Wavyzz/docker-volume-backup
2
0
Fork 0
mirror of https://github.com/offen/docker-volume-backup.git synced 2025-12-05 17:18:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Wavyzz:v2.46.1
Branches Tags
Wavyzz:main Wavyzz:swap-minio Wavyzz:execution-mode Wavyzz:failure-filename Wavyzz:retention-duration Wavyzz:validate-config Wavyzz:serve-metrics Wavyzz:test-post-hook Wavyzz:header-format Wavyzz:backup-uid Wavyzz:v1
Wavyzz:v2.46.1 Wavyzz:v2.46.0 Wavyzz:v2.45.0 Wavyzz:v2.44.1 Wavyzz:v2.44.0 Wavyzz:v2.43.4 Wavyzz:v2.43.3 Wavyzz:v2.43.2 Wavyzz:v2.43.1 Wavyzz:v2.43.0 Wavyzz:v2.42.0 Wavyzz:v2.41.0 Wavyzz:v2.40.0 Wavyzz:v2.39.1 Wavyzz:v2.39.0 Wavyzz:v2.38.2 Wavyzz:v2.38.1 Wavyzz:v2.38.0 Wavyzz:v2.37.3 Wavyzz:v2.37.2 Wavyzz:v2.37.1 Wavyzz:v2.37.0 Wavyzz:v2.37.0-alpha.6 Wavyzz:v2.37.0-alpha.5 Wavyzz:v2.37.0-alpha.4 Wavyzz:v2.37.0-alpha.3 Wavyzz:v2.37.0-alpha.2 Wavyzz:v2.37.0-alpha.1 Wavyzz:v2.36.1 Wavyzz:v2.36.0 Wavyzz:v2.36.0-alpha.4 Wavyzz:v2.36.0-alpha.3 Wavyzz:v2.36.0-alpha.2 Wavyzz:v2.36.0-alpha.1 Wavyzz:v2.35.0 Wavyzz:v2.34.0 Wavyzz:v2.33.2 Wavyzz:v2.33.1 Wavyzz:v2.33.0 Wavyzz:v2.32.0 Wavyzz:v2.31.0 Wavyzz:v2.30.0 Wavyzz:v2.29.0 Wavyzz:v2.28.0 Wavyzz:v2.27.0 Wavyzz:v2.26.2 Wavyzz:v2.26.1 Wavyzz:v2.26.0 Wavyzz:v2.25.1 Wavyzz:v2.25.0 Wavyzz:v2.24.0 Wavyzz:v2.24.0-pre.1 Wavyzz:v2.23.0 Wavyzz:v2.22.2 Wavyzz:v2.22.1 Wavyzz:v2.22.0 Wavyzz:v2.21.0 Wavyzz:v2.20.0 Wavyzz:v2.19.0 Wavyzz:v2.18.0 Wavyzz:v2.17.1 Wavyzz:v2.17.0 Wavyzz:v2.16.0 Wavyzz:v2.15.3 Wavyzz:v2.15.2 Wavyzz:v2.15.1 Wavyzz:v2.15.0 Wavyzz:v2.14.1 Wavyzz:v2.14.0 Wavyzz:v2.13.0 Wavyzz:v2.12.0 Wavyzz:v2.11.2 Wavyzz:v2.11.1 Wavyzz:v2.11.0 Wavyzz:v2.10.1 Wavyzz:v2.10.0 Wavyzz:v2.9.0 Wavyzz:v2.8.0 Wavyzz:v2.7.2 Wavyzz:v2.7.1 Wavyzz:v2.7.0 Wavyzz:v2.6.0 Wavyzz:v2.5.0 Wavyzz:v2.4.0 Wavyzz:v2.3.4 Wavyzz:v2.3.3 Wavyzz:v2.3.2 Wavyzz:v2.3.1 Wavyzz:v2.3.0 Wavyzz:v2.2.0 Wavyzz:v2.1.1 Wavyzz:v2.1.0 Wavyzz:v2.0.1 Wavyzz:v2.0.1-pre Wavyzz:v2.0.0 Wavyzz:v2.0.0-rc.1 Wavyzz:v2.0.0-alpha.6 Wavyzz:v2.0.0-alpha.5 Wavyzz:v2.0.0-alpha.4 Wavyzz:v2.0.0-alpha.3 Wavyzz:v2.0.0-alpha.2 Wavyzz:v2.0.0-alpha.1 Wavyzz:v1.8.3 Wavyzz:v1.8.2 Wavyzz:v1.8.1 Wavyzz:v1.8.0 Wavyzz:v1.7.0 Wavyzz:v1.6.1 Wavyzz:v1.6.0 Wavyzz:v1.5.1 Wavyzz:v1.5.0 Wavyzz:v1.4.0 Wavyzz:v1.3.0 Wavyzz:v1.2.0 Wavyzz:v1.1.0 Wavyzz:v1.0.2 Wavyzz:v1.0.1 Wavyzz:v1.0.0 Wavyzz:v0.1.1 Wavyzz:v0.1.0
..
compare: Wavyzz:header-format
Branches Tags
Wavyzz:swap-minio Wavyzz:main Wavyzz:execution-mode Wavyzz:failure-filename Wavyzz:retention-duration Wavyzz:validate-config Wavyzz:serve-metrics Wavyzz:test-post-hook Wavyzz:header-format Wavyzz:backup-uid Wavyzz:v1
Wavyzz:v2.46.1 Wavyzz:v2.46.0 Wavyzz:v2.45.0 Wavyzz:v2.44.1 Wavyzz:v2.44.0 Wavyzz:v2.43.4 Wavyzz:v2.43.3 Wavyzz:v2.43.2 Wavyzz:v2.43.1 Wavyzz:v2.43.0 Wavyzz:v2.42.0 Wavyzz:v2.41.0 Wavyzz:v2.40.0 Wavyzz:v2.39.1 Wavyzz:v2.39.0 Wavyzz:v2.38.2 Wavyzz:v2.38.1 Wavyzz:v2.38.0 Wavyzz:v2.37.3 Wavyzz:v2.37.2 Wavyzz:v2.37.1 Wavyzz:v2.37.0 Wavyzz:v2.37.0-alpha.6 Wavyzz:v2.37.0-alpha.5 Wavyzz:v2.37.0-alpha.4 Wavyzz:v2.37.0-alpha.3 Wavyzz:v2.37.0-alpha.2 Wavyzz:v2.37.0-alpha.1 Wavyzz:v2.36.1 Wavyzz:v2.36.0 Wavyzz:v2.36.0-alpha.4 Wavyzz:v2.36.0-alpha.3 Wavyzz:v2.36.0-alpha.2 Wavyzz:v2.36.0-alpha.1 Wavyzz:v2.35.0 Wavyzz:v2.34.0 Wavyzz:v2.33.2 Wavyzz:v2.33.1 Wavyzz:v2.33.0 Wavyzz:v2.32.0 Wavyzz:v2.31.0 Wavyzz:v2.30.0 Wavyzz:v2.29.0 Wavyzz:v2.28.0 Wavyzz:v2.27.0 Wavyzz:v2.26.2 Wavyzz:v2.26.1 Wavyzz:v2.26.0 Wavyzz:v2.25.1 Wavyzz:v2.25.0 Wavyzz:v2.24.0 Wavyzz:v2.24.0-pre.1 Wavyzz:v2.23.0 Wavyzz:v2.22.2 Wavyzz:v2.22.1 Wavyzz:v2.22.0 Wavyzz:v2.21.0 Wavyzz:v2.20.0 Wavyzz:v2.19.0 Wavyzz:v2.18.0 Wavyzz:v2.17.1 Wavyzz:v2.17.0 Wavyzz:v2.16.0 Wavyzz:v2.15.3 Wavyzz:v2.15.2 Wavyzz:v2.15.1 Wavyzz:v2.15.0 Wavyzz:v2.14.1 Wavyzz:v2.14.0 Wavyzz:v2.13.0 Wavyzz:v2.12.0 Wavyzz:v2.11.2 Wavyzz:v2.11.1 Wavyzz:v2.11.0 Wavyzz:v2.10.1 Wavyzz:v2.10.0 Wavyzz:v2.9.0 Wavyzz:v2.8.0 Wavyzz:v2.7.2 Wavyzz:v2.7.1 Wavyzz:v2.7.0 Wavyzz:v2.6.0 Wavyzz:v2.5.0 Wavyzz:v2.4.0 Wavyzz:v2.3.4 Wavyzz:v2.3.3 Wavyzz:v2.3.2 Wavyzz:v2.3.1 Wavyzz:v2.3.0 Wavyzz:v2.2.0 Wavyzz:v2.1.1 Wavyzz:v2.1.0 Wavyzz:v2.0.1 Wavyzz:v2.0.1-pre Wavyzz:v2.0.0 Wavyzz:v2.0.0-rc.1 Wavyzz:v2.0.0-alpha.6 Wavyzz:v2.0.0-alpha.5 Wavyzz:v2.0.0-alpha.4 Wavyzz:v2.0.0-alpha.3 Wavyzz:v2.0.0-alpha.2 Wavyzz:v2.0.0-alpha.1 Wavyzz:v1.8.3 Wavyzz:v1.8.2 Wavyzz:v1.8.1 Wavyzz:v1.8.0 Wavyzz:v1.7.0 Wavyzz:v1.6.1 Wavyzz:v1.6.0 Wavyzz:v1.5.1 Wavyzz:v1.5.0 Wavyzz:v1.4.0 Wavyzz:v1.3.0 Wavyzz:v1.2.0 Wavyzz:v1.1.0 Wavyzz:v1.0.2 Wavyzz:v1.0.1 Wavyzz:v1.0.0 Wavyzz:v0.1.1 Wavyzz:v0.1.0

2 Commits
v2.46.1 ... header-for

Author SHA1 Message Date
Frederik Ring
8caac8724c Add documentation for header format option 2022-04-19 21:21:23 +02:00
Frederik Ring
9eda23e512 Make header format for created tar archive configurable 2022-04-19 21:11:29 +02:00
185 changed files with 2968 additions and 22283 deletions
Expand all files Collapse all files

72
.circleci/config.yml Normal file
View File

@@ -0,0 +1,72 @@
version: 2.1
jobs:
canary:
machine:
image: ubuntu-2004:202201-02
working_directory: ~/docker-volume-backup
steps:
- checkout
- run:
name: Build
command: |
docker build . -t offen/docker-volume-backup:canary
- run:
name: Install gnupg
command: |
sudo apt-get install -y gnupg
- run:
name: Run tests
working_directory: ~/docker-volume-backup/test
command: |
export GPG_TTY=$(tty)
./test.sh canary
build:
docker:
- image: cimg/base:2020.06
environment:
DOCKER_BUILDKIT: '1'
DOCKER_CLI_EXPERIMENTAL: enabled
working_directory: ~/docker-volume-backup
steps:
- checkout
- setup_remote_docker:
version: 20.10.6
- docker/install-docker-credential-helper
- docker/configure-docker-credentials-store
- run:
name: Push to Docker Hub
command: |
echo "$DOCKER_ACCESSTOKEN" | docker login --username offen --password-stdin
# This is required for building ARM: https://gitlab.alpinelinux.org/alpine/aports/-/issues/12406
docker run --rm --privileged linuxkit/binfmt:v0.8
docker context create docker-volume-backup
docker buildx create docker-volume-backup --name docker-volume-backup --use
docker buildx inspect --bootstrap
tag_args="-t offen/docker-volume-backup:$CIRCLE_TAG"
if [[ "$CIRCLE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
# prerelease tags like `v2.0.0-alpha.1` should not be released as `latest`
tag_args="$tag_args -t offen/docker-volume-backup:latest"
tag_args="$tag_args -t offen/docker-volume-backup:$(echo "$CIRCLE_TAG" | cut -d. -f1)"
fi
docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
$tag_args . --push
workflows:
version: 2
docker_image:
jobs:
- canary:
filters:
tags:
ignore: /^v.*/
- build:
filters:
branches:
ignore: /.*/
tags:
only: /^v.*/
orbs:
docker: circleci/docker@1.0.1

6
.dockerignore
View File

@@ -1,7 +1 @@
test
.github
.circleci
docs
.editorconfig
LICENSE
README.md

20
.github/ISSUE_TEMPLATE.md vendored Normal file
View File

@@ -0,0 +1,20 @@
* **I'm submitting a ...**
- [ ] bug report
- [ ] feature request
- [ ] support request
* **What is the current behavior?**
* **If the current behavior is a bug, please provide the configuration and steps to reproduce and if possible a minimal demo of the problem.**
* **What is the expected behavior?**
* **What is the motivation / use case for changing the behavior?**
* **Please tell us about your environment:**
- Image version:
- Docker version:
- docker-compose version:
* **Other information** (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. stackoverflow, etc)

34
.github/ISSUE_TEMPLATE/bug_report.md vendored
View File

@@ -1,34 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Describe the bug**
<!--
A clear and concise description of what the bug is.
-->
**To Reproduce**
Steps to reproduce the behavior:
1. ...
2. ...
3. ...
**Expected behavior**
<!--
A clear and concise description of what you expected to happen.
-->
**Version (please complete the following information):**
- Image Version: <!-- e.g. v2.21.0 -->
- Docker Version: <!-- e.g. 20.10.17 -->
- Docker Compose Version (if applicable): <!-- e.g. 1.29.2 -->
**Additional context**
<!--
Add any other context about the problem here.
-->

28
.github/ISSUE_TEMPLATE/feature_request.md vendored
View File

@@ -1,28 +0,0 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
<!--
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-->
**Describe the solution you'd like**
<!--
A clear and concise description of what you want to happen.
-->
**Describe alternatives you've considered**
<!--
A clear and concise description of any alternative solutions or features you've considered.
-->
**Additional context**
<!--
Add any other context or screenshots about the feature request here.
-->

28
.github/ISSUE_TEMPLATE/support_request.md vendored
View File

@@ -1,28 +0,0 @@
---
name: Support request
about: Ask for help
title: ''
labels: ''
assignees: ''
---
**What are you trying to do?**
<!--
A clear and concise description of what you are trying to do, but cannot get working.
-->
**What is your current configuration?**
<!--
Add the full configuration you are using. Please redact out any real-world credentials.
-->
**Log output**
<!--
Provide the full log output of your setup.
-->
**Additional context**
<!--
Add any other context or screenshots about the support request here.
-->

10
.github/dependabot.yml vendored
View File

@@ -1,10 +0,0 @@
version: 2
updates:
- package-ecosystem: docker
directory: /
schedule:
interval: weekly
- package-ecosystem: gomod
directory: /
schedule:
interval: weekly

55
.github/workflows/deploy-docs.yml vendored
View File

@@ -1,55 +0,0 @@
name: Deploy Documenation site to GitHub Pages
on:
push:
branches: ['main']
paths:
- 'docs/**'
- '.github/workflows/deploy-docs.yml'
workflow_dispatch:
permissions:
contents: read
pages: write
id-token: write
concurrency:
group: 'pages'
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '3.2'
bundler-cache: true
cache-version: 0
working-directory: docs
- name: Setup Pages
id: pages
uses: actions/configure-pages@v2
- name: Build with Jekyll
working-directory: docs
run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
env:
JEKYLL_ENV: production
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
with:
path: 'docs/_site/'
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
needs: build
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4

25
.github/workflows/golangci-lint.yml vendored
View File

@@ -1,25 +0,0 @@
name: Run Linters
on:
push:
branches:
- main
pull_request:
permissions:
contents: read
pull-requests: read
jobs:
golangci:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/setup-go@v6
with:
go-version: '1.25'
- name: golangci-lint
uses: golangci/golangci-lint-action@v8
with:
version: v2.4
args: --timeout 5m

92
.github/workflows/release.yml vendored
View File

@@ -1,92 +0,0 @@
name: Release Docker Image
on:
push:
tags: v**
jobs:
push_to_registries:
name: Push Docker image to multiple registries
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: set Environment Variables
id: env
run: |
echo "NOW=$(date +'%F %Z %T')" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
# list of Docker images to use as base name for tags
images: |
offen/docker-volume-backup
ghcr.io/offen/docker-volume-backup
# define global behaviour for tags
flavor: |
latest=false
# specify one tag which never gets set, to prevent the tag-attribute being empty, as it will fallback to a default
tags: |
# output v2.42.1-alpha.1 (incl. pre-releases)
type=semver,pattern=v{{version}},enable=false
labels: |
org.opencontainers.image.title=${{github.event.repository.name}}
org.opencontainers.image.description=Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox or SSH compatible storage
org.opencontainers.image.vendor=${{github.repository_owner}}
org.opencontainers.image.licenses=MPL-2.0
org.opencontainers.image.version=${{github.ref_name}}
org.opencontainers.image.created=${{ env.NOW }}
org.opencontainers.image.source=${{github.server_url}}/${{github.repository}}
org.opencontainers.image.revision=${{github.sha}}
org.opencontainers.image.url=https://offen.github.io/docker-volume-backup/
org.opencontainers.image.documentation=https://offen.github.io/docker-volume-backup/
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Log in to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Log in to GHCR
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker tags
id: tags
run: |
version_tag="${{github.ref_name}}"
tags=($version_tag)
if [[ "$version_tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
# prerelease tags like `v2.0.0-alpha.1` should not be released as `latest` nor `v2`
tags+=("latest")
tags+=($(echo "$version_tag" | cut -d. -f1))
fi
releases=""
for tag in "${tags[@]}"; do
releases="${releases:+$releases,}offen/docker-volume-backup:$tag,ghcr.io/offen/docker-volume-backup:$tag"
done
echo "releases=$releases" >> "$GITHUB_OUTPUT"
- name: Build and push Docker images
uses: docker/build-push-action@v5
with:
context: .
push: true
platforms: linux/amd64,linux/arm64,linux/arm/v7
tags: ${{ steps.tags.outputs.releases }}
labels: ${{ steps.meta.outputs.labels }}

21
.github/workflows/test.yml vendored
View File

@@ -1,21 +0,0 @@
name: Run Integration Tests
on:
push:
branches:
- main
pull_request:
jobs:
test:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Run Tests
working-directory: ./test
run: |
BUILD_IMAGE=1 ./test.sh

21
.github/workflows/unit.yml vendored
View File

@@ -1,21 +0,0 @@
name: Run Unit Tests
on:
push:
branches:
- main
pull_request:
jobs:
build:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v4
with:
go-version: '1.25.x'
- name: Install dependencies
run: go mod download
- name: Test with the Go CLI
run: go test -v ./...

7
.golangci.yml
View File

@@ -1,7 +0,0 @@
version: '2'
linters:
# Enable specific linter
# https://golangci-lint.run/usage/linters/#enabled-by-default
enable:
- staticcheck
- govet

17
Dockerfile
View File

@@ -1,21 +1,24 @@
# Copyright 2022 - offen.software <hioffen@posteo.de>
# Copyright 2021 - Offen Authors <hioffen@posteo.de>
# SPDX-License-Identifier: MPL-2.0
FROM golang:1.25-alpine AS builder
FROM golang:1.18-alpine as builder
WORKDIR /app
COPY . .
COPY go.mod go.sum ./
RUN go mod download
COPY cmd/backup ./cmd/backup/
WORKDIR /app/cmd/backup
RUN go build -o backup .
FROM alpine:3.22
FROM alpine:3.15
WORKDIR /root
RUN apk add --no-cache ca-certificates && \
chmod a+rw /var/lock
RUN apk add --no-cache ca-certificates
COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
ENTRYPOINT ["/usr/bin/backup", "-foreground"]
COPY ./entrypoint.sh /root/
RUN chmod +x entrypoint.sh
ENTRYPOINT ["/root/entrypoint.sh"]

971
README.md
View File

@@ -1,22 +1,57 @@
<a href="https://www.offen.software/">
<img src="https://offen.github.io/press-kit/avatars/avatar-OS-header.svg" alt="offen.software logo" title="offen.software" width="60px"/>
<a href="https://www.offen.dev/">
<img src="https://offen.github.io/press-kit/offen-material/gfx-GitHub-Offen-logo.svg" alt="Offen logo" title="Offen" width="150px"/>
</a>
# docker-volume-backup
Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage.
Backup Docker volumes locally or to any S3 compatible storage.
The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 25MB) companion container to an existing Docker setup.
It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) sidecar container to an existing Docker setup.
It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3 or WebDAV compatible storage (or any combination) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for failed backup runs__.
Documentation is found at <https://offen.github.io/docker-volume-backup>
- [Quickstart](https://offen.github.io/docker-volume-backup)
- [Configuration Reference](https://offen.github.io/docker-volume-backup/reference/)
- [How Tos](https://offen.github.io/docker-volume-backup/how-tos/)
- [Recipes](https://offen.github.io/docker-volume-backup/recipes/)
<!-- MarkdownTOC -->
- [Quickstart](#quickstart)
- [Recurring backups in a compose setup](#recurring-backups-in-a-compose-setup)
- [One-off backups using Docker CLI](#one-off-backups-using-docker-cli)
- [Configuration reference](#configuration-reference)
- [How to](#how-to)
- [Stop containers during backup](#stop-containers-during-backup)
- [Automatically pruning old backups](#automatically-pruning-old-backups)
- [Send email notifications on failed backup runs](#send-email-notifications-on-failed-backup-runs)
- [Customize notifications](#customize-notifications)
- [Run custom commands before / after backup](#run-custom-commands-before--after-backup)
- [Encrypting your backup using GPG](#encrypting-your-backup-using-gpg)
- [Restoring a volume from a backup](#restoring-a-volume-from-a-backup)
- [Set the timezone the container runs in](#set-the-timezone-the-container-runs-in)
- [Using with Docker Swarm](#using-with-docker-swarm)
- [Manually triggering a backup](#manually-triggering-a-backup)
- [Update deprecated email configuration](#update-deprecated-email-configuration)
- [Replace deprecated `BACKUP_FROM_SNAPSHOT` usage](#replace-deprecated-backup_from_snapshot-usage)
- [Using a custom Docker host](#using-a-custom-docker-host)
- [Run multiple backup schedules in the same container](#run-multiple-backup-schedules-in-the-same-container)
- [Recipes](#recipes)
- [Backing up to AWS S3](#backing-up-to-aws-s3)
- [Backing up to Filebase](#backing-up-to-filebase)
- [Backing up to MinIO](#backing-up-to-minio)
- [Backing up to WebDAV](#backing-up-to-webdav)
- [Backing up locally](#backing-up-locally)
- [Backing up to AWS S3 as well as locally](#backing-up-to-aws-s3-as-well-as-locally)
- [Running on a custom cron schedule](#running-on-a-custom-cron-schedule)
- [Rotating away backups that are older than 7 days](#rotating-away-backups-that-are-older-than-7-days)
- [Encrypting your backups using GPG](#encrypting-your-backups-using-gpg)
- [Using mysqldump to prepare the backup](#using-mysqldump-to-prepare-the-backup)
- [Running multiple instances in the same setup](#running-multiple-instances-in-the-same-setup)
- [Differences to `futurice/docker-volume-backup`](#differences-to-futuricedocker-volume-backup)
<!-- /MarkdownTOC -->
---
Code and documentation for `v1` versions are found on [this branch][v1-branch].
[v1-branch]: https://github.com/offen/docker-volume-backup/tree/v1
## Quickstart
### Recurring backups in a compose setup
@@ -24,6 +59,8 @@ Documentation is found at <https://offen.github.io/docker-volume-backup>
Add a `backup` service to your compose setup and mount the volumes you would like to see backed up:
```yml
version: '3'
services:
volume-consumer:
build:
@@ -74,13 +111,917 @@ docker run --rm \
offen/docker-volume-backup:v2
```
Alternatively, pass a `--env-file` in order to use a full config as described [in the docs](https://offen.github.io/docker-volume-backup/reference/).
Alternatively, pass a `--env-file` in order to use a full config as described below.
### Looking for help?
## Configuration reference
In case your are looking for help or guidance on how to incorporate docker-volume-backup into your existing setup, consider [becoming a sponsor](https://github.com/sponsors/offen?frequency=one-time) and book a one hour consulting session.
Backup targets, schedule and retention are configured in environment variables.
You can populate below template according to your requirements and use it as your `env_file`:
```ini
########### BACKUP SCHEDULE
# Backups run on the given cron schedule in `busybox` flavor. If no
# value is set, `@daily` will be used. If you do not want the cron
# to ever run, use `0 0 5 31 2 ?`.
# BACKUP_CRON_EXPRESSION="0 2 * * *"
# The name of the backup file including the `.tar.gz` extension.
# Format verbs will be replaced as in `strftime`. Omitting them
# will result in the same filename for every backup run, which means previous
# versions will be overwritten on subsequent runs. The default results
# in filenames like `backup-2021-08-29T04-00-00.tar.gz`.
# BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.tar.gz"
# Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
# placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
# BACKUP_PRUNING_PREFIX that will get expanded at runtime,
# e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before
# interpolating strftime tokens. It is disabled by default.
# Please note that you will need to escape the `$` when providing the value
# in a docker-compose.yml file, i.e. using $$VAR instead of $VAR.
# BACKUP_FILENAME_EXPAND="true"
# When storing local backups, a symlink to the latest backup can be created
# in case a value is given for this key. This has no effect on remote backups.
# BACKUP_LATEST_SYMLINK="backup.latest.tar.gz"
# ************************************************************************
# The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
# in the next major version. Please use exec-pre and exec-post
# as documented below instead.
# ************************************************************************
# Whether to copy the content of backup folder before creating the tar archive.
# In the rare scenario where the content of the source backup volume is continously
# updating, but we do not wish to stop the container while performing the backup,
# this setting can be used to ensure the integrity of the tar.gz file.
# BACKUP_FROM_SNAPSHOT="false"
# By default, the `/backup` directory inside the container will be backed up.
# In case you need to use a custom location, set `BACKUP_SOURCES`.
# BACKUP_SOURCES="/other/location"
########### BACKUP STORAGE
# The name of the remote bucket that should be used for storing backups. If
# this is not set, no remote backups will be stored.
# AWS_S3_BUCKET_NAME="backup-bucket"
# If you want to store the backup in a non-root location on your bucket
# you can provide a path. The path must not contain a leading slash.
# AWS_S3_PATH="my/backup/location"
# Define credentials for authenticating against the backup storage and a bucket
# name. Although all of these keys are `AWS`-prefixed, the setup can be used
# with any S3 compatible storage.
# AWS_ACCESS_KEY_ID="<xxx>"
# AWS_SECRET_ACCESS_KEY="<xxx>"
# Instead of providing static credentials, you can also use IAM instance profiles
# or similar to provide authentication. Some possible configuration options on AWS:
# - EC2: http://169.254.169.254
# - ECS: http://169.254.170.2
# AWS_IAM_ROLE_ENDPOINT="http://169.254.169.254"
# This is the FQDN of your storage server, e.g. `storage.example.com`.
# Do not set this when working against AWS S3 (the default value is
# `s3.amazonaws.com`). If you need to set a specific (non-https) protocol, you
# will need to use the option below.
# AWS_ENDPOINT="storage.example.com"
# The protocol to be used when communicating with your storage server.
# Defaults to "https". You can set this to "http" when communicating with
# a different Docker container on the same host for example.
# AWS_ENDPOINT_PROTO="https"
# Setting this variable to `true` will disable verification of
# SSL certificates. You shouldn't use this unless you use self-signed
# certificates for your remote storage backend. This can only be used
# when AWS_ENDPOINT_PROTO is set to `https`.
# AWS_ENDPOINT_INSECURE="true"
# You can also backup files to any WebDAV server:
# The URL of the remote WebDAV server
# WEBDAV_URL="https://webdav.example.com"
# The Directory to place the backups to on the WebDAV server.
# If the path is not present on the server it will be created.
# WEBDAV_PATH="/my/directory/"
# The username for the WebDAV server
# WEBDAV_USERNAME="user"
# The password for the WebDAV server
# WEBDAV_PASSWORD="password"
# In addition to storing backups remotely, you can also keep local copies.
# Pass a container-local path to store your backups if needed. You also need to
# mount a local folder or Docker volume into that location (`/archive`
# by default) when running the container. In case the specified directory does
# not exist (nothing is mounted) in the container when the backup is running,
# local backups will be skipped. Local paths are also be subject to pruning of
# old backups as defined below.
# BACKUP_ARCHIVE="/archive"
########### BACKUP PRUNING
# **IMPORTANT, PLEASE READ THIS BEFORE USING THIS FEATURE**:
# The mechanism used for pruning old backups is not very sophisticated
# and applies its rules to **all files in the target directory** by default,
# which means that if you are storing your backups next to other files,
# these might become subject to deletion too. When using this option
# make sure the backup files are stored in a directory used exclusively
# for such files, or to configure BACKUP_PRUNING_PREFIX to limit
# removal to certain files.
# Define this value to enable automatic rotation of old backups. The value
# declares the number of days for which a backup is kept.
# BACKUP_RETENTION_DAYS="7"
# In case the duration a backup takes fluctuates noticeably in your setup
# you can adjust this setting to make sure there are no race conditions
# between the backup finishing and the rotation not deleting backups that
# sit on the edge of the time window. Set this value to a duration
# that is expected to be bigger than the maximum difference of backups.
# Valid values have a suffix of (s)econds, (m)inutes or (h)ours. By default,
# one minute is used.
# BACKUP_PRUNING_LEEWAY="1m"
# In case your target bucket or directory contains other files than the ones
# managed by this container, you can limit the scope of rotation by setting
# a prefix value. This would usually be the non-parametrized part of your
# BACKUP_FILENAME. E.g. if BACKUP_FILENAME is `db-backup-%Y-%m-%dT%H-%M-%S.tar.gz`,
# you can set BACKUP_PRUNING_PREFIX to `db-backup-` and make sure
# unrelated files are not affected by the rotation mechanism.
# BACKUP_PRUNING_PREFIX="backup-"
########### BACKUP ENCRYPTION
# Backups can be encrypted using gpg in case a passphrase is given.
# GPG_PASSPHRASE="<xxx>"
########### STOPPING CONTAINERS DURING BACKUP
# Containers can be stopped by applying a
# `docker-volume-backup.stop-during-backup` label. By default, all containers
# that are labeled with `true` will be stopped. If you need more fine grained
# control (e.g. when running multiple containers based on this image), you can
# override this default by specifying a different value here.
# BACKUP_STOP_CONTAINER_LABEL="service1"
########### EXECUTING COMMANDS IN CONTAINERS PRE/POST BACKUP
# It is possible to define commands to be run in any container before and after
# a backup is conducted. The commands themselves are defined in labels like
# `docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump [options] > dump.sql'.
# Several options exist for controlling this feature:
# By default, any output of such a command is suppressed. If this value
# is configured to be "true", command execution output will be forwarded to
# the backup container's stdout and stderr.
# EXEC_FORWARD_OUTPUT="true"
# Without any further configuration, all commands defined in labels will be
# run before and after a backup. If you need more fine grained control, you
# can use this option to set a label that will be used for narrowing down
# the set of eligible containers. When set, an eligible container will also need
# to be labeled as `docker-volume-backup.exec-label=database`.
# EXEC_LABEL="database"
########### NOTIFICATIONS
# Notifications (email, Slack, etc.) can be sent out when a backup run finishes.
# Configuration is provided as a comma-separated list of URLs as consumed
# by `shoutrrr`: https://containrrr.dev/shoutrrr/v0.5/services/overview/
# The content of such notifications can be customized. Dedicated documentation
# on how to do this can be found in the README. When providing multiple URLs or
# an URL that contains a comma, the values can be URL encoded to avoid ambiguities.
# The below URL demonstrates how to send an email using the provided SMTP
# configuration and credentials.
# NOTIFICATION_URLS=smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com
# By default, notifications would only be sent out when a backup run fails
# To receive notifications for every run, set `NOTIFICATION_LEVEL` to `info`
# instead of the default `error`.
# NOTIFICATION_LEVEL="error"
########### DOCKER HOST
# If you are interfacing with Docker via TCP you can set the Docker host here
# instead of mounting the Docker socket as a volume. This is unset by default.
# DOCKER_HOST="tcp://docker_socket_proxy:2375"
########### LOCK_TIMEOUT
# In the case of overlapping cron schedules run by the same container,
# subsequent invocations will wait for previous runs to finish before starting.
# By default, this will time out and fail in case the lock could not be acquired
# after 60 minutes. In case you need to adjust this timeout, supply a duration
# value as per https://pkg.go.dev/time#ParseDuration to `LOCK_TIMEOUT`
# LOCK_TIMEOUT="60m"
########### HEADER FORMAT USED BY THE TAR ARCHIVE
# By default, tar archive creation will pick a header format that is appropriate
# for the archive's contents. In case you have special requirements or need to
# work with tools that do not support all standard header formats, you can use
# this option to enforce a certain header format. Valid options are "USTAR",
# "PAX" and "GNU". Be aware that setting this value might create situations where
# it's not possible to encode the information about a certain file, making the
# backup fail.
# In case no value is set, an appropriate format will be selected for each file.
# TAR_ARCHIVE_HEADER_FORMAT="USTAR"
########### EMAIL NOTIFICATIONS
# ************************************************************************
# Providing notification configuration like this has been deprecated
# and will be removed in the next major version. Please use NOTIFICATION_URLS
# as documented above instead.
# ************************************************************************
# In case SMTP credentials are provided, notification emails can be sent out when
# a backup run finished. These emails will contain the start time, the error
# message on failure and all prior log output.
# The recipient(s) of the notification. Supply a comma separated list
# of adresses if you want to notify multiple recipients. If this is
# not set, no emails will be sent.
# EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
# The "From" header of the sent email. Defaults to `noreply@nohost`.
# EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
# Configuration and credentials for the SMTP server to be used.
# EMAIL_SMTP_PORT defaults to 587.
# EMAIL_SMTP_HOST="posteo.de"
# EMAIL_SMTP_PASSWORD="<xxx>"
# EMAIL_SMTP_USERNAME="no-reply@example.com"
# EMAIL_SMTP_PORT="<port>"
```
In case you encouter double quoted values in your configuration you might be running an [older version of `docker-compose`].
You can work around this by either updating `docker-compose` or unquoting your configuration values.
[compose-issue]: https://github.com/docker/compose/issues/2854
## How to
### Stop containers during backup
In many cases, it will be desirable to stop the services that are consuming the volume you want to backup in order to ensure data integrity.
This image can automatically stop and restart containers and services (in case you are running Docker in Swarm mode).
By default, any container that is labeled `docker-volume-backup.stop-during-backup=true` will be stopped before the backup is being taken and restarted once it has finished.
In case you need more fine grained control about which containers should be stopped (e.g. when backing up multiple volumes on different schedules), you can set the `BACKUP_STOP_CONTAINER_LABEL` environment variable and then use the same value for labeling:
```yml
version: '3'
services:
app:
# definition for app ...
labels:
- docker-volume-backup.stop-during-backup=service1
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_STOP_CONTAINER_LABEL: service1
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Automatically pruning old backups
When `BACKUP_RETENTION_DAYS` is configured, the image will check if there are any backups in the remote bucket or local archive that are older than the given retention value and rotate these backups away.
Be aware that this mechanism looks at __all files in the target bucket or archive__, which means that other files that are older than the given deadline are deleted as well. In case you need to use a target that cannot be used exclusively for your backups, you can configure `BACKUP_PRUNING_PREFIX` to limit which files are considered eligible for deletion:
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
BACKUP_PRUNING_PREFIX: backup-
BACKUP_RETENTION_DAYS: 7
volumes:
- ${HOME}/backups:/archive
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Send email notifications on failed backup runs
To send out email notifications on failed backup runs, provide SMTP credentials, a sender and a recipient:
```yml
version: '3'
services:
backup:
image: offen/docker-volume-backup:v2
environment:
# ... other configuration values go here
NOTIFICATION_URLS=smtp://me:secret@smtp.example.com:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
```
Notification backends other than email are also supported.
Refer to the documentation of [shoutrrr][shoutrrr-docs] to find out about options and configuration.
[shoutrrr-docs]: https://containrrr.dev/shoutrrr/v0.5/services/overview/
### Customize notifications
The title and body of the notifications can be easily tailored to your needs using [go templates](https://pkg.go.dev/text/template).
Templates must be mounted inside the container in `/etc/dockervolumebackup/notifications.d/`: any file inside this directory will be parsed.
The files have to define [nested templates](https://pkg.go.dev/text/template#hdr-Nested_template_definitions) in order to override the original values. An example:
```
{{ define "title_success" -}}
✅ Successfully ran backup {{ .Config.BackupStopContainerLabel }}
{{- end }}
{{ define "body_success" -}}
▶️ Start time: {{ .Stats.StartTime | formatTime }}
⏹️ End time: {{ .Stats.EndTime | formatTime }}
⌛ Took time: {{ .Stats.TookTime }}
🛑 Stopped containers: {{ .Stats.Containers.Stopped }}/{{ .Stats.Containers.All }} ({{ .Stats.Containers.StopErrors }} errors)
⚖️ Backup size: {{ .Stats.BackupFile.Size | formatBytesBin }} / {{ .Stats.BackupFile.Size | formatBytesDec }}
🗑️ Pruned backups: {{ .Stats.Storages.Local.Pruned }}/{{ .Stats.Storages.Local.Total }} ({{ .Stats.Storages.Local.PruneErrors }} errors)
{{- end }}
```
Overridable template names are: `title_success`, `body_success`, `title_failure`, `body_failure`.
For a full list of available variables and functions, see [this page](https://github.com/offen/docker-volume-backup/blob/master/docs/NOTIFICATION-TEMPLATES.md).
### Run custom commands before / after backup
In certain scenarios it can be required to run specific commands before and after a backup is taken (e.g. dumping a database).
When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container.
Such commands are defined by specifying the command in a `docker-volume-backup.exec-[pre|post]` label.
Taking a database dump using `mysqldump` would look like this:
```yml
version: '3'
services:
# ... define other services using the `data` volume here
database:
image: mariadb
volumes:
- backup_data:/tmp/backups
labels:
- docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump --all-databases > /backups/dump.sql'
volumes:
backup_data:
```
Due to Docker limitations, you currently cannot use any kind of redirection in these commands unless you pass the command to `/bin/sh -c` or similar.
I.e. instead of using `echo "ok" > ok.txt` you will need to use `/bin/sh -c 'echo "ok" > ok.txt'`.
If you need fine grained control about which container's commands are run, you can use the `EXEC_LABEL` configuration on your `docker-volume-backup` container:
```yml
version: '3'
services:
database:
image: mariadb
volumes:
- backup_data:/tmp/backups
labels:
- docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump --all-databases > /tmp/volume/dump.sql'
- docker-volume-backup.exec-label=database
backup:
image: offen/docker-volume-backup:v2
environment:
EXEC_LABEL: database
volumes:
- data:/backup/dump:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
backup_data:
```
The backup procedure is guaranteed to wait for all `pre` commands to finish.
However there are no guarantees about the order in which they are run, which could also happen concurrently.
### Encrypting your backup using GPG
The image supports encrypting backups using GPG out of the box.
In case a `GPG_PASSPHRASE` environment variable is set, the backup will be encrypted using the given key and saved as a `.gpg` file instead.
Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
```console
gpg -o backup.tar.gz -d backup.tar.gz.gpg
```
### Restoring a volume from a backup
In case you need to restore a volume from a backup, the most straight forward procedure to do so would be:
- Stop the container(s) that are using the volume
- Untar the backup you want to restore
```console
tar -C /tmp -xvf backup.tar.gz
```
- Using a temporary once-off container, mount the volume (the example assumes it's named `data`) and copy over the backup. Make sure you copy the correct path level (this depends on how you mount your volume into the backup container), you might need to strip some leading elements
```console
docker run -d --name temp_restore_container -v data:/backup_restore alpine
docker cp /tmp/backup/data-backup temp_restore_container:/backup_restore
docker stop temp_restore_container
docker rm temp_restore_container
```
- Restart the container(s) that are using the volume
Depending on your setup and the application(s) you are running, this might involve other steps to be taken still.
---
Copyright &copy; 2024 <a target="_blank" href="https://www.offen.software">offen.software</a> and contributors.
Distributed under the <a href="https://github.com/offen/docker-volume-backup/tree/main/LICENSE">MPL-2.0 License</a>.
If you want to rollback an entire volume to an earlier backup snapshot (recommended for database volumes):
- Trigger a manual backup if necessary (see `Manually triggering a backup`).
- Stop the container(s) that are using the volume.
- If volume was initially created using docker-compose, find out exact volume name using:
```console
docker volume ls
```
- Remove existing volume (the example assumes it's named `data`):
```console
docker volume rm data
```
- Create new volume with the same name and restore a snapshot:
```console
docker run --rm -it -v data:/backup/my-app-backup -v /path/to/local_backups:/archive:ro alpine tar -xvzf /archive/full_backup_filename.tar.gz
```
- Restart the container(s) that are using the volume.
### Set the timezone the container runs in
By default a container based on this image will run in the UTC timezone.
As the image is designed to be as small as possible, additional timezone data is not included.
In case you want to run your cron rules in your local timezone (respecting DST and similar), you can mount your Docker host's `/etc/timezone` and `/etc/localtime` in read-only mode:
```yml
version: '3'
services:
backup:
image: offen/docker-volume-backup:v2
volumes:
- data:/backup/my-app-backup:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
volumes:
data:
```
### Using with Docker Swarm
By default, Docker Swarm will restart stopped containers automatically, even when manually stopped.
If you plan to have your containers / services stopped during backup, this means you need to apply the `on-failure` restart policy to your service's definitions.
A restart policy of `always` is not compatible with this tool.
---
When running in Swarm mode, it's also advised to set a hard memory limit on your service (~25MB should be enough in most cases, but if you backup large files above half a gigabyte or similar, you might have to raise this in case the backup exits with `Killed`):
```yml
services:
backup:
image: offen/docker-volume-backup:v2
deployment:
resources:
limits:
memory: 25M
```
### Manually triggering a backup
You can manually trigger a backup run outside of the defined cron schedule by executing the `backup` command inside the container:
```
docker exec <container_ref> backup
```
### Update deprecated email configuration
Starting with version 2.6.0, configuring email notifications using `EMAIL_*` keys has been deprecated.
Instead of providing multiple values using multiple keys, you can now provide a single URL for `NOTIFICATION_URLS`.
Before:
```ini
EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
EMAIL_SMTP_HOST="posteo.de"
EMAIL_SMTP_PASSWORD="secret"
EMAIL_SMTP_USERNAME="me"
EMAIL_SMTP_PORT="587"
```
After:
```ini
NOTIFICATION_URLS=smtp://me:secret@posteo.de:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
```
### Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprecated.
If you need to prepare your sources before the backup is taken, use `exec-pre`, `exec-post` and an intermediate volume:
```yml
version: '3'
services:
my_app:
build: .
volumes:
- data:/var/my_app
- backup:/tmp/backup
labels:
- docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
- docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
backup:
image: offen/docker-volume-backup:latest
environment:
BACKUP_SOURCES: /tmp/backup
volumes:
- backup:/backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
backup:
```
### Using a custom Docker host
If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL.
```ini
DOCKER_HOST=tcp://docker_socket_proxy:2375
```
In case you are using a socket proxy, it must support `GET` and `POST` requests to the `/containers` endpoint. If you are using Docker Swarm, it must also support the `/services` endpoint. If you are using pre/post backup commands, it must also support the `/exec` endpoint.
### Run multiple backup schedules in the same container
Multiple backup schedules with different configuration can be configured by mounting an arbitrary number of configuration files (using the `.env` format) into `/etc/dockervolumebackup/conf.d`:
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./configuration:/etc/dockervolumebackup/conf.d
volumes:
data:
```
A separate cronjob will be created for each config file.
If a configuration value is set both in the global environment as well as in the config file, the config file will take precedence.
The `backup` command expects to run on an exclusive lock, so in case you provide the same or overlapping schedules in your cron expressions, the runs will still be executed serially, one after the other.
The exact order of schedules that use the same cron expression is not specified.
In case you need your schedules to overlap, you need to create a dedicated container for each schedule instead.
When changing the configuration, you currently need to manually restart the container for the changes to take effect.
## Recipes
This section lists configuration for some real-world use cases that you can mix and match according to your needs.
### Backing up to AWS S3
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Backing up to Filebase
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_ENDPOINT: s3.filebase.com
AWS_S3_BUCKET_NAME: filebase-bucket
AWS_ACCESS_KEY_ID: FILEBASE-ACCESS-KEY
AWS_SECRET_ACCESS_KEY: FILEBASE-SECRET-KEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Backing up to MinIO
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_ENDPOINT: minio.example.com
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: MINIOACCESSKEY
AWS_SECRET_ACCESS_KEY: MINIOSECRETKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Backing up to WebDAV
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
WEBDAV_URL: https://webdav.mydomain.me
WEBDAV_PATH: /my/directory/
WEBDAV_USERNAME: user
WEBDAV_PASSWORD: password
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Backing up locally
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
BACKUP_LATEST_SYMLINK: backup-latest.tar.gz
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${HOME}/backups:/archive
volumes:
data:
```
### Backing up to AWS S3 as well as locally
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${HOME}/backups:/archive
volumes:
data:
```
### Running on a custom cron schedule
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
# take a backup on every hour
BACKUP_CRON_EXPRESSION: "0 * * * *"
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Rotating away backups that are older than 7 days
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
BACKUP_PRUNING_PREFIX: backup-
BACKUP_RETENTION_DAYS: 7
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Encrypting your backups using GPG
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GPG_PASSPHRASE: somesecretstring
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
### Using mysqldump to prepare the backup
```yml
version: '3'
services:
database:
image: mariadb:latest
labels:
- docker-volume-backup.exec-pre=/bin/sh -c 'mysqldump -psecret --all-databases > /tmp/dumps/dump.sql'
volumes:
- app_data:/tmp/dumps
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_FILENAME: db.tar.gz
BACKUP_CRON_EXPRESSION: "0 2 * * *"
volumes:
- ./local:/archive
- data:/backup/data:ro
- /var/run/docker.sock:/var/run/docker.sock
volumes:
data:
```
### Running multiple instances in the same setup
```yml
version: '3'
services:
# ... define other services using the `data_1` and `data_2` volumes here
backup_1: &backup_service
image: offen/docker-volume-backup:v2
environment: &backup_environment
BACKUP_CRON_EXPRESSION: "0 2 * * *"
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Label the container using the `data_1` volume as `docker-volume-backup.stop-during-backup=service1`
BACKUP_STOP_CONTAINER_LABEL: service1
volumes:
- data_1:/backup/data-1-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
backup_2:
<<: *backup_service
environment:
<<: *backup_environment
# Label the container using the `data_2` volume as `docker-volume-backup.stop-during-backup=service2`
BACKUP_CRON_EXPRESSION: "0 3 * * *"
BACKUP_STOP_CONTAINER_LABEL: service2
volumes:
- data_2:/backup/data-2-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data_1:
data_2:
```
## Differences to `futurice/docker-volume-backup`
This image is heavily inspired by `futurice/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
- The original image is based on `ubuntu` and requires additional tools, making it heavy.
This version is roughly 1/25 in compressed size (it's ~12MB).
- The original image uses a shell script, when this version is written in Go.
- The original image proposed to handle backup rotation through AWS S3 lifecycle policies.
This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO.
Local copies of backups can also be pruned once they reach a certain age.
- InfluxDB specific functionality from the original image was removed.
- `arm64` and `arm/v7` architectures are supported.
- Docker in Swarm mode is supported.
- Notifications on finished backups are supported.
- IAM authentication through instance profiles is supported.

