From 4b3ca2ebb05efbefa37a94242da55831da202a63 Mon Sep 17 00:00:00 2001
From: Frederik Ring
Date: Wed, 21 Feb 2024 18:43:13 +0100
Subject: [PATCH] Revert "Allow backup to be run as non-root user (#366)" (#370)
This reverts commit f64aaa6e242b52ddebd0a2fd1a31f56af7b20a82.
---
Dockerfile | 3 +-
...replace-deprecated-backup-from-snapshot.md | 2 +-
...-deprecated-backup-stop-container-label.md | 2 +-
.../how-tos/replace-deprecated-exec-labels.md | 2 +-
.../how-tos/update-deprecated-email-config.md | 2 +-
docs/how-tos/use-as-non-root.md | 36 -------------------
docs/recipes/index.md | 21 -----------
test/nonroot/01conf.env | 7 ----
test/nonroot/docker-compose.yml | 33 -----------------
test/nonroot/run.sh | 27 --------------
test/util.sh | 2 +-
11 files changed, 6 insertions(+), 131 deletions(-)
delete mode 100644 docs/how-tos/use-as-non-root.md
delete mode 100644 test/nonroot/01conf.env
delete mode 100644 test/nonroot/docker-compose.yml
delete mode 100755 test/nonroot/run.sh
diff --git a/Dockerfile b/Dockerfile
index 7e7ec8ee..3cf6f0bb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,8 +13,7 @@ FROM alpine:3.19 WORKDIR /root -RUN apk add --no-cache ca-certificates && \ - chmod a+rw /var/lock +RUN apk add --no-cache ca-certificates COPY --from=builder /app/cmd/backup/backup /usr/bin/backup
diff --git a/docs/how-tos/replace-deprecated-backup-from-snapshot.md b/docs/how-tos/replace-deprecated-backup-from-snapshot.md
index 17ff161a..036cf403 100644
--- a/docs/how-tos/replace-deprecated-backup-from-snapshot.md
+++ b/docs/how-tos/replace-deprecated-backup-from-snapshot.md
@@ -2,7 +2,7 @@ title: Replace deprecated BACKUP_FROM_SNAPSHOT usage layout: default parent: How Tos -nav_order: 17 +nav_order: 16 --- # Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
diff --git a/docs/how-tos/replace-deprecated-backup-stop-container-label.md b/docs/how-tos/replace-deprecated-backup-stop-container-label.md
index adaa4632..f8841cb3 100644
--- a/docs/how-tos/replace-deprecated-backup-stop-container-label.md
+++ b/docs/how-tos/replace-deprecated-backup-stop-container-label.md
@@ -2,7 +2,7 @@ title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting layout: default parent: How Tos -nav_order: 20 +nav_order: 19 --- # Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
diff --git a/docs/how-tos/replace-deprecated-exec-labels.md b/docs/how-tos/replace-deprecated-exec-labels.md
index 050acd39..7f7841ad 100644
--- a/docs/how-tos/replace-deprecated-exec-labels.md
+++ b/docs/how-tos/replace-deprecated-exec-labels.md
@@ -2,7 +2,7 @@ title: Replace deprecated exec-pre and exec-post labels layout: default parent: How Tos -nav_order: 18 +nav_order: 17 --- # Replace deprecated `exec-pre` and `exec-post` labels
diff --git a/docs/how-tos/update-deprecated-email-config.md b/docs/how-tos/update-deprecated-email-config.md
index 132524df..af1b2b58 100644
--- a/docs/how-tos/update-deprecated-email-config.md
+++ b/docs/how-tos/update-deprecated-email-config.md
@@ -2,7 +2,7 @@ title: Update deprecated email configuration layout: default parent: How Tos -nav_order: 19 +nav_order: 18 --- # Update deprecated email configuration
diff --git a/docs/how-tos/use-as-non-root.md b/docs/how-tos/use-as-non-root.md
deleted file mode 100644
index 1d2cb38f..00000000
--- a/docs/how-tos/use-as-non-root.md
+++ /dev/null
@@ -1,36 +0,0 @@ ---- -title: Use the image as a non-root user -layout: default -parent: How Tos -nav_order: 16 ---- - -# Use the image as a non-root user - -{: .important } -Running as a non-root user limits interaction with the Docker Daemon. -If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root. - -By default, this image executes backups using the `root` user. -In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id: - -```console -docker run --rm \ - -v data:/backup/data \ - --env AWS_ACCESS_KEY_ID="" \ - --env AWS_SECRET_ACCESS_KEY="" \ - --env AWS_S3_BUCKET_NAME="" \ - --entrypoint backup \ - --user 1000:1000 \ - offen/docker-volume-backup:v2 -``` - -or in a compose file: - -```yml -services: - backup: - image: offen/docker-volume-backup:v2 - user: 1000:1000 - # further configuration omitted ... -``` diff --git a/docs/recipes/index.md b/docs/recipes/index.md index 3b4045e9..5a2220c0 100644 --- a/docs/recipes/index.md +++ b/docs/recipes/index.md @@ -371,24 +371,3 @@ volumes: data_1: data_2: ``` - -## Running as a non-root user - -```yml -version: '3' - -services: - # ... define other services using the `data` volume here - backup: - image: offen/docker-volume-backup:v2 - user: 1000:1000 - environment: - AWS_S3_BUCKET_NAME: backup-bucket - AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE - AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY - volumes: - - data:/backup/my-app-backup:ro - -volumes: - data: -``` diff --git a/test/nonroot/01conf.env b/test/nonroot/01conf.env deleted file mode 100644 index 07fe3dfd..00000000 --- a/test/nonroot/01conf.env +++ /dev/null 
@@ -1,7 +0,0 @@ -AWS_ACCESS_KEY_ID="test" -AWS_SECRET_ACCESS_KEY="GMusLtUmILge2by+z890kQ" -AWS_ENDPOINT="minio:9000" -AWS_ENDPOINT_PROTO="http" -AWS_S3_BUCKET_NAME="backup" -BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?" -BACKUP_FILENAME="test.tar.gz" diff --git a/test/nonroot/docker-compose.yml b/test/nonroot/docker-compose.yml deleted file mode 100644 index f3ee99af..00000000 --- a/test/nonroot/docker-compose.yml +++ /dev/null @@ -1,33 +0,0 @@ -version: '3' - -services: - minio: - image: minio/minio:RELEASE.2020-08-04T23-10-51Z - environment: - MINIO_ROOT_USER: test - MINIO_ROOT_PASSWORD: test - MINIO_ACCESS_KEY: test - MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ - entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data' - volumes: - - ${LOCAL_DIR:-local}:/data - - backup: - image: offen/docker-volume-backup:${TEST_VERSION:-canary} - user: 1000:1000 - depends_on: - - minio - restart: always - volumes: - - app_data:/backup/app_data:ro - - ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env - - offen: - image: offen/offen:latest - labels: - - docker-volume-backup.stop-during-backup=true - volumes: - - app_data:/var/opt/offen - -volumes: - app_data: diff --git a/test/nonroot/run.sh b/test/nonroot/run.sh deleted file mode 100755 index 79fbb942..00000000 --- a/test/nonroot/run.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -set -e - -cd "$(dirname "$0")" -. ../util.sh -current_test=$(basename $(pwd)) - -export LOCAL_DIR=$(mktemp -d) - -docker compose up -d --quiet-pull -sleep 5 - -docker compose logs backup - -# conf.d is used to confirm /etc files are also accessible for non-root users -docker compose exec backup /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/01conf.env; set +a && backup' - -sleep 5 - -expect_running_containers "3" - -if [ ! -f "$LOCAL_DIR/backup/test.tar.gz" ]; then - fail "Could not find archive." -fi -pass "Archive was created." - diff --git a/test/util.sh b/test/util.sh index ee7aedfc..6de8606e 100644 --- a/test/util.sh 
+++ b/test/util.sh
@@ -22,7 +22,7 @@ skip () { expect_running_containers () { if [ "$(docker ps -q | wc -l)" != "$1" ]; then -fail "Expected $1 containers to be running, instead seen: "$(docker ps -q | wc -l)"" +fail "Expected $1 containers to be running, instead seen: "$(docker ps -a | wc -l)"" fi pass "$1 containers running." }
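Review bot: The count printed by the restored `fail` line in `expect_running_containers` comes from `docker ps -a | wc -l`, which includes stopped containers and the header row, while the condition directly above compares `docker ps -q | wc -l` against `$1`, so the number a failing run reports can never be reconciled with the number that was actually checked. The `$(...)` spliced between two double-quoted fragments is also unquoted, so on platforms where `wc -l` pads its output the message would be split into several arguments to `fail`. Capturing the count once resolves both: `running="$(docker ps -q | wc -l)"`, `if [ "$running" != "$1" ]; then` and `fail "Expected $1 containers to be running, instead seen: $running"`. I recognise this hunk is a mechanical revert, so the mismatch is inherited from the pre-#366 state rather than introduced here, but it is worth a follow-up since every test in the suite relies on this helper's diagnostics.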