docker-duplicity's Introduction

What is Duplicity?

duplicity backup tool.

Features of this Docker image:

  • Small: Built using alpine.
  • Simple: Most common cases are explained below and require minimal setup.
  • Secure: Runs non-root by default (uses a randomly chosen UID, 1896), and is meant to run as any user.

Usage

For the general command-line syntax, do:

$ docker run --rm wernight/duplicity duplicity --help

In general you...

  • Must mount what you want to back up or where you want to restore a backup.
  • Should mount /home/duplicity/.cache/duplicity as writable somewhere (if not cached, duplicity will have to recreate it from the remote repository, which may require decrypting the backup contents). Note that it may be quite large and contains metadata about the files you've backed up in clear text.
  • Should mount /home/duplicity/.gnupg as writable somewhere (that directory is used to validate incremental backups and shouldn't be necessary to restore your backup if you follow the steps below).
  • Should specify duplicity flag --allow-source-mismatch because Docker has a random host for each container.
  • Could set environment variable PASSPHRASE, unless you want to type it manually in the prompt (remember then to add -it).
  • May have to mount a few other files for authentication (see examples below).

Example of commands you may want to run periodically to back up with good clean-up/maintenance (see below for various storage options):

 $ docker run --rm ... wernight/duplicity duplicity --full-if-older-than=6M source_directory target_url
 $ docker run --rm ... wernight/duplicity duplicity remove-older-than 6M --force target_url
 $ docker run --rm ... wernight/duplicity duplicity cleanup --force target_url

This would do:

  1. A full backup every 6 months so that restoration is a lot faster and for cleanup to work, and incremental backups the rest of the time.
  2. Delete backups older than 6 months (doesn't break incremental backups).
  3. Delete files from failed sessions (if any).
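
The three commands above as one script, given here as an added example (not code from the docker-duplicity project). The state directory layout, the DOCKER override used for dry runs and DUPLICITY_DOCKER_ARGS (extra mounts such as ~/.boto) are assumptions of this sketch; PASSPHRASE is forwarded by name so its value stays off the docker command line.

```sh
#!/bin/sh
# Added example: periodic backup cycle for the wernight/duplicity image.
# DOCKER and DUPLICITY_DOCKER_ARGS are hypothetical knobs of this sketch.

DOCKER="${DOCKER:-docker}"      # set DOCKER=echo to print the commands only
IMAGE="wernight/duplicity"

# The cache holds clear-text metadata about backed-up files and .gnupg is
# checked by gpg for unsafe permissions, so both are created owner-only
# before they are mounted into the container.
prepare_state_dirs() {
    state_dir=$1
    ( umask 077 && mkdir -p "$state_dir/.cache" "$state_dir/.gnupg" ) || return 1
    chmod 700 "$state_dir/.cache" "$state_dir/.gnupg"
}

# Run one duplicity command in the container. "-e PASSPHRASE" without a value
# forwards the variable from the caller's environment, so the secret does not
# appear in the docker arguments, the process list or shell history.
run_duplicity() {
    state_dir=$1 src_dir=$2; shift 2
    $DOCKER run --rm --user "$(id -u)" \
        -e PASSPHRASE \
        -v "$state_dir/.cache:/home/duplicity/.cache/duplicity" \
        -v "$state_dir/.gnupg:/home/duplicity/.gnupg" \
        -v "$src_dir:/data:ro" \
        ${DUPLICITY_DOCKER_ARGS:-} \
        "$IMAGE" duplicity "$@"
}

# Backup, then expiry, then cleanup. Each step runs only if the previous one
# succeeded, so old backups are never removed after a failed backup.
backup_cycle() {
    state_dir=$1 src_dir=$2 target_url=$3
    [ -n "${PASSPHRASE:-}" ] || { echo "PASSPHRASE is not set" >&2; return 2; }
    export PASSPHRASE
    prepare_state_dirs "$state_dir" || return 1
    run_duplicity "$state_dir" "$src_dir" --full-if-older-than=6M \
        --allow-source-mismatch /data "$target_url" || return 1
    run_duplicity "$state_dir" "$src_dir" \
        remove-older-than 6M --force "$target_url" || return 1
    run_duplicity "$state_dir" "$src_dir" cleanup --force "$target_url"
}

# Usage (after sourcing this file, with PASSPHRASE read from a prompt or a
# secrets store rather than typed on the command line):
#   backup_cycle "$HOME/duplicity-state" /srv/data gs://my-bucket-name/some_dir
```
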

Backup to Google Cloud Storage example

Google Cloud Storage nearline costs about $0.01/GB/Month.

Set up:

  1. Sign up, create an empty project, enable billing, and create a bucket

  2. Under "Storage" section > "Settings" > "Interoperability" tab > click "Enable interoperable access" and then "Create a new key" button and note both Access Key and Secret. Also note your Project Number (aka project ID, it's a number like 1233457890).

  3. Run gcloud's gsutil config -a to generate the ~/.boto configuration file and give it all this information. (Alternatively, you should be able to set the environment variables GS_ACCESS_KEY_ID and GS_SECRET_ACCESS_KEY; however, in my tries I didn't see where to set your project ID.)

  4. You should now have a ~/.boto looking like:

    [Credentials]
    gs_access_key_id = MYGOOGLEACCESSKEY
    gs_secret_access_key = SomeVeryLongAccessKeyXXXXXXXX
    
    [GSUtil]
    default_project_id = 1233457890
    

Now you're ready to perform a backup:

$ docker run --rm --user $UID \
      -e PASSPHRASE=P4ssw0rd \
      -v $PWD/.cache:/home/duplicity/.cache/duplicity \
      -v $PWD/.gnupg:/home/duplicity/.gnupg \
      -v ~/.boto:/home/duplicity/.boto:ro \
      -v /:/data:ro \
      wernight/duplicity \
      duplicity --full-if-older-than=6M --allow-source-mismatch /data gs://my-bucket-name/some_dir

To restore, you'll need:

  • Your .boto file (keep it or regenerate it) to access your Google Cloud Storage.
  • The PASSPHRASE you've used.

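Example (a :ro mount cannot be restored into, so this mounts an empty, writable directory that you created beforehand; $PWD/restore is a placeholder):

$ docker run --rm --user $UID \
      -e PASSPHRASE=P4ssw0rd \
      -v ~/.boto:/home/duplicity/.boto:ro \
      -v $PWD/restore:/data \
      wernight/duplicity \
      duplicity restore gs://my-bucket-name/some_dir /data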

See also the note on Google Cloud Storage.

Backup to Google Drive example

Google Drive offers 15GB for free.

Set up:

  1. Follow notes on Pydrive Backend to generate a P12 credential file (call it pydriveprivatekey.p12) and note also the associated service account email generated (e.g. [email protected]).

  2. Convert P12 to PEM:

    $ docker run --rm -i --user $UID \
          -v $PWD/pydriveprivatekey.p12:/pydriveprivatekey.p12:ro \
          wernight/duplicity \
          openssl pkcs12 -in /pydriveprivatekey.p12 -nodes -nocerts >pydriveprivatekey.pem
    Enter Import Password: notasecret
    

Now you're ready to perform a backup:

$ docker run --rm --user $UID \
      -e PASSPHRASE=P4ssw0rd \
      -e GOOGLE_DRIVE_ACCOUNT_KEY="$(cat pydriveprivatekey.pem)" \
      -v $PWD/.cache:/home/duplicity/.cache/duplicity \
      -v $PWD/.gnupg:/home/duplicity/.gnupg \
      -v /:/data:ro \
      wernight/duplicity \
      duplicity --full-if-older-than=6M --allow-source-mismatch /data pydrive://[email protected]/some_dir

To restore, you'll need:

  • Regenerate a PEM file (or keep it somewhere).
  • The PASSPHRASE you've used.

Backup via rsync example

Supposing you have SSH access to some machine, you can run:

$ docker run --rm -it --user root \
      -e PASSPHRASE=P4ssw0rd \
      -v $PWD/.cache:/home/duplicity/.cache/duplicity \
      -v $PWD/.gnupg:/home/duplicity/.gnupg \
      -v ~/.ssh/id_rsa:/id_rsa:ro \
      -v ~/.ssh/known_hosts:/etc/ssh/ssh_known_hosts:ro \
      -v /:/data:ro \
      wernight/duplicity \
      duplicity --full-if-older-than=6M --allow-source-mismatch \
      --rsync-options='-e "ssh -i /id_rsa"' \
      /data rsync://[email protected]/some_dir

Note: We're running as root here to have access to ~/.ssh and also because ssh does not allow the use of a random (non-locally existing) UID. To make it safer, you can copy your ~/.ssh and chown it to 1896 (the duplicity UID within the container). If you know another way to avoid the "No user exists for uid" check, please let me know.

Alias

Here is a simple alias that should work in most cases (the shell appends arguments to an alias by itself, and -e PASSPHRASE without a value forwards the variable from the calling environment):

$ alias duplicity='docker run --rm --user=root -v ~/.ssh/id_rsa:/home/duplicity/.ssh/id_rsa:ro -v ~/.boto:/home/duplicity/.boto:ro -v ~/.gnupg:/home/duplicity/.gnupg -v /:/mnt:ro -e PASSPHRASE wernight/duplicity duplicity'

Now you should be able to run duplicity almost as if it were installed, for example:

$ PASSPHRASE=123456 duplicity --progress /mnt rsync://[email protected]/some_dir

Feedback

Report issues/questions/feature requests on GitHub Issues.

docker-duplicity's People

Contributors

bartlaarhoven, beaukode, dependabot[bot], muscaw, wernight

docker-duplicity's Issues

Stable and latest point to the same docker hash without paramiko

@wernight I am using the docker-duplicity image with paramiko for remote backup. Since the last commits, the image does not contain paramiko anymore and duplicity fails.

According to https://hub.docker.com/r/wernight/duplicity/tags, the digest for stable and latest are the same and point to the docker image available in the stable folder (without paramiko).

See picture

For now, it seems the images are pushed manually. I can provide some automation using GitHub Actions for updating the images if you are interested.

No arguments expected for "shell" command, got "duplicity"

On any command I run with the latest Docker container, I get the error:

No arguments expected for "shell" command, got "duplicity"

This seems to be because the ENTRYPOINT is poetry shell and then the CMD duplicity is not allowed.

B2: Certificate verification failed

I get the below error when trying to back up to B2. Could seem like the container doesn't have an up-to-date certificates file.

Traceback (most recent call last):
  File "/usr/bin/duplicity", line 1537, in <module>
    with_tempdir(main)
  File "/usr/bin/duplicity", line 1531, in with_tempdir
    fn()
  File "/usr/bin/duplicity", line 1369, in main
    action = commandline.ProcessCommandLine(sys.argv[1:])
  File "/usr/lib/python2.7/site-packages/duplicity/commandline.py", line 1117, in ProcessCommandLine
    backup, local_pathname = set_backend(args[0], args[1])
  File "/usr/lib/python2.7/site-packages/duplicity/commandline.py", line 1006, in set_backend
    globals.backend = backend.get_backend(bend)
  File "/usr/lib/python2.7/site-packages/duplicity/backend.py", line 223, in get_backend
    obj = get_backend_object(url_string)
  File "/usr/lib/python2.7/site-packages/duplicity/backend.py", line 209, in get_backend_object
    return factory(pu)
  File "/usr/lib/python2.7/site-packages/duplicity/backends/b2backend.py", line 73, in __init__
    response = urllib2.urlopen(request)
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 429, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 447, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
    raise URLError(err)
URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

Use docker-duplicity on Raspberry Pi

It seems the base alpine:3.8 is not working on Raspberry Pi hardware:

standard_init_linux.go:211: exec user process caused "exec format error"

Alpine does support ARM architecture, is there a way to make your dockerfile multiplatform?

SSH backend does not work anymore

Duplicity requires paramiko or pexpect for ssh support. Recent commits removed py3-paramiko package thus there is no support for ssh/sftp anymore.

Second problem: docker repo does not contain version tags, so it's not possible to just pull an older image without this issue.

Upgrade to 0.7.17

http://duplicity.nongnu.org/

New in v0.7.17 (2018/02/26)
---------------------------
* Removed changes made in bug #1044715 Provide a file history feature
  - Changes required too much memory to carry in the manifest
  - The option --file-changed in collection-status is now invalid
  - This will close bugs: #1730451, #896728, #1526557, #1550176
  - Starting a full backup will be needed to fully utilize this fix
* Fix update of Launchpad Translations.  Translations were not being picked
  up on a daily basis and we got several months behind.


New in v0.7.16 (2018/01/12)
---------------------------
* Fixed bug #1733057 AttributeError: 'GPGError' object has no attribute 'decode'
  - Replaced call to util.ufn() with call to util.uexc().  Stupid typo!
* More fixes for Unicode handling
  - Default to 'utf-8' if sys.getfilesystemencoding() returns 'ascii' or None
  - Fixed bug #1386373 with suggestion from Eugene Morozov
* Patched in lp:~crosser/duplicity/fix-oauth-flow
  - Fixed bug #1638236 "BackendException with oauth2client 4.0.0"
* Patched in lp:~crosser/duplicity/dpbx-fix-file-listing
  - Fixed bug #1639664 "Dropbox support needs to be updated for Dropbox SDK v7.1"
* Patched in lp:~crosser/duplicity/fix-small-file-upload
  - Fixed small file upload changes made in Dropbox SDK v7.1
* Fix pylint error in webdavbackend.py


New in v0.7.15 (2017/11/13)
---------------------------
* Fixed bug introduced in new megabackend.py where process_commandline()
  takes a string not a list.  Now it takes both.
* Updated web page for new megabackend requirements.
* Patched in lp:~mterry/duplicity/more-decode-issues
  - Here's some fixes for another couple UnicodeDecodeErrors.
  - The duplicity/dup_time.py fixes when a user passes a utf8 date string (or a string with bogus
    utf8 characters, but they have to really try to do that). This is bug 1334436.
  - The bin/duplicity change from str(e) to util.uexc(e) fixes bug 1324188.
  - The rest of the changes (util.exception_traceback and bin/duplicity changes to use it) are to
    make the printing of exceptions prettier. Without this, if you see a French exception, you see
    "accept\xe9es" instead of "acceptées".
  - You can test all of these changes in one simple line:
    $ LANGUAGE=fr duplicity remove-older-than $'accept\xffées'
* Fix backend.py to allow string, list, and tuple types to support megabackend.py.
* Fixed bug #1715650 with patch from Mattheww S
  - Fix to make duplicity attempt a get first, then create, a container
    in order to support container ACLs.
* Fixed bug #1714663 "Volume signed by XXXXXXXXXXXXXXXX, not XXXXXXXX"
  - Normalized comparison length to min length of compared keys before comparison
  - Avoids comparing mix of short, long, or fingerprint size keys.
* Merged in lp:~mterry/duplicity/rename-dep
  - Make rename command a dependency for LP build
* Fixed bug #1654756 with new b2backend.py module from Vincent Rouille
  - Faster (big files are uploaded in chunks)
  - Added upload progress reporting support
* Fixed bug #1448094 with patch from Wolfgang Rohdewald
  - Don't log incremental deletes for chains that have no incrementals
* Fixed bug #1724144 "--gpg-options unused with some commands"
  - Add --gpg-options to get version run command
* Fixed bug #1720159 - Cannot allocate memory with large manifest file since 0.7.03
  - filelist is not read if --file-changed option in collection-status not present
  - This will keep memory usage lower in non collection-status operations
* Fixed bug #1723890 with patch from Killian Lackhove
  - Fixes error handling in pydrivebackend.py
* Fixed bug #1730902 GPG Error Handling
  - use util.ufn() not str() to handle encoding


New in v0.7.14 (2017/08/31)
---------------------------
* Merged in lp:~dawgfoto/duplicity/skip_sync_collection_status
  - collection-status should not sync metadata
  - up-to-date local metadata is not needed as collection-status is
    generated from remote file list
  - syncing metadata might require to download several GBs
* Fixed slowness in 'collection-status' by basing the status on the
  remote system only.  The local cache is treated as empty.
* Fixed encrypted remote manifest handling to merely put out a non-fatal
  error message and continue if the private key is not available.
* Patched in lp:~mterry/duplicity/giobackend-display-name
  - giobackend: handle a wider variety of gio backends by making less assumptions;
    in particular, this fixes the google-drive: backend
* Fixed bug #1709047 with suggestion from Gary Hasson
  - fixed so default was to use original filename
* Fixed PEP8 errors in bin/duplicity
* Merged in lp:~mterry/duplicity/gio_child_for_display_name_0.7
  - gio: be slightly more correct and get child GFiles based on display name
* Fixed bug #1711905 with suggestion from Schneider
  - log.Warn was invoked with log.warn in webdavbackend.py
* Merged in lp:~mterry/duplicity/gpg-tag-versions
  - Support gpg versions numbers that have tags on them.
  - This can happen if you build gpg from git trunk (e.g. 2.1.15-beta20). Or if you run
    against the freedesktop flatpak runtime (e.g. 2.1.14-unknown).
* Fixed bug #1394386 with new module megabackend.py from Tomas Vondra
  - uses megatools from https://megatools.megous.com/ instead of mega.py library
    which has been deprecated
  - fixed copyright and PEP8 issues
  - replaced subprocess.call() with self.subprocess_popen() to standardize
* Fixed bug #1713640 with patch from Aleksandar Ivanisevic
  - replace 2.7 syntax with 2.6 equivalent
* Fixed bug #1538333 Assertion error in manifest.py: assert filecount == ...
  - Made sure to never pass .part files as true manifest files
  - Changed assert to log.Error to warn about truncated/corrupt filelist
  - Added unit test to make sure detection works
  - Note: while this condition is serious, it will not affect the basic backup and restore
    functions.  Interactive options like --list-files-changed and --file-changed will not
    work correctly for this backup set, so it is advised to run a full backup as soon as
    possible after this error occurs.
* Fixed bug #1638033 Remove leading slash on --file-to-restore
  - code already used rstrip('/') so change to just strip('/')

PyDrive backend not working due to missing imports

Attempting a backup with the PyDrive backend gives the following error:

$ docker run --rm --user $UID -e GOOGLE_DRIVE_ACCOUNT_KEY -v /home/austin/.cache:/home/duplicity/.cache/duplicity -v /home/austin/.gnupg:/home/duplicity/.gnupg -v /home/austin/data:/data:ro wernight/duplicity duplicity --allow-source-mismatch --full-if-older-than=6M --no-encryption /data pydrive://[email protected]/duplicity
BackendException: PyDrive backend requires PyDrive and Google API client installation.                                                                                                                             
Please read the manpage for setup details.                                                                                                                                                                         
Exception: No module named 'pkg_resources'

Upgrade to latest version

Thanks for maintaining this repository.

Could you upgrade alpine to the latest version? A lot of bugs have been fixed in duplicity in the meantime, particularly one that causes duplicity to consume a lot of memory.

wrong username being used on rsync server

Per the documentation, I am attempting to back up a directory on the machine host to be transferred via rsync with the "net-backup" user account. Unfortunately, the wrong username "root" is being passed for authentication to the rsync server.

core@coreos ~ $ docker run --rm -it \
>   --user root -e PASSPHRASE=P4ssw0rd \
>   -v $PWD/.cache:/home/duplicity/.cache/duplicity \
>   -v $PWD/.gnupg:/home/duplicity/.gnupg \
>   -v /backups/scripts/net-backup.key:/id_rsa:ro \
>   -v ~/.ssh/known_hosts:/etc/ssh/ssh_known_hosts:ro \
>   -v /data:/bak:ro \
>   wernight/duplicity \
>   duplicity --full-if-older-than=6M --allow-source-mismatch \
>   --rsync-options='-e "ssh -i /id_rsa"' \
>   /bak rsync://[email protected]::NetBackup/cerb 
gpg: WARNING: unsafe permissions on homedir '/home/duplicity/.gnupg'
[email protected]'s password: 

Any assistance would be appreciated

Swift backend requires

I try to run duplicity with swift protocol but "python-swiftclient" library is absent even if this library is present inside Pipfile.

$ docker run ... wernight/duplicity:latest FILENAME swift://test
gpg: WARNING: unsafe ownership on homedir '/home/duplicity/.gnupg'
BackendException: Swift backend requires the python-swiftclient library.
Exception: No module named 'pkg_resources'

Does s3 location eu-central-1 work for anybody?

Hi,

I tried to get the image to work with backup to s3 location eu-central-1. Is this working for anybody? I always get an InvalidLocationConstraint error. It seems there are quite a lot of bugs in boto3 about that topic.

It would be nice if someone could share a working backup command line.

Thx

Error on .cache dir

Hello,
thanks for this useful image. I followed the readme for google drive but I am stuck on this error.

Specified archive directory '/home/duplicity/.cache/duplicity/9dab3bb458bb65e6ad73d147c338aec2' does not exist, or is not a directory

Seems like duplicity cannot use the mounted .cache directory properly, have you ever experienced such error?

Thank you
Regards

PyDrive

I'm getting the following error when using pydrive

BackendException: PyDrive backend requires PyDrive installationPlease read the manpage to fix.

Container fails to connect to scp or sftp using default backend

It seems like some required module for the default scp / sftp backend used by duplicity is missing in the container. When I try to connect to some scp scheme url, I get the following:

user@host:~# docker run --rm wernight/duplicity duplicity /root scp://192.168.0.1/test 
BackendException: Could not initialize backend: No module named paramiko

In this example, a scp url is used, but the error is the same for sftp urls. Also, the host doesn't have to be available for an actual connection, because the docker image is obviously missing the required package.

OneDrive support

Hello,
Would you please include the py-requests and py-requests-oauthlib packages in order to support the OneDrive service?

Google Cloud fails with UnsupportedBackendScheme

23 days ago, my backups to Google Cloud stopped working with the following error:

UnsupportedBackendScheme: scheme not supported in url: gs://...

Because the issue appeared 23 days ago, I assume it must have been caused by one of the 4 commits since then. However, I couldn’t find a cause from the diff. Neither pip install boto nor apk add --no-cache py3-six helped.

One can reproduce the issue by running:

> docker run --rm --user $UID \
      -e PASSPHRASE=P4ssw0rd \
      wernight/duplicity \
      duplicity --full-if-older-than=6M --allow-source-mismatch /data gs://my-bucket-name/some_dir

gpg: WARNING: unsafe ownership on homedir '/home/duplicity/.gnupg'
UnsupportedBackendScheme: scheme not supported in url: gs://my-bucket-name/some_dir