121
cmd/backup/archive.go
View File

@@ -1,4 +1,4 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
// Portions of this file are taken from package `targz`, Copyright (c) 2014 Fredrik Wallgren
@@ -8,30 +8,28 @@ package main
import (
"archive/tar"
"compress/gzip"
"fmt"
"io"
"io/fs"
"os"
"path"
"path/filepath"
"runtime"
"strings"
"github.com/klauspost/compress/zstd"
"github.com/klauspost/pgzip"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
func createArchive(files []string, inputFilePath, outputFilePath string, compression string, compressionConcurrency int) error {
_, outputFilePath, err := makeAbsolute(stripTrailingSlashes(inputFilePath), outputFilePath)
func createArchive(inputFilePath, outputFilePath string, options createArchiveOptions) error {
inputFilePath = stripTrailingSlashes(inputFilePath)
inputFilePath, outputFilePath, err := makeAbsolute(inputFilePath, outputFilePath)
if err != nil {
return errwrap.Wrap(err, "error transposing given file paths")
return fmt.Errorf("createArchive: error transposing given file paths: %w", err)
}
if err := os.MkdirAll(filepath.Dir(outputFilePath), 0755); err != nil {
return errwrap.Wrap(err, "error creating output file path")
return fmt.Errorf("createArchive: error creating output file path: %w", err)
}
if err := compress(files, outputFilePath, compression, compressionConcurrency); err != nil {
return errwrap.Wrap(err, "error creating archive")
if err := compress(inputFilePath, outputFilePath, filepath.Dir(inputFilePath), options); err != nil {
return fmt.Errorf("createArchive: error creating archive: %w", err)
}
return nil
@@ -54,78 +52,52 @@ func makeAbsolute(inputFilePath, outputFilePath string) (string, string, error)
return inputFilePath, outputFilePath, err
}
func compress(paths []string, outFilePath, algo string, concurrency int) error {
func compress(inPath, outFilePath, subPath string, options createArchiveOptions) error {
file, err := os.Create(outFilePath)
if err != nil {
return errwrap.Wrap(err, "error creating out file")
return fmt.Errorf("compress: error creating out file: %w", err)
}
prefix := path.Dir(outFilePath)
compressWriter, err := getCompressionWriter(file, algo, concurrency)
if err != nil {
return errwrap.Wrap(err, "error getting compression writer")
gzipWriter := gzip.NewWriter(file)
tarWriter := tar.NewWriter(gzipWriter)
var paths []string
if err := filepath.WalkDir(inPath, func(path string, di fs.DirEntry, err error) error {
paths = append(paths, path)
return err
}); err != nil {
return fmt.Errorf("compress: error walking filesystem tree: %w", err)
}
tarWriter := tar.NewWriter(compressWriter)
for _, p := range paths {
if err := writeTarball(p, tarWriter, prefix); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error writing %s to archive", p))
if err := writeTarGz(p, tarWriter, prefix, options.format); err != nil {
return fmt.Errorf("compress error writing %s to archive: %w", p, err)
}
}
err = tarWriter.Close()
if err != nil {
return errwrap.Wrap(err, "error closing tar writer")
return fmt.Errorf("compress: error closing tar writer: %w", err)
}
err = compressWriter.Close()
err = gzipWriter.Close()
if err != nil {
return errwrap.Wrap(err, "error closing compression writer")
return fmt.Errorf("compress: error closing gzip writer: %w", err)
}
err = file.Close()
if err != nil {
return errwrap.Wrap(err, "error closing file")
return fmt.Errorf("compress: error closing file: %w", err)
}
return nil
}
func getCompressionWriter(file *os.File, algo string, concurrency int) (io.WriteCloser, error) {
switch algo {
case "none":
return &passThroughWriteCloser{file}, nil
case "gz":
w, err := pgzip.NewWriterLevel(file, 5)
if err != nil {
return nil, errwrap.Wrap(err, "gzip error")
}
if concurrency == 0 {
concurrency = runtime.GOMAXPROCS(0)
}
if err := w.SetConcurrency(1<<20, concurrency); err != nil {
return nil, errwrap.Wrap(err, "error setting concurrency")
}
return w, nil
case "zst":
compressWriter, err := zstd.NewWriter(file)
if err != nil {
return nil, errwrap.Wrap(err, "zstd error")
}
return compressWriter, nil
default:
return nil, errwrap.Wrap(nil, fmt.Sprintf("unsupported compression algorithm: %s", algo))
}
}
func writeTarball(path string, tarWriter *tar.Writer, prefix string) (returnErr error) {
func writeTarGz(path string, tarWriter *tar.Writer, prefix string, format tar.Format) error {
fileInfo, err := os.Lstat(path)
if err != nil {
returnErr = errwrap.Wrap(err, fmt.Sprintf("error getting file info for %s", path))
return
return fmt.Errorf("writeTarGz: error getting file infor for %s: %w", path, err)
}
if fileInfo.Mode()&os.ModeSocket == os.ModeSocket {
@@ -136,22 +108,23 @@ func writeTarball(path string, tarWriter *tar.Writer, prefix string) (returnErr
if fileInfo.Mode()&os.ModeSymlink == os.ModeSymlink {
var err error
if link, err = os.Readlink(path); err != nil {
returnErr = errwrap.Wrap(err, fmt.Sprintf("error resolving symlink %s", path))
return
return fmt.Errorf("writeTarGz: error resolving symlink %s: %w", path, err)
}
}
header, err := tar.FileInfoHeader(fileInfo, link)
if format >= 0 {
header.Format = format
}
if err != nil {
returnErr = errwrap.Wrap(err, "error getting file info header")
return
return fmt.Errorf("writeTarGz: error getting file info header: %w", err)
}
header.Name = strings.TrimPrefix(path, prefix)
err = tarWriter.WriteHeader(header)
if err != nil {
returnErr = errwrap.Wrap(err, "error writing file info header")
return
return fmt.Errorf("writeTarGz: error writing file info header: %w", err)
}
if !fileInfo.Mode().IsRegular() {
@@ -160,30 +133,18 @@ func writeTarball(path string, tarWriter *tar.Writer, prefix string) (returnErr
file, err := os.Open(path)
if err != nil {
returnErr = errwrap.Wrap(err, fmt.Sprintf("error opening %s", path))
return
return fmt.Errorf("writeTarGz: error opening %s: %w", path, err)
}
defer func() {
returnErr = file.Close()
}()
defer file.Close()
_, err = io.Copy(tarWriter, file)
if err != nil {
returnErr = errwrap.Wrap(err, fmt.Sprintf("error copying %s to tar writer", path))
return
return fmt.Errorf("writeTarGz: error copying %s to tar writer: %w", path, err)
}
return nil
}
type passThroughWriteCloser struct {
target io.WriteCloser
}
func (p *passThroughWriteCloser) Write(b []byte) (int, error) {
return p.target.Write(b)
}
func (p *passThroughWriteCloser) Close() error {
return nil
type createArchiveOptions struct {
format tar.Format
}

152
cmd/backup/command.go
View File

@@ -1,152 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"fmt"
"log/slog"
"os"
"os/signal"
"syscall"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/robfig/cron/v3"
)
type command struct {
logger *slog.Logger
schedules []cron.EntryID
cr *cron.Cron
reload chan struct{}
}
func newCommand() *command {
return &command{
logger: slog.New(slog.NewTextHandler(os.Stdout, nil)),
}
}
// runAsCommand executes a backup run for each configuration that is available
// and then returns
func (c *command) runAsCommand() error {
configurations, err := sourceConfiguration(configStrategyEnv)
if err != nil {
return errwrap.Wrap(err, "error loading env vars")
}
for _, config := range configurations {
if err := runScript(config); err != nil {
return errwrap.Wrap(err, "error running script")
}
}
return nil
}
type foregroundOpts struct {
profileCronExpression string
}
// runInForeground starts the program as a long running process, scheduling
// a job for each configuration that is available.
func (c *command) runInForeground(opts foregroundOpts) error {
c.cr = cron.New(
cron.WithParser(
cron.NewParser(
cron.SecondOptional | cron.Minute | cron.Hour | cron.Dom | cron.Month | cron.Dow | cron.Descriptor,
),
),
)
if err := c.schedule(configStrategyConfd); err != nil {
return errwrap.Wrap(err, "error scheduling")
}
if opts.profileCronExpression != "" {
if _, err := c.cr.AddFunc(opts.profileCronExpression, c.profile); err != nil {
return errwrap.Wrap(err, "error adding profiling job")
}
}
var quit = make(chan os.Signal, 1)
c.reload = make(chan struct{}, 1)
signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT)
c.cr.Start()
for {
select {
case <-quit:
ctx := c.cr.Stop()
<-ctx.Done()
return nil
case <-c.reload:
if err := c.schedule(configStrategyConfd); err != nil {
return errwrap.Wrap(err, "error reloading configuration")
}
}
}
}
// schedule wipes all existing schedules and enqueues all schedules available
// using the given configuration strategy
func (c *command) schedule(strategy configStrategy) error {
for _, id := range c.schedules {
c.cr.Remove(id)
}
configurations, err := sourceConfiguration(strategy)
if err != nil {
return errwrap.Wrap(err, "error sourcing configuration")
}
for _, cfg := range configurations {
config := cfg
id, err := c.cr.AddFunc(config.BackupCronExpression, func() {
c.logger.Info(
fmt.Sprintf(
"Now running script on schedule %s",
config.BackupCronExpression,
),
)
if err := runScript(config); err != nil {
c.logger.Error(
fmt.Sprintf(
"Unexpected error running schedule %s: %v",
config.BackupCronExpression,
errwrap.Unwrap(err),
),
"error",
err,
)
}
})
if err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error adding schedule %s", config.BackupCronExpression))
}
c.logger.Info(fmt.Sprintf("Successfully scheduled backup %s with expression %s", config.source, config.BackupCronExpression))
if ok := checkCronSchedule(config.BackupCronExpression); !ok {
c.logger.Warn(
fmt.Sprintf("Scheduled cron expression %s will never run, is this intentional?", config.BackupCronExpression),
)
}
c.schedules = append(c.schedules, id)
}
return nil
}
// must exits the program when passed an error. It should be the only
// place where the application exits forcefully.
func (c *command) must(err error) {
if err != nil {
c.logger.Error(
fmt.Sprintf("Fatal error running command: %v", errwrap.Unwrap(err)),
"error",
err,
)
os.Exit(1)
}
}

260
cmd/backup/config.go
View File

@@ -1,227 +1,75 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"crypto/x509"
"encoding/pem"
"archive/tar"
"fmt"
"os"
"regexp"
"strconv"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
// Config holds all configuration values that are expected to be set
// by users.
type Config struct {
AwsS3BucketName string `split_words:"true"`
AwsS3Path string `split_words:"true"`
AwsEndpoint string `split_words:"true" default:"s3.amazonaws.com"`
AwsEndpointProto string `split_words:"true" default:"https"`
AwsEndpointInsecure bool `split_words:"true"`
AwsEndpointCACert CertDecoder `envconfig:"AWS_ENDPOINT_CA_CERT"`
AwsStorageClass string `split_words:"true"`
AwsAccessKeyID string `envconfig:"AWS_ACCESS_KEY_ID"`
AwsSecretAccessKey string `split_words:"true"`
AwsIamRoleEndpoint string `split_words:"true"`
AwsPartSize int64 `split_words:"true"`
BackupCompression CompressionType `split_words:"true" default:"gz"`
GzipParallelism WholeNumber `split_words:"true" default:"1"`
BackupSources string `split_words:"true" default:"/backup"`
BackupFilename string `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"`
BackupFilenameExpand bool `split_words:"true"`
BackupLatestSymlink string `split_words:"true"`
BackupArchive string `split_words:"true" default:"/archive"`
BackupCronExpression string `split_words:"true" default:"@daily"`
BackupJitter time.Duration `split_words:"true" default:"0s"`
BackupRetentionDays int32 `split_words:"true" default:"-1"`
BackupPruningLeeway time.Duration `split_words:"true" default:"1m"`
BackupPruningPrefix string `split_words:"true"`
BackupStopContainerLabel string `split_words:"true"`
BackupStopDuringBackupLabel string `split_words:"true" default:"true"`
BackupStopDuringBackupNoRestartLabel string `split_words:"true" default:"true"`
BackupStopServiceTimeout time.Duration `split_words:"true" default:"5m"`
BackupFromSnapshot bool `split_words:"true"`
BackupExcludeRegexp RegexpDecoder `split_words:"true"`
BackupSkipBackendsFromPrune []string `split_words:"true"`
GpgPassphrase string `split_words:"true"`
GpgPublicKeyRing string `split_words:"true"`
AgePassphrase string `split_words:"true"`
AgePublicKeys []string `split_words:"true"`
NotificationURLs []string `envconfig:"NOTIFICATION_URLS"`
NotificationLevel string `split_words:"true" default:"error"`
EmailNotificationRecipient string `split_words:"true"`
EmailNotificationSender string `split_words:"true" default:"noreply@nohost"`
EmailSMTPHost string `envconfig:"EMAIL_SMTP_HOST"`
EmailSMTPPort int `envconfig:"EMAIL_SMTP_PORT" default:"587"`
EmailSMTPUsername string `envconfig:"EMAIL_SMTP_USERNAME"`
EmailSMTPPassword string `envconfig:"EMAIL_SMTP_PASSWORD"`
WebdavUrl string `split_words:"true"`
WebdavUrlInsecure bool `split_words:"true"`
WebdavPath string `split_words:"true" default:"/"`
WebdavUsername string `split_words:"true"`
WebdavPassword string `split_words:"true"`
SSHHostName string `split_words:"true"`
SSHPort string `split_words:"true" default:"22"`
SSHUser string `split_words:"true"`
SSHPassword string `split_words:"true"`
SSHIdentityFile string `split_words:"true" default:"/root/.ssh/id_rsa"`
SSHIdentityPassphrase string `split_words:"true"`
SSHRemotePath string `split_words:"true"`
ExecLabel string `split_words:"true"`
ExecForwardOutput bool `split_words:"true"`
LockTimeout time.Duration `split_words:"true" default:"60m"`
AzureStorageAccountName string `split_words:"true"`
AzureStoragePrimaryAccountKey string `split_words:"true"`
AzureStorageConnectionString string `split_words:"true"`
AzureStorageContainerName string `split_words:"true"`
AzureStoragePath string `split_words:"true"`
AzureStorageEndpoint string `split_words:"true" default:"https://{{ .AccountName }}.blob.core.windows.net/"`
AzureStorageAccessTier string `split_words:"true"`
DropboxEndpoint string `split_words:"true" default:"https://api.dropbox.com/"`
DropboxOAuth2Endpoint string `envconfig:"DROPBOX_OAUTH2_ENDPOINT" default:"https://api.dropbox.com/"`
DropboxRefreshToken string `split_words:"true"`
DropboxAppKey string `split_words:"true"`
DropboxAppSecret string `split_words:"true"`
DropboxRemotePath string `split_words:"true"`
DropboxConcurrencyLevel NaturalNumber `split_words:"true" default:"6"`
GoogleDriveCredentialsJSON string `split_words:"true"`
GoogleDriveFolderID string `split_words:"true"`
GoogleDriveImpersonateSubject string `split_words:"true"`
GoogleDriveEndpoint string `split_words:"true"`
GoogleDriveTokenURL string `split_words:"true"`
source string
additionalEnvVars map[string]string
BackupSources string `split_words:"true" default:"/backup"`
BackupFilename string `split_words:"true" default:"backup-%Y-%m-%dT%H-%M-%S.tar.gz"`
BackupFilenameExpand bool `split_words:"true"`
BackupLatestSymlink string `split_words:"true"`
BackupArchive string `split_words:"true" default:"/archive"`
BackupRetentionDays int32 `split_words:"true" default:"-1"`
BackupPruningLeeway time.Duration `split_words:"true" default:"1m"`
BackupPruningPrefix string `split_words:"true"`
BackupStopContainerLabel string `split_words:"true" default:"true"`
BackupFromSnapshot bool `split_words:"true"`
AwsS3BucketName string `split_words:"true"`
AwsS3Path string `split_words:"true"`
AwsEndpoint string `split_words:"true" default:"s3.amazonaws.com"`
AwsEndpointProto string `split_words:"true" default:"https"`
AwsEndpointInsecure bool `split_words:"true"`
AwsAccessKeyID string `envconfig:"AWS_ACCESS_KEY_ID"`
AwsSecretAccessKey string `split_words:"true"`
AwsIamRoleEndpoint string `split_words:"true"`
GpgPassphrase string `split_words:"true"`
NotificationURLs []string `envconfig:"NOTIFICATION_URLS"`
NotificationLevel string `split_words:"true" default:"error"`
EmailNotificationRecipient string `split_words:"true"`
EmailNotificationSender string `split_words:"true" default:"noreply@nohost"`
EmailSMTPHost string `envconfig:"EMAIL_SMTP_HOST"`
EmailSMTPPort int `envconfig:"EMAIL_SMTP_PORT" default:"587"`
EmailSMTPUsername string `envconfig:"EMAIL_SMTP_USERNAME"`
EmailSMTPPassword string `envconfig:"EMAIL_SMTP_PASSWORD"`
WebdavUrl string `split_words:"true"`
WebdavPath string `split_words:"true" default:"/"`
WebdavUsername string `split_words:"true"`
WebdavPassword string `split_words:"true"`
ExecLabel string `split_words:"true"`
ExecForwardOutput bool `split_words:"true"`
LockTimeout time.Duration `split_words:"true" default:"60m"`
TarArchiveHeaderFormat TarFormat `split_words:"true"`
}
type CompressionType string
type TarFormat tar.Format
func (c *CompressionType) Decode(v string) error {
switch v {
case "none", "gz", "zst":
*c = CompressionType(v)
func (t *TarFormat) Decode(value string) error {
switch value {
case "PAX":
*t = TarFormat(tar.FormatPAX)
return nil
case "USTAR":
*t = TarFormat(tar.FormatUSTAR)
return nil
case "GNU":
*t = TarFormat(tar.FormatGNU)
return nil
case "":
*t = TarFormat(-1)
return nil
default:
return errwrap.Wrap(nil, fmt.Sprintf("error decoding compression type %s", v))
return fmt.Errorf("tarFormat: unknown format %s", value)
}
}
func (c *CompressionType) String() string {
return string(*c)
}
type CertDecoder struct {
Cert *x509.Certificate
}
func (c *CertDecoder) Decode(v string) error {
if v == "" {
return nil
}
content, err := os.ReadFile(v)
if err != nil {
content = []byte(v)
}
block, _ := pem.Decode(content)
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return errwrap.Wrap(err, "error parsing certificate")
}
*c = CertDecoder{Cert: cert}
return nil
}
type RegexpDecoder struct {
Re *regexp.Regexp
}
func (r *RegexpDecoder) Decode(v string) error {
if v == "" {
return nil
}
re, err := regexp.Compile(v)
if err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error compiling given regexp `%s`", v))
}
*r = RegexpDecoder{Re: re}
return nil
}
// NaturalNumber is a type that can be used to decode a positive, non-zero natural number
type NaturalNumber int
func (n *NaturalNumber) Decode(v string) error {
asInt, err := strconv.Atoi(v)
if err != nil {
return errwrap.Wrap(nil, fmt.Sprintf("error converting %s to int", v))
}
if asInt <= 0 {
return errwrap.Wrap(nil, fmt.Sprintf("expected a natural number, got %d", asInt))
}
*n = NaturalNumber(asInt)
return nil
}
func (n *NaturalNumber) Int() int {
return int(*n)
}
// WholeNumber is a type that can be used to decode a positive whole number, including zero
type WholeNumber int
func (n *WholeNumber) Decode(v string) error {
asInt, err := strconv.Atoi(v)
if err != nil {
return errwrap.Wrap(nil, fmt.Sprintf("error converting %s to int", v))
}
if asInt < 0 {
return errwrap.Wrap(nil, fmt.Sprintf("expected a whole, positive number, including zero. Got %d", asInt))
}
*n = WholeNumber(asInt)
return nil
}
func (n *WholeNumber) Int() int {
return int(*n)
}
type envVarLookup struct {
ok bool
key string
value string
}
// applyEnv sets the values in `additionalEnvVars` as environment variables.
// It returns a function that reverts all values that have been set to its
// previous state.
func (c *Config) applyEnv() (func() error, error) {
lookups := []envVarLookup{}
unset := func() error {
for _, lookup := range lookups {
if !lookup.ok {
if err := os.Unsetenv(lookup.key); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error unsetting env var %s", lookup.key))
}
continue
}
if err := os.Setenv(lookup.key, lookup.value); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error setting back env var %s", lookup.key))
}
}
return nil
}
for key, value := range c.additionalEnvVars {
current, ok := os.LookupEnv(key)
lookups = append(lookups, envVarLookup{ok: ok, key: key, value: current})
if err := os.Setenv(key, value); err != nil {
return unset, errwrap.Wrap(err, "error setting env var")
}
}
return unset, nil
func (t *TarFormat) Format() tar.Format {
return tar.Format(*t)
}

