Allow backup to be run as non-root user (#366)
* Allow backup to be run as non-root user * Document usage as non-root user * Also test /etc access * Choose better name for doc
This commit is contained in:
parent
dd8ff5ee0c
commit
f64aaa6e24
@ -13,7 +13,8 @@ FROM alpine:3.19
|
||||
|
||||
WORKDIR /root
|
||||
|
||||
RUN apk add --no-cache ca-certificates
|
||||
RUN apk add --no-cache ca-certificates && \
|
||||
chmod a+rw /var/lock
|
||||
|
||||
COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
|
||||
|
||||
|
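Review bot: `chmod a+rw /var/lock` makes the whole lock directory world-writable without the sticky bit, so any user inside the container can remove or replace a lock file created by another user; the conventional mode for a shared writable directory is `chmod 1777 /var/lock` (equivalently `a+rwt`), which still lets an unprivileged `--user` create its lock but stops other owners from deleting it. Whether a directory-wide change is needed at all, or a lock path owned by the configured user would do, cannot be judged from this hunk, since the lock file's location is presumably set in the backup binary rather than here. The line also deserves a why-comment, e.g. `# let a non-root user (see docs/how-tos/use-as-non-root.md) take the backup lock`. The file header for this hunk is outside the chunk; it reads as the final stage of the image's Dockerfile.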
@ -2,7 +2,7 @@
|
||||
title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
|
||||
layout: default
|
||||
parent: How Tos
|
||||
nav_order: 16
|
||||
nav_order: 17
|
||||
---
|
||||
|
||||
# Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
|
||||
layout: default
|
||||
parent: How Tos
|
||||
nav_order: 19
|
||||
nav_order: 20
|
||||
---
|
||||
|
||||
# Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Replace deprecated exec-pre and exec-post labels
|
||||
layout: default
|
||||
parent: How Tos
|
||||
nav_order: 17
|
||||
nav_order: 18
|
||||
---
|
||||
|
||||
# Replace deprecated `exec-pre` and `exec-post` labels
|
||||
|
@ -2,7 +2,7 @@
|
||||
title: Update deprecated email configuration
|
||||
layout: default
|
||||
parent: How Tos
|
||||
nav_order: 18
|
||||
nav_order: 19
|
||||
---
|
||||
|
||||
# Update deprecated email configuration
|
||||
|
36
docs/how-tos/use-as-non-root.md
Normal file
36
docs/how-tos/use-as-non-root.md
Normal file
@ -0,0 +1,36 @@
|
||||
---
|
||||
title: Use the image as a non-root user
|
||||
layout: default
|
||||
parent: How Tos
|
||||
nav_order: 16
|
||||
---
|
||||
|
||||
# Use the image as a non-root user
|
||||
|
||||
{: .important }
|
||||
Running as a non-root user limits interaction with the Docker Daemon.
|
||||
If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root.
|
||||
|
||||
By default, this image executes backups using the `root` user.
|
||||
In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id:
|
||||
|
||||
```console
|
||||
docker run --rm \
|
||||
-v data:/backup/data \
|
||||
--env AWS_ACCESS_KEY_ID="<xxx>" \
|
||||
--env AWS_SECRET_ACCESS_KEY="<xxx>" \
|
||||
--env AWS_S3_BUCKET_NAME="<xxx>" \
|
||||
--entrypoint backup \
|
||||
--user 1000:1000 \
|
||||
offen/docker-volume-backup:v2
|
||||
```
|
||||
|
||||
or in a compose file:
|
||||
|
||||
```yml
|
||||
services:
|
||||
backup:
|
||||
image: offen/docker-volume-backup:v2
|
||||
user: 1000:1000
|
||||
# further configuration omitted ...
|
||||
```
|
@ -371,3 +371,24 @@ volumes:
|
||||
data_1:
|
||||
data_2:
|
||||
```
|
||||
|
||||
## Running as a non-root user
|
||||
|
||||
```yml
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
# ... define other services using the `data` volume here
|
||||
backup:
|
||||
image: offen/docker-volume-backup:v2
|
||||
user: 1000:1000
|
||||
environment:
|
||||
AWS_S3_BUCKET_NAME: backup-bucket
|
||||
AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
|
||||
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
||||
volumes:
|
||||
- data:/backup/my-app-backup:ro
|
||||
|
||||
volumes:
|
||||
data:
|
||||
```
|
||||
|
7
test/nonroot/01conf.env
Normal file
7
test/nonroot/01conf.env
Normal file
@ -0,0 +1,7 @@
|
||||
AWS_ACCESS_KEY_ID="test"
|
||||
AWS_SECRET_ACCESS_KEY="GMusLtUmILge2by+z890kQ"
|
||||
AWS_ENDPOINT="minio:9000"
|
||||
AWS_ENDPOINT_PROTO="http"
|
||||
AWS_S3_BUCKET_NAME="backup"
|
||||
BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
|
||||
BACKUP_FILENAME="test.tar.gz"
|
33
test/nonroot/docker-compose.yml
Normal file
33
test/nonroot/docker-compose.yml
Normal file
@ -0,0 +1,33 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
minio:
|
||||
image: minio/minio:RELEASE.2020-08-04T23-10-51Z
|
||||
environment:
|
||||
MINIO_ROOT_USER: test
|
||||
MINIO_ROOT_PASSWORD: test
|
||||
MINIO_ACCESS_KEY: test
|
||||
MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
|
||||
entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
|
||||
volumes:
|
||||
- ${LOCAL_DIR:-local}:/data
|
||||
|
||||
backup:
|
||||
image: offen/docker-volume-backup:${TEST_VERSION:-canary}
|
||||
user: 1000:1000
|
||||
depends_on:
|
||||
- minio
|
||||
restart: always
|
||||
volumes:
|
||||
- app_data:/backup/app_data:ro
|
||||
- ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env
|
||||
|
||||
offen:
|
||||
image: offen/offen:latest
|
||||
labels:
|
||||
- docker-volume-backup.stop-during-backup=true
|
||||
volumes:
|
||||
- app_data:/var/opt/offen
|
||||
|
||||
volumes:
|
||||
app_data:
|
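Review bot: `user: 1000:1000` on the `backup` service is a plain scalar; it happens to stay a string under YAML 1.1 rules, but `n:n` values are the sexagesimal trap (`22:22` parses to an integer) and this test compose file will be copied as a template, so write it as `user: "1000:1000"`, and likewise in the two documentation examples added in this commit. The config mount `- ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env` is read-write although the file is only read; adding `:ro` keeps the container from being able to rewrite a fixture that lives in the host checkout. The minio credentials here duplicate the values in `test/nonroot/01conf.env`, so a change to one must be mirrored in the other.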
27
test/nonroot/run.sh
Executable file
27
test/nonroot/run.sh
Executable file
@ -0,0 +1,27 @@
|
||||
#!/bin/sh
|
||||
|
||||
set -e
|
||||
|
||||
cd "$(dirname "$0")"
|
||||
. ../util.sh
|
||||
current_test=$(basename $(pwd))
|
||||
|
||||
export LOCAL_DIR=$(mktemp -d)
|
||||
|
||||
docker compose up -d --quiet-pull
|
||||
sleep 5
|
||||
|
||||
docker compose logs backup
|
||||
|
||||
# conf.d is used to confirm /etc files are also accessible for non-root users
|
||||
docker compose exec backup /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/01conf.env; set +a && backup'
|
||||
|
||||
sleep 5
|
||||
|
||||
expect_running_containers "3"
|
||||
|
||||
if [ ! -f "$LOCAL_DIR/backup/test.tar.gz" ]; then
|
||||
fail "Could not find archive."
|
||||
fi
|
||||
pass "Archive was created."
|
||||
|
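Review bot: In the `docker compose exec` line, `set -a; source …/01conf.env; set +a && backup` still runs `backup` when sourcing the config file fails, because `;` does not stop on error and the `&&` only guards `set +a`; since the comment above says this line exists to confirm that the file under `/etc` is readable by the non-root user, that read failure is the exact condition the test should detect, so chain it: `'set -a && . /etc/dockervolumebackup/conf.d/01conf.env && set +a && backup'`. Using `.` instead of `source` also keeps the command POSIX, which matters because it runs under the image's `/bin/sh`. As written, a permission problem is only caught indirectly through the missing `test.tar.gz`, which makes the cause harder to read from the test log.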
@ -22,7 +22,7 @@ skip () {
|
||||
|
||||
expect_running_containers () {
|
||||
if [ "$(docker ps -q | wc -l)" != "$1" ]; then
|
||||
fail "Expected $1 containers to be running, instead seen: "$(docker ps -a | wc -l)""
|
||||
fail "Expected $1 containers to be running, instead seen: "$(docker ps -q | wc -l)""
|
||||
fi
|
||||
pass "$1 containers running."
|
||||
}
|
||||
|
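Review bot: The corrected `fail` message is still built from three separately quoted segments, `"… instead seen: "$(docker ps -q | wc -l)""`, so the command substitution sits outside the quotes and is subject to word splitting; write it as one string: `fail "Expected $1 containers to be running, instead seen: $(docker ps -q | wc -l)"`. The comparison on the line above also uses the raw `wc -l` output, which on some platforms is padded with leading spaces and would never equal `"$1"`; presumably the tests only run on Linux where this is fine, but `$(docker ps -q | wc -l | tr -d ' ')` would make both lines portable. expect_running_containers is fully contained in the hunk.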