Allow backup to be run as non-root user (#366)

* Allow backup to be run as non-root user

* Document usage as non-root user

* Also test /etc access

* Choose better name for doc
This commit is contained in:
Frederik Ring 2024-02-21 17:44:24 +01:00 committed by GitHub
parent dd8ff5ee0c
commit f64aaa6e24
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 131 additions and 6 deletions

View File

@ -13,7 +13,8 @@ FROM alpine:3.19
WORKDIR /root WORKDIR /root
RUN apk add --no-cache ca-certificates RUN apk add --no-cache ca-certificates && \
chmod a+rw /var/lock
COPY --from=builder /app/cmd/backup/backup /usr/bin/backup COPY --from=builder /app/cmd/backup/backup /usr/bin/backup

View File

@ -2,7 +2,7 @@
title: Replace deprecated BACKUP_FROM_SNAPSHOT usage title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
layout: default layout: default
parent: How Tos parent: How Tos
nav_order: 16 nav_order: 17
--- ---
# Replace deprecated `BACKUP_FROM_SNAPSHOT` usage # Replace deprecated `BACKUP_FROM_SNAPSHOT` usage

View File

@ -2,7 +2,7 @@
title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
layout: default layout: default
parent: How Tos parent: How Tos
nav_order: 19 nav_order: 20
--- ---
# Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting # Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting

View File

@ -2,7 +2,7 @@
title: Replace deprecated exec-pre and exec-post labels title: Replace deprecated exec-pre and exec-post labels
layout: default layout: default
parent: How Tos parent: How Tos
nav_order: 17 nav_order: 18
--- ---
# Replace deprecated `exec-pre` and `exec-post` labels # Replace deprecated `exec-pre` and `exec-post` labels

View File

@ -2,7 +2,7 @@
title: Update deprecated email configuration title: Update deprecated email configuration
layout: default layout: default
parent: How Tos parent: How Tos
nav_order: 18 nav_order: 19
--- ---
# Update deprecated email configuration # Update deprecated email configuration

View File

@ -0,0 +1,36 @@
---
title: Use the image as a non-root user
layout: default
parent: How Tos
nav_order: 16
---
# Use the image as a non-root user
{: .important }
Running as a non-root user limits interaction with the Docker Daemon.
If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root.
By default, this image executes backups using the `root` user.
In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id:
```console
docker run --rm \
-v data:/backup/data \
--env AWS_ACCESS_KEY_ID="<xxx>" \
--env AWS_SECRET_ACCESS_KEY="<xxx>" \
--env AWS_S3_BUCKET_NAME="<xxx>" \
--entrypoint backup \
--user 1000:1000 \
offen/docker-volume-backup:v2
```
or in a compose file:
```yml
services:
backup:
image: offen/docker-volume-backup:v2
user: 1000:1000
# further configuration omitted ...
```

View File

@ -371,3 +371,24 @@ volumes:
data_1: data_1:
data_2: data_2:
``` ```
## Running as a non-root user
```yml
version: '3'
services:
# ... define other services using the `data` volume here
backup:
image: offen/docker-volume-backup:v2
user: 1000:1000
environment:
AWS_S3_BUCKET_NAME: backup-bucket
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
volumes:
- data:/backup/my-app-backup:ro
volumes:
data:
```

7
test/nonroot/01conf.env Normal file
View File

@ -0,0 +1,7 @@
AWS_ACCESS_KEY_ID="test"
AWS_SECRET_ACCESS_KEY="GMusLtUmILge2by+z890kQ"
AWS_ENDPOINT="minio:9000"
AWS_ENDPOINT_PROTO="http"
AWS_S3_BUCKET_NAME="backup"
BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
BACKUP_FILENAME="test.tar.gz"

View File

@ -0,0 +1,33 @@
version: '3'
services:
minio:
image: minio/minio:RELEASE.2020-08-04T23-10-51Z
environment:
MINIO_ROOT_USER: test
MINIO_ROOT_PASSWORD: test
MINIO_ACCESS_KEY: test
MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
volumes:
- ${LOCAL_DIR:-local}:/data
backup:
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
user: 1000:1000
depends_on:
- minio
restart: always
volumes:
- app_data:/backup/app_data:ro
- ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env
offen:
image: offen/offen:latest
labels:
- docker-volume-backup.stop-during-backup=true
volumes:
- app_data:/var/opt/offen
volumes:
app_data:

27
test/nonroot/run.sh Executable file
View File

@ -0,0 +1,27 @@
#!/bin/sh
set -e
cd "$(dirname "$0")"
. ../util.sh
current_test=$(basename $(pwd))
export LOCAL_DIR=$(mktemp -d)
docker compose up -d --quiet-pull
sleep 5
docker compose logs backup
# conf.d is used to confirm /etc files are also accessible for non-root users
docker compose exec backup /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/01conf.env; set +a && backup'
sleep 5
expect_running_containers "3"
if [ ! -f "$LOCAL_DIR/backup/test.tar.gz" ]; then
fail "Could not find archive."
fi
pass "Archive was created."

View File

@ -22,7 +22,7 @@ skip () {
expect_running_containers () { expect_running_containers () {
if [ "$(docker ps -q | wc -l)" != "$1" ]; then if [ "$(docker ps -q | wc -l)" != "$1" ]; then
fail "Expected $1 containers to be running, instead seen: "$(docker ps -a | wc -l)"" fail "Expected $1 containers to be running, instead seen: "$(docker ps -q | wc -l)""
fi fi
pass "$1 containers running." pass "$1 containers running."
} }