166
cmd/backup/config_provider.go
View File

@@ -1,166 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"bufio"
"fmt"
"os"
"path/filepath"
"strings"
"github.com/joho/godotenv"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/envconfig"
shell "mvdan.cc/sh/v3/shell"
)
type configStrategy string
const (
configStrategyEnv configStrategy = "env"
configStrategyConfd configStrategy = "confd"
)
// sourceConfiguration returns a list of config objects using the given
// strategy. It should be the single entrypoint for retrieving configuration
// for all consumers.
func sourceConfiguration(strategy configStrategy) ([]*Config, error) {
switch strategy {
case configStrategyEnv:
c, err := loadConfigFromEnvVars()
return []*Config{c}, err
case configStrategyConfd:
cs, err := loadConfigsFromEnvFiles("/etc/dockervolumebackup/conf.d")
if err != nil {
if os.IsNotExist(err) {
return sourceConfiguration(configStrategyEnv)
}
return nil, errwrap.Wrap(err, "error loading config files")
}
return cs, nil
default:
return nil, errwrap.Wrap(nil, fmt.Sprintf("received unknown config strategy: %v", strategy))
}
}
// envProxy is a function that mimics os.LookupEnv but can read values from any other source
type envProxy func(string) (string, bool)
// loadConfig creates a config object using the given lookup function
func loadConfig(lookup envProxy) (*Config, error) {
envconfig.Lookup = func(key string) (string, bool) {
value, okValue := lookup(key)
location, okFile := lookup(key + "_FILE")
switch {
case okValue && !okFile: // only value
return value, true
case !okValue && okFile: // only file
contents, err := os.ReadFile(location)
if err != nil {
return "", false
}
return string(contents), true
case okValue && okFile: // both
return "", false
default: // neither, ignore
return "", false
}
}
var c = &Config{}
if err := envconfig.Process("", c); err != nil {
return nil, errwrap.Wrap(err, "failed to process configuration values")
}
return c, nil
}
func loadConfigFromEnvVars() (*Config, error) {
c, err := loadConfig(os.LookupEnv)
if err != nil {
return nil, errwrap.Wrap(err, "error loading config from environment")
}
c.source = "from environment"
return c, nil
}
func loadConfigsFromEnvFiles(directory string) ([]*Config, error) {
items, err := os.ReadDir(directory)
if err != nil {
if os.IsNotExist(err) {
return nil, err
}
return nil, errwrap.Wrap(err, "failed to read files from env directory")
}
configs := []*Config{}
for _, item := range items {
if item.IsDir() {
continue
}
p := filepath.Join(directory, item.Name())
envFile, err := source(p)
if err != nil {
return nil, errwrap.Wrap(err, fmt.Sprintf("error reading config file %s", p))
}
lookup := func(key string) (string, bool) {
val, ok := envFile[key]
if ok {
return val, ok
}
return os.LookupEnv(key)
}
c, err := loadConfig(lookup)
if err != nil {
return nil, errwrap.Wrap(err, fmt.Sprintf("error loading config from file %s", p))
}
c.source = item.Name()
c.additionalEnvVars = envFile
configs = append(configs, c)
}
return configs, nil
}
// source tries to mimic the pre v2.37.0 behavior of calling
// `set +a; source $path; set -a` and returns the env vars as a map
func source(path string) (map[string]string, error) {
f, err := os.Open(path)
if err != nil {
return nil, errwrap.Wrap(err, fmt.Sprintf("error opening %s", path))
}
result := map[string]string{}
scanner := bufio.NewScanner(f)
for scanner.Scan() {
line := scanner.Text()
line = strings.TrimSpace(line)
if strings.HasPrefix(line, "#") {
continue
}
withExpansion, err := shell.Expand(line, nil)
if err != nil {
return nil, errwrap.Wrap(err, "error expanding env")
}
m, err := godotenv.Unmarshal(withExpansion)
if err != nil {
return nil, errwrap.Wrap(err, fmt.Sprintf("error sourcing %s", path))
}
for key, value := range m {
currentValue, currentOk := os.LookupEnv(key)
defer func() {
if currentOk {
_ = os.Setenv(key, currentValue)
return
}
_ = os.Unsetenv(key)
}()
result[key] = value
_ = os.Setenv(key, value)
}
}
return result, nil
}

79
cmd/backup/config_provider_test.go
View File

@@ -1,79 +0,0 @@
package main
import (
"os"
"reflect"
"testing"
)
func TestSource(t *testing.T) {
tests := []struct {
name string
input string
expectError bool
expectedOutput map[string]string
}{
{
"default",
"testdata/default.env",
false,
map[string]string{
"FOO": "bar",
"BAZ": "qux",
},
},
{
"not found",
"testdata/nope.env",
true,
nil,
},
{
"braces",
"testdata/braces.env",
false,
map[string]string{
"FOO": "qux",
"BAR": "xxx",
"BAZ": "",
},
},
{
"expansion",
"testdata/expansion.env",
false,
map[string]string{
"BAR": "xxx",
"FOO": "xxx",
"BAZ": "xxx",
"QUX": "yyy",
},
},
{
"comments",
"testdata/comments.env",
false,
map[string]string{
"BAR": "xxx",
"BAZ": "yyy",
},
},
}
_ = os.Setenv("QUX", "yyy")
defer func() {
_ = os.Unsetenv("QUX")
}()
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
result, err := source(test.input)
if (err != nil) != test.expectError {
t.Errorf("Unexpected error value %v", err)
}
if !reflect.DeepEqual(test.expectedOutput, result) {
t.Errorf("Expected %v, got %v", test.expectedOutput, result)
}
})
}
}

41
cmd/backup/copy_archive.go
View File

@@ -1,41 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"os"
"path"
"github.com/offen/docker-volume-backup/internal/errwrap"
"golang.org/x/sync/errgroup"
)
// copyArchive makes sure the backup file is copied to both local and remote locations
// as per the given configuration.
func (s *script) copyArchive() error {
_, name := path.Split(s.file)
if stat, err := os.Stat(s.file); err != nil {
return errwrap.Wrap(err, "unable to stat backup file")
} else {
size := stat.Size()
s.stats.BackupFile = BackupFileStats{
Size: uint64(size),
Name: name,
FullPath: s.file,
}
}
eg := errgroup.Group{}
for _, backend := range s.storages {
b := backend
eg.Go(func() error {
return b.Copy(s.file)
})
}
if err := eg.Wait(); err != nil {
return errwrap.Wrap(err, "error copying archive")
}
return nil
}

88
cmd/backup/create_archive.go
View File

@@ -1,88 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"fmt"
"io/fs"
"path/filepath"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/otiai10/copy"
)
// createArchive creates a tar archive of the configured backup location and
// saves it to disk.
func (s *script) createArchive() error {
backupSources := s.c.BackupSources
if s.c.BackupFromSnapshot {
s.logger.Warn(
"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
)
s.logger.Warn(
"Please use `archive-pre` and `archive-post` commands to prepare your backup sources. Refer to the documentation for an upgrade guide.",
)
backupSources = filepath.Join("/tmp", s.c.BackupSources)
// copy before compressing guard against a situation where backup folder's content are still growing.
s.registerHook(hookLevelPlumbing, func(error) error {
if err := remove(backupSources); err != nil {
return errwrap.Wrap(err, "error removing snapshot")
}
s.logger.Info(
fmt.Sprintf("Removed snapshot `%s`.", backupSources),
)
return nil
})
if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
PreserveTimes: true,
PreserveOwner: true,
}); err != nil {
return errwrap.Wrap(err, "error creating snapshot")
}
s.logger.Info(
fmt.Sprintf("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources),
)
}
tarFile := s.file
s.registerHook(hookLevelPlumbing, func(error) error {
if err := remove(tarFile); err != nil {
return errwrap.Wrap(err, "error removing tar file")
}
s.logger.Info(
fmt.Sprintf("Removed tar file `%s`.", tarFile),
)
return nil
})
backupPath, err := filepath.Abs(stripTrailingSlashes(backupSources))
if err != nil {
return errwrap.Wrap(err, "error getting absolute path")
}
var filesEligibleForBackup []string
if err := filepath.WalkDir(backupPath, func(path string, di fs.DirEntry, err error) error {
if err != nil {
return err
}
if s.c.BackupExcludeRegexp.Re != nil && s.c.BackupExcludeRegexp.Re.MatchString(path) {
return nil
}
filesEligibleForBackup = append(filesEligibleForBackup, path)
return nil
}); err != nil {
return errwrap.Wrap(err, "error walking filesystem tree")
}
if err := createArchive(filesEligibleForBackup, backupSources, tarFile, s.c.BackupCompression.String(), s.c.GzipParallelism.Int()); err != nil {
return errwrap.Wrap(err, "error compressing backup folder")
}
s.logger.Info(
fmt.Sprintf("Created backup of `%s` at `%s`.", backupSources, tarFile),
)
return nil
}

226
cmd/backup/encrypt_archive.go
View File

@@ -1,226 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"bytes"
"errors"
"fmt"
"io"
"os"
"path"
"strings"
"filippo.io/age"
"filippo.io/age/agessh"
"github.com/ProtonMail/go-crypto/openpgp/armor"
openpgp "github.com/ProtonMail/go-crypto/openpgp/v2"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
func countTrue(b ...bool) int {
c := int(0)
for _, v := range b {
if v {
c++
}
}
return c
}
// encryptArchive encrypts the backup file using PGP and the configured passphrase or publickey(s).
// In case no passphrase or publickey is given it returns early, leaving the backup file
// untouched.
func (s *script) encryptArchive() error {
useGPGSymmetric := s.c.GpgPassphrase != ""
useGPGAsymmetric := s.c.GpgPublicKeyRing != ""
useAgeSymmetric := s.c.AgePassphrase != ""
useAgeAsymmetric := len(s.c.AgePublicKeys) > 0
switch nconfigured := countTrue(
useGPGSymmetric,
useGPGAsymmetric,
useAgeSymmetric,
useAgeAsymmetric,
); nconfigured {
case 0:
return nil
case 1:
// ok!
default:
return fmt.Errorf(
"error in selecting archive encryption method: expected 0 or 1 to be configured, %d methods are configured",
nconfigured,
)
}
if useGPGSymmetric {
return s.encryptWithGPGSymmetric()
} else if useGPGAsymmetric {
return s.encryptWithGPGAsymmetric()
} else if useAgeSymmetric || useAgeAsymmetric {
ar, err := s.getConfiguredAgeRecipients()
if err != nil {
return errwrap.Wrap(err, "failed to get configured age recipients")
}
return s.encryptWithAge(ar)
}
return nil
}
func (s *script) getConfiguredAgeRecipients() ([]age.Recipient, error) {
if s.c.AgePassphrase == "" && len(s.c.AgePublicKeys) == 0 {
return nil, fmt.Errorf("no age recipients configured")
}
recipients := []age.Recipient{}
if len(s.c.AgePublicKeys) > 0 {
for _, pk := range s.c.AgePublicKeys {
pkr, err := parseAgeRecipient(pk)
if err != nil {
return nil, errwrap.Wrap(err, "failed to parse age public key")
}
recipients = append(recipients, pkr)
}
}
if s.c.AgePassphrase != "" {
if len(recipients) != 0 {
return nil, fmt.Errorf("age encryption must only be enabled via passphrase or public key, not both")
}
r, err := age.NewScryptRecipient(s.c.AgePassphrase)
if err != nil {
return nil, errwrap.Wrap(err, "failed to create scrypt identity from age passphrase")
}
recipients = append(recipients, r)
}
return recipients, nil
}
func parseAgeRecipient(arg string) (age.Recipient, error) {
// This logic is adapted from what the age CLI is doing
// stripping some special cases
switch {
case strings.HasPrefix(arg, "age1"):
return age.ParseX25519Recipient(arg)
case strings.HasPrefix(arg, "ssh-"):
return agessh.ParseRecipient(arg)
}
return nil, fmt.Errorf("unknown recipient type: %q", arg)
}
func (s *script) encryptWithAge(rec []age.Recipient) error {
return s.doEncrypt("age", func(ciphertextWriter io.Writer) (io.WriteCloser, error) {
return age.Encrypt(ciphertextWriter, rec...)
})
}
func (s *script) encryptWithGPGSymmetric() error {
return s.doEncrypt("gpg", func(ciphertextWriter io.Writer) (io.WriteCloser, error) {
_, name := path.Split(s.file)
return openpgp.SymmetricallyEncrypt(ciphertextWriter, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
FileName: name,
}, nil)
})
}
type closeAllWriter struct {
io.Writer
closers []io.Closer
}
func (c *closeAllWriter) Close() (err error) {
for _, cl := range c.closers {
err = errors.Join(err, cl.Close())
}
return
}
var _ io.WriteCloser = (*closeAllWriter)(nil)
func (s *script) encryptWithGPGAsymmetric() error {
return s.doEncrypt("gpg", func(ciphertextWriter io.Writer) (_ io.WriteCloser, outerr error) {
entityList, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(s.c.GpgPublicKeyRing)))
if err != nil {
return nil, errwrap.Wrap(err, "error parsing armored keyring")
}
armoredWriter, err := armor.Encode(ciphertextWriter, "PGP MESSAGE", nil)
if err != nil {
return nil, errwrap.Wrap(err, "error preparing encryption")
}
defer func() {
if outerr != nil {
_ = armoredWriter.Close()
}
}()
_, name := path.Split(s.file)
encWriter, err := openpgp.Encrypt(armoredWriter, entityList, nil, nil, &openpgp.FileHints{
FileName: name,
}, nil)
if err != nil {
return nil, err
}
return &closeAllWriter{
Writer: encWriter,
closers: []io.Closer{encWriter, armoredWriter},
}, nil
})
}
func (s *script) doEncrypt(
extension string,
encryptor func(ciphertextWriter io.Writer) (io.WriteCloser, error),
) (outerr error) {
encFile := fmt.Sprintf("%s.%s", s.file, extension)
s.registerHook(hookLevelPlumbing, func(error) error {
if err := remove(encFile); err != nil {
return errwrap.Wrap(err, "error removing encrypted file")
}
s.logger.Info(
fmt.Sprintf("Removed encrypted file `%s`.", encFile),
)
return nil
})
outFile, err := os.Create(encFile)
if err != nil {
return errwrap.Wrap(err, "error opening out file")
}
defer func() {
if err := outFile.Close(); err != nil {
outerr = errors.Join(outerr, errwrap.Wrap(err, "error closing out file"))
}
}()
dst, err := encryptor(outFile)
if err != nil {
return errwrap.Wrap(err, "error encrypting backup file")
}
defer func() {
if err := dst.Close(); err != nil {
outerr = errors.Join(outerr, errwrap.Wrap(err, "error closing encrypted backup file"))
}
}()
src, err := os.Open(s.file)
if err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error opening backup file %q", s.file))
}
defer func() {
if err := src.Close(); err != nil {
outerr = errors.Join(outerr, errwrap.Wrap(err, "error closing backup file"))
}
}()
if _, err := io.Copy(dst, src); err != nil {
return errwrap.Wrap(err, "error writing ciphertext to file")
}
s.file = encFile
s.logger.Info(
fmt.Sprintf("Encrypted backup using %q, saving as %q", extension, s.file),
)
return
}

167
cmd/backup/exec.go
View File

@@ -1,4 +1,4 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
// Portions of this file are taken and adapted from `moby`, Copyright 2012-2017 Docker, Inc.
@@ -9,86 +9,67 @@ package main
import (
"bytes"
"context"
"errors"
"fmt"
"io"
"io/ioutil"
"os"
"strings"
"github.com/cosiner/argv"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/pkg/stdcopy"
"github.com/offen/docker-volume-backup/internal/errwrap"
"golang.org/x/sync/errgroup"
)
func (s *script) exec(containerRef string, command string, user string) ([]byte, []byte, error) {
args, err := argv.Argv(command, nil, nil)
if err != nil {
return nil, nil, errwrap.Wrap(err, fmt.Sprintf("error parsing argv from '%s'", command))
}
if len(args) == 0 {
return nil, nil, errwrap.Wrap(nil, "received unexpected empty command")
}
commandEnv := []string{
fmt.Sprintf("COMMAND_RUNTIME_ARCHIVE_FILEPATH=%s", s.file),
}
execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, container.ExecOptions{
func (s *script) exec(containerRef string, command string) ([]byte, []byte, error) {
args, _ := argv.Argv(command, nil, nil)
execID, err := s.cli.ContainerExecCreate(context.Background(), containerRef, types.ExecConfig{
Cmd: args[0],
AttachStdin: true,
AttachStderr: true,
Env: commandEnv,
User: user,
})
if err != nil {
return nil, nil, errwrap.Wrap(err, "error creating container exec")
return nil, nil, fmt.Errorf("exec: error creating container exec: %w", err)
}
resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, container.ExecStartOptions{})
resp, err := s.cli.ContainerExecAttach(context.Background(), execID.ID, types.ExecStartCheck{})
if err != nil {
return nil, nil, errwrap.Wrap(err, "error attaching container exec")
return nil, nil, fmt.Errorf("exec: error attaching container exec: %w", err)
}
defer resp.Close()
var outBuf, errBuf, fullRespBuf bytes.Buffer
var outBuf, errBuf bytes.Buffer
outputDone := make(chan error)
tee := io.TeeReader(resp.Reader, &fullRespBuf)
go func() {
_, err := stdcopy.StdCopy(&outBuf, &errBuf, tee)
_, err := stdcopy.StdCopy(&outBuf, &errBuf, resp.Reader)
outputDone <- err
}()
if err := <-outputDone; err != nil {
if body, bErr := io.ReadAll(&fullRespBuf); bErr == nil {
// if possible, try to append the exec output to the error
// as it's likely to be more relevant for users than the error from
// calling stdcopy.Copy
err = errwrap.Wrap(errors.New(string(body)), err.Error())
select {
case err := <-outputDone:
if err != nil {
return nil, nil, fmt.Errorf("exec: error demultiplexing output: %w", err)
}
return nil, nil, errwrap.Wrap(err, "error demultiplexing output")
break
}
stdout, err := io.ReadAll(&outBuf)
stdout, err := ioutil.ReadAll(&outBuf)
if err != nil {
return nil, nil, errwrap.Wrap(err, "error reading stdout")
return nil, nil, fmt.Errorf("exec: error reading stdout: %w", err)
}
stderr, err := io.ReadAll(&errBuf)
stderr, err := ioutil.ReadAll(&errBuf)
if err != nil {
return nil, nil, errwrap.Wrap(err, "error reading stderr")
return nil, nil, fmt.Errorf("exec: error reading stderr: %w", err)
}
res, err := s.cli.ContainerExecInspect(context.Background(), execID.ID)
if err != nil {
return nil, nil, errwrap.Wrap(err, "error inspecting container exec")
return nil, nil, fmt.Errorf("exec: error inspecting container exec: %w", err)
}
if res.ExitCode > 0 {
return stdout, stderr, errwrap.Wrap(nil, fmt.Sprintf("running command exited %d", res.ExitCode))
return stdout, stderr, fmt.Errorf("exec: running command exited %d", res.ExitCode)
}
return stdout, stderr, nil
@@ -104,123 +85,39 @@ func (s *script) runLabeledCommands(label string) error {
Value: fmt.Sprintf("docker-volume-backup.exec-label=%s", s.c.ExecLabel),
})
}
containersWithCommand, err := s.cli.ContainerList(context.Background(), container.ListOptions{
containersWithCommand, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
Quiet: true,
Filters: filters.NewArgs(f...),
})
if err != nil {
return errwrap.Wrap(err, "error querying for containers")
}
var hasDeprecatedContainers bool
if label == "docker-volume-backup.archive-pre" {
f[0] = filters.KeyValuePair{
Key: "label",
Value: "docker-volume-backup.exec-pre",
}
deprecatedContainers, err := s.cli.ContainerList(context.Background(), container.ListOptions{
Filters: filters.NewArgs(f...),
})
if err != nil {
return errwrap.Wrap(err, "error querying for containers")
}
if len(deprecatedContainers) != 0 {
hasDeprecatedContainers = true
containersWithCommand = append(containersWithCommand, deprecatedContainers...)
}
}
if label == "docker-volume-backup.archive-post" {
f[0] = filters.KeyValuePair{
Key: "label",
Value: "docker-volume-backup.exec-post",
}
deprecatedContainers, err := s.cli.ContainerList(context.Background(), container.ListOptions{
Filters: filters.NewArgs(f...),
})
if err != nil {
return errwrap.Wrap(err, "error querying for containers")
}
if len(deprecatedContainers) != 0 {
hasDeprecatedContainers = true
containersWithCommand = append(containersWithCommand, deprecatedContainers...)
}
return fmt.Errorf("runLabeledCommands: error querying for containers: %w", err)
}
if len(containersWithCommand) == 0 {
return nil
}
if hasDeprecatedContainers {
s.logger.Warn(
"Using `docker-volume-backup.exec-pre` and `docker-volume-backup.exec-post` labels has been deprecated and will be removed in the next major version.",
)
s.logger.Warn(
"Please use other `-pre` and `-post` labels instead. Refer to the README for an upgrade guide.",
)
}
g := new(errgroup.Group)
for _, container := range containersWithCommand {
c := container
g.Go(func() error {
cmd, ok := c.Labels[label]
if !ok && label == "docker-volume-backup.archive-pre" {
cmd = c.Labels["docker-volume-backup.exec-pre"]
} else if !ok && label == "docker-volume-backup.archive-post" {
cmd = c.Labels["docker-volume-backup.exec-post"]
}
userLabelName := fmt.Sprintf("%s.user", label)
user := c.Labels[userLabelName]
s.logger.Info(fmt.Sprintf("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/")))
stdout, stderr, err := s.exec(c.ID, cmd, user)
cmd, _ := c.Labels[label]
s.logger.Infof("Running %s command %s for container %s", label, cmd, strings.TrimPrefix(c.Names[0], "/"))
stdout, stderr, err := s.exec(c.ID, cmd)
if s.c.ExecForwardOutput {
if _, err := os.Stderr.Write(stderr); err != nil {
return errwrap.Wrap(err, "error writing to stderr")
}
if _, err := os.Stdout.Write(stdout); err != nil {
return errwrap.Wrap(err, "error writing to stdout")
}
os.Stderr.Write(stderr)
os.Stdout.Write(stdout)
}
if err != nil {
return errwrap.Wrap(err, "error executing command")
return fmt.Errorf("runLabeledCommands: error executing command: %w", err)
}
return nil
})
}
if err := g.Wait(); err != nil {
return errwrap.Wrap(err, "error from errgroup")
return fmt.Errorf("runLabeledCommands: error from errgroup: %w", err)
}
return nil
}
type lifecyclePhase string
const (
lifecyclePhaseArchive lifecyclePhase = "archive"
lifecyclePhaseProcess lifecyclePhase = "process"
lifecyclePhaseCopy lifecyclePhase = "copy"
lifecyclePhasePrune lifecyclePhase = "prune"
)
func (s *script) withLabeledCommands(step lifecyclePhase, cb func() error) func() error {
if s.cli == nil {
return cb
}
return func() (err error) {
if err = s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-pre", step)); err != nil {
err = errwrap.Wrap(err, fmt.Sprintf("error running %s-pre commands", step))
return
}
defer func() {
if derr := s.runLabeledCommands(fmt.Sprintf("docker-volume-backup.%s-post", step)); derr != nil {
err = errors.Join(err, errwrap.Wrap(derr, fmt.Sprintf("error running %s-post commands", step)))
}
}()
err = cb()
return
}
}

10
cmd/backup/hooks.go
View File

@@ -1,13 +1,11 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"errors"
"fmt"
"sort"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
// hook contains a queued action that can be trigger them when the script
@@ -48,11 +46,11 @@ func (s *script) runHooks(err error) error {
continue
}
if actionErr := hook.action(err); actionErr != nil {
actionErrors = append(actionErrors, errwrap.Wrap(actionErr, "error running hook"))
actionErrors = append(actionErrors, fmt.Errorf("runHooks: error running hook: %w", actionErr))
}
}
if len(actionErrors) != 0 {
return errors.Join(actionErrors...)
return join(actionErrors...)
}
return nil
}

18
cmd/backup/lock.go
View File

@@ -1,14 +1,14 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"errors"
"fmt"
"time"
"github.com/gofrs/flock"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
// lock opens a lockfile at the given location, keeping it locked until the
@@ -18,7 +18,7 @@ import (
func (s *script) lock(lockfile string) (func() error, error) {
start := time.Now()
defer func() {
s.stats.LockedTime = time.Since(start)
s.stats.LockedTime = time.Now().Sub(start)
}()
retry := time.NewTicker(5 * time.Second)
@@ -31,7 +31,7 @@ func (s *script) lock(lockfile string) (func() error, error) {
for {
acquired, err := fileLock.TryLock()
if err != nil {
return noop, errwrap.Wrap(err, "error trying to lock")
return noop, fmt.Errorf("lock: error trying lock: %w", err)
}
if acquired {
if s.encounteredLock {
@@ -41,11 +41,9 @@ func (s *script) lock(lockfile string) (func() error, error) {
}
if !s.encounteredLock {
s.logger.Info(
fmt.Sprintf(
"Exclusive lock was not available on first attempt. Will retry until it becomes available or the timeout of %s is exceeded.",
s.c.LockTimeout,
),
s.logger.Infof(
"Exclusive lock was not available on first attempt. Will retry until it becomes available or the timeout of %s is exceeded.",
s.c.LockTimeout,
)
s.encounteredLock = true
}
@@ -54,7 +52,7 @@ func (s *script) lock(lockfile string) (func() error, error) {
case <-retry.C:
continue
case <-deadline.C:
return noop, errwrap.Wrap(nil, "timed out waiting for lockfile to become available")
return noop, errors.New("lock: timed out waiting for lockfile to become available")
}
}
}

69
cmd/backup/main.go
View File

@@ -1,24 +1,65 @@
// Copyright 2021-2022 - offen.software <hioffen@posteo.de>
// Copyright 2021-2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"flag"
"os"
)
func main() {
foreground := flag.Bool("foreground", false, "run the tool in the foreground")
profile := flag.String("profile", "", "collect runtime metrics and log them periodically on the given cron expression")
flag.Parse()
c := newCommand()
if *foreground {
opts := foregroundOpts{
profileCronExpression: *profile,
}
c.must(c.runInForeground(opts))
} else {
c.must(c.runAsCommand())
s, err := newScript()
if err != nil {
panic(err)
}
unlock, err := s.lock("/var/lock/dockervolumebackup.lock")
defer unlock()
s.must(err)
defer func() {
if pArg := recover(); pArg != nil {
if err, ok := pArg.(error); ok {
if hookErr := s.runHooks(err); hookErr != nil {
s.logger.Errorf("An error occurred calling the registered hooks: %s", hookErr)
}
os.Exit(1)
}
panic(pArg)
}
if err := s.runHooks(nil); err != nil {
s.logger.Errorf(
"Backup procedure ran successfully, but an error ocurred calling the registered hooks: %v",
err,
)
os.Exit(1)
}
s.logger.Info("Finished running backup tasks.")
}()
s.must(func() error {
runPostCommands, err := s.runCommands()
defer func() {
s.must(runPostCommands())
}()
if err != nil {
return err
}
restartContainers, err := s.stopContainers()
// The mechanism for restarting containers is not using hooks as it
// should happen as soon as possible (i.e. before uploading backups or
// similar).
defer func() {
s.must(restartContainers())
}()
if err != nil {
return err
}
return s.takeBackup()
}())
s.must(s.encryptBackup())
s.must(s.copyBackup())
s.must(s.pruneBackups())
}

37
cmd/backup/notifications.go
View File

@@ -1,4 +1,4 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
@@ -6,15 +6,11 @@ package main
import (
"bytes"
_ "embed"
"encoding/json"
"errors"
"fmt"
"os"
"text/template"
"time"
sTypes "github.com/nicholas-fedor/shoutrrr/pkg/types"
"github.com/offen/docker-volume-backup/internal/errwrap"
sTypes "github.com/containrrr/shoutrrr/pkg/types"
)
//go:embed notifications.tmpl
@@ -38,16 +34,16 @@ func (s *script) notify(titleTemplate string, bodyTemplate string, err error) er
titleBuf := &bytes.Buffer{}
if err := s.template.ExecuteTemplate(titleBuf, titleTemplate, params); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error executing %s template", titleTemplate))
return fmt.Errorf("notifyFailure: error executing %s template: %w", titleTemplate, err)
}
bodyBuf := &bytes.Buffer{}
if err := s.template.ExecuteTemplate(bodyBuf, bodyTemplate, params); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error executing %s template", bodyTemplate))
return fmt.Errorf("notifyFailure: error executing %s template: %w", bodyTemplate, err)
}
if err := s.sendNotification(titleBuf.String(), bodyBuf.String()); err != nil {
return errwrap.Wrap(err, "error sending notification")
return fmt.Errorf("notifyFailure: error notifying: %w", err)
}
return nil
}
@@ -71,7 +67,7 @@ func (s *script) sendNotification(title, body string) error {
}
}
if len(errs) != 0 {
return errwrap.Wrap(errors.Join(errs...), "error sending message")
return fmt.Errorf("sendNotification: error sending message: %w", join(errs...))
}
return nil
}
@@ -86,9 +82,6 @@ var templateHelpers = template.FuncMap{
"formatBytesBin": func(bytes uint64) string {
return formatBytes(bytes, false)
},
"env": os.Getenv,
"toJson": toJson,
"toPrettyJson": toPrettyJson,
}
// formatBytes converts an amount of bytes in a human-readable representation
@@ -110,21 +103,3 @@ func formatBytes(b uint64, decimal bool) string {
}
return fmt.Sprintf(format, float64(b)/float64(div), "kMGTPE"[exp])
}
func toJson(v interface{}) string {
var bytes []byte
var err error
if bytes, err = json.Marshal(v); err != nil {
return fmt.Sprintf("failed to marshal JSON in notification template: %v", err)
}
return string(bytes)
}
func toPrettyJson(v interface{}) string {
var bytes []byte
var err error
if bytes, err = json.MarshalIndent(v, "", " "); err != nil {
return fmt.Sprintf("failed to marshal indent JSON in notification template: %v", err)
}
return string(bytes)
}

24
cmd/backup/profile.go
View File

@@ -1,24 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import "runtime"
func (c *command) profile() {
memStats := runtime.MemStats{}
runtime.ReadMemStats(&memStats)
c.logger.Info(
"Collecting runtime information",
"num_goroutines",
runtime.NumGoroutine(),
"memory_heap_alloc",
formatBytes(memStats.HeapAlloc, false),
"memory_heap_inuse",
formatBytes(memStats.HeapInuse, false),
"memory_heap_sys",
formatBytes(memStats.HeapSys, false),
"memory_heap_objects",
memStats.HeapObjects,
)
}

66
cmd/backup/prune_backups.go
View File

@@ -1,66 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"fmt"
"slices"
"strings"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
"golang.org/x/sync/errgroup"
)
// pruneBackups rotates away backups from local and remote storages using
// the given configuration. In case the given configuration would delete all
// backups, it does nothing instead and logs a warning.
func (s *script) pruneBackups() error {
if s.c.BackupRetentionDays < 0 {
return nil
}
deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
eg := errgroup.Group{}
for _, backend := range s.storages {
b := backend
eg.Go(func() error {
if skipPrune(b.Name(), s.c.BackupSkipBackendsFromPrune) {
s.logger.Info(
fmt.Sprintf("Skipping pruning for backend `%s`.", b.Name()),
)
return nil
}
stats, err := b.Prune(deadline, s.c.BackupPruningPrefix)
if err != nil {
return err
}
s.stats.Lock()
s.stats.Storages[b.Name()] = StorageStats{
Total: stats.Total,
Pruned: stats.Pruned,
}
s.stats.Unlock()
return nil
})
}
if err := eg.Wait(); err != nil {
return errwrap.Wrap(err, "error pruning backups")
}
return nil
}
// skipPrune returns true if the given backend name is contained in the
// list of skipped backends.
func skipPrune(name string, skippedBackends []string) bool {
return slices.ContainsFunc(
skippedBackends,
func(b string) bool {
return strings.EqualFold(b, name) // ignore case on both sides
},
)
}

124
cmd/backup/run_script.go
View File

@@ -1,124 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"errors"
"fmt"
"math/rand"
"runtime/debug"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
// runScript instantiates a new script object and orchestrates a backup run.
// To ensure it runs mutually exclusive a global file lock is acquired before
// it starts running. Any panic within the script will be recovered and returned
// as an error.
func runScript(c *Config) (err error) {
defer func() {
if derr := recover(); derr != nil {
fmt.Printf("%s: %s\n", derr, debug.Stack())
asErr, ok := derr.(error)
if ok {
err = errwrap.Wrap(asErr, "unexpected panic running script")
} else {
err = errwrap.Wrap(nil, fmt.Sprintf("%v", derr))
}
}
}()
s := newScript(c)
unlock, lockErr := s.lock("/var/lock/dockervolumebackup.lock")
if lockErr != nil {
err = errwrap.Wrap(lockErr, "error acquiring file lock")
return
}
defer func() {
if derr := unlock(); derr != nil {
err = errors.Join(err, errwrap.Wrap(derr, "error releasing file lock"))
}
}()
unset, err := s.c.applyEnv()
if err != nil {
return errwrap.Wrap(err, "error applying env")
}
defer func() {
if derr := unset(); derr != nil {
err = errors.Join(err, errwrap.Wrap(derr, "error unsetting environment variables"))
}
}()
if s.c != nil && s.c.BackupJitter > 0 {
max := s.c.BackupJitter
delay := time.Duration(rand.Int63n(int64(max) + 1))
if delay > 0 {
s.logger.Info(fmt.Sprintf("Applying startup jitter of %v", delay))
time.Sleep(delay)
}
}
if initErr := s.init(); initErr != nil {
err = errwrap.Wrap(initErr, "error instantiating script")
return
}
return func() (err error) {
scriptErr := func() error {
if err := s.withLabeledCommands(lifecyclePhaseArchive, func() (err error) {
restartContainersAndServices, err := s.stopContainersAndServices()
// The mechanism for restarting containers is not using hooks as it
// should happen as soon as possible (i.e. before uploading backups or
// similar).
defer func() {
if derr := restartContainersAndServices(); derr != nil {
err = errors.Join(err, errwrap.Wrap(derr, "error restarting containers and services"))
}
}()
if err != nil {
return
}
err = s.createArchive()
return
})(); err != nil {
return err
}
if err := s.withLabeledCommands(lifecyclePhaseProcess, s.encryptArchive)(); err != nil {
return err
}
if err := s.withLabeledCommands(lifecyclePhaseCopy, s.copyArchive)(); err != nil {
return err
}
if err := s.withLabeledCommands(lifecyclePhasePrune, s.pruneBackups)(); err != nil {
return err
}
return nil
}()
if hookErr := s.runHooks(scriptErr); hookErr != nil {
if scriptErr != nil {
return errwrap.Wrap(
nil,
fmt.Sprintf(
"error %v executing the script followed by %v calling the registered hooks",
scriptErr,
hookErr,
),
)
}
return errwrap.Wrap(
hookErr,
"the script ran successfully, but an error occurred calling the registered hooks",
)
}
if scriptErr != nil {
return errwrap.Wrap(scriptErr, "error running script")
}
return nil
}()
}

