kiwi- simple, consistent, powerful
The backup solution for kiwi-scp. Also on Docker Hub.
kiwi-backup is an image with duplicity, tailored to backup service data of kiwi-scp instances.
If you want backups in the host directory /var/local/kiwi.backup, just add this to one of your projects' docker-compose.yml to use the default configuration.
backup:
image: yavook/kiwi-backup:0.12
volumes:
- "${KIWI_INSTANCE}:/kiwi-backup/source:ro"
- "/var/local/kiwi.backup:/kiwi-backup/target"- backups the entire service data directory
- stores all backup data on the host file system
- daily incremental backups at night
- a new full backup once every 3 months
- keeps backups up to 6 months old
- keeps daily backups for two recent sets (3-6 months)
- backup jobs run at a random minute past 2 am
Be aware though -- backups will use a fair bit of storage space!
The kiwi-backup image allows for extensive customization even without creating a local image variant.
Schedules in environment variables are to be provided in cron notation. Additionally, the special value "R" is supported and will be replaced by a random value.
Being based on kiwi-cron, kiwi-backup makes changing time zones easy. Just change the container environment variable TZ to your liking, e.g. "Europe/Berlin".
kiwi-backup will backup everything in its /kiwi-backup/source directory -- change the backup scope by adjusting what's mounted into that container directory.
backup:
# ...
volumes:
# change scope here!
- "${KIWI_INSTANCE}:/kiwi-backup/source:ro"You may of course create additional sources below the /kiwi-backup/source directory to limit the backup to specific projects or services. For added safety, mount your backup source(s) read-only by appending :ro.
You may also change the container environment variable BACKUP_SOURCE, though this is discouraged.
These are the environment variables to change the basic backup policy.
backup:
# ...
environment:
# ...
# when to run backups
# default: daily at a random minute past 2 am
SCHEDULE_BACKUP: "R 2 * * *"
# when to remove leftovers from failed transactions
# default: daily at a random minute past 4 am
SCHEDULE_CLEANUP: "R 4 * * *"
# how often to opt for a full backup
# default: every 3 months
FULL_BACKUP_FREQUENCY: "3M"
# how long to keep backups at all
# default: 6 months
BACKUP_RETENTION_TIME: "6M"
# how many full backup chains with incrementals to keep
# default: 2
KEEP_NUM_FULL_CHAINS: "2"duplicity usually handles secrets by reading its environment. Some of its backends also accept secrets via environment, notably the AWS S3 backend.
There are three major ways to for inject secrets into kiwi-backup environments:
Just fire up your container using docker run -e "FTP_PASSWORD=my_secret_here" yavook/kiwi-backup:0.12
Create a simple Dockerfile from following template.
FROM yavook/kiwi-backup:0.12
ENV FTP_PASSWORD="my_secret_here"Create a shell script:
#!/bin/sh
export FTP_PASSWORD="my_secret_here"Then, include that file as /root/duplicity_secrets into your container by building a custom Dockerfile or by mounting it as a (read-only) volume.
There's more environment variables for further customization. You'll likely know if you need to change these.
backup:
# ...
environment:
# ...
# when to remove old full backup chains
# default: every Saturday at a random minute past 5 am
SCHEDULE_RMFULL: "R 5 * * SAT"
# when to remove old incremental backups
# default: every Sunday at a random minute past 5 am
SCHEDULE_RMINCR: "R 5 * * SUN"
# size of individual duplicity data volumes
# default: 1GiB
BACKUP_VOLSIZE: "1024"
# what to base backups on
# default: container directory "/kiwi-backup/source", usually mounted volume(s)
BACKUP_SOURCE: "/kiwi-backup/source"
# where to put backups
# default: container directory "/kiwi-backup/target", usually a mounted volume
BACKUP_TARGET: "file:///kiwi-backup/target"
# Additional options for all "duplicity" commands
OPTIONS_ALL: ""
# Additional options for "duplicity --full-if-older-than" command
OPTIONS_BACKUP: ""
# Additional options for "duplicity cleanup" command
OPTIONS_CLEANUP: ""
# Additional options for "duplicity remove-older-than" command
OPTIONS_RMFULL: ""
# Additional options for "duplicity remove-all-inc-of-but-n-full" command
OPTIONS_RMINCR: ""
# Webhook to be pinged on action (use "%%MSG%%" as a placeholder for a message)
WEBHOOK_URL: ""
# Webhook to be pinged on failed action (use "%%MSG%%" as a placeholder for a message)
WEBHOOK_FAIL_URL: ""
# Allow self-signed certificates on webhook target
WEBHOOK_INSECURE: "0"For effective use of GnuPG encryption, you will need a GnuPG key and a custom image.
