duplicity backup tool.
Features of this Docker image:
- Small: Built using alpine.
- Simple: Most common cases are explained below and require minimal setup.
- Secure: Runs non-root by default (use randomly chosen UID
1896), and meant to run as any user.
For the general command-line syntax, do:
$ docker run --rm wernight/duplicity duplicity --help
In general you...
- Must mount what you want to backup or where you want to restore a backup.
- Should mount
/home/duplicity/.cache/duplicityas writable somewhere (if not cached, duplicity will have to recreate it from the remote repository which may require decrypting the backup contents). Note it may be quite large and contains metadata info about files you've backed up in clear text. - Should mount
/home/duplicity/.gnupgas writable somewhere (that directory is used to validate incremental backups and shouldn't be necessary to restore your backup if you follows steps below). - Should specify duplicity flag
--allow-source-mismatchbecause Docker has a random host for each container. - Could set environment variable
PASSPHRASE, unless you want to type it manually in the prompt (remember then to add-it). - May have to mount a few other files for authentication (see examples below).
Example of commands you may want to run periodically to back up with good clean-up/maintenance (see below for various storage options):
$ docker run --rm ... wernight/duplicity duplicity --full-if-older-than=6M source_directory target_url
$ docker run --rm ... wernight/duplicity duplicity remove-older-than 6M --force target_url
$ docker run --rm ... wernight/duplicity duplicity cleanup --force target_url
This would do:
- A full backup every 6 months so that restoration is a lot faster and for cleanup to work, and incremental backups the rest of the time.
- Delete backups older than 6 months (doesn't break incremental backups).
- Delete files from failed sessions (if any).
Google Cloud Storage nearline costs about $0.01/GB/Month.
Set up:
-
Sign up, create an empty project, enable billing, and create a bucket
-
Under "Storage" section > "Settings" > "Interoperability" tab > click "Enable interoperable access" and then "Create a new key" button and note both Access Key and Secret. Also note your Project Number (aka project ID, it's a number like 1233457890).
-
Run gcloud's
gsutil config -ato generate the~/.botoconfiguration file and give it all these info (alternatively you should be able to set environment variableGS_ACCESS_KEY_IDandGS_SECRET_ACCESS_KEYhowever in my tries I didn't see where to set your project ID). -
You should now have a
~/.botolooking like:[Credentials] gs_access_key_id = MYGOOGLEACCESSKEY gs_secret_access_key = SomeVeryLongAccessKeyXXXXXXXX [GSUtil] default_project_id = 1233457890
Now you're ready to perform a backup:
$ docker run --rm --user $UID \
-e PASSPHRASE=P4ssw0rd \
-v $PWD/.cache:/home/duplicity/.cache/duplicity \
-v $PWD/.gnupg:/home/duplicity/.gnupg \
-v ~/.boto:/home/duplicity/.boto:ro \
-v /:/data:ro \
wernight/duplicity \
duplicity --full-if-older-than=6M --allow-source-mismatch /data gs://my-bucket-name/some_dir
To restore, you'll need:
- Keep
.botoor regenerate it to access your Google Cloud Storage. - The
PASSPHRASEyou've used.
Example:
$ docker run --rm --user $UID \
-e PASSPHRASE=P4ssw0rd \
-v ~/.boto:/home/duplicity/.boto:ro \
-v /:/data:ro \
wernight/duplicity \
duplicity restore gs://my-bucket-name/some_dir /data
See also the note on Google Cloud Storage.
Google Drive offers 15GB for free.
Set up:
-
Follow notes on Pydrive Backend to generate a P12 credential file (call it
pydriveprivatekey.p12) and note also the associated service account email generated (e.g.[email protected]). -
Convert P12 to PEM:
$ docker run --rm -i --user $UID \ -v $PWD/pydriveprivatekey.p12:/pydriveprivatekey.p12:ro \ wernight/duplicity \ openssl pkcs12 -in /pydriveprivatekey.p12 -nodes -nocerts >pydriveprivatekey.pem Enter Import Password: notasecret
Now you're ready to perform a backup:
$ docker run --rm --user $UID \
-e PASSPHRASE=P4ssw0rd \
-e GOOGLE_DRIVE_ACCOUNT_KEY=$(cat pydriveprivatekey.pem) \
-v $PWD/.cache:/home/duplicity/.cache/duplicity \
-v $PWD/.gnupg:/home/duplicity/.gnupg \
-v /:/data:ro \
wernight/duplicity \
duplicity --full-if-older-than=6M --allow-source-mismatch /data pydrive://[email protected]/some_dir
To restore, you'll need:
- Regenerate a PEM file (or keep it somewhere).
- The
PASSPHRASEyou've used.
Supposing you've an SSH access to some machine, you can:
$ docker run --rm -it --user root \
-e PASSPHRASE=P4ssw0rd \
-v $PWD/.cache:/home/duplicity/.cache/duplicity \
-v $PWD/.gnupg:/home/duplicity/.gnupg \
-v ~/.ssh/id_rsa:/id_rsa:ro \
-v ~/.ssh/known_hosts:/etc/ssh/ssh_known_hosts:ro \
-v /:/data:ro \
wernight/duplicity \
duplicity --full-if-older-than=6M --allow-source-mismatch \
--rsync-options='-e "ssh -i /id_rsa"' \
/data rsync://[email protected]/some_dir
Note: We're running here as root to have access to ~/.ssh and also because ssh does not
allow to use a random (non-locally existing) UID. To make it safer, you can copy your ~/.ssh
and chown 1896 it (that is duplicity UID within the container). If you know a another way to avoid
the "No user exists for uid" check, please let me know.
Here is a simple alias that should work in most cases:
$ alias duplicity='docker run --rm --user=root -v ~/.ssh/id_rsa:/home/duplicity/.ssh/id_rsa:ro -v ~/.boto:/home/duplicity/.boto:ro -v ~/.gnupg:/home/duplicity/.gnupg -v /:/mnt:ro -e PASSPHRASE=$PASSPHRASE wernight/duplicity duplicity $@'
Now you should be able to run duplicity almost as if it were installed, example:
$ PASSPHRASE=123456 duplicity --progress /mnt rsync://[email protected]/some_dir
- duplicity man page
- duplicity back-up how-to - Ubuntu
- How To Use Duplicity with GPG to Securely Automate Backups on Ubuntu | DigitalOcean
Report issues/questions/feature requests on GitHub Issues.