Allow backup to be run as non-root user (#366)
* Allow backup to be run as non-root user * Document usage as non-root user * Also test /etc access * Choose better name for doc
This commit is contained in:
parent
dd8ff5ee0c
commit
f64aaa6e24
@ -13,7 +13,8 @@ FROM alpine:3.19
|
|||||||
|
|
||||||
WORKDIR /root
|
WORKDIR /root
|
||||||
|
|
||||||
RUN apk add --no-cache ca-certificates
|
RUN apk add --no-cache ca-certificates && \
|
||||||
|
chmod a+rw /var/lock
|
||||||
|
|
||||||
COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
|
COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
|
||||||
|
|
||||||
|
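Review bot: `chmod a+rw /var/lock` makes the lock directory world-writable without the sticky bit, so once the image is run with an arbitrary `--user`, any uid inside the container can delete or replace a lock file that another process created there, which weakens whatever locking the backup does under `/var/lock` (its use of the directory is not visible in this hunk). `chmod 1777 /var/lock` still lets a non-root user create the lock file but restricts removal to the file's owner, the usual convention for shared writable directories. The path of this file is not shown on the page; the hunk reads as the runtime stage of the image's Dockerfile.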
@ -2,7 +2,7 @@
|
|||||||
title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
|
title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
|
||||||
layout: default
|
layout: default
|
||||||
parent: How Tos
|
parent: How Tos
|
||||||
nav_order: 16
|
nav_order: 17
|
||||||
---
|
---
|
||||||
|
|
||||||
# Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
|
# Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
|
title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
|
||||||
layout: default
|
layout: default
|
||||||
parent: How Tos
|
parent: How Tos
|
||||||
nav_order: 19
|
nav_order: 20
|
||||||
---
|
---
|
||||||
|
|
||||||
# Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
|
# Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Replace deprecated exec-pre and exec-post labels
|
title: Replace deprecated exec-pre and exec-post labels
|
||||||
layout: default
|
layout: default
|
||||||
parent: How Tos
|
parent: How Tos
|
||||||
nav_order: 17
|
nav_order: 18
|
||||||
---
|
---
|
||||||
|
|
||||||
# Replace deprecated `exec-pre` and `exec-post` labels
|
# Replace deprecated `exec-pre` and `exec-post` labels
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
title: Update deprecated email configuration
|
title: Update deprecated email configuration
|
||||||
layout: default
|
layout: default
|
||||||
parent: How Tos
|
parent: How Tos
|
||||||
nav_order: 18
|
nav_order: 19
|
||||||
---
|
---
|
||||||
|
|
||||||
# Update deprecated email configuration
|
# Update deprecated email configuration
|
||||||
|
36
docs/how-tos/use-as-non-root.md
Normal file
36
docs/how-tos/use-as-non-root.md
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
---
|
||||||
|
title: Use the image as a non-root user
|
||||||
|
layout: default
|
||||||
|
parent: How Tos
|
||||||
|
nav_order: 16
|
||||||
|
---
|
||||||
|
|
||||||
|
# Use the image as a non-root user
|
||||||
|
|
||||||
|
{: .important }
|
||||||
|
Running as a non-root user limits interaction with the Docker Daemon.
|
||||||
|
If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root.
|
||||||
|
|
||||||
|
By default, this image executes backups using the `root` user.
|
||||||
|
In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id:
|
||||||
|
|
||||||
|
```console
|
||||||
|
docker run --rm \
|
||||||
|
-v data:/backup/data \
|
||||||
|
--env AWS_ACCESS_KEY_ID="<xxx>" \
|
||||||
|
--env AWS_SECRET_ACCESS_KEY="<xxx>" \
|
||||||
|
--env AWS_S3_BUCKET_NAME="<xxx>" \
|
||||||
|
--entrypoint backup \
|
||||||
|
--user 1000:1000 \
|
||||||
|
offen/docker-volume-backup:v2
|
||||||
|
```
|
||||||
|
|
||||||
|
or in a compose file:
|
||||||
|
|
||||||
|
```yml
|
||||||
|
services:
|
||||||
|
backup:
|
||||||
|
image: offen/docker-volume-backup:v2
|
||||||
|
user: 1000:1000
|
||||||
|
# further configuration omitted ...
|
||||||
|
```
|
@ -371,3 +371,24 @@ volumes:
|
|||||||
data_1:
|
data_1:
|
||||||
data_2:
|
data_2:
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Running as a non-root user
|
||||||
|
|
||||||
|
```yml
|
||||||
|
version: '3'
|
||||||
|
|
||||||
|
services:
|
||||||
|
# ... define other services using the `data` volume here
|
||||||
|
backup:
|
||||||
|
image: offen/docker-volume-backup:v2
|
||||||
|
user: 1000:1000
|
||||||
|
environment:
|
||||||
|
AWS_S3_BUCKET_NAME: backup-bucket
|
||||||
|
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
|
||||||
|
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
||||||
|
volumes:
|
||||||
|
- data:/backup/my-app-backup:ro
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
data:
|
||||||
|
```
|
||||||
|
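--- a/test/nonroot/01conf.env
+++ b/test/nonroot/01conf.env
@@ -0,0 +1,7 @@
+AWS_ACCESS_KEY_ID="test"
+AWS_SECRET_ACCESS_KEY="GMusLtUmILge2by+z890kQ"
+AWS_ENDPOINT="minio:9000"
+AWS_ENDPOINT_PROTO="http"
+AWS_S3_BUCKET_NAME="backup"
+BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
+BACKUP_FILENAME="test.tar.gz"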
33
test/nonroot/docker-compose.yml
Normal file
33
test/nonroot/docker-compose.yml
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
version: '3'
|
||||||
|
|
||||||
|
services:
|
||||||
|
minio:
|
||||||
|
image: minio/minio:RELEASE.2020-08-04T23-10-51Z
|
||||||
|
environment:
|
||||||
|
MINIO_ROOT_USER: test
|
||||||
|
MINIO_ROOT_PASSWORD: test
|
||||||
|
MINIO_ACCESS_KEY: test
|
||||||
|
MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
|
||||||
|
entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
|
||||||
|
volumes:
|
||||||
|
- ${LOCAL_DIR:-local}:/data
|
||||||
|
|
||||||
|
backup:
|
||||||
|
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
|
||||||
|
user: 1000:1000
|
||||||
|
depends_on:
|
||||||
|
- minio
|
||||||
|
restart: always
|
||||||
|
volumes:
|
||||||
|
- app_data:/backup/app_data:ro
|
||||||
|
- ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env
|
||||||
|
|
||||||
|
offen:
|
||||||
|
image: offen/offen:latest
|
||||||
|
labels:
|
||||||
|
- docker-volume-backup.stop-during-backup=true
|
||||||
|
volumes:
|
||||||
|
- app_data:/var/opt/offen
|
||||||
|
|
||||||
|
volumes:
|
||||||
|
app_data:
|
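Review bot: The `docker-volume-backup.stop-during-backup=true` label on the `offen` service has no effect in this fixture as far as the file shows, because the `backup` service mounts only `app_data` and `./01conf.env` and no Docker socket, so nothing can act on the label; it suggests the stop path is covered for a non-root run when the test only checks that an archive is produced. Either drop the label or mark the intent, e.g. `# no Docker socket is mounted, so stop-during-backup is deliberately not exercised here`. As a point of style, `user: 1000:1000` is a plain string today, but quoting it (`user: "1000:1000"`) keeps it one if the ids are ever lowered to two-digit values, which a YAML 1.1 loader would read as a base-60 integer.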
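--- a/test/nonroot/run.sh
+++ b/test/nonroot/run.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose logs backup
+
+# conf.d is used to confirm /etc files are also accessible for non-root users
+docker compose exec backup /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/01conf.env; set +a && backup'
+
+sleep 5
+
+expect_running_containers "3"
+
+if [ ! -f "$LOCAL_DIR/backup/test.tar.gz" ]; then
+fail "Could not find archive."
+fi
+pass "Archive was created."
+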
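Review bot: The `docker compose exec` line relies on the inner `/bin/sh` stopping when `/etc/dockervolumebackup/conf.d/01conf.env` cannot be read, but that shell runs without `-e`, so whether a failing `source` aborts or falls through to `set +a && backup` (which would then fail for the unrelated reason of missing settings) depends on the shell's treatment of a failing dot command. Since the comment above it says the readability of `/etc` is the thing being confirmed, make the check explicit and POSIX: `docker compose exec backup /bin/sh -ec 'set -a; . /etc/dockervolumebackup/conf.d/01conf.env; set +a; backup'`. The fixed `sleep 5` before `expect_running_containers` and before the `exec` may also be worth replacing with a readiness poll, as timing-based waits tend to flake on slow runners.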
@ -22,7 +22,7 @@ skip () {
|
|||||||
|
|
||||||
expect_running_containers () {
|
expect_running_containers () {
|
||||||
if [ "$(docker ps -q | wc -l)" != "$1" ]; then
|
if [ "$(docker ps -q | wc -l)" != "$1" ]; then
|
||||||
fail "Expected $1 containers to be running, instead seen: "$(docker ps -a | wc -l)""
|
fail "Expected $1 containers to be running, instead seen: "$(docker ps -q | wc -l)""
|
||||||
fi
|
fi
|
||||||
pass "$1 containers running."
|
pass "$1 containers running."
|
||||||
}
|
}
|
||||||
|
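Review bot: The rewritten `fail` message nests double quotes around the command substitution, `"... seen: "$(docker ps -q | wc -l)""`, which only works because the inner pair closes and reopens the string; the plain form is `fail "Expected $1 containers to be running, instead seen: $(docker ps -q | wc -l)"`. Reporting the same `-q` count that the condition tests is the right fix for the old mismatch. Both the test and the message still count every running container on the host rather than only this compose project's, which predates this commit and may be worth a comment on the function.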