-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: schedule inside a container using a non-root user (#348)
* contrib: schedule inside a container with a non-root user * moved contrib to documentation instead * reword documentation
- Loading branch information
1 parent
3b8613e
commit 8297f50
Showing
7 changed files
with
122 additions
and
231 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,3 +33,5 @@ status.json | |
| /docs/static/jsonschema | ||
| /public | ||
| .hugo_build.lock | ||
|
|
||
| .env | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| FROM alpine:latest | ||
|
|
||
| LABEL org.opencontainers.image.documentation="https://creativeprojects.github.io/resticprofile/" | ||
| LABEL org.opencontainers.image.source="https://github.com/creativeprojects/resticprofile" | ||
|
|
||
|
|
||
| ARG ARCH=amd64 | ||
| ENV TZ=Etc/UTC | ||
|
|
||
| COPY build/restic-${ARCH} /usr/bin/restic | ||
| COPY build/rclone-${ARCH} /usr/bin/rclone | ||
| COPY resticprofile /usr/bin/resticprofile | ||
|
|
||
| RUN apk add --no-cache openssh-client-default curl tzdata ca-certificates supercronic && \ | ||
| chmod +x /usr/bin/restic /usr/bin/rclone /usr/bin/resticprofile && \ | ||
| adduser -D -h /resticprofile resticprofile && \ | ||
| mkdir -p /resticprofile && \ | ||
| touch /resticprofile/crontab && \ | ||
| chown -R resticprofile:resticprofile /resticprofile | ||
|
|
||
| VOLUME /resticprofile | ||
| WORKDIR /resticprofile | ||
|
|
||
| ENTRYPOINT ["resticprofile"] | ||
| CMD ["--help"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,35 +1,3 @@ | ||
| # resticprofile deployment using ansible | ||
|
|
||
| This is very much work in progress. Once I get a stable ansible script I should publish it to Ansible Galaxy. | ||
|
|
||
| The playbook is installing (or upgrading): | ||
|
|
||
| * latest restic binary to `/usr/local/bin` | ||
| * latest resticprofile binary to `/usr/local/bin` | ||
| * the resticprofile configuration file from a template file found in `./resticprofile/{{ inventory_hostname }}/profiles.*` to `/root/resticprofile/profiles.*` | ||
| * password files that can be encrypted using ansible vault. These files are located in `./resticprofile/{{ inventory_hostname }}/keys/*`: they will be decrypted and saved to `/root/resticprofile/`. | ||
| * other files (like files needed for `--exclude-file`, `--files-from` or anything else you need) from `./resticprofile/{{ inventory_hostname }}/copy/*` to `/root/resticprofile/` | ||
|
|
||
| ### Requirement | ||
|
|
||
| Each target machine must have one variable named `arch` containing the resticprofile OS & Arch. You can see a list of all the available OS & Arch couples on the [releases page](https://github.com/creativeprojects/resticprofile/releases). | ||
|
|
||
| Typically, a binary will be distributed using this convention: | ||
|
|
||
| `resticprofile-[VERSION]_[OS]_[ARCH].tar.gz` | ||
|
|
||
| Your host variables file should declare a `arch` variable containing the `[OS]_[ARCH]` part of the file name. | ||
|
|
||
| #### Examples: | ||
|
|
||
| ``` | ||
| arch: linux_amd64 | ||
| ``` | ||
|
|
||
| or for a Raspberry pi 3+: | ||
|
|
||
| ``` | ||
| arch: linux_armv7 | ||
| ``` | ||
|
|
||
| Note: _I might find a way to detect this automatically at some point_ | ||
| Contribution moved to the documentation: https://creativeprojects.github.io/resticprofile/installation/ansible/ |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| --- | ||
| title: "User schedule in container" | ||
| weight: 150 | ||
| tags: ["v0.27.0"] | ||
| --- | ||
|
|
||
|
|
||
| You can schedule your backups with resticprofile by running `crond` inside a container. | ||
|
|
||
| This configuration uses [supercronic](https://github.com/aptible/supercronic) to run scheduled backups as a non-root user. | ||
|
|
||
| You can create a container with this modified version from the [official image](https://github.com/creativeprojects/resticprofile/blob/master/build/Dockerfile): | ||
|
|
||
| ```Dockerfile | ||
| FROM alpine:latest | ||
|
|
||
| LABEL org.opencontainers.image.documentation="https://creativeprojects.github.io/resticprofile/" | ||
| LABEL org.opencontainers.image.source="https://github.com/creativeprojects/resticprofile" | ||
|
|
||
|
|
||
| ARG ARCH=amd64 | ||
| ENV TZ=Etc/UTC | ||
|
|
||
| COPY build/restic-${ARCH} /usr/bin/restic | ||
| COPY build/rclone-${ARCH} /usr/bin/rclone | ||
| COPY resticprofile /usr/bin/resticprofile | ||
|
|
||
| RUN apk add --no-cache openssh-client-default curl tzdata ca-certificates supercronic && \ | ||
| chmod +x /usr/bin/restic /usr/bin/rclone /usr/bin/resticprofile && \ | ||
| adduser -D -h /resticprofile resticprofile && \ | ||
| mkdir -p /resticprofile && \ | ||
| touch /resticprofile/crontab && \ | ||
| chown -R resticprofile:resticprofile /resticprofile | ||
|
|
||
| VOLUME /resticprofile | ||
| WORKDIR /resticprofile | ||
|
|
||
| ENTRYPOINT ["resticprofile"] | ||
| CMD ["--help"] | ||
| ``` | ||
|
|
||
| Here's a `docker-compose` example loading configuration from a `.env` file: | ||
|
|
||
| ```yaml | ||
| version: '2' | ||
|
|
||
| services: | ||
| scheduled-backup: | ||
| image: creativeprojects/resticprofile:${RP_VERSION:-latest} | ||
| container_name: backup_container | ||
| hostname: backup_container | ||
| user: resticprofile:resticprofile | ||
| entrypoint: '/bin/sh' | ||
| command: | ||
| - '-c' | ||
| - 'resticprofile schedule --all && supercronic /resticprofile/crontab' | ||
| volumes: | ||
| - '${RP_CONFIG}:/resticprofile/profiles.yaml:ro' | ||
| - '${RP_KEYFILE}:/resticprofile/key:ro' | ||
| - '${BACKUP_SOURCE}:/source:ro' | ||
| - '${RP_REPOSITORY}:/restic_repo' | ||
| environment: | ||
| - TZ=${TIMEZONE:-Etc/UTC} | ||
|
|
||
| ``` | ||
|
|
||
| with the corresponding resticprofile configuration running a backup every 15 minutes: | ||
|
|
||
| ```yaml | ||
|
|
||
| global: | ||
| scheduler: crontab:-:/resticprofile/crontab | ||
|
|
||
| default: | ||
| password-file: key | ||
| repository: "local:/restic_repo" | ||
| initialize: true | ||
| backup: | ||
| source: /source | ||
| exclude-caches: true | ||
| one-file-system: true | ||
| schedule: "*:00,05,10,15,20,25,30,35,40,45,50,55" | ||
| schedule-permission: user | ||
| check-before: true | ||
|
|
||
| ``` | ||
|
|
||
| ## More information | ||
|
|
||
| [Discussion on Supercronic](https://github.com/creativeprojects/resticprofile/issues/288) | ||
|
|
||
| [Discussion on non-root container](https://github.com/creativeprojects/resticprofile/issues/321) | ||
|
|
Submodule hugo-theme-relearn
updated
65 files