751
cmd/backup/script.go
View File

@@ -1,43 +1,48 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"bytes"
"context"
"errors"
"fmt"
"log/slog"
"io"
"io/fs"
"os"
"path"
"path/filepath"
"strings"
"text/template"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
"github.com/offen/docker-volume-backup/internal/storage/azure"
"github.com/offen/docker-volume-backup/internal/storage/dropbox"
"github.com/offen/docker-volume-backup/internal/storage/googledrive"
"github.com/offen/docker-volume-backup/internal/storage/local"
"github.com/offen/docker-volume-backup/internal/storage/s3"
"github.com/offen/docker-volume-backup/internal/storage/ssh"
"github.com/offen/docker-volume-backup/internal/storage/webdav"
"github.com/containrrr/shoutrrr"
"github.com/containrrr/shoutrrr/pkg/router"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/api/types/swarm"
"github.com/docker/docker/client"
"github.com/kelseyhightower/envconfig"
"github.com/leekchan/timeutil"
"github.com/nicholas-fedor/shoutrrr"
"github.com/nicholas-fedor/shoutrrr/pkg/router"
"github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/otiai10/copy"
"github.com/sirupsen/logrus"
"github.com/studio-b12/gowebdav"
"golang.org/x/crypto/openpgp"
)
// script holds all the stateful information required to orchestrate a
// single backup run.
type script struct {
cli *client.Client
storages []storage.Backend
logger *slog.Logger
sender *router.ServiceRouter
template *template.Template
hooks []hook
hookLevel hookLevel
cli *client.Client
minioClient *minio.Client
webdavClient *gowebdav.Client
logger *logrus.Logger
sender *router.ServiceRouter
template *template.Template
hooks []hook
hookLevel hookLevel
file string
stats *Stats
@@ -51,54 +56,34 @@ type script struct {
// remote resources like the Docker engine or remote storage locations. All
// reading from env vars or other configuration sources is expected to happen
// in this method.
func newScript(c *Config) *script {
func newScript() (*script, error) {
stdOut, logBuffer := buffer(os.Stdout)
return &script{
c: c,
logger: slog.New(slog.NewTextHandler(stdOut, nil)),
s := &script{
c: &Config{},
logger: &logrus.Logger{
Out: stdOut,
Formatter: new(logrus.TextFormatter),
Hooks: make(logrus.LevelHooks),
Level: logrus.InfoLevel,
},
stats: &Stats{
StartTime: time.Now(),
LogOutput: logBuffer,
Storages: map[string]StorageStats{
"S3": {},
"WebDAV": {},
"SSH": {},
"Local": {},
"Azure": {},
"Dropbox": {},
"GoogleDrive": {},
},
Storages: StoragesStats{},
},
}
}
func (s *script) init() error {
s.registerHook(hookLevelPlumbing, func(error) error {
s.stats.EndTime = time.Now()
s.stats.TookTime = s.stats.EndTime.Sub(s.stats.StartTime)
return nil
})
if err := envconfig.Process("", s.c); err != nil {
return nil, fmt.Errorf("newScript: failed to process configuration values: %w", err)
}
s.file = path.Join("/tmp", s.c.BackupFilename)
tmplFileName, tErr := template.New("extension").Parse(s.file)
if tErr != nil {
return errwrap.Wrap(tErr, "unable to parse backup file extension template")
}
var bf bytes.Buffer
if tErr := tmplFileName.Execute(&bf, map[string]string{
"Extension": func() string {
if s.c.BackupCompression == "none" {
return "tar"
}
return fmt.Sprintf("tar.%s", s.c.BackupCompression)
}(),
}); tErr != nil {
return errwrap.Wrap(tErr, "error executing backup file extension template")
}
s.file = bf.String()
if s.c.BackupFilenameExpand {
s.file = os.ExpandEnv(s.file)
s.c.BackupLatestSymlink = os.ExpandEnv(s.c.BackupLatestSymlink)
@@ -111,145 +96,57 @@ func (s *script) init() error {
if !os.IsNotExist(err) || dockerHostSet {
cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
if err != nil {
return errwrap.Wrap(err, "failed to create docker client")
return nil, fmt.Errorf("newScript: failed to create docker client")
}
s.cli = cli
s.registerHook(hookLevelPlumbing, func(err error) error {
if err := s.cli.Close(); err != nil {
return errwrap.Wrap(err, "failed to close docker client")
}
return nil
})
}
logFunc := func(logType storage.LogLevel, context string, msg string, params ...any) {
switch logType {
case storage.LogLevelWarning:
s.logger.Warn(fmt.Sprintf(msg, params...), "storage", context)
default:
s.logger.Info(fmt.Sprintf(msg, params...), "storage", context)
}
}
if s.c.AwsS3BucketName != "" {
s3Config := s3.Config{
Endpoint: s.c.AwsEndpoint,
AccessKeyID: s.c.AwsAccessKeyID,
SecretAccessKey: s.c.AwsSecretAccessKey,
IamRoleEndpoint: s.c.AwsIamRoleEndpoint,
EndpointProto: s.c.AwsEndpointProto,
EndpointInsecure: s.c.AwsEndpointInsecure,
RemotePath: s.c.AwsS3Path,
BucketName: s.c.AwsS3BucketName,
StorageClass: s.c.AwsStorageClass,
CACert: s.c.AwsEndpointCACert.Cert,
PartSize: s.c.AwsPartSize,
var creds *credentials.Credentials
if s.c.AwsAccessKeyID != "" && s.c.AwsSecretAccessKey != "" {
creds = credentials.NewStaticV4(
s.c.AwsAccessKeyID,
s.c.AwsSecretAccessKey,
"",
)
} else if s.c.AwsIamRoleEndpoint != "" {
creds = credentials.NewIAM(s.c.AwsIamRoleEndpoint)
} else {
return nil, errors.New("newScript: AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
}
s3Backend, err := s3.NewStorageBackend(s3Config, logFunc)
options := minio.Options{
Creds: creds,
Secure: s.c.AwsEndpointProto == "https",
}
if s.c.AwsEndpointInsecure {
if !options.Secure {
return nil, errors.New("newScript: AWS_ENDPOINT_INSECURE = true is only meaningful for https")
}
transport, err := minio.DefaultTransport(true)
if err != nil {
return nil, fmt.Errorf("newScript: failed to create default minio transport")
}
transport.TLSClientConfig.InsecureSkipVerify = true
options.Transport = transport
}
mc, err := minio.New(s.c.AwsEndpoint, &options)
if err != nil {
return errwrap.Wrap(err, "error creating s3 storage backend")
return nil, fmt.Errorf("newScript: error setting up minio client: %w", err)
}
s.storages = append(s.storages, s3Backend)
s.minioClient = mc
}
if s.c.WebdavUrl != "" {
webDavConfig := webdav.Config{
URL: s.c.WebdavUrl,
URLInsecure: s.c.WebdavUrlInsecure,
Username: s.c.WebdavUsername,
Password: s.c.WebdavPassword,
RemotePath: s.c.WebdavPath,
if s.c.WebdavUsername == "" || s.c.WebdavPassword == "" {
return nil, errors.New("newScript: WEBDAV_URL is defined, but no credentials were provided")
} else {
webdavClient := gowebdav.NewClient(s.c.WebdavUrl, s.c.WebdavUsername, s.c.WebdavPassword)
s.webdavClient = webdavClient
}
webdavBackend, err := webdav.NewStorageBackend(webDavConfig, logFunc)
if err != nil {
return errwrap.Wrap(err, "error creating webdav storage backend")
}
s.storages = append(s.storages, webdavBackend)
}
if s.c.SSHHostName != "" {
sshConfig := ssh.Config{
HostName: s.c.SSHHostName,
Port: s.c.SSHPort,
User: s.c.SSHUser,
Password: s.c.SSHPassword,
IdentityFile: s.c.SSHIdentityFile,
IdentityPassphrase: s.c.SSHIdentityPassphrase,
RemotePath: s.c.SSHRemotePath,
}
sshBackend, closeSSHConnection, err := ssh.NewStorageBackend(sshConfig, logFunc)
s.registerHook(hookLevelPlumbing, func(err error) error {
if err := closeSSHConnection(); err != nil {
return errwrap.Wrap(err, "failed to close ssh connection")
}
return nil
})
if err != nil {
return errwrap.Wrap(err, "error creating ssh storage backend")
}
s.storages = append(s.storages, sshBackend)
}
if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
localConfig := local.Config{
ArchivePath: s.c.BackupArchive,
LatestSymlink: s.c.BackupLatestSymlink,
}
localBackend := local.NewStorageBackend(localConfig, logFunc)
s.storages = append(s.storages, localBackend)
}
if s.c.AzureStorageAccountName != "" {
azureConfig := azure.Config{
ContainerName: s.c.AzureStorageContainerName,
AccountName: s.c.AzureStorageAccountName,
PrimaryAccountKey: s.c.AzureStoragePrimaryAccountKey,
Endpoint: s.c.AzureStorageEndpoint,
RemotePath: s.c.AzureStoragePath,
ConnectionString: s.c.AzureStorageConnectionString,
AccessTier: s.c.AzureStorageAccessTier,
}
azureBackend, err := azure.NewStorageBackend(azureConfig, logFunc)
if err != nil {
return errwrap.Wrap(err, "error creating azure storage backend")
}
s.storages = append(s.storages, azureBackend)
}
if s.c.DropboxRefreshToken != "" && s.c.DropboxAppKey != "" && s.c.DropboxAppSecret != "" {
dropboxConfig := dropbox.Config{
Endpoint: s.c.DropboxEndpoint,
OAuth2Endpoint: s.c.DropboxOAuth2Endpoint,
RefreshToken: s.c.DropboxRefreshToken,
AppKey: s.c.DropboxAppKey,
AppSecret: s.c.DropboxAppSecret,
RemotePath: s.c.DropboxRemotePath,
ConcurrencyLevel: s.c.DropboxConcurrencyLevel.Int(),
}
dropboxBackend, err := dropbox.NewStorageBackend(dropboxConfig, logFunc)
if err != nil {
return errwrap.Wrap(err, "error creating dropbox storage backend")
}
s.storages = append(s.storages, dropboxBackend)
}
if s.c.GoogleDriveCredentialsJSON != "" {
googleDriveConfig := googledrive.Config{
CredentialsJSON: s.c.GoogleDriveCredentialsJSON,
FolderID: s.c.GoogleDriveFolderID,
ImpersonateSubject: s.c.GoogleDriveImpersonateSubject,
Endpoint: s.c.GoogleDriveEndpoint,
TokenURL: s.c.GoogleDriveTokenURL,
}
googleDriveBackend, err := googledrive.NewStorageBackend(googleDriveConfig, logFunc)
if err != nil {
return errwrap.Wrap(err, "error creating googledrive storage backend")
}
s.storages = append(s.storages, googleDriveBackend)
}
if s.c.EmailNotificationRecipient != "" {
@@ -273,14 +170,14 @@ func (s *script) init() error {
hookLevel, ok := hookLevels[s.c.NotificationLevel]
if !ok {
return errwrap.Wrap(nil, fmt.Sprintf("unknown NOTIFICATION_LEVEL %s", s.c.NotificationLevel))
return nil, fmt.Errorf("newScript: unknown NOTIFICATION_LEVEL %s", s.c.NotificationLevel)
}
s.hookLevel = hookLevel
if len(s.c.NotificationURLs) > 0 {
sender, senderErr := shoutrrr.CreateSender(s.c.NotificationURLs...)
if senderErr != nil {
return errwrap.Wrap(senderErr, "error creating sender")
return nil, fmt.Errorf("newScript: error creating sender: %w", senderErr)
}
s.sender = sender
@@ -288,13 +185,13 @@ func (s *script) init() error {
tmpl.Funcs(templateHelpers)
tmpl, err = tmpl.Parse(defaultNotifications)
if err != nil {
return errwrap.Wrap(err, "unable to parse default notifications templates")
return nil, fmt.Errorf("newScript: unable to parse default notifications templates: %w", err)
}
if fi, err := os.Stat("/etc/dockervolumebackup/notifications.d"); err == nil && fi.IsDir() {
tmpl, err = tmpl.ParseGlob("/etc/dockervolumebackup/notifications.d/*.*")
if err != nil {
return errwrap.Wrap(err, "unable to parse user defined notifications templates")
return nil, fmt.Errorf("newScript: unable to parse user defined notifications templates: %w", err)
}
}
s.template = tmpl
@@ -315,5 +212,485 @@ func (s *script) init() error {
})
}
return s, nil
}
func (s *script) runCommands() (func() error, error) {
if s.cli == nil {
return noop, nil
}
if err := s.runLabeledCommands("docker-volume-backup.exec-pre"); err != nil {
return noop, fmt.Errorf("runCommands: error running pre commands: %w", err)
}
return func() error {
if err := s.runLabeledCommands("docker-volume-backup.exec-post"); err != nil {
return fmt.Errorf("runCommands: error running post commands: %w", err)
}
return nil
}, nil
}
// stopContainers stops all Docker containers that are marked as to being
// stopped during the backup and returns a function that can be called to
// restart everything that has been stopped.
func (s *script) stopContainers() (func() error, error) {
if s.cli == nil {
return noop, nil
}
allContainers, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
Quiet: true,
})
if err != nil {
return noop, fmt.Errorf("stopContainersAndRun: error querying for containers: %w", err)
}
containerLabel := fmt.Sprintf(
"docker-volume-backup.stop-during-backup=%s",
s.c.BackupStopContainerLabel,
)
containersToStop, err := s.cli.ContainerList(context.Background(), types.ContainerListOptions{
Quiet: true,
Filters: filters.NewArgs(filters.KeyValuePair{
Key: "label",
Value: containerLabel,
}),
})
if err != nil {
return noop, fmt.Errorf("stopContainersAndRun: error querying for containers to stop: %w", err)
}
if len(containersToStop) == 0 {
return noop, nil
}
s.logger.Infof(
"Stopping %d container(s) labeled `%s` out of %d running container(s).",
len(containersToStop),
containerLabel,
len(allContainers),
)
var stoppedContainers []types.Container
var stopErrors []error
for _, container := range containersToStop {
if err := s.cli.ContainerStop(context.Background(), container.ID, nil); err != nil {
stopErrors = append(stopErrors, err)
} else {
stoppedContainers = append(stoppedContainers, container)
}
}
var stopError error
if len(stopErrors) != 0 {
stopError = fmt.Errorf(
"stopContainersAndRun: %d error(s) stopping containers: %w",
len(stopErrors),
join(stopErrors...),
)
}
s.stats.Containers = ContainersStats{
All: uint(len(allContainers)),
ToStop: uint(len(containersToStop)),
Stopped: uint(len(stoppedContainers)),
}
return func() error {
servicesRequiringUpdate := map[string]struct{}{}
var restartErrors []error
for _, container := range stoppedContainers {
if swarmServiceName, ok := container.Labels["com.docker.swarm.service.name"]; ok {
servicesRequiringUpdate[swarmServiceName] = struct{}{}
continue
}
if err := s.cli.ContainerStart(context.Background(), container.ID, types.ContainerStartOptions{}); err != nil {
restartErrors = append(restartErrors, err)
}
}
if len(servicesRequiringUpdate) != 0 {
services, _ := s.cli.ServiceList(context.Background(), types.ServiceListOptions{})
for serviceName := range servicesRequiringUpdate {
var serviceMatch swarm.Service
for _, service := range services {
if service.Spec.Name == serviceName {
serviceMatch = service
break
}
}
if serviceMatch.ID == "" {
return fmt.Errorf("stopContainersAndRun: couldn't find service with name %s", serviceName)
}
serviceMatch.Spec.TaskTemplate.ForceUpdate = 1
if _, err := s.cli.ServiceUpdate(
context.Background(), serviceMatch.ID,
serviceMatch.Version, serviceMatch.Spec, types.ServiceUpdateOptions{},
); err != nil {
restartErrors = append(restartErrors, err)
}
}
}
if len(restartErrors) != 0 {
return fmt.Errorf(
"stopContainersAndRun: %d error(s) restarting containers and services: %w",
len(restartErrors),
join(restartErrors...),
)
}
s.logger.Infof(
"Restarted %d container(s) and the matching service(s).",
len(stoppedContainers),
)
return nil
}, stopError
}
// takeBackup creates a tar archive of the configured backup location and
// saves it to disk.
func (s *script) takeBackup() error {
backupSources := s.c.BackupSources
if s.c.BackupFromSnapshot {
s.logger.Warn(
"Using BACKUP_FROM_SNAPSHOT has been deprecated and will be removed in the next major version.",
)
s.logger.Warn(
"Please use `exec-pre` and `exec-post` commands to prepare your backup sources. Refer to the README for an upgrade guide.",
)
backupSources = filepath.Join("/tmp", s.c.BackupSources)
// copy before compressing guard against a situation where backup folder's content are still growing.
s.registerHook(hookLevelPlumbing, func(error) error {
if err := remove(backupSources); err != nil {
return fmt.Errorf("takeBackup: error removing snapshot: %w", err)
}
s.logger.Infof("Removed snapshot `%s`.", backupSources)
return nil
})
if err := copy.Copy(s.c.BackupSources, backupSources, copy.Options{
PreserveTimes: true,
PreserveOwner: true,
}); err != nil {
return fmt.Errorf("takeBackup: error creating snapshot: %w", err)
}
s.logger.Infof("Created snapshot of `%s` at `%s`.", s.c.BackupSources, backupSources)
}
tarFile := s.file
s.registerHook(hookLevelPlumbing, func(error) error {
if err := remove(tarFile); err != nil {
return fmt.Errorf("takeBackup: error removing tar file: %w", err)
}
s.logger.Infof("Removed tar file `%s`.", tarFile)
return nil
})
if err := createArchive(backupSources, tarFile, createArchiveOptions{
format: s.c.TarArchiveHeaderFormat.Format(),
}); err != nil {
return fmt.Errorf("takeBackup: error compressing backup folder: %w", err)
}
s.logger.Infof("Created backup of `%s` at `%s`.", backupSources, tarFile)
return nil
}
// encryptBackup encrypts the backup file using PGP and the configured passphrase.
// In case no passphrase is given it returns early, leaving the backup file
// untouched.
func (s *script) encryptBackup() error {
if s.c.GpgPassphrase == "" {
return nil
}
gpgFile := fmt.Sprintf("%s.gpg", s.file)
s.registerHook(hookLevelPlumbing, func(error) error {
if err := remove(gpgFile); err != nil {
return fmt.Errorf("encryptBackup: error removing gpg file: %w", err)
}
s.logger.Infof("Removed GPG file `%s`.", gpgFile)
return nil
})
outFile, err := os.Create(gpgFile)
defer outFile.Close()
if err != nil {
return fmt.Errorf("encryptBackup: error opening out file: %w", err)
}
_, name := path.Split(s.file)
dst, err := openpgp.SymmetricallyEncrypt(outFile, []byte(s.c.GpgPassphrase), &openpgp.FileHints{
IsBinary: true,
FileName: name,
}, nil)
defer dst.Close()
if err != nil {
return fmt.Errorf("encryptBackup: error encrypting backup file: %w", err)
}
src, err := os.Open(s.file)
if err != nil {
return fmt.Errorf("encryptBackup: error opening backup file `%s`: %w", s.file, err)
}
if _, err := io.Copy(dst, src); err != nil {
return fmt.Errorf("encryptBackup: error writing ciphertext to file: %w", err)
}
s.file = gpgFile
s.logger.Infof("Encrypted backup using given passphrase, saving as `%s`.", s.file)
return nil
}
// copyBackup makes sure the backup file is copied to both local and remote locations
// as per the given configuration.
func (s *script) copyBackup() error {
_, name := path.Split(s.file)
if stat, err := os.Stat(s.file); err != nil {
return fmt.Errorf("copyBackup: unable to stat backup file: %w", err)
} else {
size := stat.Size()
s.stats.BackupFile = BackupFileStats{
Size: uint64(size),
Name: name,
FullPath: s.file,
}
}
if s.minioClient != nil {
if _, err := s.minioClient.FPutObject(context.Background(), s.c.AwsS3BucketName, filepath.Join(s.c.AwsS3Path, name), s.file, minio.PutObjectOptions{
ContentType: "application/tar+gzip",
}); err != nil {
return fmt.Errorf("copyBackup: error uploading backup to remote storage: %w", err)
}
s.logger.Infof("Uploaded a copy of backup `%s` to bucket `%s`.", s.file, s.c.AwsS3BucketName)
}
if s.webdavClient != nil {
bytes, err := os.ReadFile(s.file)
if err != nil {
return fmt.Errorf("copyBackup: error reading the file to be uploaded: %w", err)
}
if err := s.webdavClient.MkdirAll(s.c.WebdavPath, 0644); err != nil {
return fmt.Errorf("copyBackup: error creating directory '%s' on WebDAV server: %w", s.c.WebdavPath, err)
}
if err := s.webdavClient.Write(filepath.Join(s.c.WebdavPath, name), bytes, 0644); err != nil {
return fmt.Errorf("copyBackup: error uploading the file to WebDAV server: %w", err)
}
s.logger.Infof("Uploaded a copy of backup `%s` to WebDAV-URL '%s' at path '%s'.", s.file, s.c.WebdavUrl, s.c.WebdavPath)
}
if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
if err := copyFile(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
}
s.logger.Infof("Stored copy of backup `%s` in local archive `%s`.", s.file, s.c.BackupArchive)
if s.c.BackupLatestSymlink != "" {
symlink := path.Join(s.c.BackupArchive, s.c.BackupLatestSymlink)
if _, err := os.Lstat(symlink); err == nil {
os.Remove(symlink)
}
if err := os.Symlink(name, symlink); err != nil {
return fmt.Errorf("copyBackup: error creating latest symlink: %w", err)
}
s.logger.Infof("Created/Updated symlink `%s` for latest backup.", s.c.BackupLatestSymlink)
}
}
return nil
}
// pruneBackups rotates away backups from local and remote storages using
// the given configuration. In case the given configuration would delete all
// backups, it does nothing instead and logs a warning.
func (s *script) pruneBackups() error {
if s.c.BackupRetentionDays < 0 {
return nil
}
deadline := time.Now().AddDate(0, 0, -int(s.c.BackupRetentionDays)).Add(s.c.BackupPruningLeeway)
// doPrune holds general control flow that applies to any kind of storage.
// Callers can pass in a thunk that performs the actual deletion of files.
var doPrune = func(lenMatches, lenCandidates int, description string, doRemoveFiles func() error) error {
if lenMatches != 0 && lenMatches != lenCandidates {
if err := doRemoveFiles(); err != nil {
return err
}
s.logger.Infof(
"Pruned %d out of %d %s as their age exceeded the configured retention period of %d days.",
lenMatches,
lenCandidates,
description,
s.c.BackupRetentionDays,
)
} else if lenMatches != 0 && lenMatches == lenCandidates {
s.logger.Warnf("The current configuration would delete all %d existing %s.", lenMatches, description)
s.logger.Warn("Refusing to do so, please check your configuration.")
} else {
s.logger.Infof("None of %d existing %s were pruned.", lenCandidates, description)
}
return nil
}
if s.minioClient != nil {
candidates := s.minioClient.ListObjects(context.Background(), s.c.AwsS3BucketName, minio.ListObjectsOptions{
WithMetadata: true,
Prefix: filepath.Join(s.c.AwsS3Path, s.c.BackupPruningPrefix),
Recursive: true,
})
var matches []minio.ObjectInfo
var lenCandidates int
for candidate := range candidates {
lenCandidates++
if candidate.Err != nil {
return fmt.Errorf(
"pruneBackups: error looking up candidates from remote storage: %w",
candidate.Err,
)
}
if candidate.LastModified.Before(deadline) {
matches = append(matches, candidate)
}
}
s.stats.Storages.S3 = StorageStats{
Total: uint(lenCandidates),
Pruned: uint(len(matches)),
}
doPrune(len(matches), lenCandidates, "remote backup(s)", func() error {
objectsCh := make(chan minio.ObjectInfo)
go func() {
for _, match := range matches {
objectsCh <- match
}
close(objectsCh)
}()
errChan := s.minioClient.RemoveObjects(context.Background(), s.c.AwsS3BucketName, objectsCh, minio.RemoveObjectsOptions{})
var removeErrors []error
for result := range errChan {
if result.Err != nil {
removeErrors = append(removeErrors, result.Err)
}
}
if len(removeErrors) != 0 {
return join(removeErrors...)
}
return nil
})
}
if s.webdavClient != nil {
candidates, err := s.webdavClient.ReadDir(s.c.WebdavPath)
if err != nil {
return fmt.Errorf("pruneBackups: error looking up candidates from remote storage: %w", err)
}
var matches []fs.FileInfo
var lenCandidates int
for _, candidate := range candidates {
if !strings.HasPrefix(candidate.Name(), s.c.BackupPruningPrefix) {
continue
}
lenCandidates++
if candidate.ModTime().Before(deadline) {
matches = append(matches, candidate)
}
}
s.stats.Storages.WebDAV = StorageStats{
Total: uint(lenCandidates),
Pruned: uint(len(matches)),
}
doPrune(len(matches), lenCandidates, "WebDAV backup(s)", func() error {
for _, match := range matches {
if err := s.webdavClient.Remove(filepath.Join(s.c.WebdavPath, match.Name())); err != nil {
return fmt.Errorf("pruneBackups: error removing file from WebDAV storage: %w", err)
}
}
return nil
})
}
if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
globPattern := path.Join(
s.c.BackupArchive,
fmt.Sprintf("%s*", s.c.BackupPruningPrefix),
)
globMatches, err := filepath.Glob(globPattern)
if err != nil {
return fmt.Errorf(
"pruneBackups: error looking up matching files using pattern %s: %w",
globPattern,
err,
)
}
var candidates []string
for _, candidate := range globMatches {
fi, err := os.Lstat(candidate)
if err != nil {
return fmt.Errorf(
"pruneBackups: error calling Lstat on file %s: %w",
candidate,
err,
)
}
if fi.Mode()&os.ModeSymlink != os.ModeSymlink {
candidates = append(candidates, candidate)
}
}
var matches []string
for _, candidate := range candidates {
fi, err := os.Stat(candidate)
if err != nil {
return fmt.Errorf(
"pruneBackups: error calling stat on file %s: %w",
candidate,
err,
)
}
if fi.ModTime().Before(deadline) {
matches = append(matches, candidate)
}
}
s.stats.Storages.Local = StorageStats{
Total: uint(len(candidates)),
Pruned: uint(len(matches)),
}
doPrune(len(matches), len(candidates), "local backup(s)", func() error {
var removeErrors []error
for _, match := range matches {
if err := os.Remove(match); err != nil {
removeErrors = append(removeErrors, err)
}
}
if len(removeErrors) != 0 {
return fmt.Errorf(
"pruneBackups: %d error(s) deleting local files, starting with: %w",
len(removeErrors),
join(removeErrors...),
)
}
return nil
})
}
return nil
}
// must exits the script run prematurely in case the given error
// is non-nil.
func (s *script) must(err error) {
if err != nil {
s.logger.Errorf("Fatal error running backup: %s", err)
panic(err)
}
}

23
cmd/backup/stats.go
View File

@@ -1,11 +1,10 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"bytes"
"sync"
"time"
)
@@ -17,15 +16,6 @@ type ContainersStats struct {
StopErrors uint
}
// ServicesStats contains info about Swarm services that have been
// operated upon
type ServicesStats struct {
All uint
ToScaleDown uint
ScaledDown uint
ScaleDownErrors uint
}
// BackupFileStats stats about the created backup file
type BackupFileStats struct {
Name string
@@ -40,16 +30,21 @@ type StorageStats struct {
PruneErrors uint
}
// StoragesStats stats about each possible archival location (Local, WebDAV, S3)
type StoragesStats struct {
Local StorageStats
WebDAV StorageStats
S3 StorageStats
}
// Stats global stats regarding script execution
type Stats struct {
sync.Mutex
StartTime time.Time
EndTime time.Time
TookTime time.Duration
LockedTime time.Duration
LogOutput *bytes.Buffer
Containers ContainersStats
Services ServicesStats
BackupFile BackupFileStats
Storages map[string]StorageStats
Storages StoragesStats
}

416
cmd/backup/stop_restart.go
View File

@@ -1,416 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"context"
"errors"
"fmt"
"io"
"os"
"sync"
"time"
"github.com/docker/cli/cli/command/service/progress"
ctr "github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/api/types/swarm"
"github.com/docker/docker/api/types/system"
"github.com/docker/docker/client"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
func scaleService(cli *client.Client, serviceID string, replicas uint64) ([]string, error) {
service, _, err := cli.ServiceInspectWithRaw(context.Background(), serviceID, swarm.ServiceInspectOptions{})
if err != nil {
return nil, errwrap.Wrap(err, fmt.Sprintf("error inspecting service %s", serviceID))
}
serviceMode := &service.Spec.Mode
switch {
case serviceMode.Replicated != nil:
serviceMode.Replicated.Replicas = &replicas
default:
return nil, errwrap.Wrap(nil, fmt.Sprintf("service to be scaled %s has to be in replicated mode", service.Spec.Name))
}
response, err := cli.ServiceUpdate(context.Background(), service.ID, service.Version, service.Spec, swarm.ServiceUpdateOptions{})
if err != nil {
return nil, errwrap.Wrap(err, "error updating service")
}
discardWriter := &noopWriteCloser{io.Discard}
if err := progress.ServiceProgress(context.Background(), cli, service.ID, discardWriter); err != nil {
return nil, err
}
return response.Warnings, nil
}
func awaitContainerCountForService(cli *client.Client, serviceID string, count int, timeoutAfter time.Duration) error {
poll := time.NewTicker(time.Second)
timeout := time.NewTimer(timeoutAfter)
defer timeout.Stop()
defer poll.Stop()
for {
select {
case <-timeout.C:
return errwrap.Wrap(
nil,
fmt.Sprintf(
"timed out after waiting %s for service %s to reach desired container count of %d",
timeoutAfter,
serviceID,
count,
),
)
case <-poll.C:
containers, err := cli.ContainerList(context.Background(), ctr.ListOptions{
Filters: filters.NewArgs(filters.KeyValuePair{
Key: "label",
Value: fmt.Sprintf("com.docker.swarm.service.id=%s", serviceID),
}),
})
if err != nil {
return errwrap.Wrap(err, "error listing containers")
}
if len(containers) == count {
return nil
}
}
}
}
func isSwarm(c interface {
Info(context.Context) (system.Info, error)
}) (bool, error) {
info, err := c.Info(context.Background())
if err != nil {
return false, errwrap.Wrap(err, "error getting docker info")
}
return info.Swarm.LocalNodeState != "" && info.Swarm.LocalNodeState != swarm.LocalNodeStateInactive && info.Swarm.ControlAvailable, nil
}
func hasLabel(labels map[string]string, key, value string) bool {
val, ok := labels[key]
return ok && val == value
}
func checkStopLabels(labels map[string]string, stopDuringBackupLabelValue string, stopDuringBackupNoRestartLabelValue string) (bool, bool, error) {
hasStopDuringBackupLabel := hasLabel(labels, "docker-volume-backup.stop-during-backup", stopDuringBackupLabelValue)
hasStopDuringBackupNoRestartLabel := hasLabel(labels, "docker-volume-backup.stop-during-backup-no-restart", stopDuringBackupNoRestartLabelValue)
if hasStopDuringBackupLabel && hasStopDuringBackupNoRestartLabel {
return hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, errwrap.Wrap(nil, "both docker-volume-backup.stop-during-backup and docker-volume-backup.stop-during-backup-no-restart have been set, cannot continue")
}
return hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, nil
}
// stopContainersAndServices stops all Docker containers that are marked as to being
// stopped during the backup and returns a function that can be called to
// restart everything that has been stopped.
func (s *script) stopContainersAndServices() (func() error, error) {
if s.cli == nil {
return noop, nil
}
isDockerSwarm, err := isSwarm(s.cli)
if err != nil {
return noop, errwrap.Wrap(err, "error determining swarm state")
}
labelValue := s.c.BackupStopDuringBackupLabel
if s.c.BackupStopContainerLabel != "" {
s.logger.Warn(
"Using BACKUP_STOP_CONTAINER_LABEL has been deprecated and will be removed in the next major version.",
)
s.logger.Warn(
"Please use BACKUP_STOP_DURING_BACKUP_LABEL instead. Refer to the docs for an upgrade guide.",
)
if _, ok := os.LookupEnv("BACKUP_STOP_DURING_BACKUP_LABEL"); ok {
return noop, errwrap.Wrap(nil, "both BACKUP_STOP_DURING_BACKUP_LABEL and BACKUP_STOP_CONTAINER_LABEL have been set, cannot continue")
}
labelValue = s.c.BackupStopContainerLabel
}
stopDuringBackupLabel := fmt.Sprintf(
"docker-volume-backup.stop-during-backup=%s",
labelValue,
)
stopDuringBackupNoRestartLabel := fmt.Sprintf(
"docker-volume-backup.stop-during-backup-no-restart=%s",
s.c.BackupStopDuringBackupNoRestartLabel,
)
allContainers, err := s.cli.ContainerList(context.Background(), ctr.ListOptions{})
if err != nil {
return noop, errwrap.Wrap(err, "error querying for containers")
}
var containersToStop []handledContainer
for _, c := range allContainers {
hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, err := checkStopLabels(c.Labels, labelValue, s.c.BackupStopDuringBackupNoRestartLabel)
if err != nil {
return noop, errwrap.Wrap(err, "error querying for containers to stop")
}
if !hasStopDuringBackupLabel && !hasStopDuringBackupNoRestartLabel {
continue
}
containersToStop = append(containersToStop, handledContainer{
summary: c,
restart: !hasStopDuringBackupNoRestartLabel,
})
}
var allServices []swarm.Service
var servicesToScaleDown []handledSwarmService
if isDockerSwarm {
allServices, err = s.cli.ServiceList(context.Background(), swarm.ServiceListOptions{Status: true})
if err != nil {
return noop, errwrap.Wrap(err, "error querying for services")
}
for _, service := range allServices {
hasStopDuringBackupLabel, hasStopDuringBackupNoRestartLabel, err := checkStopLabels(service.Spec.Labels, labelValue, s.c.BackupStopDuringBackupNoRestartLabel)
if err != nil {
return noop, errwrap.Wrap(err, "error querying for services to scale down")
}
if !hasStopDuringBackupLabel && !hasStopDuringBackupNoRestartLabel {
continue
}
if service.Spec.Mode.Replicated == nil {
return noop, errwrap.Wrap(
nil,
fmt.Sprintf("only replicated services can be restarted, but found a label on service %s", service.Spec.Name),
)
}
servicesToScaleDown = append(servicesToScaleDown, handledSwarmService{
serviceID: service.ID,
initialReplicaCount: *service.Spec.Mode.Replicated.Replicas,
restart: !hasStopDuringBackupNoRestartLabel,
})
}
}
if len(containersToStop) == 0 && len(servicesToScaleDown) == 0 {
return noop, nil
}
if isDockerSwarm {
for _, container := range containersToStop {
if swarmServiceID, ok := container.summary.Labels["com.docker.swarm.service.id"]; ok {
parentService, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, swarm.ServiceInspectOptions{})
if err != nil {
return noop, errwrap.Wrap(err, fmt.Sprintf("error querying for parent service with ID %s", swarmServiceID))
}
for label := range parentService.Spec.Labels {
if label == "docker-volume-backup.stop-during-backup" {
return noop, errwrap.Wrap(
nil,
fmt.Sprintf(
"container %s is labeled to stop but has parent service %s which is also labeled, cannot continue",
container.summary.Names[0],
parentService.Spec.Name,
),
)
}
}
}
}
}
s.logger.Info(
fmt.Sprintf(
"Stopping %d out of %d running container(s) as they were labeled %s or %s.",
len(containersToStop),
len(allContainers),
stopDuringBackupLabel,
stopDuringBackupNoRestartLabel,
),
)
if isDockerSwarm {
s.logger.Info(
fmt.Sprintf(
"Scaling down %d out of %d active service(s) as they were labeled %s or %s.",
len(servicesToScaleDown),
len(allServices),
stopDuringBackupLabel,
stopDuringBackupNoRestartLabel,
),
)
}
var stoppedContainers []handledContainer
var stopErrors []error
for _, container := range containersToStop {
if err := s.cli.ContainerStop(context.Background(), container.summary.ID, ctr.StopOptions{}); err != nil {
stopErrors = append(stopErrors, err)
} else {
stoppedContainers = append(stoppedContainers, container)
}
}
var scaledDownServices []handledSwarmService
var scaleDownErrors concurrentSlice[error]
if isDockerSwarm {
wg := sync.WaitGroup{}
for _, svc := range servicesToScaleDown {
wg.Add(1)
go func(svc handledSwarmService) {
defer wg.Done()
warnings, err := scaleService(s.cli, svc.serviceID, 0)
if err != nil {
scaleDownErrors.append(err)
return
}
scaledDownServices = append(scaledDownServices, svc)
for _, warning := range warnings {
s.logger.Warn(
fmt.Sprintf("The Docker API returned a warning when scaling down service %s: %s", svc.serviceID, warning),
)
}
// progress.ServiceProgress returns too early, so we need to manually check
// whether all containers belonging to the service have actually been removed
if err := awaitContainerCountForService(s.cli, svc.serviceID, 0, s.c.BackupStopServiceTimeout); err != nil {
scaleDownErrors.append(err)
}
}(svc)
}
wg.Wait()
}
s.stats.Containers = ContainersStats{
All: uint(len(allContainers)),
ToStop: uint(len(containersToStop)),
Stopped: uint(len(stoppedContainers)),
StopErrors: uint(len(stopErrors)),
}
s.stats.Services = ServicesStats{
All: uint(len(allServices)),
ToScaleDown: uint(len(servicesToScaleDown)),
ScaledDown: uint(len(scaledDownServices)),
ScaleDownErrors: uint(len(scaleDownErrors.value())),
}
var initialErr error
allErrors := append(stopErrors, scaleDownErrors.value()...)
if len(allErrors) != 0 {
initialErr = errwrap.Wrap(
errors.Join(allErrors...),
fmt.Sprintf(
"%d error(s) stopping containers",
len(allErrors),
),
)
}
return func() error {
var restartErrors []error
var restartedContainers []handledContainer
matchedServices := map[string]bool{}
for _, container := range stoppedContainers {
if !container.restart {
continue
}
if swarmServiceID, ok := container.summary.Labels["com.docker.swarm.service.id"]; ok && isDockerSwarm {
if _, ok := matchedServices[swarmServiceID]; ok {
continue
}
matchedServices[swarmServiceID] = true
// in case a container was part of a swarm service, the service requires to
// be force updated instead of restarting the container as it would otherwise
// remain in a "completed" state
service, _, err := s.cli.ServiceInspectWithRaw(context.Background(), swarmServiceID, swarm.ServiceInspectOptions{})
if err != nil {
restartErrors = append(
restartErrors,
errwrap.Wrap(err, "error looking up parent service"),
)
continue
}
service.Spec.TaskTemplate.ForceUpdate += 1
if _, err := s.cli.ServiceUpdate(
context.Background(), service.ID,
service.Version, service.Spec, swarm.ServiceUpdateOptions{},
); err != nil {
restartErrors = append(restartErrors, err)
}
continue
}
if err := s.cli.ContainerStart(context.Background(), container.summary.ID, ctr.StartOptions{}); err != nil {
restartErrors = append(restartErrors, err)
} else {
restartedContainers = append(restartedContainers, container)
}
}
var scaleUpErrors concurrentSlice[error]
var scaledUpServices []handledSwarmService
if isDockerSwarm {
wg := &sync.WaitGroup{}
for _, svc := range servicesToScaleDown {
if !svc.restart {
continue
}
wg.Add(1)
go func(svc handledSwarmService) {
defer wg.Done()
warnings, err := scaleService(s.cli, svc.serviceID, svc.initialReplicaCount)
if err != nil {
scaleDownErrors.append(err)
return
}
scaledUpServices = append(scaledUpServices, svc)
for _, warning := range warnings {
s.logger.Warn(
fmt.Sprintf("The Docker API returned a warning when scaling up service %s: %s", svc.serviceID, warning),
)
}
}(svc)
}
wg.Wait()
}
allErrors := append(restartErrors, scaleUpErrors.value()...)
if len(allErrors) != 0 {
return errwrap.Wrap(
errors.Join(allErrors...),
fmt.Sprintf(
"%d error(s) restarting containers and services",
len(allErrors),
),
)
}
s.logger.Info(
fmt.Sprintf(
"Restarted %d out of %d stopped container(s).",
len(restartedContainers),
len(stoppedContainers),
),
)
if isDockerSwarm {
s.logger.Info(
fmt.Sprintf(
"Scaled %d out of %d scaled down service(s) back up.",
len(scaledUpServices),
len(scaledDownServices),
),
)
}
return nil
}, initialErr
}

