrap.Wrap(err, fmt.Sprintf("error opening backup file %q", s.file))
 	}
+	defer func() {
+		if err := src.Close(); err != nil {
+			outerr = errors.Join(outerr, errwrap.Wrap(err, "error closing backup file"))
+		}
+	}()
 
 	if _, err := io.Copy(dst, src); err != nil {
 		return errwrap.Wrap(err, "error writing ciphertext to file")
 	}
 
-	s.file = gpgFile
+	s.file = encFile
 	s.logger.Info(
-		fmt.Sprintf("Encrypted backup using given passphrase, saving as `%s`.", s.file),
+		fmt.Sprintf("Encrypted backup using %q, saving as %q", extension, s.file),
 	)
-	return nil
+
+	return
 }

cmd/backup/exec.go

@@ -16,7 +16,7 @@ import (
 	"strings"
 
 	"github.com/cosiner/argv"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/pkg/stdcopy"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
@@ -24,11 +24,19 @@ import (
 )
 
 func (s *script) exec(containerRef string, command string, user string) ([]byte, []byte, error) {
-	args, _ := argv.Argv(command, nil, nil)
+	args, err := argv.Argv(command, nil, nil)
+	if err != nil {
+		return nil, nil, errwrap.Wrap(err, fmt.Sprintf("error parsing argv from '%s'", command))
+	}
+	if len(args) == 0 {
+		return nil, nil, errwrap.Wrap(nil, "received unexpected empty command")
+	}
+
 	commandEnv := []string{
 		fmt.Sprintf("COMMAND_RUNTIME_ARCHIVE_FILEPATH=%s", s.file),
 	}
-	execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, types.ExecConfig{
+
+	execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, container.ExecOptions{
 		Cmd:          args[0],
 		AttachStdin:  true,
 		AttachStderr: true,
@@ -39,7 +47,7 @@ func (s *script) exec(containerRef string, command string, user string) ([]byte,
 		return nil, nil, errwrap.Wrap(err, "error creating container exec")
 	}
 
-	resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, types.ExecStartCheck{})
+	resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, container.ExecStartOptions{})
 	if err != nil {
 		return nil, nil, errwrap.Wrap(err, "error attaching container exec")
 	}
@@ -96,7 +104,7 @@ func (s *script) runLabeledCommands(label string) error {
 			Value: fmt.Sprintf("docker-volume-backup.exec-label=%s", s.c.ExecLabel),
 		})
 	}
-	containersWithCommand, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
+	containersWithCommand, err := s.cli.ContainerList(context.Background(), container.ListOptions{
 		Filters: filters.NewArgs(f...),
 	})
 	if err != nil {
@@ -109,7 +117,7 @@ func (s *script) runLabeledCommands(label string) error {
 			Key:   "label",
 			Value: "docker-volume-backup.exec-pre",
 		}
-		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
+		deprecatedContainers, err := s.cli.ContainerList(context.Background(), container.ListOptions{
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
@@ -126,7 +134,7 @@ func (s *script) runLabeledCommands(label string) error {
 			Key:   "label",
 			Value: "docker-volume-backup.exec-post",
 		}
-		deprecatedContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
+		deprecatedContainers, err := s.cli.ContainerList(context.Background(), container.ListOptions{
 			Filters: filters.NewArgs(f...),
 		})
 		if err != nil {
@@ -169,8 +177,12 @@ func (s *script) runLabeledCommands(label string) error {
 			s.logger.Info(fmt.Sprintf("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/")))
 			stdout, stderr, err := s.exec(c.ID, cmd, user)
 			if s.c.ExecForwardOutput {
-				os.Stderr.Write(stderr)
-				os.Stdout.Write(stdout)
+				if _, err := os.Stderr.Write(stderr); err != nil {
+					return errwrap.Wrap(err, "error writing to stderr")
+				}
+				if _, err := os.Stdout.Write(stdout); err != nil {
+					return errwrap.Wrap(err, "error writing to stdout")
+				}
 			}
 			if err != nil {
 				return errwrap.Wrap(err, "error executing command")

cmd/backup/notifications.go

@@ -13,7 +13,7 @@ import (
 	"text/template"
 	"time"
 
-	sTypes "github.com/containrrr/shoutrrr/pkg/types"
+	sTypes "github.com/nicholas-fedor/shoutrrr/pkg/types"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 

cmd/backup/run_script.go

@@ -6,7 +6,9 @@ package main
 import (
 	"errors"
 	"fmt"
+	"math/rand"
 	"runtime/debug"
+	"time"
 
 	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
@@ -51,6 +53,15 @@ func runScript(c *Config) (err error) {
 		}
 	}()
 
+	if s.c != nil && s.c.BackupJitter > 0 {
+		max := s.c.BackupJitter
+		delay := time.Duration(rand.Int63n(int64(max) + 1))
+		if delay > 0 {
+			s.logger.Info(fmt.Sprintf("Applying startup jitter of %v", delay))
+			time.Sleep(delay)
+		}
+	}
+
 	if initErr := s.init(); initErr != nil {
 		err = errwrap.Wrap(initErr, "error instantiating script")
 		return

cmd/backup/script.go

@@ -16,15 +16,16 @@ import (
 	"github.com/offen/docker-volume-backup/internal/storage"
 	"github.com/offen/docker-volume-backup/internal/storage/azure"
 	"github.com/offen/docker-volume-backup/internal/storage/dropbox"
+	"github.com/offen/docker-volume-backup/internal/storage/googledrive"
 	"github.com/offen/docker-volume-backup/internal/storage/local"
 	"github.com/offen/docker-volume-backup/internal/storage/s3"
 	"github.com/offen/docker-volume-backup/internal/storage/ssh"
 	"github.com/offen/docker-volume-backup/internal/storage/webdav"
 
-	"github.com/containrrr/shoutrrr"
-	"github.com/containrrr/shoutrrr/pkg/router"
 	"github.com/docker/docker/client"
 	"github.com/leekchan/timeutil"
+	"github.com/nicholas-fedor/shoutrrr"
+	"github.com/nicholas-fedor/shoutrrr/pkg/router"
 )
 
 // script holds all the stateful information required to orchestrate a
@@ -59,12 +60,13 @@ func newScript(c *Config) *script {
 			StartTime: time.Now(),
 			LogOutput: logBuffer,
 			Storages: map[string]StorageStats{
-				"S3":      {},
-				"WebDAV":  {},
-				"SSH":     {},
-				"Local":   {},
-				"Azure":   {},
-				"Dropbox": {},
+				"S3":          {},
+				"WebDAV":      {},
+				"SSH":         {},
+				"Local":       {},
+				"Azure":       {},
+				"Dropbox":     {},
+				"GoogleDrive": {},
 			},
 		},
 	}
@@ -86,7 +88,12 @@ func (s *script) init() error {
 
 	var bf bytes.Buffer
 	if tErr := tmplFileName.Execute(&bf, map[string]string{
-		"Extension": fmt.Sprintf("tar.%s", s.c.BackupCompression),
+		"Extension": func() string {
+			if s.c.BackupCompression == "none" {
+				return "tar"
+			}
+			return fmt.Sprintf("tar.%s", s.c.BackupCompression)
+		}(),
 	}); tErr != nil {
 		return errwrap.Wrap(tErr, "error executing backup file extension template")
 	}
@@ -194,6 +201,7 @@ func (s *script) init() error {
 			Endpoint:          s.c.AzureStorageEndpoint,
 			RemotePath:        s.c.AzureStoragePath,
 			ConnectionString:  s.c.AzureStorageConnectionString,
+			AccessTier:        s.c.AzureStorageAccessTier,
 		}
 		azureBackend, err := azure.NewStorageBackend(azureConfig, logFunc)
 		if err != nil {
@@ -219,6 +227,21 @@ func (s *script) init() error {
 		s.storages = append(s.storages, dropboxBackend)
 	}
 
+	if s.c.GoogleDriveCredentialsJSON != "" {
+		googleDriveConfig := googledrive.Config{
+			CredentialsJSON:    s.c.GoogleDriveCredentialsJSON,
+			FolderID:           s.c.GoogleDriveFolderID,
+			ImpersonateSubject: s.c.GoogleDriveImpersonateSubject,
+			Endpoint:           s.c.GoogleDriveEndpoint,
+			TokenURL:           s.c.GoogleDriveTokenURL,
+		}
+		googleDriveBackend, err := googledrive.NewStorageBackend(googleDriveConfig, logFunc)
+		if err != nil {
+			return errwrap.Wrap(err, "error creating googledrive storage backend")
+		}
+		s.storages = append(s.storages, googleDriveBackend)
+	}
+
 	if s.c.EmailNotificationRecipient != "" {
 		emailURL := fmt.Sprintf(
 			"smtp://%s:%s@%s:%d/?from=%s&to=%s",

cmd/backup/stop_restart.go

@@ -13,16 +13,16 @@ import (
 	"time"
 
 	"github.com/docker/cli/cli/command/service/progress"
-	"github.com/docker/docker/api/types"
 	ctr "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/client"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
 )
 
 func scaleService(cli *client.Client, serviceID string, replicas uint64) ([]string, error) {
-	service, _, err := cli.ServiceInspectWithRaw(context.Background(), serviceID, types.ServiceInspectOptions{})
+	service, _, err := cli.ServiceInspectWithRaw(context.Background(), serviceID, swarm.ServiceInspectOptions{})
 	if err != nil {
 		return nil, errwrap.Wrap(err, fmt.Sprintf("error inspecting service %s", serviceID))
 	}
@@ -34,7 +34,7 @@ func scaleService(cli *client.Client, serviceID string, replicas uint64) ([]stri
 		return nil, errwrap.Wrap(nil, fmt.Sprintf("service to be scaled %s has to be in replicated mode", service.Spec.Name))
 	}
 
-	response, err := cli.ServiceUpdate(context.Background(), service.ID, service.Version, service.Spec, types.ServiceUpdateOptions{})
+	response, err := cli.ServiceUpdate(context.Background(), service.ID, service.Version, service.Spec, swarm.ServiceUpdateOptions{})
 	if err != nil {
 		return nil, errwrap.Wrap(err, "error updating service")
 	}
@@ -65,7 +65,7 @@ func awaitContainerCountForService(cli *client.Client, serviceID string, count i
 				),
 			)
 		case <-poll.C:
-			containers, err := cli.ContainerList(context.Background(), types.ContainerListOptions{
+			containers, err := cli.ContainerList(context.Background(), ctr.ListOptions{
 				Filters: filters.NewArgs(filters.KeyValuePair{
 					Key:   "label",
 					Value: fmt.Sprintf("com.docker.swarm.service.id=%s", serviceID),
@@ -82,13 +82,28 @@ func awaitContainerCountForService(cli *client.Client, serviceID string, count i
 }
 
 func isSwarm(c interface {
-	Info(context.Context) (types.Info, error)
+	Info(context.Context) (system.Info, error)
 }) (bool, error) {
 	info, err := c.Info(context.Background())
 	if err != nil {
 		return false, errwrap.Wrap(err, "error getting docker info")
 	}
-	return info.Swarm.LocalNodeState != "" && info.Swarm.LocalNodeState != swarm.LocalNodeStateInactive, nil
+	return info.Swarm.LocalNodeState != "" && info.Swarm.LocalNodeState != swarm.LocalNodeStateInactive && info.Swarm.ControlAvailable, nil
+}
+
+func hasLabel(labels map[string]string, key, value string) bool {
+	val, ok := labels[key]
+	return ok && val == value
+}
+
+func checkStopLabels(labels map[string]string, stopDuringBackupLabelValue string, stopDuringBackupNoRestartLabelValue string) (bool, bool, error) {
+	hasStopDuringBackupLabel := hasLabel(labels, "docker-volume-backup.stop-during-backup", stopDuringBackupLabelValue)
+	hasStopDuringBackupNoRestartLabel := hasLabel(labels, "docker-volume-backup.stop-during-backup-no-restart", stopDuringBackupNoRestartLabelValue)
+	if hasStopDuringBackupLabel && hasStopDuringBackupNoRestartLabel {
+		return hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, errwrap.Wrap(nil, "both docker-volume-backup.stop-during-backup and docker-volume-backup.stop-during-backup-no-restart have been set, cannot continue")
+	}
+
+	return hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, nil
 }
 
 // stopContainersAndServices stops all Docker containers that are marked as to being
@@ -118,52 +133,67 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 		labelValue = s.c.BackupStopContainerLabel
 	}
 
-	filterMatchLabel := fmt.Sprintf(
+	stopDuringBackupLabel := fmt.Sprintf(
 		"docker-volume-backup.stop-during-backup=%s",
 		labelValue,
 	)
 
-	allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{})
+	stopDuringBackupNoRestartLabel := fmt.Sprintf(
+		"docker-volume-backup.stop-during-backup-no-restart=%s",
+		s.c.BackupStopDuringBackupNoRestartLabel,
+	)
+
+	allContainers, err := s.cli.ContainerList(context.Background(), ctr.ListOptions{})
 	if err != nil {
 		return noop, errwrap.Wrap(err, "error querying for containers")
 	}
-	containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
-		Filters: filters.NewArgs(filters.KeyValuePair{
-			Key:   "label",
-			Value: filterMatchLabel,
-		}),
-	})
-	if err != nil {
-		return noop, errwrap.Wrap(err, "error querying for containers to stop")
+
+	var containersToStop []handledContainer
+	for _, c := range allContainers {
+		hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, err := checkStopLabels(c.Labels, labelValue, s.c.BackupStopDuringBackupNoRestartLabel)
+		if err != nil {
+			return noop, errwrap.Wrap(err, "error querying for containers to stop")
+		}
+
+		if !hasStopDuringBackupLabel && !hasStopDuringBackupNoRestartLabel {
+			continue
+		}
+
+		containersToStop = append(containersToStop, handledContainer{
+			summary: c,
+			restart: !hasStopDuringBackupNoRestartLabel,
+		})
 	}
 
 	var allServices []swarm.Service
 	var servicesToScaleDown []handledSwarmService
 	if isDockerSwarm {
-		allServices, err = s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
+		allServices, err = s.cli.ServiceList(context.Background(), swarm.ServiceListOptions{Status: true})
 		if err != nil {
 			return noop, errwrap.Wrap(err, "error querying for services")
 		}
-		matchingServices, err := s.cli.ServiceList(context.Background(), types.ServiceListOptions{
-			Filters: filters.NewArgs(filters.KeyValuePair{
-				Key:   "label",
-				Value: filterMatchLabel,
-			}),
-			Status: true,
-		})
-		if err != nil {
-			return noop, errwrap.Wrap(err, "error querying for services to scale down")
-		}
-		for _, s := range matchingServices {
-			if s.Spec.Mode.Replicated == nil {
+
+		for _, service := range allServices {
+			hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, err := checkStopLabels(service.Spec.Labels, labelValue, s.c.BackupStopDuringBackupNoRestartLabel)
+			if err != nil {
+				return noop, errwrap.Wrap(err, "error querying for services to scale down")
+			}
+
+			if !hasStopDuringBackupLabel && !hasStopDuringBackupNoRestartLabel {
+				continue
+			}
+
+			if service.Spec.Mode.Replicated == nil {
 				return noop, errwrap.Wrap(
 					nil,
-					fmt.Sprintf("only replicated services can be restarted, but found a label on service %s", s.Spec.Name),
+					fmt.Sprintf("only replicated services can be restarted, but found a label on service %s", service.Spec.Name),
 				)
 			}
+
 			servicesToScaleDown = append(servicesToScaleDown, handledSwarmService{
-				serviceID:           s.ID,
-				initialReplicaCount: *s.Spec.Mode.Replicated.Replicas,
+				serviceID:           service.ID,
+				initialReplicaCount: *service.Spec.Mode.Replicated.Replicas,
+				restart:             !hasStopDuringBackupNoRestartLabel,
 			})
 		}
 	}
@@ -174,8 +204,8 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 
 	if isDockerSwarm {
 		for _, container := range containersToStop {
-			if swarmServiceID, ok := container.Labels["com.docker.swarm.service.id"]; ok {
-				parentService, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, types.ServiceInspectOptions{})
+			if swarmServiceID, ok := container.summary.Labels["com.docker.swarm.service.id"]; ok {
+				parentService, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, swarm.ServiceInspectOptions{})
 				if err != nil {
 					return noop, errwrap.Wrap(err, fmt.Sprintf("error querying for parent service with ID %s", swarmServiceID))
 				}
@@ -185,7 +215,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 							nil,
 							fmt.Sprintf(
 								"container %s is labeled to stop but has parent service %s which is also labeled, cannot continue",
-								container.Names[0],
+								container.summary.Names[0],
 								parentService.Spec.Name,
 							),
 						)
@@ -197,27 +227,29 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 
 	s.logger.Info(
 		fmt.Sprintf(
-			"Stopping %d out of %d running container(s) as they were labeled %s.",
+			"Stopping %d out of %d running container(s) as they were labeled %s or %s.",
 			len(containersToStop),
 			len(allContainers),
-			filterMatchLabel,
+			stopDuringBackupLabel,
+			stopDuringBackupNoRestartLabel,
 		),
 	)
 	if isDockerSwarm {
 		s.logger.Info(
 			fmt.Sprintf(
-				"Scaling down %d out of %d active service(s) as they were labeled %s.",
+				"Scaling down %d out of %d active service(s) as they were labeled %s or %s.",
 				len(servicesToScaleDown),
 				len(allServices),
-				filterMatchLabel,
+				stopDuringBackupLabel,
+				stopDuringBackupNoRestartLabel,
 			),
 		)
 	}
 