For simplicity, this guide assumes you have a kiwi-scp instance with some project where you want to put your backup service. You should have a shell opened in that project's directory.
You'll usually want to generate a new key for each
kiwi-scpinstance. If you have reasons not to, skip this section.
Reasonable defaults for a backup encryption key are:
- User ID:
Administrator <[email protected]> - 4096 bit RSA
- Doesn't expire
- Secure passphrase (Don't bother memorizing it, you will save it in your
kiwi-scpinstance!)
To quickly generate a key, use the following command, then enter a passphrase:
docker run --rm -it -v "kiwi-backup.gnupg.tmp:/root/.gnupg" yavook/kiwi-backup:0.12 gpg --quick-gen-key --yes "Administrator <[email protected]>" rsa4096 encr neverTo get a more in-depth generation wizard instead, use gpg --full-gen-key command without any more args and follow through.
This one-liner exports your generated key into a new subdirectory "kiwi-backup.gnupg":
docker run --rm -it -v "kiwi-backup.gnupg.tmp:/root/.gnupg" -v "$(pwd)/kiwi-backup.gnupg:/root/kiwi-backup.gnupg" -e "CURRENT_USER=$(id -u):$(id -g)" yavook/kiwi-backup:0.12 sh -c 'cd /root/kiwi-backup.gnupg && gpg --export-secret-keys --armor > secret.asc && gpg --export-ownertrust > ownertrust.txt && chown -R "${CURRENT_USER}" .'You'll now find the "kiwi-backup.gnupg" subdirectory with files "secret.asc" and "ownertrust.txt" in it. Check your exported files:
docker run --rm -v "$(pwd)/kiwi-backup.gnupg:/root/kiwi-backup.gnupg:ro" yavook/kiwi-backup:0.12 sh -c 'cd /root/kiwi-backup.gnupg && gpg --import --batch secret.asc 2>/dev/null && gpg --import-ownertrust ownertrust.txt 2>/dev/null && gpg -k 2>/dev/null | grep -A1 "^pub" | xargs | tail -c17'This should output your 16-digit Key-ID, so take note of it if you haven't already! Afterwards, run docker volume rm kiwi-backup.gnupg.tmp to get rid of the key generation volume.
To use a pre-generated key, you'll need to export it manually instead. These are the commands:
gpg --export-secret-keys --armor [Key-ID] > backup/secret.asc
gpg --export-ownertrust > backup/ownertrust.txtYou can still check your exported files :)
docker run --rm -v "$(pwd)/kiwi-backup.gnupg:/root/kiwi-backup.gnupg:ro" yavook/kiwi-backup:0.12 sh -c 'cd /root/kiwi-backup.gnupg && gpg --import --batch secret.asc && gpg --import-ownertrust ownertrust.txt && gpg -k'Now create a simple Dockerfile inside the "backup" directory from following template.
FROM yavook/kiwi-backup:0.12
COPY secret.asc ownertrust.txt /root/
RUN gpg --import --batch /root/secret.asc; \
gpg --import-ownertrust /root/ownertrust.txt; \
rm /root/secret.asc /root/ownertrust.txt
# fill in these values to match your data
ENV GPG_KEY_ID="changeme" \
GPG_PASSPHRASE="changeme"If applicable, commit the "backup" directory into the kiwi-scp instance repository.
All that's left is to come back to your project's docker-compose.yml, where you shorten one line. Change:
backup:
image: yavook/kiwi-backup:0.12
# ...Into:
backup:
build: ./backup
# ...That's it -- from now on, all new backups will be encrypted!
TODO