98
cmd/backup/stop_restart_test.go
View File

@@ -1,98 +0,0 @@
package main
import (
"context"
"errors"
"testing"
"github.com/docker/docker/api/types/swarm"
"github.com/docker/docker/api/types/system"
)
type mockInfoClient struct {
result system.Info
err error
}
func (m *mockInfoClient) Info(context.Context) (system.Info, error) {
return m.result, m.err
}
func TestIsSwarm(t *testing.T) {
tests := []struct {
name string
client *mockInfoClient
expected bool
expectError bool
}{
{
"swarm",
&mockInfoClient{
result: system.Info{
Swarm: swarm.Info{
LocalNodeState: swarm.LocalNodeStateActive,
ControlAvailable: true,
},
},
},
true,
false,
},
{
"worker",
&mockInfoClient{
result: system.Info{
Swarm: swarm.Info{
LocalNodeState: swarm.LocalNodeStateActive,
},
},
},
false,
false,
},
{
"compose",
&mockInfoClient{
result: system.Info{
Swarm: swarm.Info{
LocalNodeState: swarm.LocalNodeStateInactive,
},
},
},
false,
false,
},
{
"balena",
&mockInfoClient{
result: system.Info{
Swarm: swarm.Info{
LocalNodeState: "",
},
},
},
false,
false,
},
{
"error",
&mockInfoClient{
err: errors.New("the dinosaurs escaped"),
},
false,
true,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
result, err := isSwarm(test.client)
if (err != nil) != test.expectError {
t.Errorf("Unexpected error value %v", err)
}
if test.expected != result {
t.Errorf("Expected %v, got %v", test.expected, result)
}
})
}
}

3
cmd/backup/testdata/braces.env vendored
View File

@@ -1,3 +0,0 @@
FOO=${bar:-qux}
BAR=xxx
BAZ=$NOPE

7
cmd/backup/testdata/comments.env vendored
View File

@@ -1,7 +0,0 @@
# This is a comment about `why` things are here
# FOO="${bar:-qux}"
# e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before`
BAR=xxx
BAZ=$QUX

2
cmd/backup/testdata/default.env vendored
View File

@@ -1,2 +0,0 @@
FOO=bar
BAZ=qux

4
cmd/backup/testdata/expansion.env vendored
View File

@@ -1,4 +0,0 @@
BAR=xxx
FOO=${BAR}
BAZ=$BAR
QUX=${QUX}

105
cmd/backup/util.go
View File

@@ -1,23 +1,55 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// Copyright 2022 - Offen Authors <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package main
import (
"bytes"
"errors"
"fmt"
"io"
"os"
"sync"
"time"
ctr "github.com/docker/docker/api/types/container"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/robfig/cron/v3"
"strings"
)
var noop = func() error { return nil }
// copy creates a copy of the file located at `dst` at `src`.
func copyFile(src, dst string) error {
in, err := os.Open(src)
if err != nil {
return err
}
defer in.Close()
out, err := os.Create(dst)
if err != nil {
return err
}
_, err = io.Copy(out, in)
if err != nil {
out.Close()
return err
}
return out.Close()
}
// join takes a list of errors and joins them into a single error
func join(errs ...error) error {
if len(errs) == 1 {
return errs[0]
}
var msgs []string
for _, err := range errs {
if err == nil {
continue
}
msgs = append(msgs, err.Error())
}
return errors.New("[" + strings.Join(msgs, ", ") + "]")
}
// remove removes the given file or directory from disk.
func remove(location string) error {
fi, err := os.Lstat(location)
@@ -25,7 +57,7 @@ func remove(location string) error {
if os.IsNotExist(err) {
return nil
}
return errwrap.Wrap(err, fmt.Sprintf("error checking for existence of `%s`", location))
return fmt.Errorf("remove: error checking for existence of `%s`: %w", location, err)
}
if fi.IsDir() {
err = os.RemoveAll(location)
@@ -33,7 +65,7 @@ func remove(location string) error {
err = os.Remove(location)
}
if err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error removing `%s", location))
return fmt.Errorf("remove: error removing `%s`: %w", location, err)
}
return nil
}
@@ -52,60 +84,7 @@ type bufferingWriter struct {
func (b *bufferingWriter) Write(p []byte) (n int, err error) {
if n, err := b.buf.Write(p); err != nil {
return n, errwrap.Wrap(err, "error writing to buffer")
return n, fmt.Errorf("bufferingWriter: error writing to buffer: %w", err)
}
return b.writer.Write(p)
}
type noopWriteCloser struct {
io.Writer
}
func (noopWriteCloser) Close() error {
return nil
}
type handledContainer struct {
summary ctr.Summary
restart bool
}
type handledSwarmService struct {
serviceID string
initialReplicaCount uint64
restart bool
}
type concurrentSlice[T any] struct {
val []T
sync.Mutex
}
func (c *concurrentSlice[T]) append(v T) {
c.Lock()
defer c.Unlock()
c.val = append(c.val, v)
}
func (c *concurrentSlice[T]) value() []T {
return c.val
}
// checkCronSchedule detects whether the given cron expression will actually
// ever be executed or not.
func checkCronSchedule(expression string) (ok bool) {
defer func() {
if err := recover(); err != nil {
ok = false
}
}()
sched, err := cron.ParseStandard(expression)
if err != nil {
ok = false
return
}
now := time.Now()
sched.Next(now) // panics when the cron would never run
ok = true
return
}

2
docs/.gitignore vendored
View File

@@ -1,2 +0,0 @@
_site
.jekyll-cache

4
docs/Gemfile
View File

@@ -1,4 +0,0 @@
source 'https://rubygems.org'
gem "jekyll", "~> 4.3.2"
gem "just-the-docs", "0.6.1"

80
docs/Gemfile.lock
View File

@@ -1,80 +0,0 @@
GEM
remote: https://rubygems.org/
specs:
addressable (2.8.5)
public_suffix (>= 2.0.2, < 6.0)
colorator (1.1.0)
concurrent-ruby (1.2.2)
em-websocket (0.5.3)
eventmachine (>= 0.12.9)
http_parser.rb (~> 0)
eventmachine (1.2.7)
ffi (1.15.5)
forwardable-extended (2.6.0)
http_parser.rb (0.8.0)
i18n (1.14.1)
concurrent-ruby (~> 1.0)
jekyll (4.3.2)
addressable (~> 2.4)
colorator (~> 1.0)
em-websocket (~> 0.5)
i18n (~> 1.0)
jekyll-sass-converter (>= 2.0, < 4.0)
jekyll-watch (~> 2.0)
kramdown (~> 2.3, >= 2.3.1)
kramdown-parser-gfm (~> 1.0)
liquid (~> 4.0)
mercenary (>= 0.3.6, < 0.5)
pathutil (~> 0.9)
rouge (>= 3.0, < 5.0)
safe_yaml (~> 1.0)
terminal-table (>= 1.8, < 4.0)
webrick (~> 1.7)
jekyll-include-cache (0.2.1)
jekyll (>= 3.7, < 5.0)
jekyll-sass-converter (2.2.0)
sassc (> 2.0.1, < 3.0)
jekyll-seo-tag (2.8.0)
jekyll (>= 3.8, < 5.0)
jekyll-watch (2.2.1)
listen (~> 3.0)
just-the-docs (0.6.1)
jekyll (>= 3.8.5)
jekyll-include-cache
jekyll-seo-tag (>= 2.0)
rake (>= 12.3.1)
kramdown (2.4.0)
rexml
kramdown-parser-gfm (1.1.0)
kramdown (~> 2.0)
liquid (4.0.4)
listen (3.8.0)
rb-fsevent (~> 0.10, >= 0.10.3)
rb-inotify (~> 0.9, >= 0.9.10)
mercenary (0.4.0)
pathutil (0.16.2)
forwardable-extended (~> 2.6)
public_suffix (4.0.7)
rake (13.0.6)
rb-fsevent (0.11.2)
rb-inotify (0.10.1)
ffi (~> 1.0)
rexml (3.4.2)
rouge (3.30.0)
safe_yaml (1.0.5)
sassc (2.4.0)
ffi (~> 1.9)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
unicode-display_width (2.4.2)
webrick (1.8.2)
PLATFORMS
ruby
DEPENDENCIES
jekyll (~> 4.3.2)
just-the-docs (= 0.6.1)
BUNDLED WITH
2.1.4

39
docs/NOTIFICATION-TEMPLATES.md Normal file
View File

@@ -0,0 +1,39 @@
# Notification templates reference
In order to customize title and body of notifications you'll have to write a [go template](https://pkg.go.dev/text/template) and mount it inside the `/etc/dockervolumebackup/notifications.d/` directory.
Configuration, data about the backup run and helper functions will be passed to this template, this page documents them fully.
## Data
Here is a list of all data passed to the template:
* `Config`: this object holds the configuration that has been passed to the script. The field names are the name of the recognized environment variables converted in PascalCase. (e.g. `BACKUP_STOP_CONTAINER_LABEL` becomes `BackupStopContainerLabel`)
* `Error`: the error that made the backup fail. Only available in the `title_failure` and `body_failure` templates
* `Stats`: objects that holds stats regarding script execution. In case of an unsuccessful run, some information may not be available.
* `StartTime`: time when the script started execution
* `EndTime`: time when the backup has completed successfully (after pruning)
* `TookTime`: amount of time it took for the backup to run. (equal to `EndTime - StartTime`)
* `LockedTime`: amount of time it took for the backup to acquire the exclusive lock
* `LogOutput`: full log of the application
* `Containers`: object containing stats about the docker containers
* `All`: total number of containers
* `ToStop`: number of containers matched by the stop rule
* `Stopped`: number of containers successfully stopped
* `StopErrors`: number of containers that were unable to be stopped (equal to `ToStop - Stopped`)
* `BackupFile`: object containing information about the backup file
* `Name`: name of the backup file (e.g. `backup-2022-02-11T01-00-00.tar.gz`)
* `FullPath`: full path of the backup file (e.g. `/archive/backup-2022-02-11T01-00-00.tar.gz`)
* `Size`: size in bytes of the backup file
* `Storages`: object that holds stats about each storage
* `Local`, `S3` or `WebDAV`:
* `Total`: total number of backup files
* `Pruned`: number of backup files that were deleted due to pruning rule
* `PruneErrors`: number of backup files that were unable to be pruned
## Functions
Some formatting functions are also available:
* `formatTime`: formats a time object using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) format (e.g. `2022-02-11T01:00:00Z`)
* `formatBytesBin`: formats an amount of bytes using powers of 1024 (e.g. `7055258` bytes will be `6.7 MiB`)
* `formatBytesDec`: formats an amount of bytes using powers of 1000 (e.g. `7055258` bytes will be `7.1 MB`)

14
docs/README.md
View File

@@ -1,14 +0,0 @@
# Documentation site
This directory contains the sources for the documentation site published at <https://offen.github.io/docker-volume-backup>.
Assuming you have Ruby and [`bundler`][bundler] installed, you can run the site locally using the following commands:
```
bundle install
bundle exec jekyll serve
```
Note that changes in `_config.yml` require a manual restart to take effect.
[bundler]: https://bundler.io/

35
docs/_config.yml
View File

@@ -1,35 +0,0 @@
title: docker-volume-backup
description: Documentation for the offen/docker-volume-backup Docker image.
theme: just-the-docs
url: https://offen.github.io/docker-volume-backup/
callouts_level: quiet
callouts:
highlight:
color: yellow
important:
title: Important
color: blue
new:
title: New
color: green
note:
title: Note
color: purple
warning:
title: Warning
color: red
aux_links:
'GitHub Repository':
- https://github.com/offen/docker-volume-backup
nav_external_links:
- title: GitHub Repository
url: https://github.com/offen/docker-volume-backup
footer_content: >-
Copyright &copy; 2024 <a target="_blank" href="https://www.offen.software">offen.software</a> and contributors.
Distributed under the <a href="https://github.com/offen/docker-volume-backup/tree/main/LICENSE">MPL-2.0 License.</a><br>
Something missing, unclear or not working? Open <a href="https://github.com/offen/docker-volume-backup/issues">an issue</a>.

7
docs/_sass/custom/custom.scss
View File

@@ -1,7 +0,0 @@
.site-title {
font-size: unset !important;
}
.main-content pre {
font-size: 1.1em;
}

32
docs/how-tos/automatically-prune-old-backups.md
View File

@@ -1,32 +0,0 @@
---
title: Automatically prune old backups
layout: default
parent: How Tos
nav_order: 3
---
# Automatically prune old backups
When `BACKUP_RETENTION_DAYS` is configured, the command will check if there are any archives in the remote storage backend(s) or local archive that are older than the given retention value and rotate these backups away.
{: .note }
Be aware that this mechanism looks at __all files in the target bucket or archive__, which means that other files that are older than the given deadline are deleted as well.
In case you need to use a target that cannot be used exclusively for your backups, you can configure `BACKUP_PRUNING_PREFIX` to limit which files are considered eligible for deletion:
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
BACKUP_PRUNING_PREFIX: backup-
BACKUP_RETENTION_DAYS: '7'
volumes:
- ${HOME}/backups:/archive
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```

40
docs/how-tos/define-different-retention-schedules.md
View File

@@ -1,40 +0,0 @@
---
title: Define different retention schedules
layout: default
parent: How Tos
nav_order: 9
---
# Define different retention schedules
If you want to manage backup retention on different schedules, the most straight forward approach is to define a dedicated configuration for retention rule using a different prefix in the `BACKUP_FILENAME` parameter and then run them on different cron schedules.
For example, if you wanted to keep daily backups for 7 days, weekly backups for a month, and retain monthly backups forever, you could create three configuration files and mount them into `/etc/dockervolumebackup/conf.d`:
```ini
# 01daily.conf
BACKUP_FILENAME="daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
# run every day at 2am
BACKUP_CRON_EXPRESSION="0 2 * * *"
BACKUP_PRUNING_PREFIX="daily-backup-"
BACKUP_RETENTION_DAYS="7"
```
```ini
# 02weekly.conf
BACKUP_FILENAME="weekly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
# run every monday at 3am
BACKUP_CRON_EXPRESSION="0 3 * * 1"
BACKUP_PRUNING_PREFIX="weekly-backup-"
BACKUP_RETENTION_DAYS="31"
```
```ini
# 03monthly.conf
BACKUP_FILENAME="monthly-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
# run every 1st of a month at 4am
BACKUP_CRON_EXPRESSION="0 4 1 * *"
```
{: .note }
While it's possible to define colliding cron schedules for each of these configurations, you might need to adjust the value for `LOCK_TIMEOUT` in case your backups are large and might take longer than an hour.

9
docs/how-tos/encrypt-backups-using-gpg.md
View File

@@ -1,9 +0,0 @@
---
title: Encrypt backups using GPG
layout: default
parent: How Tos
nav_order: 7
nav_exclude: true
---
See: [Encrypt Backups](encrypt-backups)

30
docs/how-tos/encrypt-backups.md
View File

@@ -1,30 +0,0 @@
---
title: Encrypting backups
layout: default
parent: How Tos
nav_order: 7
---
# Encrypting backups
The image supports encrypting backups using one of two available methods: **GPG** or **[age](https://age-encryption.org/)**
## Using GPG encryption
In case a `GPG_PASSPHRASE` or `GPG_PUBLIC_KEY_RING` environment variable is set, the backup archive will be encrypted using the given key and saved as a `.gpg` file instead.
Assuming you have `gpg` installed, you can decrypt such a backup using (your OS will prompt for the passphrase before decryption can happen):
```console
gpg -o backup.tar.gz -d backup.tar.gz.gpg
```
## Using age encryption
age allows backups to be encrypted with either a symmetric key (password) or a public key. One of those options are available for use.
Given `AGE_PASSPHRASE` being provided, the backup archive will be encrypted with the passphrase and saved as a `.age` file instead. Refer to age documentation for how to properly decrypt.
Given `AGE_PUBLIC_KEYS` being provided (allowing multiple by separating each public key with `,`), the backup archive will be encrypted with the provided public keys. It will also result in the archive being saved as a `.age` file.
You can use SSH keys in addition to `age` keys for encryption; `AGE_PUBLIC_KEYS` accepts both.

42
docs/how-tos/handle-file-uploads-using-third-party-tools.md
View File

@@ -1,42 +0,0 @@
---
title: Handle file uploads using third party tools
layout: default
parent: How Tos
nav_order: 10
---
# Handle file uploads using third party tools
If you want to use an unsupported storage backend, or want to use a third party (e.g. rsync, rclone) tool for file uploads, you can build a Docker image containing the required binaries off this one, and call through to these in lifecycle hooks.
For example, if you wanted to use `rsync`, define your Docker image like this:
```Dockerfile
FROM offen/docker-volume-backup:v2
RUN apk add rsync
```
Using this image, you can now omit configuring any of the supported storage backends, and instead define your own mechanism in a `docker-volume-backup.copy-post` label:
```yml
services:
backup:
image: your-custom-image
restart: always
environment:
BACKUP_FILENAME: "daily-backup-%Y-%m-%dT%H-%M-%S.tar.gz"
BACKUP_CRON_EXPRESSION: "0 2 * * *"
labels:
- docker-volume-backup.copy-post=/bin/sh -c 'rsync $$COMMAND_RUNTIME_ARCHIVE_FILEPATH /destination'
volumes:
- app_data:/backup/app_data:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
# other services defined here ...
volumes:
app_data:
```
{: .note }
Commands will be invoked with the filepath of the tar archive passed as `COMMAND_RUNTIME_BACKUP_FILEPATH`.

8
docs/how-tos/index.md
View File

@@ -1,8 +0,0 @@
---
title: How Tos
layout: default
nav_order: 3
has_children: true
---
## How Tos

20
docs/how-tos/manual-trigger.md
View File

@@ -1,20 +0,0 @@
---
title: Trigger a backup manually
layout: default
parent: How Tos
nav_order: 8
---
# Trigger a backup manually
You can manually trigger a backup run outside of the defined cron schedule by executing the `backup` command inside the container:
```console
docker exec <container_ref> backup
```
If the container is configured to run multiple schedules, you can source the respective conf file before invoking the command:
```console
docker exec <container_ref> /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/myconf.env; set +a && backup'
```

35
docs/how-tos/replace-deprecated-backup-from-snapshot.md
View File

@@ -1,35 +0,0 @@
---
title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
layout: default
parent: How Tos
nav_order: 17
---
# Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
Starting with version 2.15.0, the `BACKUP_FROM_SNAPSHOT` feature has been deprecated.
If you need to prepare your sources before the backup is taken, use `archive-pre`, `archive-post` and an intermediate volume:
```yml
services:
my_app:
build: .
volumes:
- data:/var/my_app
- backup:/tmp/backup
labels:
- docker-volume-backup.archive-pre=cp -r /var/my_app /tmp/backup/my-app
- docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_SOURCES: /tmp/backup
volumes:
- backup:/backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
backup:
```

19
docs/how-tos/replace-deprecated-backup-stop-container-label.md
View File

@@ -1,19 +0,0 @@
---
title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
layout: default
parent: How Tos
nav_order: 20
---
# Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
Version `v2.36.0` deprecated the `BACKUP_STOP_CONTAINER_LABEL` setting and renamed it `BACKUP_STOP_DURING_BACKUP_LABEL` which is supposed to signal that this will stop both containers _and_ services.
Migrating is done by renaming the key for your custom value:
```diff
env:
- BACKUP_STOP_CONTAINER_LABEL: database
+ BACKUP_STOP_DURING_BACKUP_LABEL: database
```
The old key will stay supported until the next major version, but logs a warning each time a backup is taken.

23
docs/how-tos/replace-deprecated-exec-labels.md
View File

@@ -1,23 +0,0 @@
---
title: Replace deprecated exec-pre and exec-post labels
layout: default
parent: How Tos
nav_order: 18
---
# Replace deprecated `exec-pre` and `exec-post` labels
Version 2.19.0 introduced the option to run labeled commands at multiple points in time during the backup lifecycle.
In order to be able to use more obvious terminology in the new labels, the existing `exec-pre` and `exec-post` labels have been deprecated.
If you want to emulate the existing behavior, all you need to do is change `exec-pre` to `archive-pre` and `exec-post` to `archive-post`:
```diff
labels:
- - docker-volume-backup.exec-pre=cp -r /var/my_app /tmp/backup/my-app
+ - docker-volume-backup.archive-pre=cp -r /var/my_app /tmp/backup/my-app
- - docker-volume-backup.exec-post=rm -rf /tmp/backup/my-app
+ - docker-volume-backup.archive-post=rm -rf /tmp/backup/my-app
```
The `EXEC_LABEL` setting and the `docker-volume-backup.exec-label` label stay as is.
Check the additional documentation on running commands during the backup lifecycle to find out about further possibilities.

46
docs/how-tos/restore-volumes-from-backup.md
View File

@@ -1,46 +0,0 @@
---
title: Restore volumes from a backup
layout: default
parent: How Tos
nav_order: 6
---
# Restore volumes from a backup
In case you need to restore a volume from a backup, the most straight forward procedure to do so would be:
- Stop the container(s) that are using the volume
- Untar the backup you want to restore
```console
tar -C /tmp -xvf backup.tar.gz
```
- Using a temporary once-off container, mount the volume (the example assumes it's named `data`) and copy over the backup. Make sure you copy the correct path level (this depends on how you mount your volume into the backup container), you might need to strip some leading elements
```console
docker run -d --name temp_restore_container -v data:/backup_restore alpine
docker cp /tmp/backup/data-backup temp_restore_container:/backup_restore
docker stop temp_restore_container
docker rm temp_restore_container
```
- Restart the container(s) that are using the volume
Depending on your setup and the application(s) you are running, this might involve other steps to be taken still.
---
If you want to rollback an entire volume to an earlier backup snapshot (recommended for database volumes):
- Trigger a manual backup if necessary (see `Manually triggering a backup`).
- Stop the container(s) that are using the volume.
- If volume was initially created using docker-compose, find out exact volume name using:
```console
docker volume ls
```
- Remove existing volume (the example assumes it's named `data`):
```console
docker volume rm data
```
- Create new volume with the same name and restore a snapshot:
```console
docker run --rm -it -v data:/backup/my-app-backup -v /path/to/local_backups:/archive:ro alpine tar -xvzf /archive/full_backup_filename.tar.gz
```
- Restart the container(s) that are using the volume.

96
docs/how-tos/run-custom-commands.md
View File

@@ -1,96 +0,0 @@
---
title: Run custom commands during the backup lifecycle
layout: default
nav_order: 5
parent: How Tos
---
# Run custom commands during the backup lifecycle
In certain scenarios it can be required to run specific commands before and after a backup is taken (e.g. dumping a database).
When mounting the Docker socket into the `docker-volume-backup` container, you can define pre- and post-commands that will be run in the context of the target container (it is also possible to run commands inside the `docker-volume-backup` container itself using this feature).
{: .important }
In a multi-node Swarm setup, commands can currently only be run on the node the `offen/docker-volume-backup` container is running on.
Labeled containers on other nodes are not visible to the backup command.
Such commands are defined by specifying the command in a `docker-volume-backup.[step]-[pre|post]` label where `step` can be any of the following phases of a backup lifecycle:
- `archive` (the tar archive is created)
- `process` (the tar archive is processed, e.g. encrypted - optional)
- `copy` (the tar archive is copied to all configured storages)
- `prune` (existing backups are pruned based on the defined ruleset - optional)
{: .note }
So that the `docker-volume-backup` container can access the labels on other containers, it is necessary that the docker socket is mounted into
the `docker-volume-backup` container as shown in the Quickstart example.
Taking a database dump using `mysqldump` would look like this:
```yml
services:
# ... define other services using the `data` volume here
database:
image: mariadb
volumes:
- backup_data:/tmp/backups
labels:
- docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump --all-databases > /backups/dump.sql'
volumes:
backup_data:
```
{: .note }
Due to Docker limitations, you currently cannot use any kind of redirection in these commands unless you pass the command to `/bin/sh -c` or similar.
I.e. instead of using `echo "ok" > ok.txt` you will need to use `/bin/sh -c 'echo "ok" > ok.txt'`.
If you have more than one `docker-volume-backup` container (possibly across several docker-compose environments) to backup or you are using
multiple backup schedules, you will need to use `EXEC_LABEL` in the configuration and a `docker-volume-backup.exec-label` label on each
container using custom commands to ensure that the commands are only run by the correct `docker-volume-backup` instance.
{: .important }
In case you use `EXEC_LABEL` together with configuration mounted from `conf.d` it's important to understand that a distinct `EXEC_LABEL` __should be set in each configuration__.
Else, schedules that do not specify an `EXEC_LABEL` will still trigger commands on all containers with such labels, no matter whether they specify `docker-volume-backup.exec-label` or not.
```yml
services:
database:
image: mariadb
volumes:
- backup_data:/tmp/backups
labels:
- docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump --all-databases > /tmp/volume/dump.sql'
- docker-volume-backup.exec-label=database
backup:
image: offen/docker-volume-backup:v2
environment:
EXEC_LABEL: database
volumes:
- data:/backup/dump:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
backup_data:
```
The backup procedure is guaranteed to wait for all `pre` or `post` commands to finish before proceeding.
However, there are no guarantees about the order in which they are run, which could also happen concurrently.
By default the backup command is executed by the user provided by the container's image.
It is possible to specify a custom user that is used to run commands in dedicated labels with the format `docker-volume-backup.[step]-[pre|post].user`:
```yml
services:
gitea:
image: gitea/gitea
volumes:
- backup_data:/tmp
labels:
- docker-volume-backup.archive-pre.user=git
- docker-volume-backup.archive-pre=/bin/bash -c 'cd /tmp; /usr/local/bin/gitea dump -c /data/gitea/conf/app.ini -R -f dump.zip'
```
Make sure the user exists and is present in `passwd` inside the target container.