-	var stoppedContainers []types.Container
+	var stoppedContainers []handledContainer
 	var stopErrors []error
 	for _, container := range containersToStop {
-		if err := s.cli.ContainerStop(context.Background(), container.ID, ctr.StopOptions{}); err != nil {
+		if err := s.cli.ContainerStop(context.Background(), container.summary.ID, ctr.StopOptions{}); err != nil {
 			stopErrors = append(stopErrors, err)
 		} else {
 			stoppedContainers = append(stoppedContainers, container)
@@ -281,9 +313,14 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 
 	return func() error {
 		var restartErrors []error
+		var restartedContainers []handledContainer
 		matchedServices := map[string]bool{}
 		for _, container := range stoppedContainers {
-			if swarmServiceID, ok := container.Labels["com.docker.swarm.service.id"]; ok && isDockerSwarm {
+			if !container.restart {
+				continue
+			}
+
+			if swarmServiceID, ok := container.summary.Labels["com.docker.swarm.service.id"]; ok && isDockerSwarm {
 				if _, ok := matchedServices[swarmServiceID]; ok {
 					continue
 				}
@@ -291,7 +328,7 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 				// in case a container was part of a swarm service, the service requires to
 				// be force updated instead of restarting the container as it would otherwise
 				// remain in a "completed" state
-				service, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, types.ServiceInspectOptions{})
+				service, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, swarm.ServiceInspectOptions{})
 				if err != nil {
 					restartErrors = append(
 						restartErrors,
@@ -302,22 +339,29 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 				service.Spec.TaskTemplate.ForceUpdate += 1
 				if _, err := s.cli.ServiceUpdate(
 					context.Background(), service.ID,
-					service.Version, service.Spec, types.ServiceUpdateOptions{},
+					service.Version, service.Spec, swarm.ServiceUpdateOptions{},
 				); err != nil {
 					restartErrors = append(restartErrors, err)
 				}
 				continue
 			}
 
-			if err := s.cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
+			if err := s.cli.ContainerStart(context.Background(), container.summary.ID, ctr.StartOptions{}); err != nil {
 				restartErrors = append(restartErrors, err)
+			} else {
+				restartedContainers = append(restartedContainers, container)
 			}
 		}
 
 		var scaleUpErrors concurrentSlice[error]
+		var scaledUpServices []handledSwarmService
 		if isDockerSwarm {
 			wg := &sync.WaitGroup{}
 			for _, svc := range servicesToScaleDown {
+				if !svc.restart {
+					continue
+				}
+
 				wg.Add(1)
 				go func(svc handledSwarmService) {
 					defer wg.Done()
@@ -326,6 +370,9 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 						scaleDownErrors.append(err)
 						return
 					}
+
+					scaledUpServices = append(scaledUpServices, svc)
+
 					for _, warning := range warnings {
 						s.logger.Warn(
 							fmt.Sprintf("The Docker API returned a warning when scaling up service %s: %s", svc.serviceID, warning),
@@ -349,14 +396,16 @@ func (s *script) stopContainersAndServices() (func() error, error) {
 
 		s.logger.Info(
 			fmt.Sprintf(
-				"Restarted %d container(s).",
+				"Restarted %d out of %d stopped container(s).",
+				len(restartedContainers),
 				len(stoppedContainers),
 			),
 		)
 		if isDockerSwarm {
 			s.logger.Info(
 				fmt.Sprintf(
-					"Scaled %d service(s) back up.",
+					"Scaled %d out of %d scaled down service(s) back up.",
+					len(scaledUpServices),
 					len(scaledDownServices),
 				),
 			)

cmd/backup/stop_restart_test.go

@@ -5,16 +5,16 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
+	"github.com/docker/docker/api/types/system"
 )
 
 type mockInfoClient struct {
-	result types.Info
+	result system.Info
 	err    error
 }
 
-func (m *mockInfoClient) Info(context.Context) (types.Info, error) {
+func (m *mockInfoClient) Info(context.Context) (system.Info, error) {
 	return m.result, m.err
 }
 
@@ -28,19 +28,32 @@ func TestIsSwarm(t *testing.T) {
 		{
 			"swarm",
 			&mockInfoClient{
-				result: types.Info{
+				result: system.Info{
 					Swarm: swarm.Info{
-						LocalNodeState: swarm.LocalNodeStateActive,
+						LocalNodeState:   swarm.LocalNodeStateActive,
+						ControlAvailable: true,
 					},
 				},
 			},
 			true,
 			false,
 		},
+		{
+			"worker",
+			&mockInfoClient{
+				result: system.Info{
+					Swarm: swarm.Info{
+						LocalNodeState: swarm.LocalNodeStateActive,
+					},
+				},
+			},
+			false,
+			false,
+		},
 		{
 			"compose",
 			&mockInfoClient{
-				result: types.Info{
+				result: system.Info{
 					Swarm: swarm.Info{
 						LocalNodeState: swarm.LocalNodeStateInactive,
 					},
@@ -52,7 +65,7 @@ func TestIsSwarm(t *testing.T) {
 		{
 			"balena",
 			&mockInfoClient{
-				result: types.Info{
+				result: system.Info{
 					Swarm: swarm.Info{
 						LocalNodeState: "",
 					},

cmd/backup/util.go

@@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"
 
+	ctr "github.com/docker/docker/api/types/container"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/robfig/cron/v3"
 )
@@ -64,9 +65,15 @@ func (noopWriteCloser) Close() error {
 	return nil
 }
 
+type handledContainer struct {
+	summary ctr.Summary
+	restart bool
+}
+
 type handledSwarmService struct {
 	serviceID           string
 	initialReplicaCount uint64
+	restart             bool
 }
 
 type concurrentSlice[T any] struct {

docs/Gemfile.lock

@@ -59,7 +59,7 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rexml (3.2.6)
+    rexml (3.4.2)
     rouge (3.30.0)
     safe_yaml (1.0.5)
     sassc (2.4.0)
@@ -67,7 +67,7 @@ GEM
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
     unicode-display_width (2.4.2)
-    webrick (1.8.1)
+    webrick (1.8.2)
 
 PLATFORMS
   ruby

docs/how-tos/automatically-prune-old-backups.md

@@ -14,8 +14,6 @@ Be aware that this mechanism looks at __all files in the target bucket or archiv
 In case you need to use a target that cannot be used exclusively for your backups, you can configure `BACKUP_PRUNING_PREFIX` to limit which files are considered eligible for deletion:
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:

docs/how-tos/encrypt-backups-using-gpg.md

@@ -3,15 +3,7 @@ title: Encrypt backups using GPG
 layout: default
 parent: How Tos
 nav_order: 7
+nav_exclude: true
 ---
 
-# Encrypt backups using GPG
-
-The image supports encrypting backups using GPG out of the box.
-In case a `GPG_PASSPHRASE` environment variable is set, the backup archive will be encrypted using the given key and saved as a `.gpg` file instead.
-
-Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
-
-```console
-gpg -o backup.tar.gz -d backup.tar.gz.gpg
-```
+See: [Encrypt Backups](encrypt-backups)

docs/how-tos/encrypt-backups.md

@@ -0,0 +1,30 @@
+---
+title: Encrypting backups
+layout: default
+parent: How Tos
+nav_order: 7
+---
+
+# Encrypting backups
+
+The image supports encrypting backups using one of two available methods: **GPG** or **[age](https://age-encryption.org/)**
+
+## Using GPG encryption
+
+In case a `GPG_PASSPHRASE` or `GPG_PUBLIC_KEY_RING` environment variable is set, the backup archive will be encrypted using the given key and saved as a `.gpg` file instead.
+
+Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
+
+```console
+gpg -o backup.tar.gz -d backup.tar.gz.gpg
+```
+
+## Using age encryption
+
+age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options are available for use.
+
+Given `AGE_PASSPHRASE` being provided, the backup archive will be encrypted with the passphrase and saved as a `.age` file instead. Refer to age documentation for how to properly decrypt.
+
+Given `AGE_PUBLIC_KEYS` being provided (allowing multiple by separating each public key with `,`), the backup archive will be encrypted with the provided public keys. It will also result in the archive being saved as a `.age` file.
+
+You can use SSH keys in addition to `age` keys for encryption; `AGE_PUBLIC_KEYS` accepts both.

docs/how-tos/handle-file-uploads-using-third-party-tools.md

@@ -20,8 +20,6 @@ RUN apk add rsync
 Using this image, you can now omit configuring any of the supported storage backends, and instead define your own mechanism in a `docker-volume-backup.copy-post` label:
 
 ```yml
-version: '3'
-
 services:
   backup:
     image: your-custom-image
@@ -33,7 +31,7 @@ services:
       - docker-volume-backup.copy-post=/bin/sh -c 'rsync $$COMMAND_RUNTIME_ARCHIVE_FILEPATH /destination'
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   # other services defined here ...
 volumes:

docs/how-tos/replace-deprecated-backup-from-snapshot.md

@@ -11,8 +11,6 @@ Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprec
 If you need to prepare your sources before the backup is taken, use `archive-pre`, `archive-post` and an intermediate volume:
 
 ```yml
-version: '3'
-
 services:
   my_app:
     build: .

docs/how-tos/run-custom-commands.md

@@ -9,6 +9,11 @@ parent: How Tos
 
 In certain scenarios it can be required to run specific commands before and after a backup is taken (e.g. dumping a database).
 When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container (it is also possible to run commands inside the `docker-volume-backup` container itself using this feature).
+
+{: .important }
+In a multi-node Swarm setup, commands can currently only be run on the node the `offen/docker-volume-backup` container is running on.
+Labeled containers on other nodes are not visible to the backup command.
+
 Such commands are defined by specifying the command in a `docker-volume-backup.[step]-[pre|post]` label where `step` can be any of the following phases of a backup lifecycle:
 
 - `archive` (the tar archive is created)
@@ -23,8 +28,6 @@ the `docker-volume-backup` container as shown in the Quickstart example.
 Taking a database dump using `mysqldump` would look like this:
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   database:
@@ -51,8 +54,6 @@ In case you use `EXEC_LABEL` together with configuration mounted from `conf.d` i
 Else, schedules that do not specify an `EXEC_LABEL` will still trigger commands on all containers with such labels, no matter whether they specify `docker-volume-backup.exec-label` or not.
 
 ```yml
-version: '3'
-
 services:
   database:
     image: mariadb
@@ -82,8 +83,6 @@ By default the backup command is executed by the user provided by the container'
 It is possible to specify a custom user that is used to run commands in dedicated labels with the format `docker-volume-backup.[step]-[pre|post].user`:
 
 ```yml
-version: '3'
-
 services:
   gitea:
     image: gitea/gitea

docs/how-tos/run-multiple-schedules.md

@@ -10,8 +10,6 @@ nav_order: 11
 Multiple backup schedules with different configuration can be configured by mounting an arbitrary number of configuration files (using the `.env` format) into `/etc/dockervolumebackup/conf.d`:
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:

docs/how-tos/set-container-timezone.md

@@ -12,8 +12,6 @@ As the image is designed to be as small as possible, additional timezone data is
 In case you want to run your cron rules in your local timezone (respecting DST and similar), you can mount your Docker host's `/etc/timezone` and `/etc/localtime` in read-only mode:
 
 ```yml
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:v2

docs/how-tos/set-up-dropbox.md

@@ -33,5 +33,7 @@ Note: Using the "Generated access token" in the app console is not supported, as
 
 ## Other parameters
 
-Important: If you chose `App folder` access during the creation of your Dropbox app in step 1 above, you can only write in the app's directory!
-This means, that `DROPBOX_REMOTE_PATH` must start with e.g. `/Apps/YOUR_APP_NAME` or `/Apps/YOUR_APP_NAME/some_sub_dir`
+Important: If you chose `App folder` access during the creation of your Dropbox app in step 1 above, `DROPBOX_REMOTE_PATH` will be a relative path under the App folder!
+(_For example, DROPBOX_REMOTE_PATH=/somedir means the backup file will be uploaded to /Apps/myapp/somedir_)
+On the other hand if you chose `Full Dropbox` access, the value for `DROPBOX_REMOTE_PATH` will represent an absolute path inside your Dropbox storage area.
+(_Still considering the same example above, the backup file will be uploaded to /somedir in your Dropbox root_)

docs/how-tos/set-up-notifications.md

@@ -12,8 +12,6 @@ parent: How Tos
 To send out email notifications on failed backup runs, provide SMTP credentials, a sender and a recipient:
 
 ```yml
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:v2
@@ -25,7 +23,7 @@ services:
 Notification backends other than email are also supported.
 Refer to the documentation of [shoutrrr][shoutrrr-docs] to find out about options and configuration.
 
