Borg Backup

Container image to create cron scheduled backups using borg backup based on Alpine Linux.

Why to use Borg Backup

Space efficient storage due to deduplication and compression
Quick backup runs including pruning of old backups on disk
Encryption allows storing in insecure offsite locations
Fuse-mount of backups ease restore
For remote backups, you may take a look in restic

Security considerations:

This container will run with root priveliges in order to access all data for backup
The backup source volume is mounted read-only to avoid alering data by mistake

Prepare for backup restore

Following files MUST be stored along with the backup to enable encryption of backup data

.env-file which contains the Passphrase
Keyfiles, stored in ./data/.config/borg/keys/

Monitoring

Status and statistics are sent to Prometheus using a simple bash script and curl

Build

Alpine and borg version are hard-coded in docker compose so we don't mess up backups due to version upgrades
Run docker compose build to build the container image from ./build/Dockerfile

Installation & Setup

Configuration: cp .env.template .env and adapt .env (parameters are explained in the template file)
Init the backup archive: docker exec --rm -it borg bash -c "borg init --encryption repokey-blake2"
Start the container: docker-compose up -d

Progam flow

/scripts/entry.sh is called during container startup and installs the cronjob defined in .env variable $CRON
crond starts /scripts/do-backup.sh which
- notifies prometheus about the status and stats
- executes borg backup
- prunes and compacts old backups in

Backup restore

Stop the backup container: docker compose down
Run an interactive shell: docker compose -f docker-compose.yml -f docker-compose.restore.yml run borg bash
Fuse-mount the backup: borg mount $BORG_REPO <mount_point>
Restore your files
Finally unmount and exit: borg umount <mount_point> && exit.

Failure handling

In case Borg fails to create/acquire a lock: borg break-lock /mnt/repository