50
docs/how-tos/run-multiple-schedules.md
View File

@@ -1,50 +0,0 @@
---
title: Run multiple backup schedules in the same container
layout: default
parent: How Tos
nav_order: 11
---
# Run multiple backup schedules in the same container
Multiple backup schedules with different configuration can be configured by mounting an arbitrary number of configuration files (using the `.env` format) into `/etc/dockervolumebackup/conf.d`:
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./configuration:/etc/dockervolumebackup/conf.d
volumes:
data:
```
A separate cronjob will be created for each config file.
If a configuration value is set both in the global environment as well as in the config file, the config file will take precedence.
The `backup` command expects to run on an exclusive lock, so in case you provide the same or overlapping schedules in your cron expressions, the runs will still be executed serially, one after the other.
The exact order of schedules that use the same cron expression is not specified.
In case you need your schedules to overlap, you need to create a dedicated container for each schedule instead.
When changing the configuration, you currently need to manually restart the container for the changes to take effect.
Set `BACKUP_SOURCES` for each config file to control which subset of volume mounts gets backed up:
```yml
# With a volume configuration like this:
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./configuration:/etc/dockervolumebackup/conf.d
- app1_data:/backup/app1_data:ro
- app2_data:/backup/app2_data:ro
```
```ini
# In the 1st config file:
BACKUP_SOURCES=/backup/app1_data
# In the 2nd config file:
BACKUP_SOURCES=/backup/app2_data
```

25
docs/how-tos/set-container-timezone.md
View File

@@ -1,25 +0,0 @@
---
title: Set the timezone the container runs in
layout: default
parent: How Tos
nav_order: 8
---
# Set the timezone the container runs in
By default a container based on this image will run in the UTC timezone.
As the image is designed to be as small as possible, additional timezone data is not included.
In case you want to run your cron rules in your local timezone (respecting DST and similar), you can mount your Docker host's `/etc/timezone` and `/etc/localtime` in read-only mode:
```yml
services:
backup:
image: offen/docker-volume-backup:v2
volumes:
- data:/backup/my-app-backup:ro
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
volumes:
data:
```

39
docs/how-tos/set-up-dropbox.md
View File

@@ -1,39 +0,0 @@
---
title: Set up Dropbox storage backend
layout: default
parent: How Tos
nav_order: 12
---
# Set up Dropbox storage backend
## Acquiring authentication tokens
1. Create a new Dropbox App in the [App Console](https://www.dropbox.com/developers/apps)
2. Open your new Dropbox App and set `DROPBOX_APP_KEY` and `DROPBOX_APP_SECRET` in your environment (e.g. docker-compose.yml) accordingly
3. Click on `Permissions` in your app and make sure, that the following permissions are cranted (or more):
- `files.metadata.write`
- `files.metadata.read`
- `files.content.write`
- `files.content.read`
4. Replace APPKEY in `https://www.dropbox.com/oauth2/authorize?client_id=APPKEY&token_access_type=offline&response_type=code` with the app key from step 2
5. Visit the URL and confirm the access of your app. This gives you an `auth code` -> save it somewhere!
6. Replace AUTHCODE, APPKEY, APPSECRET accordingly and perform the request:
```
curl https://api.dropbox.com/oauth2/token \
-d code=AUTHCODE \
-d grant_type=authorization_code \
-d client_id=APPKEY \
-d client_secret=APPSECRET
```
7. Execute the request. You will get a JSON formatted reply. Use the value of the `refresh_token` for the last environment variable `DROPBOX_REFRESH_TOKEN`
8. You should now have `DROPBOX_APP_KEY`, `DROPBOX_APP_SECRET` and `DROPBOX_REFRESH_TOKEN` set. These don't expire.
Note: Using the "Generated access token" in the app console is not supported, as it is only very short lived and therefore not suitable for an automatic backup solution. The refresh token handles this automatically - the setup procedure above is only needed once.
## Other parameters
Important: If you chose `App folder` access during the creation of your Dropbox app in step 1 above, `DROPBOX_REMOTE_PATH` will be a relative path under the App folder!
(_For example, DROPBOX_REMOTE_PATH=/somedir means the backup file will be uploaded to /Apps/myapp/somedir_)
On the other hand if you chose `Full Dropbox` access, the value for `DROPBOX_REMOTE_PATH` will represent an absolute path inside your Dropbox storage area.
(_Still considering the same example above, the backup file will be uploaded to /somedir in your Dropbox root_)

130
docs/how-tos/set-up-notifications.md
View File

@@ -1,130 +0,0 @@
---
title: Receive notifications
layout: default
nav_order: 4
parent: How Tos
---
# Receive notifications
## Send email notifications on failed backup runs
To send out email notifications on failed backup runs, provide SMTP credentials, a sender and a recipient:
```yml
services:
backup:
image: offen/docker-volume-backup:v2
environment:
# ... other configuration values go here
NOTIFICATION_URLS=smtp://me:secret@smtp.example.com:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
```
Notification backends other than email are also supported.
Refer to the documentation of [shoutrrr][shoutrrr-docs] to find out about options and configuration.
[shoutrrr-docs]: https://shoutrrr.nickfedor.com/v0.10.3/services/overview/
{: .note }
If you also want notifications on successful executions, set `NOTIFICATION_LEVEL` to `info`.
## Customize notifications
The title and body of the notifications can be tailored to your needs using [Go templates](https://pkg.go.dev/text/template).
Template sources must be mounted inside the container in `/etc/dockervolumebackup/notifications.d/`: any file inside this directory will be parsed.
```yml
services:
backup:
image: offen/docker-volume-backup:v2
volumes:
- ./customized.template:/etc/dockervolumebackup/notifications.d/01.template
```
The files have to define [nested templates](https://pkg.go.dev/text/template#hdr-Nested_template_definitions) in order to override the original values. An example:
{% raw %}
```
{{ define "title_success" -}}
✅ Successfully ran backup {{ .Config.BackupStopDuringBackupLabel }}
{{- end }}
{{ define "body_success" -}}
▶️ Start time: {{ .Stats.StartTime | formatTime }}
⏹️ End time: {{ .Stats.EndTime | formatTime }}
⌛ Took time: {{ .Stats.TookTime }}
🛑 Stopped containers: {{ .Stats.Containers.Stopped }}/{{ .Stats.Containers.All }} ({{ .Stats.Containers.StopErrors }} errors)
⚖️ Backup size: {{ .Stats.BackupFile.Size | formatBytesBin }} / {{ .Stats.BackupFile.Size | formatBytesDec }}
🗑️ Pruned backups: {{ .Stats.Storages.Local.Pruned }}/{{ .Stats.Storages.Local.Total }} ({{ .Stats.Storages.Local.PruneErrors }} errors)
{{- end }}
```
{% endraw %}
Template names that can be overridden are:
- `title_success` (the title used for a successful execution)
- `body_success` (the body used for a successful execution)
- `title_failure` (the title used for a failed execution)
- `body_failure` (the body used for a failed execution)
## Notification templates reference
Configuration, data about the backup run and helper functions will be passed to these templates, this page documents them fully.
### Data
Here is a list of all data passed to the template:
* `Config`: this object holds the configuration that has been passed to the script. The field names are the name of the recognized environment variables converted in PascalCase. (e.g. `BACKUP_STOP_DURING_BACKUP_LABEL` becomes `BackupStopDuringBackupLabel`)
* `Error`: the error that made the backup fail. Only available in the `title_failure` and `body_failure` templates
* `Stats`: objects that holds stats regarding script execution. In case of an unsuccessful run, some information may not be available.
* `StartTime`: time when the script started execution
* `EndTime`: time when the backup has completed successfully (after pruning)
* `TookTime`: amount of time it took for the backup to run. (equal to `EndTime - StartTime`)
* `LockedTime`: amount of time it took for the backup to acquire the exclusive lock
* `LogOutput`: full log of the application
* `Containers`: object containing stats about the docker containers
* `All`: total number of containers
* `ToStop`: number of containers matched by the stop rule
* `Stopped`: number of containers successfully stopped
* `StopErrors`: number of containers that were unable to be stopped (equal to `ToStop - Stopped`)
* `Services`: object containing stats about the docker services (only populated when Docker is running in Swarm mode)
* `All`: total number of services
* `ToScaleDown`: number of containers matched by the scale down rule
* `ScaledDwon`: number of containers successfully scaled down
* `ScaleDownErrors`: number of containers that were unable to be stopped (equal to `ToScaleDown - ScaledDowm`)
* `BackupFile`: object containing information about the backup file
* `Name`: name of the backup file (e.g. `backup-2022-02-11T01-00-00.tar.gz`)
* `FullPath`: full path of the backup file (e.g. `/archive/backup-2022-02-11T01-00-00.tar.gz`)
* `Size`: size in bytes of the backup file
* `Storages`: object that holds stats about each storage
* `Local`, `S3`, `WebDAV`, `Azure`, `Dropbox` or `SSH`:
* `Total`: total number of backup files
* `Pruned`: number of backup files that were deleted due to pruning rule
* `PruneErrors`: number of backup files that were unable to be pruned
### Functions
Some formatting and helper functions are also available:
* `formatTime`: formats a time object using [RFC3339](https://datatracker.ietf.org/doc/html/rfc3339) format (e.g. `2022-02-11T01:00:00Z`)
* `formatBytesBin`: formats an amount of bytes using powers of 1024 (e.g. `7055258` bytes will be `6.7 MiB`)
* `formatBytesDec`: formats an amount of bytes using powers of 1000 (e.g. `7055258` bytes will be `7.1 MB`)
* `env`: returns the value of the environment variable of the given key if set
* `toJson`: converting object to JSON
* `toPrettyJson`: converting object to pretty JSON
## Special characters in notification URLs
The value given to `NOTIFICATION_URLS` is a comma separated list of URLs.
If such a URL contains special characters (e.g. commas) these need to be URL encoded.
To obtain an encoded version of your URL, you can use the CLI tool provided by `shoutrrr` (which is the library used for sending notifications):
```
docker run --rm -ti ghcr.io/nicholas-fedor/shoutrrr generate [service]
```
where service is any of the [supported services][shoutrrr-docs], e.g. for SMTP:
```
docker run --rm -ti ghcr.io/nicholas-fedor/shoutrrr generate smtp
```

62
docs/how-tos/stop-containers-during-backup.md
View File

@@ -1,62 +0,0 @@
---
title: Stop containers during backup
layout: default
parent: How Tos
nav_order: 1
---
# Stop containers during backup
{: .note }
In case you are running Docker in Swarm mode, [dedicated documentation](./use-with-docker-swarm.html) on service and container restart applies.
In many cases, it will be desirable to stop the services that are consuming the volume you want to backup in order to ensure data integrity.
This image can automatically stop and restart containers and services.
By default, any container that is labeled `docker-volume-backup.stop-during-backup=true` will be stopped before the backup is being taken and restarted once it has finished.
In case you need more fine grained control about which containers should be stopped (e.g. when backing up multiple volumes on different schedules), you can set the `BACKUP_STOP_DURING_BACKUP_LABEL` environment variable and then use the same value for labeling:
```yml
services:
app:
# definition for app ...
labels:
- docker-volume-backup.stop-during-backup=service1
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_STOP_DURING_BACKUP_LABEL: service1
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Stop containers during backup without restarting
Sometimes you might want to stop containers for the backup but not have them start again automatically, for example if they are normally started by an external process or scheduler.
For this use case, you can use the label `docker-volume-backup.stop-during-backup-no-restart`.
This label is **mutually exclusive** with `docker-volume-backup.stop-during-backup` and performs the same stop operation but skips restarting the container after the backup has finished.
```yml
services:
app:
# definition for app ...
labels:
- docker-volume-backup.stop-during-backup-no-restart=service2
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_STOP_DURING_BACKUP__NO_RESTART_LABEL: service2
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```

26
docs/how-tos/update-deprecated-email-config.md
View File

@@ -1,26 +0,0 @@
---
title: Update deprecated email configuration
layout: default
parent: How Tos
nav_order: 19
---
# Update deprecated email configuration
Starting with version 2.6.0, configuring email notifications using `EMAIL_*` keys has been deprecated.
Instead of providing multiple values using multiple keys, you can now provide a single URL for `NOTIFICATION_URLS`.
Before:
```ini
EMAIL_NOTIFICATION_RECIPIENT="you@example.com"
EMAIL_NOTIFICATION_SENDER="no-reply@example.com"
EMAIL_SMTP_HOST="posteo.de"
EMAIL_SMTP_PASSWORD="secret"
EMAIL_SMTP_USERNAME="me"
EMAIL_SMTP_PORT="587"
```
After:
```ini
NOTIFICATION_URLS=smtp://me:secret@posteo.de:587/?fromAddress=no-reply@example.com&toAddresses=you@example.com
```

36
docs/how-tos/use-as-non-root.md
View File

@@ -1,36 +0,0 @@
---
title: Use the image as a non-root user
layout: default
parent: How Tos
nav_order: 16
---
# Use the image as a non-root user
{: .important }
Running as a non-root user limits interaction with the Docker Daemon.
If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root.
By default, this image executes backups using the `root` user.
In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id:
```console
docker run --rm \
-v data:/backup/data \
--env AWS_ACCESS_KEY_ID="<xxx>" \
--env AWS_SECRET_ACCESS_KEY="<xxx>" \
--env AWS_S3_BUCKET_NAME="<xxx>" \
--entrypoint backup \
--user 1000:1000 \
offen/docker-volume-backup:v2
```
or in a compose file:
```yml
services:
backup:
image: offen/docker-volume-backup:v2
user: 1000:1000
# further configuration omitted ...
```

45
docs/how-tos/use-custom-docker-host.md
View File

@@ -1,45 +0,0 @@
---
title: Use a custom Docker host
layout: default
parent: How Tos
nav_order: 14
---
# Use a custom Docker host
If you are interfacing with Docker via TCP, set `DOCKER_HOST` to the correct URL.
```ini
DOCKER_HOST=tcp://docker_socket_proxy:2375
```
If you do this as you seek to restrict access to the Docker socket, this tool is potentially calling the following Docker APIs:
| API | When |
|-|-|
| `Info` | always |
| `ContainerExecCreate` | running commands from `exec-labels` |
| `ContainerExecAttach` | running commands from `exec-labels` |
| `ContainerExecInspect` | running commands from `exec-labels` |
| `ContainerList` | always |
`ServiceList` | Docker engine is running in Swarm mode |
| `ServiceInspect` | Docker engine is running in Swarm mode |
| `ServiceUpdate` | Docker engine is running in Swarm mode and `stop-during-backup` is used |
| `ConatinerStop` | `stop-during-backup` labels are applied to containers |
| `ContainerStart` | `stop-during-backup` labels are applied to container |
---
In case you are using [`docker-socket-proxy`][proxy], this means following permissions are required:
| Permission | When |
|-|-|
| INFO | always required |
| CONTAINERS | always required |
| POST | required when using `stop-during-backup` or `exec` labels |
| EXEC | required when using `exec`-labeled commands |
| SERVICES | required when Docker Engine is running in Swarm mode |
| NODES | required when labeling services `stop-during-backup` |
| TASKS | required when labeling services `stop-during-backup` |
[proxy]: https://github.com/Tecnativa/docker-socket-proxy

23
docs/how-tos/use-rootless-docker.md
View File

@@ -1,23 +0,0 @@
---
title: Use with rootless Docker
layout: default
parent: How Tos
nav_order: 15
---
# Use with rootless Docker
It's also possible to use this image with a [rootless Docker installation][rootless-docker].
Instead of mounting `/var/run/docker.sock`, mount the user-specific socket into the container:
```yml
services:
backup:
image: offen/docker-volume-backup:v2
# ... configuration omitted
volumes:
- backup:/backup:ro
- /run/user/1000/docker.sock:/var/run/docker.sock:ro
```
[rootless-docker]: https://docs.docker.com/engine/security/rootless/

82
docs/how-tos/use-with-docker-swarm.md
View File

@@ -1,82 +0,0 @@
---
title: Use with Docker Swarm
layout: default
parent: How Tos
nav_order: 13
---
# Use with Docker Swarm
{: .note }
The mechanisms described in this page __do only apply when Docker is running in [Swarm mode][swarm]__ and __when placing the `docker-volume-backup` container on a manager node__.
Containers that are placed on worker nodes function as if the Docker engine is not running in Swarm mode, i.e. there is no access to services and there is no way to interact with resources that are running on different host nodes.
[swarm]: https://docs.docker.com/engine/swarm/
## Stopping containers during backup
Stopping and restarting containers during backup creation when running Docker in Swarm mode is supported in two ways.
{: .important }
Make sure you label your services and containers using only one of the describe approaches.
In case the script encounters a container that is labeled and has a parent service that is also labeled, it will exit early.
### Scaling services down to zero before scaling back up
When labeling a service in the `deploy` section, the following strategy for stopping and restarting will be used:
- The service is scaled down to zero replicas
- The backup is created
- The service is scaled back up to the previous number of replicas
{: .note }
This approach will only work for services that are deployed in __replicated mode__.
Such a service definition could look like:
```yml
services:
app:
image: myorg/myimage:latest
deploy:
labels:
- docker-volume-backup.stop-during-backup=true
replicas: 2
```
### Stopping the containers
This approach bypasses the services and stops containers directly, creates the backup and restarts the containers again.
As Docker Swarm would usually try to instantly restart containers that are manually stopped, this approach only works when using the `on-failure` restart policy.
A restart policy of `always` is not compatible with this approach.
Such a service definition could look like:
```yml
services:
app:
image: myapp/myimage:latest
labels:
- docker-volume-backup.stop-during-backup=true
deploy:
replicas: 2
restart_policy:
condition: on-failure
```
---
## Memory limit considerations
When running in Swarm mode, it's also advised to set a hard memory limit on your service (~25MB should be enough in most cases, but if you backup large files above half a gigabyte or similar, you might have to raise this in case the backup exits with `Killed`):
```yml
services:
backup:
image: offen/docker-volume-backup:v2
deployment:
resources:
limits:
memory: 25M
```

120
docs/index.md
View File

@@ -1,120 +0,0 @@
---
title: Home
layout: home
nav_order: 1
---
# offen/docker-volume-backup
{:.no_toc}
Backup Docker volumes locally or to any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage.
{: .fs-6 .fw-300 }
---
The [offen/docker-volume-backup](https://hub.docker.com/r/offen/docker-volume-backup) Docker image can be used as a lightweight (below 15MB) companion container to an existing Docker setup.
It handles __recurring or one-off backups of Docker volumes__ to a __local directory__, __any S3, WebDAV, Azure Blob Storage, Dropbox, Google Drive or SSH compatible storage (or any combination thereof) and rotates away old backups__ if configured. It also supports __encrypting your backups using GPG__ and __sending notifications for (failed) backup runs__.
{: .note }
Code and documentation for `v1` versions are found on [this branch][v1-branch].
[v1-branch]: https://github.com/offen/docker-volume-backup/tree/v1
---
1. TOC
{:toc}
## Quickstart
### Recurring backups in a compose setup
Add a `backup` service to your compose setup and mount the volumes you would like to see backed up:
```yml
services:
volume-consumer:
build:
context: ./my-app
volumes:
- data:/var/my-app
labels:
# This means the container will be stopped during backup to ensure
# backup integrity. You can omit this label if stopping during backup
# not required.
- docker-volume-backup.stop-during-backup=true
backup:
# In production, it is advised to lock your image tag to a proper
# release version instead of using `latest`.
# Check https://github.com/offen/docker-volume-backup/releases
# for a list of available releases.
image: offen/docker-volume-backup:latest
restart: always
env_file: ./backup.env # see below for configuration reference
volumes:
- data:/backup/my-app-backup:ro
# Mounting the Docker socket allows the script to stop and restart
# the container during backup and to access the container labels to
# specify custom commands. You can omit this if you don't want to
# stop the container or run custom commands. In case you need to
# proxy the socket, you can also provide a location by setting
# `DOCKER_HOST` in the container
- /var/run/docker.sock:/var/run/docker.sock:ro
# If you mount a local directory or volume to `/archive` a local
# copy of the backup will be stored there. You can override the
# location inside of the container by setting `BACKUP_ARCHIVE`.
# You can omit this if you do not want to keep local backups.
- /path/to/local_backups:/archive
volumes:
data:
```
### One-off backups using Docker CLI
To run a one time backup, mount the volume you would like to see backed up into a container and run the `backup` command:
```console
docker run --rm \
-v data:/backup/data \
--env AWS_ACCESS_KEY_ID="<xxx>" \
--env AWS_SECRET_ACCESS_KEY="<xxx>" \
--env AWS_S3_BUCKET_NAME="<xxx>" \
--entrypoint backup \
offen/docker-volume-backup:v2
```
Alternatively, pass a `--env-file` in order to use a full config as described below.
## Available image registries
This Docker image is published to both Docker Hub and the GitHub container registry.
Depending on your preferences and needs, you can reference both `offen/docker-volume-backup` as well as `ghcr.io/offen/docker-volume-backup`:
```
docker pull offen/docker-volume-backup:v2
docker pull ghcr.io/offen/docker-volume-backup:v2
```
Documentation references Docker Hub, but all examples will work using ghcr.io just as well.
## Supported Engines
This tool is developed and tested against the Docker CE engine exclusively.
While it may work against different implementations (e.g. Balena Engine), there are no guarantees about support for non-Docker engines.
## Differences to `jareware/docker-volume-backup`
This image is heavily inspired by `jareware/docker-volume-backup`. We decided to publish this image as a simpler and more lightweight alternative because of the following requirements:
- The original image is based on `ubuntu` and requires additional tools, making it heavy.
This version is roughly 1/20 in compressed size (it's ~25MB).
- The original image uses a shell script, when this version is written in Go.
- The original image proposed to handle backup rotation through AWS S3 lifecycle policies.
This image adds the option to rotate away old backups through the same command so this functionality can also be offered for non-AWS storage backends like MinIO.
Local copies of backups can also be pruned once they reach a certain age.
- InfluxDB specific functionality from the original image was removed.
- `arm64` and `arm/v7` architectures are supported.
- Docker in Swarm mode is supported.
- Notifications on finished backups are supported.
- IAM authentication through instance profiles is supported.

387
docs/recipes/index.md
View File

@@ -1,387 +0,0 @@
---
title: Recipes
layout: default
nav_order: 4
---
# Recipes
{: .no_toc }
This doc lists configuration for some real-world use cases that you can copy and paste to tweak and match your needs.
1. TOC
{: toc }
## Backing up to AWS S3
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Backing up to Filebase
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_ENDPOINT: s3.filebase.com
AWS_S3_BUCKET_NAME: filebase-bucket
AWS_ACCESS_KEY_ID: FILEBASE-ACCESS-KEY
AWS_SECRET_ACCESS_KEY: FILEBASE-SECRET-KEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Backing up to MinIO
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_ENDPOINT: minio.example.com
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: MINIOACCESSKEY
AWS_SECRET_ACCESS_KEY: MINIOSECRETKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Backing up to MinIO (using Docker secrets)
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_ENDPOINT: minio.example.com
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID_FILE: /run/secrets/minio_access_key
AWS_SECRET_ACCESS_KEY_FILE: /run/secrets/minio_secret_key
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
secrets:
- minio_access_key
- minio_secret_key
volumes:
data:
secrets:
minio_access_key:
# ... define how secret is accessed
minio_secret_key:
# ... define how secret is accessed
```
## Backing up to WebDAV
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
WEBDAV_URL: https://webdav.mydomain.me
WEBDAV_PATH: /my/directory/
WEBDAV_USERNAME: user
WEBDAV_PASSWORD: password
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Backing up to SSH
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
SSH_HOST_NAME: server.local
SSH_PORT: 2222
SSH_USER: user
SSH_REMOTE_PATH: /data
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /path/to/private_key:/root/.ssh/id_rsa
volumes:
data:
```
## Backing up to Azure Blob Storage
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AZURE_STORAGE_CONTAINER_NAME: backup-container
AZURE_STORAGE_ACCOUNT_NAME: account-name
AZURE_STORAGE_PRIMARY_ACCOUNT_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Backing up to Dropbox
See [Dropbox Setup](../how-tos/set-up-dropbox.md) on how to get the appropriate environment values.
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
DROPBOX_REFRESH_TOKEN: REFRESH_KEY # replace
DROPBOX_APP_KEY: APP_KEY # replace
DROPBOX_APP_SECRET: APP_SECRET # replace
DROPBOX_REMOTE_PATH: /somedir # replace
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Backing up locally
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
BACKUP_LATEST_SYMLINK: backup-latest.tar.gz
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${HOME}/backups:/archive
volumes:
data:
```
## Backing up to AWS S3 as well as locally
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${HOME}/backups:/archive
volumes:
data:
```
## Running on a custom cron schedule
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
# take a backup on every hour
BACKUP_CRON_EXPRESSION: "0 * * * *"
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Rotating away backups that are older than 7 days
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
BACKUP_FILENAME: backup-%Y-%m-%dT%H-%M-%S.tar.gz
BACKUP_PRUNING_PREFIX: backup-
BACKUP_RETENTION_DAYS: 7
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Encrypting your backups symmetrically using GPG
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GPG_PASSPHRASE: somesecretstring
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Encrypting your backups asymmetrically using GPG
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GPG_PUBLIC_KEY_RING: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
D/cIHu6GH/0ghlcUVSbgMg5RRI5QKNNKh04uLAPxr75mKwUg0xPUaWgyyrAChVBi
...
-----END PGP PUBLIC KEY BLOCK-----
volumes:
- data:/backup/my-app-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Using mariadb-dump/mysqldump to prepare the backup
```yml
services:
database:
image: mariadb:latest
labels:
- docker-volume-backup.archive-pre=/bin/sh -c 'mariadb-dump -psecret --all-databases > /tmp/dumps/dump.sql'
volumes:
- data:/tmp/dumps
backup:
image: offen/docker-volume-backup:v2
environment:
BACKUP_FILENAME: db.tar.gz
BACKUP_CRON_EXPRESSION: "0 2 * * *"
volumes:
- ./local:/archive
- data:/backup/data:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data:
```
## Running multiple instances in the same setup
```yml
services:
# ... define other services using the `data_1` and `data_2` volumes here
backup_1: &backup_service
image: offen/docker-volume-backup:v2
environment: &backup_environment
BACKUP_CRON_EXPRESSION: "0 2 * * *"
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Label the container using the `data_1` volume as `docker-volume-backup.stop-during-backup=service1`
BACKUP_STOP_DURING_BACKUP_LABEL: service1
volumes:
- data_1:/backup/data-1-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
backup_2:
<<: *backup_service
environment:
<<: *backup_environment
# Label the container using the `data_2` volume as `docker-volume-backup.stop-during-backup=service2`
BACKUP_CRON_EXPRESSION: "0 3 * * *"
BACKUP_STOP_DURING_BACKUP_LABEL: service2
volumes:
- data_2:/backup/data-2-backup:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
volumes:
data_1:
data_2:
```
## Running as a non-root user
```yml
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
user: 1000:1000
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
volumes:
data:
```

657
docs/reference/index.md
View File

@@ -1,657 +0,0 @@
---
title: Configuration Reference
layout: default
nav_order: 2
---
# Configuration reference
Backup targets, schedule and retention are configured using environment variables.
{: .note }
As per established convention, you can use any environment variable key from below with a `_FILE` suffix in order to load the value from a file instead.
This is typically useful when using [Docker Secrets](https://docs.docker.com/engine/swarm/secrets/) or similar.
Note that secrets will not be trimmed of leading or trailing whitespace.
{: .warning }
In case you encounter double quoted values in your runtime configuration you might still be using an [older version of `docker-compose`][compose-issue].
You can work around this by either updating `docker-compose` or unquoting your configuration values.
You can populate below template according to your requirements and use it as your `env_file`.
The values for each key currently match its default.
{% raw %}
```
########### BACKUP SCHEDULE
# Backups can be run on fixed scheduled that are defined as a cron expression.
# A cron expression represents a set of times, using 5 or 6 space-separated fields.
#
# Field name | Mandatory? | Allowed values | Allowed special characters
# ---------- | ---------- | -------------- | --------------------------
# Seconds | No | 0-59 | * / , -
# Minutes | Yes | 0-59 | * / , -
# Hours | Yes | 0-23 | * / , -
# Day of month | Yes | 1-31 | * / , - ?
# Month | Yes | 1-12 or JAN-DEC | * / , -
# Day of week | Yes | 0-6 or SUN-SAT | * / , - ?
#
# Month and Day-of-week field values are case insensitive.
# "SUN", "Sun", and "sun" are equally accepted.
# If you do not want the cron to ever run, use `0 0 5 31 2 ?`.
# Refer to sites like <https://crontab.guru> for help.
# If no value is set, `@daily` will be used, which runs every
# day at midnight.
# BACKUP_CRON_EXPRESSION="@daily"
# ---
# Optional startup delay ("jitter") applied before each backup run.
# The jitter introduces a random delay between 0 and the given duration,
#
# Set to "0s" or omit the variable to disable jitter completely.
# Default = "0s". In case you need to adjust this value, supply a duration
# value as per https://pkg.go.dev/time#ParseDuration to `BACKUP_JITTER`.
#
# BACKUP_JITTER="0s"
# ---
# The compression algorithm used in conjunction with tar.
# Valid options are: "gz" (Gzip), "zst" (Zstd) or "none" (tar only).
# Default is "gz". Note that the selection affects the file extension.
# BACKUP_COMPRESSION="gz"
# ---
# Parallelism level for "gz" (Gzip) compression.
# Defines how many blocks of data are concurrently processed.
# Higher values result in faster compression. No effect on decompression
# Default = 1. Setting this to 0 will use all available threads.
# GZIP_PARALLELISM="1"
# ---
# The desired name of the backup file including the extension.
# Format verbs will be replaced as in `strftime`. Omitting all verbs
# will result in the same filename for every backup run, which means previous
# versions will be overwritten on subsequent runs.
# Extension can be defined literally or via "{{ .Extension }}" template,
# in which case it will become either "tar.gz", "tar.zst" or ".tar" (depending
# on your BACKUP_COMPRESSION setting).
# The default results in filenames like: `backup-2021-08-29T04-00-00.tar.gz`.
# BACKUP_FILENAME="backup-%Y-%m-%dT%H-%M-%S.{{ .Extension }}"
# ---
# Setting BACKUP_FILENAME_EXPAND to true allows for environment variable
# placeholders in BACKUP_FILENAME, BACKUP_LATEST_SYMLINK and in
# BACKUP_PRUNING_PREFIX that will get expanded at runtime,
# e.g. `backup-$HOSTNAME-%Y-%m-%dT%H-%M-%S.tar.gz`. Expansion happens before
# interpolating strftime tokens. It is disabled by default.
# Please note that you will need to escape the `$` when providing the value
# in a docker-compose.yml file, i.e. using $$VAR instead of $VAR.
# BACKUP_FILENAME_EXPAND="true"
# ---
# When storing local backups, a symlink to the latest backup can be created
# in case a value is given for this key. This has no effect on remote backups.
# Example: "backup.latest.tar.gz"
# BACKUP_LATEST_SYMLINK=""
# ---
# ************************************************************************
# The BACKUP_FROM_SNAPSHOT option has been deprecated and will be removed
# in the next major version. Please use exec-pre and exec-post
# as documented below instead.
# ************************************************************************
# Whether to copy the content of backup folder before creating the tar archive.
# In the rare scenario where the content of the source backup volume is continuously
# updating, but we do not wish to stop the container while performing the backup,
# this setting can be used to ensure the integrity of the tar.gz file.
# BACKUP_FROM_SNAPSHOT="false"
# ---
# By default, the contents of the `/backup` directory inside the container
# will be backed up. In case you need to use a custom location, set `BACKUP_SOURCES`.
# Example: "/other/location"
# BACKUP_SOURCES="/backup"
# ---
# When a value is given, all files in BACKUP_SOURCES whose full path matches the
# regular expression will be excluded from the archive. Regular Expressions
# can be used as from the Go standard library https://pkg.go.dev/regexp
# Example: "\.log$"
# BACKUP_EXCLUDE_REGEXP=""
# ---
# Exclude one or many storage backends from the pruning process.
# Available backends are: S3, WebDAV, SSH, Local, Dropbox, Azure
# E.g. with one backend excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3
# E.g. with multiple backends excluded: BACKUP_SKIP_BACKENDS_FROM_PRUNE=s3,webdav
# Note: The names of the backends are case insensitive.
# Default: All backends get pruned.
# BACKUP_SKIP_BACKENDS_FROM_PRUNE=""
########### S3 COMPATIBLE STORAGE