-[shoutrrr-docs]: https://containrrr.dev/shoutrrr/0.7/services/overview/
+[shoutrrr-docs]: https://shoutrrr.nickfedor.com/v0.10.3/services/overview/
 
 {: .note }
 If you also want notifications on successful executions, set `NOTIFICATION_LEVEL` to `info`.
@@ -48,7 +46,7 @@ The files have to define [nested templates](https://pkg.go.dev/text/template#hdr
 {% raw %}
 ```
 {{ define "title_success" -}}
-✅ Successfully ran backup {{ .Config.BackupStopContainerLabel }}
+✅ Successfully ran backup {{ .Config.BackupStopDuringBackupLabel }}
 {{- end }}
 
 {{ define "body_success" -}}
@@ -122,11 +120,11 @@ If such a URL contains special characters (e.g. commas) these need to be URL enc
 To obtain an encoded version of your URL, you can use the CLI tool provided by `shoutrrr` (which is the library used for sending notifications):
 
 ```
-docker run --rm -ti containrrr/shoutrrr generate [service]
+docker run --rm -ti ghcr.io/nicholas-fedor/shoutrrr generate [service]
 ```
 
 where service is any of the [supported services][shoutrrr-docs], e.g. for SMTP:
 
 ```
-docker run --rm -ti containrrr/shoutrrr generate smtp
+docker run --rm -ti ghcr.io/nicholas-fedor/shoutrrr generate smtp
 ```

docs/how-tos/stop-containers-during-backup.md

@@ -17,8 +17,6 @@ By default, any container that is labeled `docker-volume-backup.stop-during-back
 In case you need more fine grained control about which containers should be stopped (e.g. when backing up multiple volumes on different schedules), you can set the `BACKUP_STOP_DURING_BACKUP_LABEL` environment variable and then use the same value for labeling:
 
 ```yml
-version: '3'
-
 services:
   app:
     # definition for app ...
@@ -36,3 +34,29 @@ services:
 volumes:
   data:
 ```
+
+## Stop containers during backup without restarting
+
+Sometimes you might want to stop containers for the backup but not have them start again automatically, for example if they are normally started by an external process or scheduler.
+
+For this use case, you can use the label `docker-volume-backup.stop-during-backup-no-restart`.  
+This label is **mutually exclusive** with `docker-volume-backup.stop-during-backup` and performs the same stop operation but skips restarting the container after the backup has finished.
+
+```yml
+services:
+  app:
+    # definition for app ...
+    labels:
+      - docker-volume-backup.stop-during-backup-no-restart=service2
+
+  backup:
+    image: offen/docker-volume-backup:v2
+    environment:
+      BACKUP_STOP_DURING_BACKUP__NO_RESTART_LABEL: service2
+    volumes:
+      - data:/backup/my-app-backup:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+  data:
+```

docs/how-tos/use-with-docker-swarm.md

@@ -8,7 +8,8 @@ nav_order: 13
 # Use with Docker Swarm
 
 {: .note }
-The mechanisms described in this page __do only apply when Docker is running in [Swarm mode][swarm]__.
+The mechanisms described in this page __do only apply when Docker is running in [Swarm mode][swarm]__ and __when placing the `docker-volume-backup` container on a manager node__.
+Containers that are placed on worker nodes function as if the Docker engine is not running in Swarm mode, i.e. there is no access to services and there is no way to interact with resources that are running on different host nodes.
 
 [swarm]: https://docs.docker.com/engine/swarm/
 

docs/index.md

@@ -7,13 +7,13 @@ nav_order: 1
 # offen/docker-volume-backup
 {:.no_toc}
 
-Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage.
+Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage.
 {: .fs-6 .fw-300 }
 
 ---
 
 The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) companion container to an existing Docker setup.
-It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
+It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
 
 {: .note }
 Code and documentation for `v1` versions are found on [this branch][v1-branch].
@@ -32,8 +32,6 @@ Code and documentation for `v1` versions are found on [this branch][v1-branch].
 Add a `backup` service to your compose setup and mount the volumes you would like to see backed up:
 
 ```yml
-version: '3'
-
 services:
   volume-consumer:
     build:
@@ -110,7 +108,7 @@ While it may work against different implementations (e.g. Balena Engine), there
 This image is heavily inspired by `jareware/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
 
 - The original image is based on `ubuntu` and requires additional tools, making it heavy.
-This version is roughly 1/25 in compressed size (it's ~15MB).
+This version is roughly 1/20 in compressed size (it's ~25MB).
 - The original image uses a shell script, when this version is written in Go.
 - The original image proposed to handle backup rotation through AWS S3 lifecycle policies.
 This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO.

docs/recipes/index.md

@@ -15,8 +15,6 @@ This doc lists configuration for some real-world use cases that you can copy and
 ## Backing up to AWS S3
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -36,8 +34,6 @@ volumes:
 ## Backing up to Filebase
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -58,8 +54,6 @@ volumes:
 ## Backing up to MinIO
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -81,8 +75,6 @@ volumes:
 ## Backing up to MinIO (using Docker secrets)
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -112,8 +104,6 @@ secrets:
 ## Backing up to WebDAV
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -134,8 +124,6 @@ volumes:
 ## Backing up to SSH
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -157,8 +145,6 @@ volumes:
 ## Backing up to Azure Blob Storage
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -180,8 +166,6 @@ volumes:
 See [Dropbox Setup](../how-tos/set-up-dropbox.md) on how to get the appropriate environment values.
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -190,7 +174,7 @@ services:
       DROPBOX_REFRESH_TOKEN: REFRESH_KEY  # replace
       DROPBOX_APP_KEY: APP_KEY  # replace
       DROPBOX_APP_SECRET: APP_SECRET  # replace
-      DROPBOX_REMOTE_PATH: /Apps/my-test-app/some_subdir  # replace
+      DROPBOX_REMOTE_PATH: /somedir  # replace
     volumes:
       - data:/backup/my-app-backup:ro
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -202,8 +186,6 @@ volumes:
 ## Backing up locally
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -223,8 +205,6 @@ volumes:
 ## Backing up to AWS S3 as well as locally
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -245,8 +225,6 @@ volumes:
 ## Running on a custom cron schedule
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -268,8 +246,6 @@ volumes:
 ## Rotating away backups that are older than 7 days
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -289,11 +265,9 @@ volumes:
   data:
 ```
 
-## Encrypting your backups using GPG
+## Encrypting your backups symmetrically using GPG
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:
@@ -311,16 +285,39 @@ volumes:
   data:
 ```
 
-## Using mysqldump to prepare the backup
+## Encrypting your backups asymmetrically using GPG
 
 ```yml
-version: '3'
+services:
+  # ... define other services using the `data` volume here
+  backup:
+    image: offen/docker-volume-backup:v2
+    environment:
+      AWS_S3_BUCKET_NAME: backup-bucket
+      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
+      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+      GPG_PUBLIC_KEY_RING: | 
+        -----BEGIN PGP PUBLIC KEY BLOCK-----
 
+        D/cIHu6GH/0ghlcUVSbgMg5RRI5QKNNKh04uLAPxr75mKwUg0xPUaWgyyrAChVBi
+        ...
+        -----END PGP PUBLIC KEY BLOCK-----
+    volumes:
+      - data:/backup/my-app-backup:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+volumes:
+  data:
+```
+
+## Using mariadb-dump/mysqldump to prepare the backup
+
+```yml
 services:
   database:
     image: mariadb:latest
     labels:
-      - docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump -psecret --all-databases > /tmp/dumps/dump.sql'
+      - docker-volume-backup.archive-pre=/bin/sh -c 'mariadb-dump -psecret --all-databases > /tmp/dumps/dump.sql'
     volumes:
       - data:/tmp/dumps
   backup:
@@ -331,7 +328,7 @@ services:
     volumes:
       - ./local:/archive
       - data:/backup/data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
 volumes:
   data:
@@ -340,8 +337,6 @@ volumes:
 ## Running multiple instances in the same setup
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data_1` and `data_2` volumes here
   backup_1: &backup_service
@@ -375,8 +370,6 @@ volumes:
 ## Running as a non-root user
 
 ```yml
-version: '3'
-
 services:
   # ... define other services using the `data` volume here
   backup:

docs/reference/index.md

@@ -9,7 +9,7 @@ nav_order: 2
 Backup targets, schedule and retention are configured using environment variables.
 
 {: .note }
-You can use any environment variable from below also with a `_FILE` suffix to be able to load the value from a file.
+As per established convention, you can use any environment variable key from below with a `_FILE` suffix in order to load the value from a file instead.
 This is typically useful when using [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/) or similar.
 Note that secrets will not be trimmed of leading or trailing whitespace.
 
@@ -17,13 +17,14 @@ Note that secrets will not be trimmed of leading or trailing whitespace.
 In case you encounter double quoted values in your runtime configuration you might still be using an [older version of `docker-compose`][compose-issue].
 You can work around this by either updating `docker-compose` or unquoting your configuration values.
 
-You can populate below template according to your requirements and use it as your `env_file`:
+You can populate below template according to your requirements and use it as your `env_file`.
+The values for each key currently match its default.
 
