|
@@ -1,57 +1,51 @@
|
|
|
# Borg Backup
|
|
|
-Container image for creating cron scheduled backups with [borg backup](https://www.borgbackup.org/) based on Alpine Linux.
|
|
|
+Container image for creating cron-scheduled backups with [borg backup](https://www.borgbackup.org/) based on Alpine Linux.
|
|
|
|
|
|
## Borg key features
|
|
|
- Space efficient storage through deduplication and compression.
|
|
|
- Fast backup runs and pruning of old backups.
|
|
|
- - Encrypted allows backup storage in insecure offsite locations.
|
|
|
+ - Encryption to allow backup storage in insecure offsite locations.
|
|
|
- FUSE mount support for easy recovery.
|
|
|
- Focus on local backups. (For cloud backups [restic](https://restic.net/) offers more options.)
|
|
|
|
|
|
-## Security considerations
|
|
|
- - This container will run with root priveliges in order to access all data for backup.
|
|
|
- - The backup source volume is mounted read-only to avoid alering data by mistake.
|
|
|
- - Simplified feature set for sake of simplicity, compared to [borgmatic](https://torsion.org/borgmatic/)
|
|
|
- - py3-llfuse and bash are included for comfort during backup restore and could be potentially removed
|
|
|
- - curl is included to push Promethous metrics and could be removed if this functionality is not used
|
|
|
-
|
|
|
-
|
|
|
-
|
|
|
-## Build
|
|
|
- - Alpine and borg version are hard-coded in docker compose so we don't mess up backups due to version upgrades
|
|
|
- - Run `docker compose build` to build the container image from `./build/Dockerfile`
|
|
|
-
|
|
|
## Installation & Setup
|
|
|
+ - Build: Run `docker compose build` to build the container image from `./build/Dockerfile`
|
|
|
- Configuration: `cp .env.template .env ` and adapt `.env` (parameters are explained in the template file)
|
|
|
- Init the backup archive: `docker exec --rm -it borg bash -c "borg init --encryption repokey-blake2"`
|
|
|
- Start the container: `docker-compose up -d`
|
|
|
+ - Upgrade: Alpine and borg version are hard-coded in `docker-compose.yml` so we don't mess up backups due to version upgrades
|
|
|
|
|
|
-## Preparing for disaster recovery
|
|
|
+## Preparation for disaster recovery
|
|
|
Very important: The following files MUST be stored along with the backup to enable decryption of the backup data
|
|
|
- `.env`-file file containing the passphrase
|
|
|
- Keyfiles, stored in ./data/.config/borg/keys/
|
|
|
|
|
|
## Backup restore
|
|
|
1. Stop the backup container: `docker compose down`
|
|
|
- 2. Run an interactive shell: `docker compose -f docker-compose.yml -f docker-compose.restore.yml run borg bash`
|
|
|
+ 2. Run an interactive shell in the recovery: `docker compose -f docker-compose.yml -f docker-compose.restore.yml run borg bash`
|
|
|
3. Fuse-mount the backup: `borg mount $BORG_REPO <mount_point>`
|
|
|
4. Restore your files
|
|
|
- 5. Finally unmount and exit: `borg umount <mount_point> && exit`.
|
|
|
+ 5. Unmount and exit: `borg umount <mount_point> && exit`.
|
|
|
+ 6. Start the backup container: `docker-compose up -d`
|
|
|
|
|
|
## Monitoring
|
|
|
- - Status and statistics are sent to Prometheus using a simple bash script and curl
|
|
|
-
|
|
|
+ - Status and statistics are sent to Prometheus push-gateway using a simple bash-script and curl
|
|
|
|
|
|
+## Security considerations
|
|
|
+ - This container will run with root priveliges in order to access all data for backup.
|
|
|
+ - The backup source-volume is mounted read-only to avoid alering data by mistake.
|
|
|
+ - This image as a reduced feature set for sake of simplicity.
|
|
|
+ - [borgmatic](https://torsion.org/borgmatic/) offers more features such as notifications and backup of databases.
|
|
|
+ - py3-llfuse and bash are included for comfort during backup restore and could be potentially removed
|
|
|
+ - curl is included to push Promethous metrics and could be removed if this functionality is not used
|
|
|
|
|
|
## Progam flow
|
|
|
- `/scripts/entry.sh` is called during container startup
|
|
|
and installs the cronjob defined in `.env` variable $CRON
|
|
|
- crond starts `/scripts/do-backup.sh` which
|
|
|
- - notifies prometheus about the status and stats
|
|
|
+ - notifies Prometheus about the backup status and stats
|
|
|
- executes borg backup
|
|
|
- - prunes and compacts old backups in
|
|
|
-
|
|
|
+ - prunes and compacts old backups
|
|
|
|
|
|
-
|
|
|
# Failure handling
|
|
|
- In case Borg fails to create/acquire a lock: `borg break-lock /mnt/repository`
|
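Review bot: The "Preparation for disaster recovery" lines still say the `.env` file with the passphrase and the keyfiles MUST be stored "along with the backup", while the reworded feature bullet in this same hunk promises "Encryption to allow backup storage in insecure offsite locations". If the passphrase is kept next to the repository in that offsite location, the encryption protects nothing. Suggest rewording so it is clear these files must be kept in a separate, access-controlled place and not in the same storage as the repository. The init line also uses `--encryption repokey-blake2`, a mode in which borg keeps the key inside the repository, so please confirm that the keyfile path listed under disaster recovery actually applies. Smaller points: the moved Security considerations section carries over "priveliges", "alering" and "Promethous" and adds "This image as a reduced feature set" (should be "has"); the new step 6 uses `docker-compose up -d` while step 1 uses `docker compose down`; and `docker exec` has no `--rm` flag, so the init command as written will fail and probably wants `docker compose run --rm`.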