# The name of the remote bucket that should be used for storing backups. If
# this is not set, no remote backups will be stored.
# Example: "backup-bucket"
# AWS_S3_BUCKET_NAME=""
# ---
# If you want to store the backup in a non-root location on your bucket
# you can provide a path. The path must not contain a leading slash.
# Example: "my/backup/location"
# AWS_S3_PATH=""
# ---
# Define credentials for authenticating against the backup storage and a bucket
# name. Although all of these keys are `AWS`-prefixed, the setup can be used
# with any S3 compatible storage.
# AWS_ACCESS_KEY_ID=""
# AWS_SECRET_ACCESS_KEY=""
# ---
# Instead of providing static credentials, you can also use IAM instance profiles
# or similar to provide authentication. Some possible configuration options on AWS:
# - EC2: http://169.254.169.254
# - ECS: http://169.254.170.2
# AWS_IAM_ROLE_ENDPOINT=""
# ---
# This is the FQDN of your storage server, e.g. `storage.example.com`.
# If you need to set a specific (non-https) protocol, you will need to use the option below.
# The default value points to the standard AWS S3 endpoint.
# AWS_ENDPOINT="s3.amazonaws.com"
# ---
# The protocol to be used when communicating with your S3 storage server.
# Defaults to "https". You can set this to "http" when communicating with
# a different Docker container in the same virtual network for example.
# AWS_ENDPOINT_PROTO="https"
# ---
# Setting this variable to `true` will disable verification of
# SSL certificates for AWS_ENDPOINT. You shouldn't use this unless you use
# self-signed certificates for your remote storage backend. This can only be
# used when AWS_ENDPOINT_PROTO is set to `https`.
# AWS_ENDPOINT_INSECURE="false"
# ---
# If you wish to use self signed certificates your S3 server, you can pass
# the location of a PEM encoded CA certificate and it will be used for
# validating your certificates. Alternatively, pass a PEM encoded string
# containing the certificate.
# Example: "/path/to/cert.pem"
# AWS_ENDPOINT_CA_CERT=""
# ---
# Setting a value for this key will change the S3 storage class header.
# Default behavior is to use the standard class when no value is given.
# Example: "GLACIER"
# AWS_STORAGE_CLASS=""
# ---
# Setting this variable will change the S3 default part size for the copy step.
# This value is useful when you want to upload large files.
# NB: While using Scaleway as S3 provider, be aware that the parts counter is set to 1.000.
# While Minio uses a hard coded value to 10.000. As a workaround, try to set a higher value.
# Defaults to "16" (MB) if unset (from minio), you can set this value according to your needs.
# The unit is in MB and an integer.
# AWS_PART_SIZE="16"
########### WEBDAV STORAGE
# The URL of the remote WebDAV server
# Example: "https://webdav.example.com"
# WEBDAV_URL=""
# ---
# The Directory to place the backups to on the WebDAV server.
# If the path is not present on the server it will be created.
# Example: "/my/directory/"
# WEBDAV_PATH=""
# ---
# The username for the WebDAV server
# Example: "user"
# WEBDAV_USERNAME=""
# ---
# The password for the WebDAV server
# Example: "password"
# WEBDAV_PASSWORD=""
# ---
# Setting this variable to "true" will disable verification of
# SSL certificates for WEBDAV_URL. You shouldn't use this unless you use
# self-signed certificates for your remote storage backend.
# WEBDAV_URL_INSECURE="false"
########### SSH/SFTP STORAGE
# The FQDN of the remote SSH server
# Example: "server.local"
# SSH_HOST_NAME=""
# ---
# The port of the remote SSH server
# SSH_PORT="22"
# ---
# The Directory to place the backups to on the SSH server.
# If the directory does not exist, it will be created automatically.
# Example: "/home/user/backups"
# SSH_REMOTE_PATH=""
# ---
# The username for the SSH server
# Example: "user"
# SSH_USER=""
# ---
# The password for the SSH server
# Example: "password"
# SSH_PASSWORD=""
# ---
# The private key path in container for SSH server.
# Consumers can mount a file into /root/.ssh/id_rsa (or the respective value)
# in order to have it being used. Non-RSA keys (e.g. ed25519) will also work.
# SSH_IDENTITY_FILE="/root/.ssh/id_rsa"
# ---
# The passphrase for the identity file if applicable
# Example: "pass"
# SSH_IDENTITY_PASSPHRASE=""
########### AZURE BLOB STORAGE
# The credential's account name when using Azure Blob Storage. This has to be
# set when using Azure Blob Storage.
# Example: "account-name"
# AZURE_STORAGE_ACCOUNT_NAME=""
# ---
# The credential's primary account key when using Azure Blob Storage. If this
# is not given, the command tries to fall back to using a connection string
# (if given) or a managed identity (if neither is set).
# AZURE_STORAGE_PRIMARY_ACCOUNT_KEY=""
# ---
# A connection string for accessing Azure Blob Storage. If this
# is not given, the command tries to fall back to using a primary account key
# (if given) or a managed identity (if neither is set).
# AZURE_STORAGE_CONNECTION_STRING=""
# ---
# The container name when using Azure Blob Storage.
# Example: "container-name"
# AZURE_STORAGE_CONTAINER_NAME=""
# ---
# The service endpoint when using Azure Blob Storage. This is a template that
# can be passed the account name as shown in the default value below.
# AZURE_STORAGE_ENDPOINT="https://{{ .AccountName }}.blob.core.windows.net/"
# ---
# The access tier when using Azure Blob Storage. Possible values are
# https://github.com/Azure/azure-sdk-for-go/blob/sdk/storage/azblob/v1.3.2/sdk/storage/azblob/internal/generated/zz_constants.go#L14-L30
# Example: "Cold"
# AZURE_STORAGE_ACCESS_TIER=""
########### DROPBOX STORAGE
# Absolute remote path in your Dropbox where the backups shall be stored.
# Note: Use your app's subpath in Dropbox, if it doesn't have global access.
# Consult the README for further information.
# Example: "/my/directory"
# DROPBOX_REMOTE_PATH=""
# ---
# App key and app secret from your app created at https://www.dropbox.com/developers/apps
# DROPBOX_APP_KEY=""
# DROPBOX_APP_SECRET=""
# ---
# Number of concurrent chunked uploads for Dropbox.
# Values above 6 usually result in no enhancements.
# DROPBOX_CONCURRENCY_LEVEL="6"
# ---
# Refresh token to request new short-lived tokens (OAuth2). Consult README to see how to get one.
# DROPBOX_REFRESH_TOKEN=""
########### GOOGLE DRIVE STORAGE
# The JSON credentials for a Google service account with access to Google Drive.
# You can provide either:
# 1. The actual JSON content directly
# 2. Use the _FILE suffix to load from a file (e.g., GOOGLE_DRIVE_CREDENTIALS_JSON_FILE)
#
# Examples:
# Option 1 - JSON content:
# docker run [...] \
# -e GOOGLE_DRIVE_CREDENTIALS_JSON='{"type":"service_account",...}'
#
# Option 2 - Using _FILE suffix (recommended for Docker Secrets):
# docker run [...] \
# -v ./credentials.json:/creds/google-credentials.json \
# -e GOOGLE_DRIVE_CREDENTIALS_JSON_FILE=/creds/google-credentials.json
#
# GOOGLE_DRIVE_CREDENTIALS_JSON=""
# ---
# The ID of the Google Drive folder where backups will be uploaded.
# You can find the folder ID in the URL when viewing the folder in Google Drive.
#
# Example: "1A2B3C4D5E6F7G8H9I0J"
#
# GOOGLE_DRIVE_FOLDER_ID=""
# ---
# The email address of the user to impersonate when accessing Google Drive (domain-wide delegation).
# This is required becasue your service account needs to act on behalf of a user in your organization in order to upload files.
# How to: https://support.google.com/a/answer/162106
# Example: "user@example.com"
#
# GOOGLE_DRIVE_IMPERSONATE_SUBJECT=""
# ---
# (Optional) Custom Google Drive API endpoint. This is primarily for testing with a mock server.
# Example: "http://localhost:8080/drive/v3"
#
# GOOGLE_DRIVE_ENDPOINT=""
# ---
# (Optional) Custom token URL for Google Drive authentication. This is primarily for testing with a mock server.
# Example: "http://localhost:8080/token"
#
# GOOGLE_DRIVE_TOKEN_URL=""
########### LOCAL FILE STORAGE
# In addition to storing backups remotely, you can also keep local copies.
# Pass a container-local path to store your backups if needed. You also need to
# mount a local folder or Docker volume into that location (`/archive`
# by default) when running the container. In case the specified directory does
# not exist (nothing is mounted) in the container when the backup is running,
# local backups will be skipped. Local paths are also be subject to pruning of
# old backups as defined below.
# BACKUP_ARCHIVE="/archive"
########### BACKUP PRUNING
# **IMPORTANT, PLEASE READ THIS BEFORE USING THIS FEATURE**:
# The mechanism used for pruning old backups is not very sophisticated
# and applies its rules to **all files in the target directory** by default,
# which means that if you are storing your backups next to other files,
# these might become subject to deletion too. When using this option
# make sure the backup files are stored in a directory used exclusively
# for such files, or to configure BACKUP_PRUNING_PREFIX to limit
# removal to certain files.
# Pass zero or a positive integer value to enable automatic rotation of
# old backups. The value declares the number of days for which a backup is kept.
# BACKUP_RETENTION_DAYS="-1"
# ---
# In case the duration a backup takes fluctuates noticeably in your setup
# you can adjust this setting to make sure there are no race conditions
# between the backup finishing and the rotation not deleting backups that
# sit on the edge of the time window. Set this value to a duration
# that is expected to be bigger than the maximum difference of backups.
# Valid values have a suffix of (s)econds, (m)inutes or (h)ours. By default,
# one minute is used.
# BACKUP_PRUNING_LEEWAY="1m"
# ---
# In case your target bucket or directory contains other files than the ones
# managed by this container, you can limit the scope of rotation by setting
# a prefix value. This would usually be the non-parametrized part of your
# BACKUP_FILENAME. E.g. if BACKUP_FILENAME is `db-backup-%Y-%m-%dT%H-%M-%S.tar.gz`,
# you can set BACKUP_PRUNING_PREFIX to `db-backup-` and make sure
# unrelated files are not affected by the rotation mechanism.
# BACKUP_PRUNING_PREFIX=""
########### BACKUP ENCRYPTION
# All of the encryption options are mutually exclusive. Provide a single option
# for the encryption scheme of your choice.
# Backups can be encrypted symmetrically using gpg in case a passphrase is given.
# GPG_PASSPHRASE=""
# ---
# Backups can be encrypted asymmetrically using gpg in case publickeys are given.
# You can use pipe syntax to pass a multiline value.
# GPG_PUBLIC_KEY_RING=""
# ---
# Backups can be encrypted symmetrically using age in case a passphrase is given.
# AGE_PASSPHRASE=""
# ---
# Backups can be encrypted asymmetrically using age in case publickeys are given.
# Multiple keys need to be provided as a comma separated list. Right now, this
# supports `age` and `ssh` keys
# AGE_PUBLIC_KEYS=""
########### STOPPING CONTAINERS AND SERVICES DURING BACKUP
# Containers or services can be stopped by applying a
# `docker-volume-backup.stop-during-backup` label. By default, all containers and
# services that are labeled with `true` will be stopped. If you need more fine
# grained control (e.g. when running multiple containers based on this image),
# you can override this default by specifying a different string value here.
# BACKUP_STOP_DURING_BACKUP_LABEL="true"
# Containers or services can also be stopped for the duration of the backup
# without being restarted afterwards by applying a
# `docker-volume-backup.stop-during-backup-no-restart` label. This behaves the
# same as `docker-volume-backup.stop-during-backup` but is mutually exclusive and
# skips restarting the container or service once the backup has finished.
# BACKUP_STOP_DURING_BACKUP_NO_RESTART_LABEL="true"
# When trying to scale down Docker Swarm services, give up after
# the specified amount of time in case the service has not converged yet.
# In case you need to adjust this timeout, supply a duration
# value as per https://pkg.go.dev/time#ParseDuration to `BACKUP_STOP_SERVICE_TIMEOUT`.
# BACKUP_STOP_SERVICE_TIMEOUT="5m"
########### EXECUTING COMMANDS IN CONTAINERS DURING THE BACKUP LIFECYCLE
# It is possible to define commands to be run in any container before and after
# a backup is conducted. The commands themselves are defined in labels like
# `docker-volume-backup.archive-pre=/bin/sh -c 'mysqldump [options] > dump.sql'.
# Several options exist for controlling this feature:
# By default, any output of such a command is suppressed. If this value
# is configured to be "true", command execution output will be forwarded to
# the backup container's stdout and stderr.
# EXEC_FORWARD_OUTPUT="false"
# ---
# Without any further configuration, all commands defined in labels will be
# run before and after a backup. If you need more fine grained control, you
# can use this option to set a label that will be used for narrowing down
# the set of eligible containers. E.g. when setting this to `database`,
# an eligible container will also need to be labeled as `docker-volume-backup.exec-label=database`.
# EXEC_LABEL=""
########### NOTIFICATIONS
# Notifications (email, Slack, etc.) can be sent out when a backup run finishes.
# Configuration is provided as a comma-separated list of URLs as consumed
# by `shoutrrr`: https://shoutrrr.nickfedor.com/v0.10.3/services/overview/
# The content of such notifications can be customized. Dedicated documentation
# on how to do this can be found in the README. When providing multiple URLs or
# an URL that contains a comma, the values can be URL encoded to avoid ambiguities.
# The following example URL demonstrates how to send an email using the provided SMTP
# configuration and credentials.
# Example: "smtp://username:password@host:587/?fromAddress=sender@example.com&toAddresses=recipient@example.com"
# NOTIFICATION_URLS=""
# ---
# By default, notifications would only be sent out when a backup run fails
# To receive notifications for every run, set `NOTIFICATION_LEVEL` to `info`
# instead of the default `error`.
# NOTIFICATION_LEVEL="error"
########### DOCKER HOST
# If you are interfacing with Docker via TCP you can set the Docker host here
# instead of mounting the Docker socket as a volume. This is unset by default.
# Example: "tcp://docker_socket_proxy:2375"
# DOCKER_HOST=""
########### LOCK_TIMEOUT
# In the case of overlapping cron schedules run by the same container,
# subsequent invocations will wait for previous runs to finish before starting.
# By default, this will time out and fail in case the lock could not be acquired
# after 60 minutes. In case you need to adjust this timeout, supply a duration
# value as per https://pkg.go.dev/time#ParseDuration to `LOCK_TIMEOUT`
# LOCK_TIMEOUT="60m"
########### EMAIL NOTIFICATIONS
# ************************************************************************
# Providing notification configuration like this has been deprecated
# and will be removed in the next major version. Please use NOTIFICATION_URLS
# as documented above instead.
# ************************************************************************
# In case SMTP credentials are provided, notification emails can be sent out when
# a backup run finished. These emails will contain the start time, the error
# message on failure and all prior log output.
# The recipient(s) of the notification. Supply a comma separated list
# of addresses if you want to notify multiple recipients. If this is
# not set, no emails will be sent.
# Example: "you@example.com"
# EMAIL_NOTIFICATION_RECIPIENT=""
# ---
# The "From" header of the sent email.
# Example: "no-reply@example.com"
# EMAIL_NOTIFICATION_SENDER="noreply@nohost"
# ---
# Configuration and credentials for the SMTP server to be used.
# EMAIL_SMTP_HOST=""
# EMAIL_SMTP_PASSWORD=""
# EMAIL_SMTP_USERNAME=""
# EMAIL_SMTP_PORT="587"
```
{% endraw %}
[compose-issue]: https://github.com/docker/compose/issues/2854

25
entrypoint.sh Normal file
View File

@@ -0,0 +1,25 @@
#!/bin/sh
# Copyright 2021 - Offen Authors <hioffen@posteo.de>
# SPDX-License-Identifier: MPL-2.0
set -e
if [ ! -d "/etc/dockervolumebackup/conf.d" ]; then
BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
echo "Installing cron.d entry with expression $BACKUP_CRON_EXPRESSION."
echo "$BACKUP_CRON_EXPRESSION backup 2>&1" | crontab -
else
echo "/etc/dockervolumebackup/conf.d was found, using configuration files from this directory."
for file in /etc/dockervolumebackup/conf.d/*; do
source $file
BACKUP_CRON_EXPRESSION="${BACKUP_CRON_EXPRESSION:-@daily}"
echo "Appending cron.d entry with expression $BACKUP_CRON_EXPRESSION and configuration file $file"
(crontab -l; echo "$BACKUP_CRON_EXPRESSION /bin/sh -c 'set -a; source $file; set +a && backup' 2>&1") | crontab -
done
fi
echo "Starting cron in foreground."
crond -f -l 8

137
go.mod
View File

@@ -1,111 +1,60 @@
module github.com/offen/docker-volume-backup
go 1.25.3
go 1.18
require (
filippo.io/age v1.2.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.3
github.com/containrrr/shoutrrr v0.5.2
github.com/cosiner/argv v0.1.0
github.com/docker/cli v28.5.1+incompatible
github.com/docker/docker v28.3.3+incompatible
github.com/gofrs/flock v0.13.0
github.com/joho/godotenv v1.5.1
github.com/klauspost/compress v1.18.1
github.com/docker/docker v20.10.11+incompatible
github.com/gofrs/flock v0.8.1
github.com/kelseyhightower/envconfig v1.4.0
github.com/leekchan/timeutil v0.0.0-20150802142658-28917288c48d
github.com/minio/minio-go/v7 v7.0.95
github.com/nicholas-fedor/shoutrrr v0.11.1
github.com/offen/envconfig v1.5.0
github.com/otiai10/copy v1.14.1
github.com/pkg/sftp v1.13.10
github.com/robfig/cron/v3 v3.0.1
github.com/studio-b12/gowebdav v0.11.0
golang.org/x/crypto v0.43.0
golang.org/x/oauth2 v0.32.0
golang.org/x/sync v0.17.0
google.golang.org/api v0.254.0
mvdan.cc/sh/v3 v3.12.0
github.com/minio/minio-go/v7 v7.0.16
github.com/otiai10/copy v1.7.0
github.com/sirupsen/logrus v1.8.1
github.com/studio-b12/gowebdav v0.0.0-20211109083228-3f8721cd4b6f
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
)
require (
cloud.google.com/go/auth v0.17.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cloud.google.com/go/compute/metadata v0.9.0 // indirect
filippo.io/edwards25519 v1.1.0 // indirect
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
github.com/cloudflare/circl v1.6.1 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/containerd/platforms v0.2.1 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.9.3 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fvbommel/sortorder v1.1.0 // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/goccy/go-json v0.10.5 // indirect
github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
github.com/googleapis/gax-go/v2 v2.15.0 // indirect
github.com/mattn/go-runewidth v0.0.16 // indirect
github.com/minio/crc64nvme v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/sys/atomicwriter v0.1.0 // indirect
github.com/otiai10/mint v1.6.3 // indirect
github.com/philhofer/fwd v1.2.0 // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/theupdateframework/notary v0.7.0 // indirect
github.com/tinylib/msgp v1.3.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 // indirect
go.opentelemetry.io/otel/metric v1.37.0 // indirect
go.opentelemetry.io/otel/trace v1.37.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.0 // indirect
golang.org/x/term v0.36.0 // indirect
golang.org/x/time v0.14.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
google.golang.org/grpc v1.76.0 // indirect
google.golang.org/protobuf v1.36.10 // indirect
)
require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.5.0 // indirect
github.com/Microsoft/go-winio v0.5.2 // indirect
github.com/ProtonMail/go-crypto v1.3.0
github.com/Microsoft/go-winio v0.4.17 // indirect
github.com/containerd/containerd v1.5.5 // indirect
github.com/docker/distribution v2.7.1+incompatible // indirect
github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-units v0.4.0 // indirect
github.com/dropbox/dropbox-sdk-go-unofficial/v6 v6.0.5
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/fatih/color v1.10.0 // indirect
github.com/fsnotify/fsnotify v1.4.9 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/klauspost/cpuid/v2 v2.2.11 // indirect
github.com/klauspost/pgzip v1.2.6
github.com/kr/fs v0.1.0 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/golang/protobuf v1.5.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.13.6 // indirect
github.com/klauspost/cpuid/v2 v2.0.9 // indirect
github.com/mattn/go-colorable v0.1.8 // indirect
github.com/mattn/go-isatty v0.0.12 // indirect
github.com/minio/md5-simd v1.1.2 // indirect
github.com/moby/term v0.0.0-20200312100748-672ec06f55cd // indirect
github.com/minio/sha256-simd v1.0.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/morikuni/aec v1.0.0 // indirect
github.com/nxadm/tail v1.4.6 // indirect
github.com/onsi/ginkgo v1.14.2 // indirect
github.com/onsi/gomega v1.10.3 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/opencontainers/image-spec v1.0.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/rs/xid v1.6.0 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
golang.org/x/net v0.46.0 // indirect
golang.org/x/sys v0.37.0 // indirect
golang.org/x/text v0.30.0 // indirect
gotest.tools/v3 v3.0.3 // indirect
github.com/rs/xid v1.3.0 // indirect
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 // indirect
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
golang.org/x/text v0.3.6 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a // indirect
google.golang.org/grpc v1.33.2 // indirect
google.golang.org/protobuf v1.26.0 // indirect
gopkg.in/ini.v1 v1.65.0 // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)

1088
go.sum
View File

File diff suppressed because it is too large Load Diff

43
internal/errwrap/wrap.go
View File

@@ -1,43 +0,0 @@
// Copyright 2024 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package errwrap
import (
"errors"
"fmt"
"runtime"
"strings"
)
// Wrap wraps the given error using the given message while prepending
// the name of the calling function, creating a poor man's stack trace
func Wrap(err error, msg string) error {
pc := make([]uintptr, 15)
n := runtime.Callers(2, pc)
frames := runtime.CallersFrames(pc[:n])
frame, _ := frames.Next()
// strip full import paths and just use the package name
chunks := strings.Split(frame.Function, "/")
withCaller := fmt.Sprintf("%s: %s", chunks[len(chunks)-1], msg)
if err == nil {
return errors.New(withCaller)
}
return fmt.Errorf("%s: %w", withCaller, err)
}
// Unwrap receives an error and returns the last error in the chain of
// wrapped errors
func Unwrap(err error) error {
if err == nil {
return nil
}
for {
u := errors.Unwrap(err)
if u == nil {
break
}
err = u
}
return err
}

192
internal/storage/azure/azure.go
View File

@@ -1,192 +0,0 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package azure
import (
"bytes"
"context"
"errors"
"fmt"
"os"
"path"
"path/filepath"
"strings"
"sync"
"text/template"
"time"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/blockblob"
"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
)
type azureBlobStorage struct {
*storage.StorageBackend
client *azblob.Client
uploadStreamOptions *blockblob.UploadStreamOptions
containerName string
}
// Config contains values that define the configuration of an Azure Blob Storage.
type Config struct {
AccountName string
ContainerName string
PrimaryAccountKey string
ConnectionString string
Endpoint string
RemotePath string
AccessTier string
}
// NewStorageBackend creates and initializes a new Azure Blob Storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
if opts.PrimaryAccountKey != "" && opts.ConnectionString != "" {
return nil, errwrap.Wrap(nil, "using primary account key and connection string are mutually exclusive")
}
endpointTemplate, err := template.New("endpoint").Parse(opts.Endpoint)
if err != nil {
return nil, errwrap.Wrap(err, "error parsing endpoint template")
}
var ep bytes.Buffer
if err := endpointTemplate.Execute(&ep, opts); err != nil {
return nil, errwrap.Wrap(err, "error executing endpoint template")
}
normalizedEndpoint := fmt.Sprintf("%s/", strings.TrimSuffix(ep.String(), "/"))
var client *azblob.Client
if opts.PrimaryAccountKey != "" {
cred, err := azblob.NewSharedKeyCredential(opts.AccountName, opts.PrimaryAccountKey)
if err != nil {
return nil, errwrap.Wrap(err, "error creating shared key Azure credential")
}
client, err = azblob.NewClientWithSharedKeyCredential(normalizedEndpoint, cred, nil)
if err != nil {
return nil, errwrap.Wrap(err, "error creating azure client from primary account key")
}
} else if opts.ConnectionString != "" {
client, err = azblob.NewClientFromConnectionString(opts.ConnectionString, nil)
if err != nil {
return nil, errwrap.Wrap(err, "error creating azure client from connection string")
}
} else {
cred, err := azidentity.NewManagedIdentityCredential(nil)
if err != nil {
return nil, errwrap.Wrap(err, "error creating managed identity credential")
}
client, err = azblob.NewClient(normalizedEndpoint, cred, nil)
if err != nil {
return nil, errwrap.Wrap(err, "error creating azure client from managed identity")
}
}
var uploadStreamOptions *blockblob.UploadStreamOptions
if opts.AccessTier != "" {
var found bool
for _, t := range blob.PossibleAccessTierValues() {
if string(t) == opts.AccessTier {
found = true
uploadStreamOptions = &blockblob.UploadStreamOptions{
AccessTier: &t,
}
}
}
if !found {
return nil, errwrap.Wrap(nil, fmt.Sprintf("%s is not a possible access tier value", opts.AccessTier))
}
}
storage := azureBlobStorage{
client: client,
uploadStreamOptions: uploadStreamOptions,
containerName: opts.ContainerName,
StorageBackend: &storage.StorageBackend{
DestinationPath: opts.RemotePath,
Log: logFunc,
},
}
return &storage, nil
}
// Name returns the name of the storage backend
func (b *azureBlobStorage) Name() string {
return "Azure"
}
// Copy copies the given file to the storage backend.
func (b *azureBlobStorage) Copy(file string) error {
fileReader, err := os.Open(file)
if err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error opening file %s", file))
}
_, err = b.client.UploadStream(
context.Background(),
b.containerName,
path.Join(b.DestinationPath, filepath.Base(file)),
fileReader,
b.uploadStreamOptions,
)
if err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error uploading file %s", file))
}
return nil
}
// Prune rotates away backups according to the configuration and provided
// deadline for the Azure Blob storage backend.
func (b *azureBlobStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
lookupPrefix := path.Join(b.DestinationPath, pruningPrefix)
pager := b.client.NewListBlobsFlatPager(b.containerName, &container.ListBlobsFlatOptions{
Prefix: &lookupPrefix,
})
var matches []string
var totalCount uint
for pager.More() {
resp, err := pager.NextPage(context.Background())
if err != nil {
return nil, errwrap.Wrap(err, "error paging over blobs")
}
for _, v := range resp.Segment.BlobItems {
totalCount++
if v.Properties.LastModified.Before(deadline) {
matches = append(matches, *v.Name)
}
}
}
stats := &storage.PruneStats{
Total: totalCount,
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), int(totalCount), deadline, func() error {
wg := sync.WaitGroup{}
wg.Add(len(matches))
var errs []error
for _, match := range matches {
name := match
go func() {
_, err := b.client.DeleteBlob(context.Background(), b.containerName, name, nil)
if err != nil {
errs = append(errs, err)
}
wg.Done()
}()
}
wg.Wait()
if len(errs) != 0 {
return errors.Join(errs...)
}
return nil
})
return stats, pruneErr
}

264
internal/storage/dropbox/dropbox.go
View File

@@ -1,264 +0,0 @@
package dropbox
import (
"bytes"
"context"
"fmt"
"net/url"
"os"
"path"
"strings"
"sync"
"time"
"github.com/dropbox/dropbox-sdk-go-unofficial/v6/dropbox"
"github.com/dropbox/dropbox-sdk-go-unofficial/v6/dropbox/files"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
"golang.org/x/oauth2"
)
type dropboxStorage struct {
*storage.StorageBackend
client files.Client
concurrencyLevel int
}
// Config allows to configure a Dropbox storage backend.
type Config struct {
Endpoint string
OAuth2Endpoint string
RefreshToken string
AppKey string
AppSecret string
RemotePath string
ConcurrencyLevel int
}
// NewStorageBackend creates and initializes a new Dropbox storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
tokenUrl, _ := url.JoinPath(opts.OAuth2Endpoint, "oauth2/token")
conf := &oauth2.Config{
ClientID: opts.AppKey,
ClientSecret: opts.AppSecret,
Endpoint: oauth2.Endpoint{
TokenURL: tokenUrl,
},
}
logFunc(storage.LogLevelInfo, "Dropbox", "Fetching fresh access token for Dropbox storage backend.")
tkSource := conf.TokenSource(context.Background(), &oauth2.Token{RefreshToken: opts.RefreshToken})
token, err := tkSource.Token()
if err != nil {
return nil, errwrap.Wrap(err, "error refreshing token")
}
dbxConfig := dropbox.Config{
Token: token.AccessToken,
}
if opts.Endpoint != "https://api.dropbox.com/" {
dbxConfig.URLGenerator = func(hostType string, namespace string, route string) string {
return fmt.Sprintf("%s/%d/%s/%s", opts.Endpoint, 2, namespace, route)
}
}
client := files.New(dbxConfig)
if opts.ConcurrencyLevel < 1 {
logFunc(storage.LogLevelWarning, "Dropbox", "Concurrency level must be at least 1! Using 1 instead of %d.", opts.ConcurrencyLevel)
opts.ConcurrencyLevel = 1
}
return &dropboxStorage{
StorageBackend: &storage.StorageBackend{
DestinationPath: opts.RemotePath,
Log: logFunc,
},
client: client,
concurrencyLevel: opts.ConcurrencyLevel,
}, nil
}
// Name returns the name of the storage backend
func (b *dropboxStorage) Name() string {
return "Dropbox"
}
// Copy copies the given file to the WebDav storage backend.
func (b *dropboxStorage) Copy(file string) (returnErr error) {
_, name := path.Split(file)
folderArg := files.NewCreateFolderArg(b.DestinationPath)
if _, err := b.client.CreateFolderV2(folderArg); err != nil {
switch err := err.(type) {
case files.CreateFolderV2APIError:
if err.EndpointError.Path.Tag != files.WriteErrorConflict {
returnErr = errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
return
}
b.Log(storage.LogLevelInfo, b.Name(), "Destination path '%s' already exists, no new directory required.", b.DestinationPath)
default:
returnErr = errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s'", b.DestinationPath))
return
}
}
r, err := os.Open(file)
if err != nil {
returnErr = errwrap.Wrap(err, "error opening the file to be uploaded")
return
}
defer func() {
returnErr = r.Close()
}()
// Start new upload session and get session id
b.Log(storage.LogLevelInfo, b.Name(), "Starting upload session for backup '%s' at path '%s'.", file, b.DestinationPath)
var sessionId string
uploadSessionStartArg := files.NewUploadSessionStartArg()
uploadSessionStartArg.SessionType = &files.UploadSessionType{Tagged: dropbox.Tagged{Tag: files.UploadSessionTypeConcurrent}}
if res, err := b.client.UploadSessionStart(uploadSessionStartArg, nil); err != nil {
returnErr = errwrap.Wrap(err, "error starting the upload session")
return
} else {
sessionId = res.SessionId
}
// Send the file in 148MB chunks (Dropbox API limit is 150MB, concurrent upload requires a multiple of 4MB though)
// Last append can be any size <= 150MB with Close=True
const chunkSize = 148 * 1024 * 1024 // 148MB
var offset uint64 = 0
var guard = make(chan struct{}, b.concurrencyLevel)
var errorChn = make(chan error, b.concurrencyLevel)
var EOFChn = make(chan bool, b.concurrencyLevel)
var mu sync.Mutex
var wg sync.WaitGroup
loop:
for {
guard <- struct{}{} // limit concurrency
select {
case err := <-errorChn: // error from goroutine
return err
case <-EOFChn: // EOF from goroutine
wg.Wait() // wait for all goroutines to finish
break loop
default:
}
go func() {
defer func() {
wg.Done()
<-guard
}()
wg.Add(1)
chunk := make([]byte, chunkSize)
mu.Lock() // to preserve offset of chunks
select {
case <-EOFChn:
EOFChn <- true // put it back for outer loop
mu.Unlock()
return // already EOF
default:
}
bytesRead, err := r.Read(chunk)
if err != nil {
errorChn <- errwrap.Wrap(err, "error reading the file to be uploaded")
mu.Unlock()
return
}
chunk = chunk[:bytesRead]
uploadSessionAppendArg := files.NewUploadSessionAppendArg(
files.NewUploadSessionCursor(sessionId, offset),
)
isEOF := bytesRead < chunkSize
uploadSessionAppendArg.Close = isEOF
if isEOF {
EOFChn <- true
}
offset += uint64(bytesRead)
mu.Unlock()
if err := b.client.UploadSessionAppendV2(uploadSessionAppendArg, bytes.NewReader(chunk)); err != nil {
errorChn <- errwrap.Wrap(err, "error appending the file to the upload session")
return
}
}()
}
// Finish the upload session, commit the file (no new data added)
_, err = b.client.UploadSessionFinish(
files.NewUploadSessionFinishArg(
files.NewUploadSessionCursor(sessionId, 0),
files.NewCommitInfo(path.Join(b.DestinationPath, name)),
), nil)
if err != nil {
returnErr = errwrap.Wrap(err, "error finishing the upload session")
return
}
b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' at path '%s'.", file, b.DestinationPath)
return nil
}
// Prune rotates away backups according to the configuration and provided deadline for the Dropbox storage backend.
func (b *dropboxStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
var entries []files.IsMetadata
res, err := b.client.ListFolder(files.NewListFolderArg(b.DestinationPath))
if err != nil {
return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
}
entries = append(entries, res.Entries...)
for res.HasMore {
res, err = b.client.ListFolderContinue(files.NewListFolderContinueArg(res.Cursor))
if err != nil {
return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
}
entries = append(entries, res.Entries...)
}
var matches []*files.FileMetadata
var lenCandidates int
for _, candidate := range entries {
switch candidate := candidate.(type) {
case *files.FileMetadata:
if !strings.HasPrefix(candidate.Name, pruningPrefix) {
continue
}
lenCandidates++
if candidate.ServerModified.Before(deadline) {
matches = append(matches, candidate)
}
default:
continue
}
}
stats := &storage.PruneStats{
Total: uint(lenCandidates),
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
for _, match := range matches {
if _, err := b.client.DeleteV2(files.NewDeleteArg(path.Join(b.DestinationPath, match.Name))); err != nil {
return errwrap.Wrap(err, "error removing file from Dropbox storage")
}
}
return nil
})
return stats, pruneErr
}

178
internal/storage/googledrive/googledrive.go
View File

@@ -1,178 +0,0 @@
// Copyright 2025 - The Gemini CLI authors <gemini-cli@google.com>
// SPDX-License-Identifier: MPL-2.0
package googledrive
import (
"context"
"fmt"
"os"
"path/filepath"
"strings"
"time"
"crypto/tls"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/drive/v3"
"google.golang.org/api/option"
"net/http"
)
type googleDriveStorage struct {
storage.StorageBackend
client *drive.Service
}
// Config allows to configure a Google Drive storage backend.
type Config struct {
CredentialsJSON string
FolderID string
ImpersonateSubject string
Endpoint string
TokenURL string
}
// NewStorageBackend creates and initializes a new Google Drive storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
ctx := context.Background()
credentialsBytes := []byte(opts.CredentialsJSON)
config, err := google.JWTConfigFromJSON(credentialsBytes, drive.DriveScope)
if err != nil {
return nil, errwrap.Wrap(err, "unable to parse credentials")
}
if opts.ImpersonateSubject != "" {
config.Subject = opts.ImpersonateSubject
}
if opts.TokenURL != "" {
config.TokenURL = opts.TokenURL
}
var clientOptions []option.ClientOption
if opts.Endpoint != "" {
clientOptions = append(clientOptions, option.WithEndpoint(opts.Endpoint))
// Insecure transport for http mock server
insecureTransport := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
insecureClient := &http.Client{Transport: insecureTransport}
ctx = context.WithValue(ctx, oauth2.HTTPClient, insecureClient)
}
clientOptions = append(clientOptions, option.WithTokenSource(config.TokenSource(ctx)))
srv, err := drive.NewService(ctx, clientOptions...)
if err != nil {
return nil, errwrap.Wrap(err, "unable to create Drive client")
}
return &googleDriveStorage{
StorageBackend: storage.StorageBackend{
DestinationPath: opts.FolderID,
Log: logFunc,
},
client: srv,
}, nil
}
// Name returns the name of the storage backend
func (b *googleDriveStorage) Name() string {
return "GoogleDrive"
}
// Copy copies the given file to the Google Drive storage backend.
func (b *googleDriveStorage) Copy(file string) (returnErr error) {
_, name := filepath.Split(file)
b.Log(storage.LogLevelInfo, b.Name(), "Starting upload for backup '%s'.", name)
f, err := os.Open(file)
if err != nil {
returnErr = errwrap.Wrap(err, fmt.Sprintf("failed to open file %s", file))
return
}
defer func() {
returnErr = f.Close()
}()
driveFile := &drive.File{Name: name}
if b.DestinationPath != "" {
driveFile.Parents = []string{b.DestinationPath}
} else {
driveFile.Parents = []string{"root"}
}
createCall := b.client.Files.Create(driveFile).SupportsAllDrives(true).Fields("id")
created, err := createCall.Media(f).Do()
if err != nil {
returnErr = errwrap.Wrap(err, fmt.Sprintf("failed to upload %s", name))
return
}
b.Log(storage.LogLevelInfo, b.Name(), "Finished upload for %s. File ID: %s", name, created.Id)
return nil
}
// Prune rotates away backups according to the configuration and provided deadline for the Google Drive storage backend.