 {% raw %}
 ```
 ########### BACKUP SCHEDULE
 
-
+# Backups can be run on fixed scheduled that are defined as a cron expression.
 # A cron expression represents a set of times, using 5 or 6 space-separated fields.
 #
 # Field name   | Mandatory? | Allowed values  | Allowed special characters
@@ -37,35 +38,56 @@ You can populate below template according to your requirements and use it as you
 #
 # Month and Day-of-week field values are case insensitive.
 # "SUN", "Sun", and "sun" are equally accepted.
-# If no value is set, `@daily` will be used.
 # If you do not want the cron to ever run, use `0 0 5 31 2 ?`.
+# Refer to sites like <https://crontab.guru> for help.
+# If no value is set, `@daily` will be used, which runs every
+# day at midnight.
 
-# BACKUP_CRON_EXPRESSION="0 2 * * *"
+# BACKUP_CRON_EXPRESSION="@daily"
+
+# ---
+
+# Optional startup delay ("jitter") applied before each backup run.
+# The jitter introduces a random delay between 0 and the given duration,
+#
+# Set to "0s" or omit the variable to disable jitter completely.
+# Default = "0s". In case you need to adjust this value, supply a duration
+# value as per https://pkg.go.dev/time#ParseDuration to `BACKUP_JITTER`.
+#
+# BACKUP_JITTER="0s"
+
+# ---
 
 # The compression algorithm used in conjunction with tar.
-# Valid options are: "gz" (Gzip) and "zst" (Zstd).
-# Note that the selection affects the file extension.
+# Valid options are: "gz" (Gzip), "zst" (Zstd) or "none" (tar only).
+# Default is "gz". Note that the selection affects the file extension.
 
 # BACKUP_COMPRESSION="gz"
 
+# ---
+
 # Parallelism level for "gz" (Gzip) compression.
 # Defines how many blocks of data are concurrently processed.
 # Higher values result in faster compression. No effect on decompression
 # Default = 1. Setting this to 0 will use all available threads.
 
-# GZIP_PARALLELISM=1
+# GZIP_PARALLELISM="1"
 
-# The name of the backup file including the extension.
-# Format verbs will be replaced as in `strftime`. Omitting them
+# ---
+
+# The desired name of the backup file including the extension.
+# Format verbs will be replaced as in `strftime`. Omitting all verbs
 # will result in the same filename for every backup run, which means previous
 # versions will be overwritten on subsequent runs.
 # Extension can be defined literally or via "{{ .Extension }}" template,
-# in which case it will become either "tar.gz" or "tar.zst" (depending
+# in which case it will become either "tar.gz", "tar.zst" or ".tar" (depending
 # on your BACKUP_COMPRESSION setting).
 # The default results in filenames like: `backup-2021-08-29T04-00-00.tar.gz`.
 
 # BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"
 
+# ---
+
 # Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
 # placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
 # BACKUP_PRUNING_PREFIX that will get expanded at runtime,
@@ -76,10 +98,15 @@ You can populate below template according to your requirements and use it as you
 
 # BACKUP_FILENAME_EXPAND="true"
 
+# ---
+
 # When storing local backups, a symlink to the latest backup can be created
 # in case a value is given for this key. This has no effect on remote backups.
+# Example: "backup.latest.tar.gz"
 
-# BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"
+# BACKUP_LATEST_SYMLINK=""
+
+# ---
 
 # ************************************************************************
 # The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
@@ -93,198 +120,337 @@ You can populate below template according to your requirements and use it as you
 
 # BACKUP_FROM_SNAPSHOT="false"
 
-# By default, the `/backup` directory inside the container will be backed up.
-# In case you need to use a custom location, set `BACKUP_SOURCES`.
+# ---
 
-# BACKUP_SOURCES="/other/location"
+# By default, the contents of the `/backup` directory inside the container
+# will be backed up. In case you need to use a custom location, set `BACKUP_SOURCES`.
+# Example: "/other/location"
 
-# When given, all files in BACKUP_SOURCES whose full path matches the given
+# BACKUP_SOURCES="/backup"
+
+# ---
+
+# When a value is given, all files in BACKUP_SOURCES whose full path matches the
 # regular expression will be excluded from the archive. Regular Expressions
 # can be used as from the Go standard library https://pkg.go.dev/regexp
+# Example: "\.log$"
 
-# BACKUP_EXCLUDE_REGEXP="\.log$"
+# BACKUP_EXCLUDE_REGEXP=""
+
+# ---
 
 # Exclude one or many storage backends from the pruning process.
+# Available backends are: S3, WebDAV, SSH, Local, Dropbox, Azure
 # E.g. with one backend excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3
 # E.g. with multiple backends excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3,webdav
-# Available backends are: S3, WebDAV, SSH, Local, Dropbox, Azure
-# Note: The name of the backends is case insensitive. 
+# Note: The names of the backends are case insensitive. 
 # Default: All backends get pruned.
 
-# BACKUP_SKIP_BACKENDS_FROM_PRUNE=
+# BACKUP_SKIP_BACKENDS_FROM_PRUNE=""
 
-########### BACKUP STORAGE
+########### S3 COMPATIBLE STORAGE
 
 # The name of the remote bucket that should be used for storing backups. If
 # this is not set, no remote backups will be stored.
+# Example: "backup-bucket"
 
-# AWS_S3_BUCKET_NAME="backup-bucket"
+# AWS_S3_BUCKET_NAME=""
+
+# ---
 
 # If you want to store the backup in a non-root location on your bucket
 # you can provide a path. The path must not contain a leading slash.
+# Example: "my/backup/location"
 
-# AWS_S3_PATH="my/backup/location"
+# AWS_S3_PATH=""
+
+# ---
 
 # Define credentials for authenticating against the backup storage and a bucket
 # name. Although all of these keys are `AWS`-prefixed, the setup can be used
 # with any S3 compatible storage.
 
-# AWS_ACCESS_KEY_ID="<xxx>"
-# AWS_SECRET_ACCESS_KEY="<xxx>"
+# AWS_ACCESS_KEY_ID=""
+# AWS_SECRET_ACCESS_KEY=""
+
+# ---
 
 # Instead of providing static credentials, you can also use IAM instance profiles
 # or similar to provide authentication. Some possible configuration options on AWS:
 # - EC2: http://169.254.169.254
 # - ECS: http://169.254.170.2
 
-# AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"
+# AWS_IAM_ROLE_ENDPOINT=""
+
+# ---
 
 # This is the FQDN of your storage server, e.g. `storage.example.com`.
-# Do not set this when working against AWS S3 (the default value is
-# `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you
-# will need to use the option below.
+# If you need to set a specific (non-https) protocol, you will need to use the option below.
+# The default value points to the standard AWS S3 endpoint.
 
-# AWS_ENDPOINT="storage.example.com"
+# AWS_ENDPOINT="s3.amazonaws.com"
 
-# The protocol to be used when communicating with your storage server.
+# ---
+
+# The protocol to be used when communicating with your S3 storage server.
 # Defaults to "https". You can set this to "http" when communicating with
-# a different Docker container on the same host for example.
+# a different Docker container in the same virtual network for example.
 
 # AWS_ENDPOINT_PROTO="https"
 
+# ---
+
 # Setting this variable to `true` will disable verification of
 # SSL certificates for AWS_ENDPOINT. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend. This can only be
 # used when AWS_ENDPOINT_PROTO is set to `https`.
 
-# AWS_ENDPOINT_INSECURE="true"
+# AWS_ENDPOINT_INSECURE="false"
+
+# ---
 
 # If you wish to use self signed certificates your S3 server, you can pass
 # the location of a PEM encoded CA certificate and it will be used for
-# validating your certificates.
-# Alternatively, pass a PEM encoded string containing the certificate.
+# validating your certificates. Alternatively, pass a PEM encoded string
+# containing the certificate.
+# Example: "/path/to/cert.pem"
 
-# AWS_ENDPOINT_CA_CERT="/path/to/cert.pem"
+# AWS_ENDPOINT_CA_CERT=""
 
-# Setting this variable will change the S3 storage class header.
-# Defaults to "STANDARD", you can set this value according to your needs.
+# ---
 
-# AWS_STORAGE_CLASS="GLACIER"
+# Setting a value for this key will change the S3 storage class header.
+# Default behavior is to use the standard class when no value is given.
+# Example: "GLACIER"
+
+# AWS_STORAGE_CLASS=""
+
+# ---
 
 # Setting this variable will change the S3 default part size for the copy step.
 # This value is useful when you want to upload large files.
-# NB : While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
+# NB: While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
 # While Minio uses a hard coded value to 10.000. As a workaround, try to set a higher value.
 # Defaults to "16" (MB) if unset (from minio), you can set this value according to your needs.
 # The unit is in MB and an integer.
 
-# AWS_PART_SIZE=16
+# AWS_PART_SIZE="16"
 
-# You can also backup files to any WebDAV server:
+########### WEBDAV STORAGE
 
 # The URL of the remote WebDAV server
+# Example: "https://webdav.example.com"
 
-# WEBDAV_URL="https://webdav.example.com"
+# WEBDAV_URL=""
+
+# ---
 
 # The Directory to place the backups to on the WebDAV server.
 # If the path is not present on the server it will be created.
+# Example: "/my/directory/"
 
-# WEBDAV_PATH="/my/directory/"
+# WEBDAV_PATH=""
+
+# ---
 
 # The username for the WebDAV server
+# Example: "user"
 
-# WEBDAV_USERNAME="user"
+# WEBDAV_USERNAME=""
+
+# ---
 
 # The password for the WebDAV server
+# Example: "password"
 
-# WEBDAV_PASSWORD="password"
+# WEBDAV_PASSWORD=""
 
-# Setting this variable to `true` will disable verification of
+# ---
+
+# Setting this variable to "true" will disable verification of
 # SSL certificates for WEBDAV_URL. You shouldn't use this unless you use
 # self-signed certificates for your remote storage backend.
 
-# WEBDAV_URL_INSECURE="true"
+# WEBDAV_URL_INSECURE="false"
 
-# You can also backup files to any SSH server:
+########### SSH/SFTP STORAGE
 
-# The URL of the remote SSH server
+# The FQDN of the remote SSH server
+# Example: "server.local"
 
-# SSH_HOST_NAME="server.local"
+# SSH_HOST_NAME=""
+
+# ---
 
 # The port of the remote SSH server
-# Optional variable default value is `22`
 
-# SSH_PORT=2222
+# SSH_PORT="22"
+
+# ---
 
 # The Directory to place the backups to on the SSH server.
+# If the directory does not exist, it will be created automatically.
+# Example: "/home/user/backups"
 
-# SSH_REMOTE_PATH="/my/directory/"
+# SSH_REMOTE_PATH=""
+
+# ---
 
 # The username for the SSH server
+# Example: "user"
 
-# SSH_USER="user"
+# SSH_USER=""
+
+# ---
 
 # The password for the SSH server
+# Example: "password"
 
-# SSH_PASSWORD="password"
+# SSH_PASSWORD=""
 
-# The private key path in container for SSH server
-# Default value: /root/.ssh/id_rsa
-# If file is mounted to /root/.ssh/id_rsa path it will be used. Non-RSA keys will
-# also work.
+# ---
+
+# The private key path in container for SSH server.
+# Consumers can mount a file into /root/.ssh/id_rsa (or the respective value)
+# in order to have it being used. Non-RSA keys (e.g. ed25519) will also work.
 
 # SSH_IDENTITY_FILE="/root/.ssh/id_rsa"
 
-# The passphrase for the identity file
+# ---
 
-# SSH_IDENTITY_PASSPHRASE="pass"
+# The passphrase for the identity file if applicable
+# Example: "pass"
+
+# SSH_IDENTITY_PASSPHRASE=""
+
+########### AZURE BLOB STORAGE
 
 # The credential's account name when using Azure Blob Storage. This has to be
 # set when using Azure Blob Storage.
+# Example: "account-name"
 
-# AZURE_STORAGE_ACCOUNT_NAME="account-name"
+# AZURE_STORAGE_ACCOUNT_NAME=""
+
+# ---
 
 # The credential's primary account key when using Azure Blob Storage. If this
 # is not given, the command tries to fall back to using a connection string
-# (if given) or a managed identity (if nothing is given).
+# (if given) or a managed identity (if neither is set).
 
-# AZURE_STORAGE_PRIMARY_ACCOUNT_KEY="<xxx>"
+# AZURE_STORAGE_PRIMARY_ACCOUNT_KEY=""
+
+# ---
 
 # A connection string for accessing Azure Blob Storage. If this
 # is not given, the command tries to fall back to using a primary account key
-# (if given) or a managed identity (if nothing is given).
+# (if given) or a managed identity (if neither is set).
 
-# AZURE_STORAGE_CONNECTION_STRING="<xxx>"
+# AZURE_STORAGE_CONNECTION_STRING=""
+
+# ---
 
 # The container name when using Azure Blob Storage.
+# Example: "container-name"
 
-# AZURE_STORAGE_CONTAINER_NAME="container-name"
+# AZURE_STORAGE_CONTAINER_NAME=""
+
+# ---
 
 # The service endpoint when using Azure Blob Storage. This is a template that
 # can be passed the account name as shown in the default value below.
 
 # AZURE_STORAGE_ENDPOINT="https://{{ .AccountName }}.blob.core.windows.net/"
 
+# ---
+
+# The access tier when using Azure Blob Storage. Possible values are
+# https://github.com/Azure/azure-sdk-for-go/blob/sdk/storage/azblob/v1.3.2/sdk/storage/azblob/internal/generated/zz_constants.go#L14-L30
+# Example: "Cold"
+
+# AZURE_STORAGE_ACCESS_TIER=""
+
+########### DROPBOX STORAGE
+
 # Absolute remote path in your Dropbox where the backups shall be stored.
 # Note: Use your app's subpath in Dropbox, if it doesn't have global access.
-# Consulte the README for further information.
+# Consult the README for further information.
+# Example: "/my/directory"
 
-# DROPBOX_REMOTE_PATH="/my/directory"
+# DROPBOX_REMOTE_PATH=""
+
+# ---
+
+# App key and app secret from your app created at https://www.dropbox.com/developers/apps
+
+# DROPBOX_APP_KEY=""
+# DROPBOX_APP_SECRET=""
+
+# ---
 
 # Number of concurrent chunked uploads for Dropbox.
 # Values above 6 usually result in no enhancements.
 
 # DROPBOX_CONCURRENCY_LEVEL="6"
 
-# App key and app secret from your app created at https://www.dropbox.com/developers/apps/info
-
-# DROPBOX_APP_KEY=""
-# DROPBOX_APP_SECRET=""
+# ---
 
 # Refresh token to request new short-lived tokens (OAuth2). Consult README to see how to get one.
 
 # DROPBOX_REFRESH_TOKEN=""
 
+########### GOOGLE DRIVE STORAGE
+
+# The JSON credentials for a Google service account with access to Google Drive.
+# You can provide either:
+# 1. The actual JSON content directly
+# 2. Use the _FILE suffix to load from a file (e.g., GOOGLE_DRIVE_CREDENTIALS_JSON_FILE)
+#
+# Examples:
+# Option 1 - JSON content:
+# docker run [...] \
+#    -e GOOGLE_DRIVE_CREDENTIALS_JSON='{"type":"service_account",...}'
+#
+# Option 2 - Using _FILE suffix (recommended for Docker Secrets):
+# docker run [...] \
+#    -v ./credentials.json:/creds/google-credentials.json \
+#    -e GOOGLE_DRIVE_CREDENTIALS_JSON_FILE=/creds/google-credentials.json
+#
+# GOOGLE_DRIVE_CREDENTIALS_JSON=""
+
+# ---
+
+# The ID of the Google Drive folder where backups will be uploaded.
+# You can find the folder ID in the URL when viewing the folder in Google Drive.
+# 
+# Example: "1A2B3C4D5E6F7G8H9I0J"
+#
+# GOOGLE_DRIVE_FOLDER_ID=""
+
+# ---
+
+# The email address of the user to impersonate when accessing Google Drive (domain-wide delegation).
+# This is required becasue your service account needs to act on behalf of a user in your organization in order to upload files.
+# How to: https://support.google.com/a/answer/162106
+# Example: "user@example.com"
+#
+# GOOGLE_DRIVE_IMPERSONATE_SUBJECT=""
+
+# ---
+
+# (Optional) Custom Google Drive API endpoint. This is primarily for testing with a mock server.
+# Example: "http://localhost:8080/drive/v3"
+#
+# GOOGLE_DRIVE_ENDPOINT=""
+
+# ---
+
+# (Optional) Custom token URL for Google Drive authentication. This is primarily for testing with a mock server.
+# Example: "http://localhost:8080/token"
+#
+# GOOGLE_DRIVE_TOKEN_URL=""
+
+########### LOCAL FILE STORAGE
+
 # In addition to storing backups remotely, you can also keep local copies.
 # Pass a container-local path to store your backups if needed. You also need to
 # mount a local folder or Docker volume into that location (`/archive`
@@ -306,10 +472,12 @@ You can populate below template according to your requirements and use it as you
 # for such files, or to configure BACKUP_PRUNING_PREFIX to limit
 # removal to certain files.
 
-# Define this value to enable automatic rotation of old backups. The value
-# declares the number of days for which a backup is kept.
+# Pass zero or a positive integer value to enable automatic rotation of
+# old backups. The value declares the number of days for which a backup is kept.
 
-# BACKUP_RETENTION_DAYS="7"
+# BACKUP_RETENTION_DAYS="-1"
+
+# ---
 
 # In case the duration a backup takes fluctuates noticeably in your setup
 # you can adjust this setting to make sure there are no race conditions
@@ -321,6 +489,8 @@ You can populate below template according to your requirements and use it as you
 
 # BACKUP_PRUNING_LEEWAY="1m"
 
+# ---
+
 # In case your target bucket or directory contains other files than the ones
 # managed by this container, you can limit the scope of rotation by setting
 # a prefix value. This would usually be the non-parametrized part of your
@@ -328,13 +498,37 @@ You can populate below template according to your requirements and use it as you
 # you can set BACKUP_PRUNING_PREFIX to `db-backup-` and make sure
 # unrelated files are not affected by the rotation mechanism.
 
-# BACKUP_PRUNING_PREFIX="backup-"
+# BACKUP_PRUNING_PREFIX=""
 
 ########### BACKUP ENCRYPTION
 
-# Backups can be encrypted using gpg in case a passphrase is given.
+# All of the encryption options are mutually exclusive. Provide a single option
+# for the encryption scheme of your choice.
 
-# GPG_PASSPHRASE="<xxx>"
+# Backups can be encrypted symmetrically using gpg in case a passphrase is given.
+
+# GPG_PASSPHRASE=""
+
+# ---
+
+# Backups can be encrypted asymmetrically using gpg in case publickeys are given.
+# You can use pipe syntax to pass a multiline value.
+
+# GPG_PUBLIC_KEY_RING=""
+
+# ---
+
+# Backups can be encrypted symmetrically using age in case a passphrase is given.
+
+# AGE_PASSPHRASE=""
+
+# ---
+
+# Backups can be encrypted asymmetrically using age in case publickeys are given.
+# Multiple keys need to be provided as a comma separated list. Right now, this
+# supports `age` and `ssh` keys
+
+# AGE_PUBLIC_KEYS=""
 
 ########### STOPPING CONTAINERS AND SERVICES DURING BACKUP
 
@@ -342,18 +536,24 @@ You can populate below template according to your requirements and use it as you
 # `docker-volume-backup.stop-during-backup` label. By default, all containers and
 # services that are labeled with `true` will be stopped. If you need more fine
 # grained control (e.g. when running multiple containers based on this image),
-# you can override this default by specifying a different value here.
-# BACKUP_STOP_DURING_BACKUP_LABEL="service1"
+# you can override this default by specifying a different string value here.
+# BACKUP_STOP_DURING_BACKUP_LABEL="true"
+
+# Containers or services can also be stopped for the duration of the backup
+# without being restarted afterwards by applying a
+# `docker-volume-backup.stop-during-backup-no-restart` label. This behaves the
+# same as `docker-volume-backup.stop-during-backup` but is mutually exclusive and
+# skips restarting the container or service once the backup has finished.
+# BACKUP_STOP_DURING_BACKUP_NO_RESTART_LABEL="true"
 
 # When trying to scale down Docker Swarm services, give up after
 # the specified amount of time in case the service has not converged yet.
 # In case you need to adjust this timeout, supply a duration
 # value as per https://pkg.go.dev/time#ParseDuration to `BACKUP_STOP_SERVICE_TIMEOUT`.
-# Defaults to 5 minutes.
 
 # BACKUP_STOP_SERVICE_TIMEOUT="5m"
 
-########### EXECUTING COMMANDS IN CONTAINERS PRE/POST BACKUP
+########### EXECUTING COMMANDS IN CONTAINERS DURING THE BACKUP LIFECYCLE
 
 # It is possible to define commands to be run in any container before and after
 # a backup is conducted. The commands themselves are defined in labels like
@@ -364,29 +564,34 @@ You can populate below template according to your requirements and use it as you
 # is configured to be "true", command execution output will be forwarded to
 # the backup container's stdout and stderr.
 
-# EXEC_FORWARD_OUTPUT="true"
+# EXEC_FORWARD_OUTPUT="false"
+
+# ---
 
 # Without any further configuration, all commands defined in labels will be
 # run before and after a backup. If you need more fine grained control, you
 # can use this option to set a label that will be used for narrowing down
-# the set of eligible containers. When set, an eligible container will also need
-# to be labeled as `docker-volume-backup.exec-label=database`.
+# the set of eligible containers. E.g. when setting this to `database`,
+# an eligible container will also need to be labeled as `docker-volume-backup.exec-label=database`.
 
-# EXEC_LABEL="database"
+# EXEC_LABEL=""
 
 ########### NOTIFICATIONS
 
 # Notifications (email, Slack, etc.) can be sent out when a backup run finishes.
 # Configuration is provided as a comma-separated list of URLs as consumed
-# by `shoutrrr`: https://containrrr.dev/shoutrrr/0.7/services/overview/
+# by `shoutrrr`: https://shoutrrr.nickfedor.com/v0.10.3/services/overview/
 # The content of such notifications can be customized. Dedicated documentation
 # on how to do this can be found in the README. When providing multiple URLs or
 # an URL that contains a comma, the values can be URL encoded to avoid ambiguities.
 
-# The below URL demonstrates how to send an email using the provided SMTP
+# The following example URL demonstrates how to send an email using the provided SMTP
 # configuration and credentials.
+# Example: "smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com"
 
-# NOTIFICATION_URLS=smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com
+# NOTIFICATION_URLS=""
+
+# ---
 
 # By default, notifications would only be sent out when a backup run fails
 # To receive notifications for every run, set `NOTIFICATION_LEVEL` to `info`
@@ -398,8 +603,9 @@ You can populate below template according to your requirements and use it as you
 
 # If you are interfacing with Docker via TCP you can set the Docker host here
 # instead of mounting the Docker socket as a volume. This is unset by default.
+# Example: "tcp://docker_socket_proxy:2375"
 
-# DOCKER_HOST="tcp://docker_socket_proxy:2375"
+# DOCKER_HOST=""
 
 ########### LOCK_TIMEOUT
 
@@ -426,20 +632,25 @@ You can populate below template according to your requirements and use it as you
 # The recipient(s) of the notification. Supply a comma separated list
 # of addresses if you want to notify multiple recipients. If this is
 # not set, no emails will be sent.
+# Example: "you@example.com"
 
-# EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
+# EMAIL_NOTIFICATION_RECIPIENT=""
 
-# The "From" header of the sent email. Defaults to `noreply@nohost`.
+# ---
 
-# EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
+# The "From" header of the sent email.
+# Example: "no-reply@example.com"
+
+# EMAIL_NOTIFICATION_SENDER="noreply@nohost"
+
+# ---
 
 # Configuration and credentials for the SMTP server to be used.
-# EMAIL_SMTP_PORT defaults to 587.
 
-# EMAIL_SMTP_HOST="posteo.de"
-# EMAIL_SMTP_PASSWORD="<xxx>"
-# EMAIL_SMTP_USERNAME="no-reply@example.com"
-# EMAIL_SMTP_PORT="<port>"
+# EMAIL_SMTP_HOST=""
+# EMAIL_SMTP_PASSWORD=""
+# EMAIL_SMTP_USERNAME=""
+# EMAIL_SMTP_PORT="587"
 ```
 {% endraw %}
 