func (b *googleDriveStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
parentID := b.DestinationPath
if parentID == "" {
parentID = "root"
}
query := fmt.Sprintf("name contains '%s' and trashed = false", pruningPrefix)
if parentID != "root" {
query = fmt.Sprintf("'%s' in parents and (%s)", parentID, query)
}
var allFiles []*drive.File
pageToken := ""
for {
req := b.client.Files.List().Q(query).SupportsAllDrives(true).Fields("files(id, name, createdTime, parents)").PageToken(pageToken)
res, err := req.Do()
if err != nil {
return nil, errwrap.Wrap(err, "listing files")
}
allFiles = append(allFiles, res.Files...)
pageToken = res.NextPageToken
if pageToken == "" {
break
}
}
var matches []*drive.File
var lenCandidates int
for _, f := range allFiles {
if !strings.HasPrefix(f.Name, pruningPrefix) {
continue
}
lenCandidates++
created, err := time.Parse(time.RFC3339, f.CreatedTime)
if err != nil {
b.Log(storage.LogLevelWarning, b.Name(), "Could not parse time for backup %s: %v", f.Name, err)
continue
}
if created.Before(deadline) {
matches = append(matches, f)
}
}
stats := &storage.PruneStats{
Total: uint(lenCandidates),
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
for _, file := range matches {
b.Log(storage.LogLevelInfo, b.Name(), "Deleting old backup file: %s", file.Name)
if err := b.client.Files.Delete(file.Id).SupportsAllDrives(true).Do(); err != nil {
b.Log(storage.LogLevelWarning, b.Name(), "Error deleting %s: %v", file.Name, err)
}
}
return nil
})
return stats, pruneErr
}

172
internal/storage/local/local.go
View File

@@ -1,172 +0,0 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package local
import (
"errors"
"fmt"
"io"
"os"
"path"
"path/filepath"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
)
type localStorage struct {
*storage.StorageBackend
latestSymlink string
}
// Config allows configuration of a local storage backend.
type Config struct {
ArchivePath string
LatestSymlink string
}
// NewStorageBackend creates and initializes a new local storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) storage.Backend {
return &localStorage{
StorageBackend: &storage.StorageBackend{
DestinationPath: opts.ArchivePath,
Log: logFunc,
},
latestSymlink: opts.LatestSymlink,
}
}
// Name return the name of the storage backend
func (b *localStorage) Name() string {
return "Local"
}
// Copy copies the given file to the local storage backend.
func (b *localStorage) Copy(file string) error {
_, name := path.Split(file)
if err := copyFile(file, path.Join(b.DestinationPath, name)); err != nil {
return errwrap.Wrap(err, "error copying file to archive")
}
b.Log(storage.LogLevelInfo, b.Name(), "Stored copy of backup `%s` in `%s`.", file, b.DestinationPath)
if b.latestSymlink != "" {
symlink := path.Join(b.DestinationPath, b.latestSymlink)
if _, err := os.Lstat(symlink); err == nil {
if err := os.Remove(symlink); err != nil {
return errwrap.Wrap(err, "error removing existing symlink")
}
}
if err := os.Symlink(name, symlink); err != nil {
return errwrap.Wrap(err, "error creating latest symlink")
}
b.Log(storage.LogLevelInfo, b.Name(), "Created/Updated symlink `%s` for latest backup.", b.latestSymlink)
}
return nil
}
// Prune rotates away backups according to the configuration and provided deadline for the local storage backend.
func (b *localStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
globPattern := path.Join(
b.DestinationPath,
fmt.Sprintf("%s*", pruningPrefix),
)
globMatches, err := filepath.Glob(globPattern)
if err != nil {
return nil, errwrap.Wrap(
err,
fmt.Sprintf(
"error looking up matching files using pattern %s",
globPattern,
),
)
}
var candidates []string
for _, candidate := range globMatches {
fi, err := os.Lstat(candidate)
if err != nil {
return nil, errwrap.Wrap(
err,
fmt.Sprintf(
"error calling Lstat on file %s",
candidate,
),
)
}
if !fi.IsDir() && fi.Mode()&os.ModeSymlink != os.ModeSymlink {
candidates = append(candidates, candidate)
}
}
var matches []string
for _, candidate := range candidates {
fi, err := os.Stat(candidate)
if err != nil {
return nil, errwrap.Wrap(
err,
fmt.Sprintf(
"error calling stat on file %s",
candidate,
),
)
}
if fi.ModTime().Before(deadline) {
matches = append(matches, candidate)
}
}
stats := &storage.PruneStats{
Total: uint(len(candidates)),
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), len(candidates), deadline, func() error {
var removeErrors []error
for _, match := range matches {
if err := os.Remove(match); err != nil {
removeErrors = append(removeErrors, err)
}
}
if len(removeErrors) != 0 {
return errwrap.Wrap(
errors.Join(removeErrors...),
fmt.Sprintf(
"%d error(s) deleting files",
len(removeErrors),
),
)
}
return nil
})
return stats, pruneErr
}
// copy creates a copy of the file located at `dst` at `src`.
func copyFile(src, dst string) (returnErr error) {
in, err := os.Open(src)
if err != nil {
returnErr = err
return
}
defer func() {
returnErr = in.Close()
}()
out, err := os.Create(dst)
if err != nil {
returnErr = err
return
}
_, err = io.Copy(out, in)
if err != nil {
return errors.Join(err, out.Close())
}
return out.Close()
}

195
internal/storage/s3/s3.go
View File

@@ -1,195 +0,0 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package s3
import (
"context"
"crypto/x509"
"errors"
"fmt"
"os"
"path"
"time"
"github.com/minio/minio-go/v7"
"github.com/minio/minio-go/v7/pkg/credentials"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
)
type s3Storage struct {
*storage.StorageBackend
client *minio.Client
bucket string
storageClass string
partSize int64
}
// Config contains values that define the configuration of a S3 backend.
type Config struct {
Endpoint string
AccessKeyID string
SecretAccessKey string
IamRoleEndpoint string
EndpointProto string
EndpointInsecure bool
RemotePath string
BucketName string
StorageClass string
PartSize int64
CACert *x509.Certificate
}
// NewStorageBackend creates and initializes a new S3/Minio storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
var creds *credentials.Credentials
if opts.AccessKeyID != "" && opts.SecretAccessKey != "" {
creds = credentials.NewStaticV4(
opts.AccessKeyID,
opts.SecretAccessKey,
"",
)
} else if opts.IamRoleEndpoint != "" {
creds = credentials.NewIAM(opts.IamRoleEndpoint)
} else {
return nil, errwrap.Wrap(nil, "AWS_S3_BUCKET_NAME is defined, but no credentials were provided")
}
options := minio.Options{
Creds: creds,
Secure: opts.EndpointProto == "https",
}
transport, err := minio.DefaultTransport(true)
if err != nil {
return nil, errwrap.Wrap(err, "failed to create default minio transport")
}
if opts.EndpointInsecure {
if !options.Secure {
return nil, errwrap.Wrap(nil, "AWS_ENDPOINT_INSECURE = true is only meaningful for https")
}
transport.TLSClientConfig.InsecureSkipVerify = true
} else if opts.CACert != nil {
if transport.TLSClientConfig.RootCAs == nil {
transport.TLSClientConfig.RootCAs = x509.NewCertPool()
}
transport.TLSClientConfig.RootCAs.AddCert(opts.CACert)
}
options.Transport = transport
mc, err := minio.New(opts.Endpoint, &options)
if err != nil {
return nil, errwrap.Wrap(err, "error setting up minio client")
}
return &s3Storage{
StorageBackend: &storage.StorageBackend{
DestinationPath: opts.RemotePath,
Log: logFunc,
},
client: mc,
bucket: opts.BucketName,
storageClass: opts.StorageClass,
partSize: opts.PartSize,
}, nil
}
// Name returns the name of the storage backend
func (v *s3Storage) Name() string {
return "S3"
}
// Copy copies the given file to the S3/Minio storage backend.
func (b *s3Storage) Copy(file string) error {
_, name := path.Split(file)
putObjectOptions := minio.PutObjectOptions{
ContentType: "application/tar+gzip",
StorageClass: b.storageClass,
}
if b.partSize > 0 {
srcFileInfo, err := os.Stat(file)
if err != nil {
return errwrap.Wrap(err, "error reading the local file")
}
_, partSize, _, err := minio.OptimalPartInfo(srcFileInfo.Size(), uint64(b.partSize*1024*1024))
if err != nil {
return errwrap.Wrap(err, "error computing the optimal s3 part size")
}
putObjectOptions.PartSize = uint64(partSize)
}
if _, err := b.client.FPutObject(context.Background(), b.bucket, path.Join(b.DestinationPath, name), file, putObjectOptions); err != nil {
if errResp := minio.ToErrorResponse(err); errResp.Message != "" {
return errwrap.Wrap(
nil,
fmt.Sprintf(
"error uploading backup to remote storage: [Message]: '%s', [Code]: %s, [StatusCode]: %d",
errResp.Message,
errResp.Code,
errResp.StatusCode,
),
)
}
return errwrap.Wrap(err, "error uploading backup to remote storage")
}
b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to bucket `%s`.", file, b.bucket)
return nil
}
// Prune rotates away backups according to the configuration and provided deadline for the S3/Minio storage backend.
func (b *s3Storage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
candidates := b.client.ListObjects(context.Background(), b.bucket, minio.ListObjectsOptions{
Prefix: path.Join(b.DestinationPath, pruningPrefix),
Recursive: true,
})
var matches []minio.ObjectInfo
var lenCandidates int
for candidate := range candidates {
lenCandidates++
if candidate.Err != nil {
return nil, errwrap.Wrap(
candidate.Err,
"error looking up candidates from remote storage",
)
}
if candidate.LastModified.Before(deadline) {
matches = append(matches, candidate)
}
}
stats := &storage.PruneStats{
Total: uint(lenCandidates),
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), lenCandidates, deadline, func() error {
objectsCh := make(chan minio.ObjectInfo)
go func() {
for _, match := range matches {
objectsCh <- match
}
close(objectsCh)
}()
errChan := b.client.RemoveObjects(context.Background(), b.bucket, objectsCh, minio.RemoveObjectsOptions{})
var removeErrors []error
for result := range errChan {
if result.Err != nil {
removeErrors = append(removeErrors, result.Err)
}
}
if len(removeErrors) != 0 {
return errors.Join(removeErrors...)
}
return nil
})
return stats, pruneErr
}

215
internal/storage/ssh/ssh.go
View File

@@ -1,215 +0,0 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package ssh
import (
"errors"
"fmt"
"io"
"os"
"path"
"strings"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
"github.com/pkg/sftp"
"golang.org/x/crypto/ssh"
)
type sshStorage struct {
*storage.StorageBackend
client *ssh.Client
sftpClient *sftp.Client
hostName string
}
// Config allows to configure a SSH backend.
type Config struct {
HostName string
Port string
User string
Password string
IdentityFile string
IdentityPassphrase string
RemotePath string
}
var noop = func() error { return nil }
// NewStorageBackend creates and initializes a new SSH storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, func() error, error) {
var authMethods []ssh.AuthMethod
if opts.Password != "" {
authMethods = append(authMethods, ssh.Password(opts.Password))
}
if _, err := os.Stat(opts.IdentityFile); err == nil {
key, err := os.ReadFile(opts.IdentityFile)
if err != nil {
return nil, noop, errwrap.Wrap(nil, "error reading the private key")
}
var signer ssh.Signer
if opts.IdentityPassphrase != "" {
signer, err = ssh.ParsePrivateKeyWithPassphrase(key, []byte(opts.IdentityPassphrase))
if err != nil {
return nil, noop, errwrap.Wrap(nil, "error parsing the encrypted private key")
}
authMethods = append(authMethods, ssh.PublicKeys(signer))
} else {
signer, err = ssh.ParsePrivateKey(key)
if err != nil {
return nil, noop, errwrap.Wrap(nil, "error parsing the private key")
}
authMethods = append(authMethods, ssh.PublicKeys(signer))
}
}
sshClientConfig := &ssh.ClientConfig{
User: opts.User,
Auth: authMethods,
HostKeyCallback: ssh.InsecureIgnoreHostKey(),
}
sshClient, err := ssh.Dial("tcp", fmt.Sprintf("%s:%s", opts.HostName, opts.Port), sshClientConfig)
if err != nil || sshClient == nil {
return nil, noop, errwrap.Wrap(err, "error creating ssh client")
}
_, _, err = sshClient.SendRequest("keepalive", false, nil)
if err != nil {
return nil, sshClient.Close, err
}
sftpClient, err := sftp.NewClient(sshClient,
sftp.UseConcurrentReads(true),
sftp.UseConcurrentWrites(true),
sftp.MaxConcurrentRequestsPerFile(64),
)
if err != nil {
return nil, sshClient.Close, errwrap.Wrap(err, "error creating sftp client")
}
return &sshStorage{
StorageBackend: &storage.StorageBackend{
DestinationPath: opts.RemotePath,
Log: logFunc,
},
client: sshClient,
sftpClient: sftpClient,
hostName: opts.HostName,
}, sshClient.Close, nil
}
// Name returns the name of the storage backend
func (b *sshStorage) Name() string {
return "SSH"
}
// Copy copies the given file to the SSH storage backend.
func (b *sshStorage) Copy(file string) (returnErr error) {
if err := b.sftpClient.MkdirAll(b.DestinationPath); err != nil {
return errwrap.Wrap(err, "error ensuring destination directory")
}
source, err := os.Open(file)
_, name := path.Split(file)
if err != nil {
returnErr = errwrap.Wrap(err, " error reading the file to be uploaded")
return
}
defer func() {
returnErr = source.Close()
}()
destination, err := b.sftpClient.Create(path.Join(b.DestinationPath, name))
if err != nil {
returnErr = errwrap.Wrap(err, "error creating file")
return
}
defer func() {
returnErr = destination.Close()
}()
chunk := make([]byte, 1e9)
for {
num, err := source.Read(chunk)
if err == io.EOF {
tot, err := destination.Write(chunk[:num])
if err != nil {
returnErr = errwrap.Wrap(err, "error uploading the file")
return
}
if tot != len(chunk[:num]) {
returnErr = errwrap.Wrap(nil, "failed to write stream")
return
}
break
}
if err != nil {
returnErr = errwrap.Wrap(err, "error uploading the file")
return
}
tot, err := destination.Write(chunk[:num])
if err != nil {
returnErr = errwrap.Wrap(err, "error uploading the file")
return
}
if tot != len(chunk[:num]) {
returnErr = errwrap.Wrap(nil, "failed to write stream")
return
}
}
b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup `%s` to '%s' at path '%s'.", file, b.hostName, b.DestinationPath)
return nil
}
// Prune rotates away backups according to the configuration and provided deadline for the SSH storage backend.
func (b *sshStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
candidates, err := b.sftpClient.ReadDir(b.DestinationPath)
if err != nil {
// If directory doesn't exist yet, nothing to prune
if errors.Is(err, os.ErrNotExist) {
return &storage.PruneStats{}, nil
}
return nil, errwrap.Wrap(err, "error reading directory")
}
var matches []string
var numCandidates int
for _, candidate := range candidates {
if candidate.IsDir() || !strings.HasPrefix(candidate.Name(), pruningPrefix) {
continue
}
numCandidates++
if candidate.ModTime().Before(deadline) {
matches = append(matches, candidate.Name())
}
}
stats := &storage.PruneStats{
Total: uint(numCandidates),
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), numCandidates, deadline, func() error {
for _, match := range matches {
p := path.Join(b.DestinationPath, match)
if err := b.sftpClient.Remove(p); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error removing file %s", p))
}
}
return nil
})
return stats, pruneErr
}

65
internal/storage/storage.go
View File

@@ -1,65 +0,0 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package storage
import (
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
)
// Backend is an interface for defining functions which all storage providers support.
type Backend interface {
Copy(file string) error
Prune(deadline time.Time, pruningPrefix string) (*PruneStats, error)
Name() string
}
// StorageBackend is a generic type of storage. Everything here are common properties of all storage types.
type StorageBackend struct {
DestinationPath string
Log Log
}
type LogLevel int
const (
LogLevelInfo LogLevel = iota
LogLevelWarning
)
type Log func(logType LogLevel, context string, msg string, params ...any)
// PruneStats is a wrapper struct for returning stats after pruning
type PruneStats struct {
Total uint
Pruned uint
}
// DoPrune holds general control flow that applies to any kind of storage.
// Callers can pass in a thunk that performs the actual deletion of files.
func (b *StorageBackend) DoPrune(context string, lenMatches, lenCandidates int, deadline time.Time, doRemoveFiles func() error) error {
if lenMatches != 0 && lenMatches != lenCandidates {
if err := doRemoveFiles(); err != nil {
return err
}
formattedDeadline, err := deadline.Local().MarshalText()
if err != nil {
return errwrap.Wrap(err, "error marshaling deadline")
}
b.Log(LogLevelInfo, context,
"Pruned %d out of %d backups as they were older than the given deadline of %s.",
lenMatches,
lenCandidates,
string(formattedDeadline),
)
} else if lenMatches != 0 && lenMatches == lenCandidates {
b.Log(LogLevelWarning, context, "The current configuration would delete all %d existing backups.", lenMatches)
b.Log(LogLevelWarning, context, "Refusing to do so, please check your configuration.")
} else {
b.Log(LogLevelInfo, context, "None of %d existing backups were pruned.", lenCandidates)
}
return nil
}

120
internal/storage/webdav/webdav.go
View File

@@ -1,120 +0,0 @@
// Copyright 2022 - offen.software <hioffen@posteo.de>
// SPDX-License-Identifier: MPL-2.0
package webdav
import (
"fmt"
"io/fs"
"net/http"
"os"
"path"
"strings"
"time"
"github.com/offen/docker-volume-backup/internal/errwrap"
"github.com/offen/docker-volume-backup/internal/storage"
"github.com/studio-b12/gowebdav"
)
type webDavStorage struct {
*storage.StorageBackend
client *gowebdav.Client
url string
}
// Config allows to configure a WebDAV storage backend.
type Config struct {
URL string
RemotePath string
Username string
Password string
URLInsecure bool
}
// NewStorageBackend creates and initializes a new WebDav storage backend.
func NewStorageBackend(opts Config, logFunc storage.Log) (storage.Backend, error) {
if opts.Username == "" || opts.Password == "" {
return nil, errwrap.Wrap(nil, "WEBDAV_URL is defined, but no credentials were provided")
} else {
webdavClient := gowebdav.NewClient(opts.URL, opts.Username, opts.Password)
if opts.URLInsecure {
defaultTransport, ok := http.DefaultTransport.(*http.Transport)
if !ok {
return nil, errwrap.Wrap(nil, "unexpected error when asserting type for http.DefaultTransport")
}
webdavTransport := defaultTransport.Clone()
webdavTransport.TLSClientConfig.InsecureSkipVerify = opts.URLInsecure
webdavClient.SetTransport(webdavTransport)
}
return &webDavStorage{
StorageBackend: &storage.StorageBackend{
DestinationPath: opts.RemotePath,
Log: logFunc,
},
client: webdavClient,
}, nil
}
}
// Name returns the name of the storage backend
func (b *webDavStorage) Name() string {
return "WebDAV"
}
// Copy copies the given file to the WebDav storage backend.
func (b *webDavStorage) Copy(file string) error {
_, name := path.Split(file)
if err := b.client.MkdirAll(b.DestinationPath, 0644); err != nil {
return errwrap.Wrap(err, fmt.Sprintf("error creating directory '%s' on server", b.DestinationPath))
}
r, err := os.Open(file)
if err != nil {
return errwrap.Wrap(err, "error opening the file to be uploaded")
}
if err := b.client.WriteStream(path.Join(b.DestinationPath, name), r, 0644); err != nil {
return errwrap.Wrap(err, "error uploading the file")
}
b.Log(storage.LogLevelInfo, b.Name(), "Uploaded a copy of backup '%s' to '%s' at path '%s'.", file, b.url, b.DestinationPath)
return nil
}
// Prune rotates away backups according to the configuration and provided deadline for the WebDav storage backend.
func (b *webDavStorage) Prune(deadline time.Time, pruningPrefix string) (*storage.PruneStats, error) {
candidates, err := b.client.ReadDir(b.DestinationPath)
if err != nil {
return nil, errwrap.Wrap(err, "error looking up candidates from remote storage")
}
var matches []fs.FileInfo
var numCandidates int
for _, candidate := range candidates {
if candidate.IsDir() || !strings.HasPrefix(candidate.Name(), pruningPrefix) {
continue
}
numCandidates++
if candidate.ModTime().Before(deadline) {
matches = append(matches, candidate)
}
}
stats := &storage.PruneStats{
Total: uint(numCandidates),
Pruned: uint(len(matches)),
}
pruneErr := b.DoPrune(b.Name(), len(matches), numCandidates, deadline, func() error {
for _, match := range matches {
if err := b.client.Remove(path.Join(b.DestinationPath, match.Name())); err != nil {
return errwrap.Wrap(err, "error removing file")
}
}
return nil
})
return stats, pruneErr
}

16
test/Dockerfile
View File

@@ -1,16 +0,0 @@
FROM docker:28-dind
RUN apk add \
age \
coreutils \
curl \
expect \
gpg \
gpg-agent \
jq \
moreutils \
tar \
zstd \
--no-cache
WORKDIR /code/test

72
test/README.md
View File

@@ -1,72 +0,0 @@
# Integration Tests
## Running tests
The main entry point for running tests is the `./test.sh` script.
It can be used to run the entire test suite, or just a single test case.
### Run all tests
```sh
./test.sh
```
### Run a single test case
```sh
./test.sh <directory-name>
```
### Configuring a test run
In addition to the match pattern, which can be given as the first positional argument, certain behavior can be changed by setting environment variables:
#### `BUILD_IMAGE`
When set, the test script will build an up-to-date `docker-volume-backup` image from the current state of your source tree, and run the tests against it.
```sh
BUILD_IMAGE=1 ./test.sh
```
The default behavior is not to build an image, and instead look for a version on your host system.
#### `IMAGE_TAG`
Setting this value lets you run tests against different existing images, so you can compare behavior:
```sh
IMAGE_TAG=v2.30.0 ./test.sh
```
By default, two local images are created that persist the image data and provide it to containers at runtime.
## Understanding the test setup
The test setup runs each test case in an isolated Docker container, which itself is running an otherwise unused Docker daemon.
This means, tests can rely on noone else using that daemon, making expectations about the number of running containers and so forth.
As the sandbox container is also expected to be torn down post test, the scripts do not need to do any clean up or similar.
## Anatomy of a test case
The `test.sh` script looks for all exectuable files in each directory.
When found, all of them are executed in series and are expected to signal success by returning a 0 exit code.
Any other exit code is considered a failure and will halt execution of further tests.
There is an `util.sh` file containing a few commonly used helpers which can be used by putting the following prelude to a new test case:
```sh
cd "$(dirname "$0")"
. ../util.sh
current_test=$(basename $(pwd))
```
### Running tests in swarm mode
A test case can signal it wants to run in swarm mode by placing an empty `.swarm` file inside the directory.
In case the swarm setup should be compose of multiple nodes, a `.multinode` file can be used.
A multinode setup will contain one manager (`manager`) and two worker nodes (`worker1` and `worker2`).
If a test is expected to run in the context of a node other than the `manager`, you can create a `.context` file containing the name of the node you want the test to run in.
E.g. if your script `02run.sh` is expected to be run on `worker2`, create a file called `02run.sh.context` with the content `worker2`

24
test/age-passphrase/docker-compose.yml
View File

@@ -1,24 +0,0 @@
services:
backup:
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
restart: always
environment:
BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
BACKUP_FILENAME: test.tar.gz
BACKUP_LATEST_SYMLINK: test-latest.tar.gz.age
BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
AGE_PASSPHRASE: "Dance.0Tonight.Go.Typical"
volumes:
- ${LOCAL_DIR:-./local}:/archive
- app_data:/backup/app_data:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
offen:
image: offen/offen:latest
labels:
- docker-volume-backup.stop-during-backup=true
volumes:
- app_data:/var/opt/offen
volumes:
app_data:

39
test/age-passphrase/run.sh
View File

@@ -1,39 +0,0 @@
#!/bin/sh
set -e
cd "$(dirname "$0")"
. ../util.sh
current_test=$(basename "$(pwd)")
export LOCAL_DIR="$(mktemp -d)"
docker compose up -d --quiet-pull
sleep 5
docker compose exec backup backup
expect_running_containers "2"
TMP_DIR=$(mktemp -d)
# complex usage of expect(1) due to age not have a way to programmatically
# provide the passphrase
expect -i <<EOL
spawn age --decrypt -o "$LOCAL_DIR/decrypted.tar.gz" "$LOCAL_DIR/test.tar.gz.age"
expect -exact "Enter passphrase: "
send -- "Dance.0Tonight.Go.Typical\r"
sleep 1
EOL
tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C "$TMP_DIR"
if [ ! -f "$TMP_DIR/backup/app_data/offen.db" ]; then
fail "Could not find expected file in untared archive."
fi
rm -vf "$LOCAL_DIR/decrypted.tar.gz"
pass "Found relevant files in decrypted and untared local backup."
if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.age" ]; then
fail "Could not find local symlink to latest encrypted backup."
fi

1
test/age-publickey/.gitignore vendored
View File

@@ -1 +0,0 @@
pk-*.txt

24
test/age-publickey/docker-compose.yml
View File

@@ -1,24 +0,0 @@
services:
backup:
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
restart: always
environment:
BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
BACKUP_FILENAME: test.tar.gz
BACKUP_LATEST_SYMLINK: test-latest.tar.gz.age
BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
AGE_PUBLIC_KEYS: "${BACKUP_AGE_PUBLIC_KEYS}"
volumes:
- ${LOCAL_DIR:-./local}:/archive
- app_data:/backup/app_data:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
offen:
image: offen/offen:latest
labels:
- docker-volume-backup.stop-during-backup=true
volumes:
- app_data:/var/opt/offen
volumes:
app_data:

47
test/age-publickey/run.sh
View File

@@ -1,47 +0,0 @@
#!/bin/sh
set -e
cd "$(dirname "$0")"
. ../util.sh
current_test=$(basename "$(pwd)")
export LOCAL_DIR="$(mktemp -d)"
age-keygen >"$LOCAL_DIR/pk-a.txt"
PK_A="$(grep -E 'public key' <"$LOCAL_DIR/pk-a.txt" | cut -d: -f2 | xargs)"
age-keygen >"$LOCAL_DIR/pk-b.txt"
PK_B="$(grep -E 'public key' <"$LOCAL_DIR/pk-b.txt" | cut -d: -f2 | xargs)"
ssh-keygen -t ed25519 -m pem -f "$LOCAL_DIR/id_ed25519" -C "docker-volume-backup@local"
PK_C="$(cat $LOCAL_DIR/id_ed25519.pub)"
export BACKUP_AGE_PUBLIC_KEYS="$PK_A,$PK_B,$PK_C"
docker compose up -d --quiet-pull
sleep 5
docker compose exec backup backup
expect_running_containers "2"
do_decrypt() {
TMP_DIR=$(mktemp -d)
age --decrypt -i "$1" -o "$LOCAL_DIR/decrypted.tar.gz" "$LOCAL_DIR/test.tar.gz.age"
tar -xf "$LOCAL_DIR/decrypted.tar.gz" -C "$TMP_DIR"
if [ ! -f "$TMP_DIR/backup/app_data/offen.db" ]; then
fail "Could not find expected file in untared archive."
fi
rm -vf "$LOCAL_DIR/decrypted.tar.gz"
pass "Found relevant files in decrypted and untared local backup."
if [ ! -L "$LOCAL_DIR/test-latest.tar.gz.age" ]; then
fail "Could not find local symlink to latest encrypted backup."
fi
}
do_decrypt "$LOCAL_DIR/pk-a.txt"
do_decrypt "$LOCAL_DIR/pk-b.txt"
do_decrypt "$LOCAL_DIR/id_ed25519"

55
test/azure/docker-compose.yml
View File

@@ -1,55 +0,0 @@
services:
storage:
image: mcr.microsoft.com/azure-storage/azurite:3.35.0
volumes:
- ${DATA_DIR:-./data}:/data
command: azurite-blob --blobHost 0.0.0.0 --blobPort 10000 --location /data
healthcheck:
test: nc 127.0.0.1 10000 -z
interval: 1s
retries: 30
az_cli:
image: mcr.microsoft.com/azure-cli:2.78.0
volumes:
- ${LOCAL_DIR:-./local}:/dump
command:
- /bin/sh
- -c
- |
az storage container create --name test-container
depends_on:
storage:
condition: service_healthy
environment:
AZURE_STORAGE_CONNECTION_STRING: DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://storage:10000/devstoreaccount1;
backup:
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
hostname: hostnametoken
restart: always
environment:
AZURE_STORAGE_ACCOUNT_NAME: devstoreaccount1
AZURE_STORAGE_PRIMARY_ACCOUNT_KEY: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==
AZURE_STORAGE_CONTAINER_NAME: test-container
AZURE_STORAGE_ENDPOINT: http://storage:10000/{{ .AccountName }}/
AZURE_STORAGE_PATH: 'path/to/backup'
AZURE_STORAGE_ACCESS_TIER: Hot
BACKUP_FILENAME: test.tar.gz
BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
BACKUP_PRUNING_LEEWAY: 5s
BACKUP_PRUNING_PREFIX: test
volumes:
- app_data:/backup/app_data:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
offen:
image: offen/offen:latest
labels:
- docker-volume-backup.stop-during-backup=true
volumes:
- app_data:/var/opt/offen
volumes:
app_data:

86
test/azure/run.sh
View File

@@ -1,86 +0,0 @@
#!/bin/sh
set -e
cd "$(dirname "$0")"
. ../util.sh
current_test=$(basename $(pwd))
export LOCAL_DIR=$(mktemp -d)
export TMP_DIR=$(mktemp -d)
export DATA_DIR=$(mktemp -d)
download_az () {
docker compose run --rm az_cli \
az storage blob download -f /dump/$1.tar.gz -c test-container -n path/to/backup/$1.tar.gz
}
docker compose up -d --quiet-pull
sleep 5
docker compose exec backup backup
sleep 5
expect_running_containers "3"
download_az "test"
tar -xvf "$LOCAL_DIR/test.tar.gz" -C $TMP_DIR
if [ ! -f "$TMP_DIR/backup/app_data/offen.db" ]; then
fail "Could not find expeced file in untared backup"
fi
pass "Found relevant files in untared remote backups."
rm "$LOCAL_DIR/test.tar.gz"
# The second part of this test checks if backups get deleted when the retention
# is set to 0 days (which it should not as it would mean all backups get deleted)
BACKUP_RETENTION_DAYS="0" docker compose up -d
sleep 5
docker compose exec backup backup
download_az "test"
if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then
fail "Remote backup was deleted"
fi
pass "Remote backups have not been deleted."
# The third part of this test checks if old backups get deleted when the retention
# is set to 7 days (which it should)
BACKUP_RETENTION_DAYS="7" docker compose up -d
sleep 5
info "Create first backup with no prune"
docker compose exec backup backup
docker compose run --rm az_cli \
az storage blob upload -f /dump/test.tar.gz -c test-container -n path/to/backup/test-old.tar.gz
docker compose down
rm "$LOCAL_DIR/test.tar.gz"
back_date="$(date "+%Y-%m-%dT%H:%M:%S%z" -d "14 days ago" | rev | cut -c 3- | rev):00"
jq --arg back_date "$back_date" '(.collections[] | select(.name=="$BLOBS_COLLECTION$") | .data[] | select(.name=="path/to/backup/test-old.tar.gz") | .properties.creationTime = $back_date)' "$DATA_DIR/__azurite_db_blob__.json" | sponge "$DATA_DIR/__azurite_db_blob__.json"
docker compose up -d
sleep 5
info "Create second backup and prune"
docker compose exec backup backup
info "Download first backup which should be pruned"
download_az "test-old" || true
if [ -f "$LOCAL_DIR/test-old.tar.gz" ]; then
fail "Backdated file was not deleted"
fi
download_az "test" || true
if [ ! -f "$LOCAL_DIR/test.tar.gz" ]; then
fail "Recent file was not found"
fi
pass "Old remote backup has been pruned, new one is still present."

46
test/certs/docker-compose.yml
View File

@@ -1,46 +0,0 @@
services:
minio:
hostname: minio.local
image: minio/minio:RELEASE.2020-08-04T23-10-51Z
environment:
MINIO_ROOT_USER: test
MINIO_ROOT_PASSWORD: test
MINIO_ACCESS_KEY: test
MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server --certs-dir "/certs" --address ":443" /data'
volumes:
- minio_backup_data:/data
- ${CERT_DIR:-.}/minio.crt:/certs/public.crt
- ${CERT_DIR:-.}/minio.key:/certs/private.key
backup:
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
depends_on:
- minio
restart: always
environment:
BACKUP_FILENAME: test.tar.gz
AWS_ACCESS_KEY_ID: test
AWS_SECRET_ACCESS_KEY: GMusLtUmILge2by+z890kQ
AWS_ENDPOINT: minio.local:443
AWS_ENDPOINT_CA_CERT: /root/minio-rootCA.crt
AWS_S3_BUCKET_NAME: backup
BACKUP_CRON_EXPRESSION: 0 0 5 31 2 ?
BACKUP_RETENTION_DAYS: ${BACKUP_RETENTION_DAYS:-7}
BACKUP_PRUNING_LEEWAY: 5s
volumes:
- app_data:/backup/app_data:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ${CERT_DIR:-.}/rootCA.crt:/root/minio-rootCA.crt
offen:
image: offen/offen:latest
labels:
- docker-volume-backup.stop-during-backup=true
volumes:
- app_data:/var/opt/offen
volumes:
minio_backup_data:
name: minio_backup_data
app_data:

43
test/certs/run.sh
View File

@@ -1,43 +0,0 @@
#!/bin/sh
set -e
cd "$(dirname "$0")"
. ../util.sh
current_test=$(basename $(pwd))
export CERT_DIR=$(mktemp -d)
openssl genrsa -des3 -passout pass:test -out "$CERT_DIR/rootCA.key" 4096
openssl req -passin pass:test \
-subj "/C=DE/ST=BE/O=IntegrationTest, Inc." \
-x509 -new -key "$CERT_DIR/rootCA.key" -sha256 -days 1 -out "$CERT_DIR/rootCA.crt"
openssl genrsa -out "$CERT_DIR/minio.key" 4096
openssl req -new -sha256 -key "$CERT_DIR/minio.key" \
-subj "/C=DE/ST=BE/O=IntegrationTest, Inc./CN=minio" \
-out "$CERT_DIR/minio.csr"
openssl x509 -req -passin pass:test \
-in "$CERT_DIR/minio.csr" \
-CA "$CERT_DIR/rootCA.crt" -CAkey "$CERT_DIR/rootCA.key" -CAcreateserial \
-extfile san.cnf \
-out "$CERT_DIR/minio.crt" -days 1 -sha256
openssl x509 -in "$CERT_DIR/minio.crt" -noout -text
docker compose up -d --quiet-pull
sleep 5
docker compose exec backup backup
sleep 5
expect_running_containers "3"
docker run --rm \
-v minio_backup_data:/minio_data \
alpine \
ash -c 'tar -xvf /minio_data/backup/test.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db'
pass "Found relevant files in untared remote backups."

1
test/certs/san.cnf
View File

@@ -1 +0,0 @@
subjectAltName = DNS:minio.local

22
test/cli/run.sh
View File

@@ -3,8 +3,6 @@
set -e
cd $(dirname $0)
. ../util.sh
current_test=$(basename $(pwd))
docker network create test_network
docker volume create backup_data
@@ -13,7 +11,7 @@ docker volume create app_data
# correctly. It is not supposed to hold any data.
docker volume create empty_data
docker run -d -q \
docker run -d \
--name minio \
--network test_network \
--env MINIO_ROOT_USER=test \
@@ -25,7 +23,7 @@ docker run -d -q \
docker exec minio mkdir -p /data/backup
docker run -d -q \
docker run -d \
--name offen \
--network test_network \
-v app_data:/var/opt/offen/ \
@@ -33,11 +31,11 @@ docker run -d -q \
sleep 10
docker run --rm -q \
docker run --rm \
--network test_network \
-v app_data:/backup/app_data \
-v empty_data:/backup/empty_data \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /var/run/docker.sock:/var/run/docker.sock \
--env AWS_ACCESS_KEY_ID=test \
--env AWS_SECRET_ACCESS_KEY=GMusLtUmILge2by+z890kQ \
--env AWS_ENDPOINT=minio:9000 \
@@ -48,15 +46,21 @@ docker run --rm -q \
--entrypoint backup \
offen/docker-volume-backup:${TEST_VERSION:-canary}
docker run --rm -q \
docker run --rm -it \
-v backup_data:/data alpine \
ash -c 'tar -xvf /data/backup/test.tar.gz && test -f /backup/app_data/offen.db && test -d /backup/empty_data'
pass "Found relevant files in untared remote backup."
echo "[TEST:PASS] Found relevant files in untared remote backup."
# This test does not stop containers during backup. This is happening on
# purpose in order to cover this setup as well.
expect_running_containers "2"
if [ "$(docker ps -q | wc -l)" != "2" ]; then
echo "[TEST:FAIL] Expected all containers to be running post backup, instead seen:"
docker ps
exit 1
fi
echo "[TEST:PASS] All containers running post backup."
docker rm $(docker stop minio offen)
docker volume rm backup_data app_data

0
test/collision/.swarm
View File

26
test/collision/docker-compose.yml
View File

@@ -1,26 +0,0 @@
# Copyright 2020-2021 - offen.software <hioffen@posteo.de>
# SPDX-License-Identifier: Unlicense
services:
backup:
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
environment:
BACKUP_FILENAME: test.tar.gz
volumes:
- offen_data:/backup/offen_data:ro
- ${LOCAL_DIR:-./local}:/archive
- /var/run/docker.sock:/var/run/docker.sock:ro
offen:
image: offen/offen:latest
labels:
- docker-volume-backup.stop-during-backup=true
deploy:
labels:
- docker-volume-backup.stop-during-backup=true
replicas: 2
volumes:
- offen_data:/var/opt/offen
volumes:
offen_data:

32
test/collision/run.sh
View File

@@ -1,32 +0,0 @@
#!/bin/sh
set -e
cd $(dirname $0)
. ../util.sh
current_test=$(basename $(pwd))
export LOCAL_DIR=$(mktemp -d)
docker stack deploy --compose-file=docker-compose.yml test_stack
while [ -z $(docker ps -q -f name=backup) ]; do
info "Backup container not ready yet. Retrying."
sleep 1
done
sleep 20
set +e
docker exec $(docker ps -q -f name=backup) backup
if [ $? = "0" ]; then
fail "Expected script to exit with error code."
fi
if [ -f "${LOCAL_DIR}/test.tar.gz" ]; then
fail "Found backup file that should not have been created."
fi
expect_running_containers "3"
pass "Script did not perform backup as there was a label collision."

Some files were not shown because too many files have changed in this diff Show More