go.mod

@@ -1,77 +1,111 @@
 module github.com/offen/docker-volume-backup
 
-go 1.22
+go 1.25.3
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.2.1
-	github.com/containrrr/shoutrrr v0.7.1
+	filippo.io/age v1.2.1
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
 	github.com/cosiner/argv v0.1.0
-	github.com/docker/cli v24.0.9+incompatible
-	github.com/docker/docker v24.0.7+incompatible
-	github.com/gofrs/flock v0.8.1
+	github.com/docker/cli v28.5.1+incompatible
+	github.com/docker/docker v28.3.3+incompatible
+	github.com/gofrs/flock v0.13.0
 	github.com/joho/godotenv v1.5.1
-	github.com/klauspost/compress v1.17.7
+	github.com/klauspost/compress v1.18.1
 	github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
-	github.com/minio/minio-go/v7 v7.0.69
+	github.com/minio/minio-go/v7 v7.0.95
+	github.com/nicholas-fedor/shoutrrr v0.11.0
 	github.com/offen/envconfig v1.5.0
-	github.com/otiai10/copy v1.14.0
-	github.com/pkg/sftp v1.13.6
+	github.com/otiai10/copy v1.14.1
+	github.com/pkg/sftp v1.13.10
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/studio-b12/gowebdav v0.9.0
-	golang.org/x/crypto v0.21.0
-	golang.org/x/oauth2 v0.19.0
-	golang.org/x/sync v0.7.0
-	mvdan.cc/sh/v3 v3.8.0
+	github.com/studio-b12/gowebdav v0.11.0
+	golang.org/x/crypto v0.43.0
+	golang.org/x/oauth2 v0.32.0
+	golang.org/x/sync v0.17.0
+	google.golang.org/api v0.253.0
+	mvdan.cc/sh/v3 v3.12.0
 )
 
 require (
+	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fvbommel/sortorder v1.1.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/minio/crc64nvme v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/otiai10/mint v1.6.3 // indirect
+	github.com/philhofer/fwd v1.2.0 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/theupdateframework/notary v0.7.0 // indirect
+	github.com/tinylib/msgp v1.3.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.7.0 // indirect
+	golang.org/x/term v0.36.0 // indirect
+	golang.org/x/time v0.14.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251014184007-4626949a642f // indirect
+	google.golang.org/grpc v1.76.0 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/ProtonMail/go-crypto v1.1.0-alpha.1
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/ProtonMail/go-crypto v1.3.0
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/dropbox/dropbox-sdk-go-unofficial/v6 v6.0.5
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/fatih/color v1.13.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.6 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.11 // indirect
 	github.com/klauspost/pgzip v1.2.6
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
-	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/rs/xid v1.5.0 // indirect
+	github.com/rs/xid v1.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	golang.org/x/net v0.22.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
+	golang.org/x/text v0.30.0 // indirect
 	gotest.tools/v3 v3.0.3 // indirect
 )

internal/errwrap/wrap.go

@@ -21,7 +21,7 @@ func Wrap(err error, msg string) error {
 	chunks := strings.Split(frame.Function, "/")
 	withCaller := fmt.Sprintf("%s: %s", chunks[len(chunks)-1], msg)
 	if err == nil {
-		return fmt.Errorf(withCaller)
+		return errors.New(withCaller)
 	}
 	return fmt.Errorf("%s: %w", withCaller, err)
 }

internal/storage/azure/azure.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -17,6 +18,8 @@ import (
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
 	"github.com/offen/docker-volume-backup/internal/errwrap"
 	"github.com/offen/docker-volume-backup/internal/storage"
@@ -24,8 +27,9 @@ import (
 
 type azureBlobStorage struct {
 	*storage.StorageBackend
-	client        *azblob.Client
-	containerName string
+	client              *azblob.Client
+	uploadStreamOptions *blockblob.UploadStreamOptions
+	containerName       string
 }
 
 // Config contains values that define the configuration of an Azure Blob Storage.
@@ -36,6 +40,7 @@ type Config struct {
 	ConnectionString  string
 	Endpoint          string
 	RemotePath        string
+	AccessTier        string
 }
 
 // NewStorageBackend creates and initializes a new Azure Blob Storage backend.
@@ -81,9 +86,26 @@ func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error
 		}
 	}
 
+	var uploadStreamOptions *blockblob.UploadStreamOptions
+	if opts.AccessTier != "" {
+		var found bool
+		for _, t := range blob.PossibleAccessTierValues() {
+			if string(t) == opts.AccessTier {
+				found = true
+				uploadStreamOptions = &blockblob.UploadStreamOptions{
+					AccessTier: &t,
+				}
+			}
+		}
+		if !found {
+			return nil, errwrap.Wrap(nil, fmt.Sprintf("%s is not a possible access tier value", opts.AccessTier))
+		}
+	}
+
 	storage := azureBlobStorage{
-		client:        client,
-		containerName: opts.ContainerName,
+		client:              client,
+		uploadStreamOptions: uploadStreamOptions,
+		containerName:       opts.ContainerName,
 		StorageBackend: &storage.StorageBackend{
 			DestinationPath: opts.RemotePath,
 			Log:             logFunc,
@@ -103,12 +125,13 @@ func (b *azureBlobStorage) Copy(file string) error {
 	if err != nil {
 		return errwrap.Wrap(err, fmt.Sprintf("error opening file %s", file))
 	}
+
 	_, err = b.client.UploadStream(
 		context.Background(),
 		b.containerName,
-		filepath.Join(b.DestinationPath, filepath.Base(file)),
+		path.Join(b.DestinationPath, filepath.Base(file)),
 		fileReader,
-		nil,
+		b.uploadStreamOptions,
 	)
 	if err != nil {
 		return errwrap.Wrap(err, fmt.Sprintf("error uploading file %s", file))
@@ -119,7 +142,7 @@ func (b *azureBlobStorage) Copy(file string) error {
 // Prune rotates away backups according to the configuration and provided
 // deadline for the Azure Blob storage backend.
 func (b *azureBlobStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
-	lookupPrefix := filepath.Join(b.DestinationPath, pruningPrefix)
+	lookupPrefix := path.Join(b.DestinationPath, pruningPrefix)
 	pager := b.client.NewListBlobsFlatPager(b.containerName, &container.ListBlobsFlatOptions{
 		Prefix: &lookupPrefix,
 	})

internal/storage/dropbox/dropbox.go

@@ -7,7 +7,6 @@ import (
 	"net/url"
 	"os"
 	"path"
-	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@@ -88,7 +87,7 @@ func (b *dropboxStorage) Name() string {
 }
 
 // Copy copies the given file to the WebDav storage backend.
-func (b *dropboxStorage) Copy(file string) error {
+func (b *dropboxStorage) Copy(file string) (returnErr error) {
 	_, name := path.Split(file)
 
 	folderArg := files.NewCreateFolderArg(b.DestinationPath)
@@ -96,19 +95,24 @@ func (b *dropboxStorage) Copy(file string) error {
 		switch err := err.(type) {
 		case files.CreateFolderV2APIError:
 			if err.EndpointError.Path.Tag != files.WriteErrorConflict {
-				return errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
+				returnErr = errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
+				return
 			}
 			b.Log(storage.LogLevelInfo, b.Name(), "Destination path '%s' already exists, no new directory required.", b.DestinationPath)
 		default:
-			return errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
+			returnErr = errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
+			return
 		}
 	}
 
 	r, err := os.Open(file)
 	if err != nil {
-		return errwrap.Wrap(err, "error opening the file to be uploaded")
+		returnErr = errwrap.Wrap(err, "error opening the file to be uploaded")
+		return
 	}
-	defer r.Close()
+	defer func() {
+		returnErr = r.Close()
+	}()
 
 	// Start new upload session and get session id
 	b.Log(storage.LogLevelInfo, b.Name(), "Starting upload session for backup '%s' at path '%s'.", file, b.DestinationPath)
@@ -117,7 +121,8 @@ func (b *dropboxStorage) Copy(file string) error {
 	uploadSessionStartArg := files.NewUploadSessionStartArg()
 	uploadSessionStartArg.SessionType = &files.UploadSessionType{Tagged: dropbox.Tagged{Tag: files.UploadSessionTypeConcurrent}}
 	if res, err := b.client.UploadSessionStart(uploadSessionStartArg, nil); err != nil {
-		return errwrap.Wrap(err, "error starting the upload session")
+		returnErr = errwrap.Wrap(err, "error starting the upload session")
+		return
 	} else {
 		sessionId = res.SessionId
 	}
@@ -195,10 +200,11 @@ loop:
 	_, err = b.client.UploadSessionFinish(
 		files.NewUploadSessionFinishArg(
 			files.NewUploadSessionCursor(sessionId, 0),
-			files.NewCommitInfo(filepath.Join(b.DestinationPath, name)),
+			files.NewCommitInfo(path.Join(b.DestinationPath, name)),
 		), nil)
 	if err != nil {
-		return errwrap.Wrap(err, "error finishing the upload session")
+		returnErr = errwrap.Wrap(err, "error finishing the upload session")
+		return
 	}
 
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' at path '%s'.", file, b.DestinationPath)
@@ -247,7 +253,7 @@ func (b *dropboxStorage) Prune(deadline time.Time, pruningPrefix string) (*stora
 
 	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
 		for _, match := range matches {
-			if _, err := b.client.DeleteV2(files.NewDeleteArg(filepath.Join(b.DestinationPath, match.Name))); err != nil {
+			if _, err := b.client.DeleteV2(files.NewDeleteArg(path.Join(b.DestinationPath, match.Name))); err != nil {
 				return errwrap.Wrap(err, "error removing file from Dropbox storage")
 			}
 		}

internal/storage/googledrive/googledrive.go

@@ -0,0 +1,178 @@
+// Copyright 2025 - The Gemini CLI authors <gemini-cli@google.com>
+// SPDX-License-Identifier: MPL-2.0
+
+package googledrive
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"crypto/tls"
+	"github.com/offen/docker-volume-backup/internal/errwrap"
+	"github.com/offen/docker-volume-backup/internal/storage"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	"google.golang.org/api/drive/v3"
+	"google.golang.org/api/option"
+	"net/http"
+)
+
+type googleDriveStorage struct {
+	storage.StorageBackend
+	client *drive.Service
+}
+
+// Config allows to configure a Google Drive storage backend.
+type Config struct {
+	CredentialsJSON    string
+	FolderID           string
+	ImpersonateSubject string
+	Endpoint           string
+	TokenURL           string
+}
+
+// NewStorageBackend creates and initializes a new Google Drive storage backend.
+func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
+	ctx := context.Background()
+
+	credentialsBytes := []byte(opts.CredentialsJSON)
+
+	config, err := google.JWTConfigFromJSON(credentialsBytes, drive.DriveScope)
+	if err != nil {
+		return nil, errwrap.Wrap(err, "unable to parse credentials")
+	}
+	if opts.ImpersonateSubject != "" {
+		config.Subject = opts.ImpersonateSubject
+	}
+	if opts.TokenURL != "" {
+		config.TokenURL = opts.TokenURL
+	}
+
+	var clientOptions []option.ClientOption
+	if opts.Endpoint != "" {
+		clientOptions = append(clientOptions, option.WithEndpoint(opts.Endpoint))
+		// Insecure transport for http mock server
+		insecureTransport := &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+		insecureClient := &http.Client{Transport: insecureTransport}
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, insecureClient)
+	}
+	clientOptions = append(clientOptions, option.WithTokenSource(config.TokenSource(ctx)))
+
+	srv, err := drive.NewService(ctx, clientOptions...)
+	if err != nil {
+		return nil, errwrap.Wrap(err, "unable to create Drive client")
+	}
+
+	return &googleDriveStorage{
+		StorageBackend: storage.StorageBackend{
+			DestinationPath: opts.FolderID,
+			Log:             logFunc,
+		},
+		client: srv,
+	}, nil
+}
+
+// Name returns the name of the storage backend
+func (b *googleDriveStorage) Name() string {
+	return "GoogleDrive"
+}
+
+// Copy copies the given file to the Google Drive storage backend.
+func (b *googleDriveStorage) Copy(file string) (returnErr error) {
+	_, name := filepath.Split(file)
+	b.Log(storage.LogLevelInfo, b.Name(), "Starting upload for backup '%s'.", name)
+
+	f, err := os.Open(file)
+	if err != nil {
+		returnErr = errwrap.Wrap(err, fmt.Sprintf("failed to open file %s", file))
+		return
+	}
+	defer func() {
+		returnErr = f.Close()
+	}()
+
+	driveFile := &drive.File{Name: name}
+	if b.DestinationPath != "" {
+		driveFile.Parents = []string{b.DestinationPath}
+	} else {
+		driveFile.Parents = []string{"root"}
+	}
+
+	createCall := b.client.Files.Create(driveFile).SupportsAllDrives(true).Fields("id")
+	created, err := createCall.Media(f).Do()
+	if err != nil {
+		returnErr = errwrap.Wrap(err, fmt.Sprintf("failed to upload %s", name))
+		return
+	}
+
+	b.Log(storage.LogLevelInfo, b.Name(), "Finished upload for %s. File ID: %s", name, created.Id)
+	return nil
+}
+
+// Prune rotates away backups according to the configuration and provided deadline for the Google Drive storage backend.
+func (b *googleDriveStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
+	parentID := b.DestinationPath
+	if parentID == "" {
+		parentID = "root"
+	}
+
+	query := fmt.Sprintf("name contains '%s' and trashed = false", pruningPrefix)
+	if parentID != "root" {
+		query = fmt.Sprintf("'%s' in parents and (%s)", parentID, query)
+	}
+
+	var allFiles []*drive.File
+	pageToken := ""
+	for {
+		req := b.client.Files.List().Q(query).SupportsAllDrives(true).Fields("files(id, name, createdTime, parents)").PageToken(pageToken)
+		res, err := req.Do()
+		if err != nil {
+			return nil, errwrap.Wrap(err, "listing files")
+		}
+		allFiles = append(allFiles, res.Files...)
+		pageToken = res.NextPageToken
+		if pageToken == "" {
+			break
+		}
+	}
+
+	var matches []*drive.File
+	var lenCandidates int
+	for _, f := range allFiles {
+		if !strings.HasPrefix(f.Name, pruningPrefix) {
+			continue
+		}
+		lenCandidates++
+		created, err := time.Parse(time.RFC3339, f.CreatedTime)
+		if err != nil {
+			b.Log(storage.LogLevelWarning, b.Name(), "Could not parse time for backup %s: %v", f.Name, err)
+			continue
+		}
+		if created.Before(deadline) {
+			matches = append(matches, f)
+		}
+	}
+
+	stats := &storage.PruneStats{
+		Total:  uint(lenCandidates),
+		Pruned: uint(len(matches)),
+	}
+
+	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
+		for _, file := range matches {
+			b.Log(storage.LogLevelInfo, b.Name(), "Deleting old backup file: %s", file.Name)
+			if err := b.client.Files.Delete(file.Id).SupportsAllDrives(true).Do(); err != nil {
+				b.Log(storage.LogLevelWarning, b.Name(), "Error deleting %s: %v", file.Name, err)
+			}
+		}
+		return nil
+	})
+
+	return stats, pruneErr
+}

internal/storage/local/local.go

@@ -55,7 +55,9 @@ func (b *localStorage) Copy(file string) error {
 	if b.latestSymlink != "" {
 		symlink := path.Join(b.DestinationPath, b.latestSymlink)
 		if _, err := os.Lstat(symlink); err == nil {
-			os.Remove(symlink)
+			if err := os.Remove(symlink); err != nil {
+				return errwrap.Wrap(err, "error removing existing symlink")
+			}
 		}
 		if err := os.Symlink(name, symlink); err != nil {
 			return errwrap.Wrap(err, "error creating latest symlink")
@@ -96,7 +98,7 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 			)
 		}
 
-		if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
+		if !fi.IsDir() && fi.Mode()&os.ModeSymlink != os.ModeSymlink {
 			candidates = append(candidates, candidate)
 		}
 	}
@@ -146,22 +148,25 @@ func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage
 }
 
 // copy creates a copy of the file located at `dst` at `src`.
-func copyFile(src, dst string) error {
+func copyFile(src, dst string) (returnErr error) {
 	in, err := os.Open(src)
 	if err != nil {
-		return err
+		returnErr = err
+		return
 	}
-	defer in.Close()
+	defer func() {
+		returnErr = in.Close()
+	}()
 
 	out, err := os.Create(dst)
 	if err != nil {
-		return err
+		returnErr = err
+		return
 	}
 
 	_, err = io.Copy(out, in)
 	if err != nil {
-		out.Close()
-		return err
+		return errors.Join(err, out.Close())
 	}
 	return out.Close()
 }

internal/storage/s3/s3.go

@@ -10,7 +10,6 @@ import (
 	"fmt"
 	"os"
 	"path"
-	"path/filepath"
 	"time"
 
 	"github.com/minio/minio-go/v7"
@@ -124,7 +123,7 @@ func (b *s3Storage) Copy(file string) error {
 		putObjectOptions.PartSize = uint64(partSize)
 	}
 
-	if _, err := b.client.FPutObject(context.Background(), b.bucket, filepath.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
+	if _, err := b.client.FPutObject(context.Background(), b.bucket, path.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
 		if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
 			return errwrap.Wrap(
 				nil,
@@ -147,7 +146,7 @@ func (b *s3Storage) Copy(file string) error {
 // Prune rotates away backups according to the configuration and provided deadline for the S3/Minio storage backend.
 func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates := b.client.ListObjects(context.Background(), b.bucket, minio.ListObjectsOptions{
-		Prefix:    filepath.Join(b.DestinationPath, pruningPrefix),
+		Prefix:    path.Join(b.DestinationPath, pruningPrefix),
 		Recursive: true,
 	})
 

internal/storage/ssh/ssh.go

@@ -4,11 +4,11 @@
 package ssh
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"path"
-	"path/filepath"
 	"strings"
 	"time"
 
@@ -107,19 +107,29 @@ func (b *sshStorage) Name() string {
 }
 
 // Copy copies the given file to the SSH storage backend.
-func (b *sshStorage) Copy(file string) error {
+func (b *sshStorage) Copy(file string) (returnErr error) {
+	if err := b.sftpClient.MkdirAll(b.DestinationPath); err != nil {
+		return errwrap.Wrap(err, "error ensuring destination directory")
+	}
+
 	source, err := os.Open(file)
 	_, name := path.Split(file)
 	if err != nil {
-		return errwrap.Wrap(err, " error reading the file to be uploaded")
+		returnErr = errwrap.Wrap(err, " error reading the file to be uploaded")
+		return
 	}
-	defer source.Close()
+	defer func() {
+		returnErr = source.Close()
+	}()
 
-	destination, err := b.sftpClient.Create(filepath.Join(b.DestinationPath, name))
+	destination, err := b.sftpClient.Create(path.Join(b.DestinationPath, name))
 	if err != nil {
-		return errwrap.Wrap(err, "error creating file")
+		returnErr = errwrap.Wrap(err, "error creating file")
+		return
 	}
-	defer destination.Close()
+	defer func() {
+		returnErr = destination.Close()
+	}()
 
 	chunk := make([]byte, 1e9)
 	for {
@@ -127,27 +137,32 @@ func (b *sshStorage) Copy(file string) error {
 		if err == io.EOF {
 			tot, err := destination.Write(chunk[:num])
 			if err != nil {
-				return errwrap.Wrap(err, "error uploading the file")
+				returnErr = errwrap.Wrap(err, "error uploading the file")
+				return
 			}
 
 			if tot != len(chunk[:num]) {
-				return errwrap.Wrap(nil, "failed to write stream")
+				returnErr = errwrap.Wrap(nil, "failed to write stream")
+				return
 			}
 
 			break
 		}
 
 		if err != nil {
-			return errwrap.Wrap(err, "error uploading the file")
+			returnErr = errwrap.Wrap(err, "error uploading the file")
+			return
 		}
 
 		tot, err := destination.Write(chunk[:num])
 		if err != nil {
-			return errwrap.Wrap(err, "error uploading the file")
+			returnErr = errwrap.Wrap(err, "error uploading the file")
+			return
 		}
 
 		if tot != len(chunk[:num]) {
-			return errwrap.Wrap(nil, "failed to write stream")
+			returnErr = errwrap.Wrap(nil, "failed to write stream")
+			return
 		}
 	}
 
@@ -160,28 +175,36 @@ func (b *sshStorage) Copy(file string) error {
 func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
 	candidates, err := b.sftpClient.ReadDir(b.DestinationPath)
 	if err != nil {
+		// If directory doesn't exist yet, nothing to prune
+		if errors.Is(err, os.ErrNotExist) {
+			return &storage.PruneStats{}, nil
+		}
 		return nil, errwrap.Wrap(err, "error reading directory")
 	}
 
 	var matches []string
+	var numCandidates int
 	for _, candidate := range candidates {
-		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
+		if candidate.IsDir() || !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
+
+		numCandidates++
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate.Name())
 		}
 	}
 
 	stats := &storage.PruneStats{
-		Total:  uint(len(candidates)),
+		Total:  uint(numCandidates),
 		Pruned: uint(len(matches)),
 	}
 
-	pruneErr := b.DoPrune(b.Name(), len(matches), len(candidates), deadline, func() error {
+	pruneErr := b.DoPrune(b.Name(), len(matches), numCandidates, deadline, func() error {
 		for _, match := range matches {
-			if err := b.sftpClient.Remove(filepath.Join(b.DestinationPath, match)); err != nil {
-				return errwrap.Wrap(err, "error removing file")
+			p := path.Join(b.DestinationPath, match)
+			if err := b.sftpClient.Remove(p); err != nil {
+				return errwrap.Wrap(err, fmt.Sprintf("error removing file %s", p))
 			}
 		}
 		return nil

internal/storage/webdav/webdav.go

@@ -9,7 +9,6 @@ import (
 	"net/http"
 	"os"
 	"path"
-	"path/filepath"
 	"strings"
 	"time"
 
@@ -77,7 +76,7 @@ func (b *webDavStorage) Copy(file string) error {
 		return errwrap.Wrap(err, "error opening the file to be uploaded")
 	}
 
-	if err := b.client.WriteStream(filepath.Join(b.DestinationPath, name), r, 0644); err != nil {
+	if err := b.client.WriteStream(path.Join(b.DestinationPath, name), r, 0644); err != nil {
 		return errwrap.Wrap(err, "error uploading the file")
 	}
 	b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to '%s' at path '%s'.", file, b.url, b.DestinationPath)
@@ -91,26 +90,27 @@ func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storag
 	if err != nil {
 		return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
 	}
+
 	var matches []fs.FileInfo
-	var lenCandidates int
+	var numCandidates int
 	for _, candidate := range candidates {
-		if !strings.HasPrefix(candidate.Name(), pruningPrefix) {
+		if candidate.IsDir() || !strings.HasPrefix(candidate.Name(), pruningPrefix) {
 			continue
 		}
-		lenCandidates++
+		numCandidates++
 		if candidate.ModTime().Before(deadline) {
 			matches = append(matches, candidate)
 		}
 	}
 
 	stats := &storage.PruneStats{
-		Total:  uint(lenCandidates),
+		Total:  uint(numCandidates),
 		Pruned: uint(len(matches)),
 	}
 
-	pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
+	pruneErr := b.DoPrune(b.Name(), len(matches), numCandidates, deadline, func() error {
 		for _, match := range matches {
-			if err := b.client.Remove(filepath.Join(b.DestinationPath, match.Name())); err != nil {
+			if err := b.client.Remove(path.Join(b.DestinationPath, match.Name())); err != nil {
 				return errwrap.Wrap(err, "error removing file")
 			}
 		}

test/Dockerfile

@@ -1,9 +1,12 @@
-FROM docker:26-dind
+FROM docker:28-dind
 
 RUN apk add \
+  age \
   coreutils \
   curl \
+  expect \
   gpg \
+  gpg-agent \
   jq \
   moreutils \
   tar \

test/README.md

@@ -39,14 +39,6 @@ Setting this value lets you run tests against different existing images, so you
 IMAGE_TAG=v2.30.0 ./test.sh
 ```
 
-#### `NO_IMAGE_CACHE`
-
-When set, images from remote registries will not be cached and shared between sandbox containers.
-
-```sh
-NO_IMAGE_CACHE=1 ./test.sh
-```
-
 By default, two local images are created that persist the image data and provide it to containers at runtime.
 
 ## Understanding the test setup
@@ -57,8 +49,8 @@ As the sandbox container is also expected to be torn down post test, the scripts
 
 ## Anatomy of a test case
 
-The `test.sh` script looks for an exectuable file called `run.sh` in each directory.
-When found, it is executed and signals success by returning a 0 exit code.
+The `test.sh` script looks for all exectuable files in each directory.
+When found, all of them are executed in series and are expected to signal success by returning a 0 exit code.
 Any other exit code is considered a failure and will halt execution of further tests.
 
 There is an `util.sh` file containing a few commonly used helpers which can be used by putting the following prelude to a new test case:
@@ -68,3 +60,13 @@ cd "$(dirname "$0")"
 . ../util.sh
 current_test=$(basename $(pwd))
 ```
+
+### Running tests in swarm mode
+
+A test case can signal it wants to run in swarm mode by placing an empty `.swarm` file inside the directory.
+In case the swarm setup should be compose of multiple nodes, a `.multinode` file can be used.
+
+A multinode setup will contain one manager (`manager`) and two worker nodes (`worker1` and `worker2`).
+
+If a test is expected to run in the context of a node other than the `manager`, you can create a `.context` file containing the name of the node you want the test to run in.
+E.g. if your script `02run.sh` is expected to be run on `worker2`, create a file called `02run.sh.context` with the content `worker2`

test/age-passphrase/docker-compose.yml

@@ -0,0 +1,24 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    environment:
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.age
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      AGE_PASSPHRASE: "Dance.0Tonight.Go.Typical"
+    volumes:
+      - ${LOCAL_DIR:-./local}:/archive
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/age-passphrase/run.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename "$(pwd)")
+
+export LOCAL_DIR="$(mktemp -d)"
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose exec backup backup
+
+expect_running_containers "2"
+
+TMP_DIR=$(mktemp -d)
+
+# complex usage of expect(1) due to age not have a way to programmatically
+# provide the passphrase
+expect -i <<EOL
+spawn age --decrypt -o "$LOCAL_DIR/decrypted.tar.gz" "$LOCAL_DIR/test.tar.gz.age"
+expect -exact "Enter passphrase: "
+send -- "Dance.0Tonight.Go.Typical\r"
+sleep 1
+EOL
+tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C "$TMP_DIR"
+
+if [ ! -f "$TMP_DIR/backup/app_data/offen.db" ]; then
+  fail "Could not find expected file in untared archive."
+fi
+rm -vf "$LOCAL_DIR/decrypted.tar.gz"
+
+pass "Found relevant files in decrypted and untared local backup."
+
+if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.age" ]; then
+  fail "Could not find local symlink to latest encrypted backup."
+fi

test/age-publickey/.gitignore

@@ -0,0 +1 @@
+pk-*.txt

test/age-publickey/docker-compose.yml

@@ -0,0 +1,24 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    environment:
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.age
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      AGE_PUBLIC_KEYS: "${BACKUP_AGE_PUBLIC_KEYS}"
+    volumes:
+      - ${LOCAL_DIR:-./local}:/archive
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/age-publickey/run.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename "$(pwd)")
+
+export LOCAL_DIR="$(mktemp -d)"
+
+age-keygen >"$LOCAL_DIR/pk-a.txt"
+PK_A="$(grep -E 'public key' <"$LOCAL_DIR/pk-a.txt" | cut -d: -f2 | xargs)"
+age-keygen >"$LOCAL_DIR/pk-b.txt"
+PK_B="$(grep -E 'public key' <"$LOCAL_DIR/pk-b.txt" | cut -d: -f2 | xargs)"
+
+ssh-keygen -t ed25519 -m pem -f "$LOCAL_DIR/id_ed25519" -C "docker-volume-backup@local"
+PK_C="$(cat $LOCAL_DIR/id_ed25519.pub)"
+
+export BACKUP_AGE_PUBLIC_KEYS="$PK_A,$PK_B,$PK_C"
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose exec backup backup
+
+expect_running_containers "2"
+
+do_decrypt() {
+  TMP_DIR=$(mktemp -d)
+  age --decrypt -i "$1" -o "$LOCAL_DIR/decrypted.tar.gz" "$LOCAL_DIR/test.tar.gz.age"
+  tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C "$TMP_DIR"
+
+  if [ ! -f "$TMP_DIR/backup/app_data/offen.db" ]; then
+    fail "Could not find expected file in untared archive."
+  fi
+  rm -vf "$LOCAL_DIR/decrypted.tar.gz"
+
+  pass "Found relevant files in decrypted and untared local backup."
+
+  if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.age" ]; then
+    fail "Could not find local symlink to latest encrypted backup."
+  fi
+}
+
+do_decrypt "$LOCAL_DIR/pk-a.txt"
+do_decrypt "$LOCAL_DIR/pk-b.txt"
+do_decrypt "$LOCAL_DIR/id_ed25519"

test/azure/docker-compose.yml

@@ -1,8 +1,6 @@
-version: '3'
-
 services:
   storage:
-    image: mcr.microsoft.com/azure-storage/azurite:3.26.0
+    image: mcr.microsoft.com/azure-storage/azurite:3.35.0
     volumes:
       - ${DATA_DIR:-./data}:/data
     command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000 --location /data
@@ -12,7 +10,7 @@ services:
       retries: 30
 
   az_cli:
-    image: mcr.microsoft.com/azure-cli:2.51.0
+    image: mcr.microsoft.com/azure-cli:2.78.0
     volumes:
       - ${LOCAL_DIR:-./local}:/dump
     command:
@@ -36,6 +34,7 @@ services:
       AZURE_STORAGE_CONTAINER_NAME: test-container
       AZURE_STORAGE_ENDPOINT: http://storage:10000/{{ .AccountName }}/
       AZURE_STORAGE_PATH: 'path/to/backup'
+      AZURE_STORAGE_ACCESS_TIER: Hot
       BACKUP_FILENAME: test.tar.gz
       BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
       BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
@@ -43,7 +42,7 @@ services:
       BACKUP_PRUNING_PREFIX: test
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/certs/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   minio:
     hostname: minio.local
@@ -32,7 +30,7 @@ services:
       BACKUP_PRUNING_LEEWAY: 5s
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${CERT_DIR:-.}/rootCA.crt:/root/minio-rootCA.crt
 
   offen:

test/cli/run.sh

@@ -37,7 +37,7 @@ docker run --rm -q \
   --network test_network \
   -v app_data:/backup/app_data \
   -v empty_data:/backup/empty_data \
-  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v /var/run/docker.sock:/var/run/docker.sock:ro \
   --env AWS_ACCESS_KEY_ID=test \
   --env AWS_SECRET_ACCESS_KEY=GMusLtUmILge2by+z890kQ \
   --env AWS_ENDPOINT=minio:9000 \

test/collision/docker-compose.yml

@@ -1,8 +1,6 @@
 # Copyright 2020-2021 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 
-version: '3.8'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -11,7 +9,7 @@ services:
     volumes:
       - offen_data:/backup/offen_data:ro
       - ${LOCAL_DIR:-./local}:/archive
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/collision/run.sh

@@ -8,8 +8,6 @@ current_test=$(basename $(pwd))
 
 export LOCAL_DIR=$(mktemp -d)
 
-docker swarm init
-
 docker stack deploy --compose-file=docker-compose.yml test_stack
 
 while [ -z $(docker ps -q -f name=backup) ]; do

test/commands/01compose.sh

@@ -31,32 +31,3 @@ fi
 pass "Did not find unexpected file."
 
 docker compose down --volumes
-
-info "Running commands test in swarm mode next."
-
-export LOCAL_DIR=$(mktemp -d)
-export TMP_DIR=$(mktemp -d)
-
-docker swarm init
-
-docker stack deploy --compose-file=docker-compose.yml test_stack
-
-while [ -z $(docker ps -q -f name=backup) ]; do
-  info "Backup container not ready yet. Retrying."
-  sleep 1
-done
-
-sleep 20
-
-docker exec $(docker ps -q -f name=backup) backup
-
-tar -xvf "$LOCAL_DIR/test.tar.gz" -C $TMP_DIR
-if [ ! -f "$TMP_DIR/backup/data/dump.sql" ]; then
-  fail "Could not find file written by pre command."
-fi
-pass "Found expected file."
-
-if [ -f "$TMP_DIR/backup/data/post.txt" ]; then
-  fail "File created in post command was present in backup."
-fi
-pass "Did not find unexpected file."

test/commands/02swarm.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+export TMP_DIR=$(mktemp -d)
+
+docker swarm init
+
+docker stack deploy --compose-file=docker-compose.yml test_stack
+
+while [ -z $(docker ps -q -f name=backup) ]; do
+  info "Backup container not ready yet. Retrying."
+  sleep 1
+done
+
+sleep 20
+
+docker exec $(docker ps -q -f name=backup) backup
+
+tar -xvf "$LOCAL_DIR/test.tar.gz" -C $TMP_DIR
+if [ ! -f "$TMP_DIR/backup/data/dump.sql" ]; then
+  fail "Could not find file written by pre command."
+fi
+pass "Found expected file."
+
+if [ -f "$TMP_DIR/backup/data/post.txt" ]; then
+  fail "File created in post command was present in backup."
+fi
+pass "Did not find unexpected file."

test/commands/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   database:
     image: mariadb:10.7
@@ -44,7 +42,7 @@ services:
     volumes:
       - ${LOCAL_DIR:-./local}:/archive
       - app_data:/backup/data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
 volumes:
   app_data:

test/confd/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -14,7 +12,7 @@ services:
       - ./01backup.env:/etc/dockervolumebackup/conf.d/01backup.env
       - ./02backup.env:/etc/dockervolumebackup/conf.d/02backup.env
       - ./03never.env:/etc/dockervolumebackup/conf.d/03never.env
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/docker-compose.yml

@@ -0,0 +1,30 @@
+services:
+  manager: &node
+    hostname: manager
+    privileged: true
+    image: offen/docker-volume-backup:test-sandbox
+    healthcheck:
+      test: ["CMD", "docker", "info"]
+      interval: 1s
+      timeout: 5s
+      retries: 50
+    volumes:
+      - ./:/code
+      - ${TARBALL:-.}:/cache/image.tar.gz
+      - docker_volume_backup_test_sandbox_image:/var/lib/docker/image
+      - docker_volume_backup_test_sandbox_overlay2:/var/lib/docker/overlay2
+
+  worker1:
+    <<: *node
+    hostname: worker1
+    profiles:
+      - multinode
+  worker2:
+    <<: *node
+    hostname: worker2
+    profiles:
+      - multinode
+
+volumes:
+  docker_volume_backup_test_sandbox_image:
+  docker_volume_backup_test_sandbox_overlay2:

test/dropbox/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   openapi_mock:
     image: muonsoft/openapi-mock:0.3.9
@@ -44,7 +42,7 @@ services:
       DROPBOX_CONCURRENCY_LEVEL: 6
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/extend/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -13,7 +11,7 @@ services:
     volumes:
       - ${LOCAL_DIR:-local}:/local
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/googledrive/credentials.json

@@ -0,0 +1,12 @@
+{
+  "type": "service_account",
+  "project_id": "dummy-project",
+  "private_key_id": "dummykeyid",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCus0CDXvrHhl6a\nLBj7onfU3vRExQQAPstSovS4x3/3BLJNbdMUjrxWnmV5I+Y/U1iw18+8I87CMJDA\n+rIG37tSQ6WYhj2d9ym31O2EgVDQJMkVack/rdXCoWYWn6o7dZcv4K5MEtwW8uWQ\n5PEw0wbK7NIHSSotB9RajzHnLFkSu2XcEThlOp+wkfpTCYGg6+uCBJcMwUBR45eJ\nBLcvifBJVpWaAdj7DcYqWSxRQxensqB5wzCTatwwxDZo3KxnXsf2XRU+C3B71e5q\nb26XTkuIe9W04pj9Fp3fM7RgPSJpElMRFnPUliRhkyppspfYJBYQlpdzDdqKGkGK\nLMDu2c8DAgMBAAECggEAARG8QQ+HJqWNF4VSKCXPO0+C8RtD/IULCNX3NhJzTO4c\nI3ezrp9mlGsUWvPAPAarHmYbgBJtU2I+EZsmse4TaWhcIyVnMm+Dpy1ECucpZoeU\nqIgWe90iW9daBiC3NtRXIlSQNVGjM0mpX8olZM924am6o5/wNh2CP+hsRayBAkqf\nZojppQxYnI+WNNqOlke0T8FoWWm1ZX1gHAJQAeiLpDG675lckP5WxK0RmmKOW/UM\nFU/D4+csMG3eJPhT/Qm3LyAB+pNGpfzHuQXD5jubUhUq2uSsH4ko23wSl0nGHXRW\nX3YhlMDbK4bZtG7YNHQTmh05l6HvEQVbxgHTQLN9gQKBgQDTDDlBQEkLLCWyjmja\nTNt6308CZWZIrWMVtlrpY7S0a6NKm0YGhnXsDGRY4UCNqfMv7xmIw0efN4x90JoX\nglOVeODWgCJHqt6Zzsl8zbEOgbBEvcUO0dMa5PdpMzqd2Y2WghDH1PcrXueMVNXO\nUdf7Rs157LXx5+NouzfGZVmBwQKBgQDT6RwjWV04cxXsCg3QJ06q6YsVeoAawtQE\nWLQ13e0Soa2sBH5TbuOkEQIXVRAVeGSlPfL7N5FsSiZz+ozIhRdTTgNAHqF/TJCf\nEuLEb32Sfw/krLon0LoHBf6GgP+lWqvG4K2YCoAJwBlyHKoQuvbxGer7quuQ29V1\nDqmRL8g5wwKBgQDC0UjU/BOxVYpi/mS6BzKfhR35F0NJGY0a0N+xDBIWbjopN5Z3\nlY2rXXEQPraJTvWnLO8EOUeXKP7ucS6dPvgLRa8/Mr7yK0Aa+TEznOixfHQLsKYE\nXRqje/MLUHfumJHD+sKkxOl5Rr015GYNc62NTjmFMEZwTN+2oQQGhy4NwQKBgBrA\n6W6FD8Hatb/RHSFUdRga2BZkGtxGEKJj2IycchvSEa0P/CroaxEBnLP5Z0hupLY/\n9fdFcrSrP+OQlEmUk/dOeBaWR2lc7z1GEx8dvErMg+Mo82+naHUOiq3Mh3oG0n0P\nTJtPaA7TE+NWPxpRoG+cCBCx6X+mYXKf4USVNcAlAoGBAMH2a8qlnU/lrXSNGcrd\na2TNVi2qDfy0fU6IVFGEydmLMB3wuUUCUcBS6n1d62FqdJY9Rf1wKVIeZgtqJbCv\nOculz64WaXP8TSVrXnqfW8rUsYSTIdV+/P8gxJ9gYGS8E8KZSW5a8yRDc0jcKGI6\nzUJ8tz0Q5jEWC4MdDm7G1XrG\n-----END PRIVATE KEY-----\n",
+  "client_email": "dummy@dummy-project.iam.gserviceaccount.com",
+  "client_id": "dummyclientid",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/dummy%40dummy-project.iam.gserviceaccount.com"
+}

test/googledrive/docker-compose.yml

@@ -0,0 +1,52 @@
+services:
+  openapi_mock:
+    image: muonsoft/openapi-mock:0.3.9
+    environment:
+      OPENAPI_MOCK_USE_EXAMPLES: if_present
+      OPENAPI_MOCK_SPECIFICATION_URL: '/etc/openapi/googledrive_v3.yaml'
+    ports:
+      - 8080:8080
+    volumes:
+      - ${SPEC_FILE:-./googledrive_v3.yaml}:/etc/openapi/googledrive_v3.yaml
+
+  oauth2_mock:
+    image: ghcr.io/navikt/mock-oauth2-server:1.0.0
+    ports:
+      - 8090:8090
+    environment:
+      PORT: 8090
+      JSON_CONFIG_PATH: '/etc/oauth2/config.json'
+    volumes:
+      - ./oauth2_config.json:/etc/oauth2/config.json
+
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    hostname: hostnametoken
+    depends_on:
+      - openapi_mock
+      - oauth2_mock
+    restart: always
+    environment:
+      BACKUP_FILENAME_EXPAND: 'true'
+      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_PRUNING_LEEWAY: 5s
+      BACKUP_PRUNING_PREFIX: test
+      GOOGLE_DRIVE_ENDPOINT: http://openapi_mock:8080
+      GOOGLE_DRIVE_TOKEN_URL: http://oauth2_mock:8090/issuer1/token
+      GOOGLE_DRIVE_CREDENTIALS_JSON_FILE: /etc/gdrive/credentials.json
+      GOOGLE_DRIVE_FOLDER_ID: "root"
+    volumes:
+      - app_data:/backup/app_data:ro
+      - ./credentials.json:/etc/gdrive/credentials.json
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/googledrive/googledrive_v3.yaml

@@ -0,0 +1,139 @@
+openapi: 3.0.1
+info:
+  title: Minimal Google Drive API Mock
+  version: 1.0.0
+  description: Minimal mock implementation of Google Drive API v3 for testing
+servers:
+  - url: /
+paths:
+  /upload/drive/v3/files:
+    post:
+      summary: Upload file to Google Drive
+      parameters:
+        - name: uploadType
+          in: query
+          schema:
+            type: string
+        - name: fields
+          in: query
+          schema:
+            type: string
+        - name: supportsAllDrives
+          in: query
+          schema:
+            type: boolean
+        - name: alt
+          in: query
+          schema:
+            type: string
+        - name: prettyPrint
+          in: query
+          schema:
+            type: boolean
+      requestBody:
+        content:
+          multipart/related:
+            schema:
+              type: string
+              format: binary
+      responses:
+        '200':
+          description: File uploaded successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  id:
+                    type: string
+                    description: "The ID of the file"
+                  name:
+                    type: string
+                    description: "The name of the file (extracted from request.metadata.name)"
+                  mimeType:
+                    type: string
+                    description: "The MIME type of the file"
+                  size:
+                    type: string
+                    description: "The size of the file in bytes"
+              examples:
+                UploadSuccess:
+                  summary: "Response when file is uploaded successfully"
+                  description: "The response includes the filename from the request metadata"
+                  value:
+                    id: "1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgvE2upms"
+                    name: "test-backup.tar.gz"
+                    mimeType: "application/gzip"
+  /files:
+    get:
+      summary: List files in Google Drive
+      parameters:
+        - name: q
+          in: query
+          schema:
+            type: string
+            description: "A query for filtering the file results"
+        - name: fields
+          in: query
+          schema:
+            type: string
+        - name: supportsAllDrives
+          in: query
+          schema:
+            type: boolean
+        - name: includeItemsFromAllDrives
+          in: query
+          schema:
+            type: boolean
+      responses:
+        '200':
+          description: Files listed successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  files:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        id:
+                          type: string
+                          description: "The ID of the file"
+                        name:
+                          type: string
+                          description: "The name of the file"
+                        mimeType:
+                          type: string
+                          description: "The MIME type of the file"
+                        createdTime:
+                          type: string
+                          description: "The time the file was created"
+              examples:
+                FilesList:
+                  value:
+                    files:
+                      - id: "1BxiMVs0XRA5nFMdKvBdBZjgmUUqptlbs74OgvE2upms"
+                        name: "test-hostnametoken.tar.gz"
+                        createdTime: "CREATED_TIME_1"
+                      - id: "jgmUUqptlbs74OgvE2upms1BxiMVs0XRA5nFMdKvBdBZ"
+                        name: "test-hostnametoken-old.tar.gz"
+                        createdTime: "CREATED_TIME_2"
+
+  /files/{fileId}:
+    delete:
+      summary: Delete a file from Google Drive
+      parameters:
+        - name: fileId
+          in: path
+          required: true
+          schema:
+            type: string
+        - name: supportsAllDrives
+          in: query
+          schema:
+            type: boolean
+      responses:
+        '204':
+          description: File deleted successfully

test/googledrive/oauth2_config.json

@@ -0,0 +1,37 @@
+{
+   "interactiveLogin": true,
+   "httpServer": "NettyWrapper",
+   "tokenCallbacks": [
+       {
+           "issuerId": "issuer1",
+           "tokenExpiry": 120,
+           "requestMappings": [
+               {
+                   "requestParam": "scope",
+                   "match": "scope1",
+                   "claims": {
+                       "sub": "subByScope",
+                       "aud": [
+                           "audByScope"
+                       ]
+                   }
+               }
+           ]
+       },
+       {
+           "issuerId": "issuer2",
+           "requestMappings": [
+               {
+                   "requestParam": "someparam",
+                   "match": "somevalue",
+                   "claims": {
+                       "sub": "subBySomeParam",
+                       "aud": [
+                           "audBySomeParam"
+                       ]
+                   }
+               }
+           ]
+       }
+   ]
+}

test/googledrive/run.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export SPEC_FILE=$(mktemp -d)/googledrive_v3.yaml
+cp googledrive_v3.yaml $SPEC_FILE
+sed -i 's/CREATED_TIME_1/'"$(date "+%Y-%m-%dT%H:%M:%SZ")/g" $SPEC_FILE
+sed -i 's/CREATED_TIME_2/'"$(date "+%Y-%m-%dT%H:%M:%SZ" -d "14 days ago")/g" $SPEC_FILE
+
+docker compose up -d --quiet-pull
+sleep 5
+
+logs=$(docker compose exec backup backup | tee /dev/stderr)
+
+sleep 5
+
+expect_running_containers "4"
+
+if echo "$logs" | grep -q "ERROR"; then
+  fail "Backup failed, check logs for error"
+else
+  pass "Backup succeeded, no errors reported."
+fi
+
+# The second part of this test checks if backups get deleted when the retention
+# is set to 0 days (which it should not as it would mean all backups get deleted)
+BACKUP_RETENTION_DAYS="0" docker compose up -d
+sleep 5
+
+logs=$(docker compose exec -T backup backup | tee /dev/stderr)
+
+if echo "$logs" | grep -q "Refusing to do so, please check your configuration"; then
+  pass "Remote backups have not been deleted."
+else
+  fail "Remote backups would have been deleted: $logs"
+fi
+
+# The third part of this test checks if old backups get deleted when the retention
+# is set to 7 days (which it should)
+BACKUP_RETENTION_DAYS="7" docker compose up -d
+sleep 5
+
+info "Create second backup and prune"
+
+logs=$(docker compose exec -T backup backup | tee /dev/stderr)
+
+if echo "$logs" | grep -q "Pruned 1 out of 2 backups as they were older"; then
+  pass "Old remote backup has been pruned, new one is still present."
+elif echo "$logs" | grep -q "ERROR"; then
+  fail "Pruning failed, errors reported: $logs"
+elif echo "$logs" | grep -q "None of 1 existing backups were pruned"; then
+  fail "Pruning failed, old backup has not been pruned: $logs"
+else
+  fail "Pruning failed, unknown result: $logs"
+fi

test/gpg-asym/docker-compose.yml

@@ -0,0 +1,25 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    environment:
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_FILENAME: test.tar.gz
+      BACKUP_LATEST_SYMLINK: test-latest.tar.gz.gpg
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      GPG_PUBLIC_KEY_RING_FILE: /keys/public_key.asc
+    volumes:
+      - ${KEY_DIR:-.}/public_key.asc:/keys/public_key.asc
+      - ${LOCAL_DIR:-./local}:/archive
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/gpg-asym/run.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+export KEY_DIR=$(mktemp -d)
+
+export PASSPHRASE="test"
+
+gpg --batch --gen-key <<EOF
+Key-Type: RSA
+Key-Length: 4096
+Name-Real: offen
+Name-Email: docker-volume-backup@local
+Expire-Date: 0
+Passphrase: $PASSPHRASE
+%commit
+EOF
+
+gpg --export --armor --batch --yes --pinentry-mode loopback --passphrase $PASSPHRASE --output $KEY_DIR/public_key.asc
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose exec backup backup
+
+expect_running_containers "2"
+
+TMP_DIR=$(mktemp -d)
+
+gpg -d --pinentry-mode loopback --yes --passphrase $PASSPHRASE "$LOCAL_DIR/test.tar.gz.gpg" > "$LOCAL_DIR/decrypted.tar.gz"
+
+tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C $TMP_DIR
+
+if [ ! -f $TMP_DIR/backup/app_data/offen.db ]; then
+  fail "Could not find expected file in untared archive."
+fi
+rm "$LOCAL_DIR/decrypted.tar.gz"
+
+pass "Found relevant files in decrypted and untared local backup."
+
+if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.gpg" ]; then
+  fail "Could not find local symlink to latest encrypted backup."
+fi

test/gpg/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -13,7 +11,7 @@ services:
     volumes:
       - ${LOCAL_DIR:-./local}:/archive
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/ignore/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}

test/local/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -15,7 +13,7 @@ services:
       BACKUP_PRUNING_PREFIX: test
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${LOCAL_DIR:-./local}:/archive
 
   offen:

test/lock/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -9,7 +7,7 @@ services:
       BACKUP_RETENTION_DAYS: '7'
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${LOCAL_DIR:-./local}:/archive
 
   offen:

test/no-restart/docker-compose.yml

@@ -0,0 +1,27 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    hostname: hostnametoken
+    restart: always
+    environment:
+      BACKUP_FILENAME_EXPAND: 'true'
+      BACKUP_FILENAME: test-$$HOSTNAME.tar.gz
+      BACKUP_LATEST_SYMLINK: test-$$HOSTNAME.latest.tar.gz.gpg
+      BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
+      BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
+      BACKUP_PRUNING_LEEWAY: 5s
+      BACKUP_PRUNING_PREFIX: test
+    volumes:
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${LOCAL_DIR:-./local}:/archive
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup-no-restart=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:

test/no-restart/run.sh

@@ -0,0 +1,76 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+docker compose up -d --quiet-pull
+sleep 5
+
+# A symlink for a known file in the volume is created so the test can check
+# whether symlinks are preserved on backup.
+docker compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
+docker compose exec backup backup
+
+sleep 5
+
+expect_running_containers "1"
+
+tmp_dir=$(mktemp -d)
+tar -xvf "$LOCAL_DIR/test-hostnametoken.tar.gz" -C $tmp_dir
+if [ ! -f "$tmp_dir/backup/app_data/offen.db" ]; then
+  fail "Could not find expected file in untared archive."
+fi
+rm -f "$LOCAL_DIR/test-hostnametoken.tar.gz"
+
+if [ ! -L "$tmp_dir/backup/app_data/db.link" ]; then
+  fail "Could not find expected symlink in untared archive."
+fi
+
+pass "Found relevant files in decrypted and untared local backup."
+
+if [ ! -L "$LOCAL_DIR/test-hostnametoken.latest.tar.gz.gpg" ]; then
+  fail "Could not find symlink to latest version."
+fi
+
+pass "Found symlink to latest version in local backup."
+
+# The second part of this test checks if backups get deleted when the retention
+# is set to 0 days (which it should not as it would mean all backups get deleted)
+BACKUP_RETENTION_DAYS="0" docker compose up -d
+sleep 5
+
+docker compose exec backup backup
+
+if [ "$(find "$LOCAL_DIR" -type f | wc -l)" != "1" ]; then
+  fail "Backups should not have been deleted, instead seen: "$(find "$local_dir" -type f)""
+fi
+pass "Local backups have not been deleted."
+
+# The third part of this test checks if old backups get deleted when the retention
+# is set to 7 days (which it should)
+
+BACKUP_RETENTION_DAYS="7" docker compose up -d
+sleep 5
+
+info "Create first backup with no prune"
+docker compose exec backup backup
+
+touch -r "$LOCAL_DIR/test-hostnametoken.tar.gz" -d "14 days ago" "$LOCAL_DIR/test-hostnametoken-old.tar.gz"
+
+info "Create second backup and prune"
+docker compose exec backup backup
+
+if [ -f "$LOCAL_DIR/test-hostnametoken-old.tar.gz" ]; then
+  fail "Backdated file has not been deleted."
+fi
+
+if [ ! -f "$LOCAL_DIR/test-hostnametoken.tar.gz" ]; then
+  fail "Recent file has been deleted."
+fi
+
+pass "Old remote backup has been pruned, new one is still present."

test/nonroot/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   minio:
     image: minio/minio:RELEASE.2020-08-04T23-10-51Z

test/notifications/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}

test/ownership/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   db:
     image: postgres:14-alpine

test/pgzip/run.sh

@@ -23,7 +23,7 @@ docker run --rm -q \
   --network test_network \
   -v app_data:/backup/app_data \
   -v $LOCAL_DIR:/archive \
-  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v /var/run/docker.sock:/var/run/docker.sock:ro \
   --env BACKUP_COMPRESSION=gz \
   --env GZIP_PARALLELISM=0 \
   --env BACKUP_FILENAME='test.{{ .Extension }}' \

test/proxy/01compose.sh

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -e
+
+cd $(dirname $0)
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+docker compose up -d --quiet-pull
+sleep 5
+
+# The default configuration in docker-compose.yml should
+# successfully create a backup.
+docker compose exec backup backup
+
+sleep 5
+
+expect_running_containers "3"
+
+if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then
+  fail "Archive was not created"
+fi
+pass "Found relevant archive file."
+
+# Disabling POST should make the backup run fail
+ALLOW_POST="0" docker compose up -d
+sleep 5
+
+set +e
+docker compose exec backup backup
+if [ $? = "0" ]; then
+  fail "Expected invocation to exit non-zero."
+fi
+set -e
+pass "Invocation exited non-zero."
+
+docker compose down --volumes

test/proxy/02swarm.sh

@@ -6,40 +6,6 @@ cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 
-export LOCAL_DIR=$(mktemp -d)
-
-docker compose up -d --quiet-pull
-sleep 5
-
-# The default configuration in docker-compose.yml should
-# successfully create a backup.
-docker compose exec backup backup
-
-sleep 5
-
-expect_running_containers "3"
-
-if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then
-  fail "Archive was not created"
-fi
-pass "Found relevant archive file."
-
-# Disabling POST should make the backup run fail
-ALLOW_POST="0" docker compose up -d
-sleep 5
-
-set +e
-docker compose exec backup backup
-if [ $? = "0" ]; then
-  fail "Expected invocation to exit non-zero."
-fi
-set -e
-pass "Invocation exited non-zero."
-
-docker compose down --volumes
-
-# Next, the test is run against a Swarm setup
-
 docker swarm init
 
 export LOCAL_DIR=$(mktemp -d)

test/proxy/docker-compose.swarm.yml

@@ -1,8 +1,6 @@
 # Copyright 2020-2021 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 
-version: '3.8'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -24,7 +22,7 @@ services:
       TASKS: ${ALLOW_TASKS:-1}
       NODES: ${ALLOW_NODES:-1}
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   pg:
     image: postgres:14-alpine

test/proxy/docker-compose.yml

@@ -1,8 +1,6 @@
 # Copyright 2020-2021 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 
-version: '3.8'
-
 services:
   backup:
     image: offen/docker-volume-backup:${TEST_VERSION:-canary}
@@ -21,7 +19,7 @@ services:
       CONTAINERS: ${ALLOW_CONTAINERS:-1}
       POST: ${ALLOW_POST:-1}
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   pg:
     image: postgres:14-alpine

test/pruning/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   minio:
     image: minio/minio:RELEASE.2020-08-04T23-10-51Z
@@ -34,7 +32,7 @@ services:
       BACKUP_SKIP_BACKENDS_FROM_PRUNE: 's3'
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
       - ${LOCAL_DIR:-./local}:/archive
 
   offen:

test/s3/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   minio:
     image: minio/minio:RELEASE.2020-08-04T23-10-51Z
@@ -32,7 +30,7 @@ services:
       BACKUP_PRUNING_PREFIX: test
     volumes:
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/secrets/docker-compose.yml

@@ -1,8 +1,6 @@
 # Copyright 2020-2021 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 
-version: '3.8'
-
 services:
   minio:
     image: minio/minio:RELEASE.2020-08-04T23-10-51Z
@@ -37,7 +35,7 @@ services:
       BACKUP_PRUNING_LEEWAY: 5s
     volumes:
       - pg_data:/backup/pg_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
     secrets:
       - minio_root_user
       - minio_root_password

test/secrets/run.sh

@@ -6,8 +6,6 @@ cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 
-docker swarm init
-
 printf "test" | docker secret create minio_root_user -
 printf "GMusLtUmILge2by+z890kQ" | docker secret create minio_root_password -
 

test/services/docker-compose.yml

@@ -1,8 +1,6 @@
 # Copyright 2020-2021 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 
-version: '3.8'
-
 services:
   minio:
     image: minio/minio:RELEASE.2020-08-04T23-10-51Z
@@ -31,7 +29,7 @@ services:
       BACKUP_PRUNING_LEEWAY: 5s
     volumes:
       - pg_data:/backup/pg_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/services/run.sh

@@ -6,8 +6,6 @@ cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 
-docker swarm init
-
 docker stack deploy --compose-file=docker-compose.yml test_stack
 
 while [ -z $(docker ps -q -f name=backup) ]; do

test/ssh/docker-compose.yml

@@ -1,5 +1,3 @@
-version: '3'
-
 services:
   ssh:
     image: linuxserver/openssh-server:version-8.6_p1-r3
@@ -32,7 +30,7 @@ services:
     volumes:
       - ${KEY_DIR:-.}/id_rsa:/root/.ssh/id_rsa
       - app_data:/backup/app_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/swarm/docker-compose.yml

@@ -1,8 +1,6 @@
 # Copyright 2020-2021 - offen.software <hioffen@posteo.de>
 # SPDX-License-Identifier: Unlicense
 
-version: '3.8'
-
 services:
   minio:
     image: minio/minio:RELEASE.2020-08-04T23-10-51Z
@@ -37,7 +35,7 @@ services:
       BACKUP_PRUNING_LEEWAY: 5s
     volumes:
       - pg_data:/backup/pg_data:ro
-      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/run/docker.sock:/var/run/docker.sock:ro
 
   offen:
     image: offen/offen:latest

test/swarm/run.sh

@@ -6,8 +6,6 @@ cd $(dirname $0)
 . ../util.sh
 current_test=$(basename $(pwd))
 
-docker swarm init
-
 docker stack deploy --compose-file=docker-compose.yml test_stack
 
 while [ -z $(docker ps -q -f name=backup) ]; do

test/tar/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    restart: always
+    environment:
+      BACKUP_FILENAME: test.{{ .Extension }}
+      BACKUP_COMPRESSION: none
+    volumes:
+      - app_data:/backup/app_data:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${LOCAL_DIR:-./local}:/archive
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data: