Resistance is futile - Borg with Docker

• Docker Setup
  • Backup
  • Restore
  • Environment variables
    • Core variables
    • SSHFS
• Nomadic Borg

Borg is a network backup and restore program.

Docker Setup

I am using the Docker image with Borg Backup client provided by pschiffe utility and sshfs support. Borg is a deduplicating archiver with compression and authenticated encryption. It's very efficient and doesn't need regular full backups while still supporting data pruning.:

• Docker Hub

Backup

Create the Borg data structure needed by the docker container - e.g. in /opt:

borg
├── config
├── output
└── repo

And the two directories to be backed up:

temp1
└── test1.txt
temp2
└── test2.txt

Run the following command to back up both directories:

docker run \
  --rm \
  -e BORG_REPO=/opt/borg \
  -e BORG_PASSPHRASE=mypassword \
  -e BACKUP_DIRS=/data \
  -e ARCHIVE=osticket-db-$(date +%Y-%m-%d) \
  -e COMPRESSION=lz4 \
  -e PRUNE=1 \
  -v /opt/borg/config:/root \
  -v /opt/borg/repo:/opt/borg \
  -v /opt/temp1:/data/temp1:ro \
  -v /opt/temp2:/data/temp2:ro \
  --security-opt label:disable \
  --name borg-backup \
  pschiffe/borg

Run the following command to back up both directories - but only keep 1 daily backup:

docker run \
  --rm \
  -e BORG_REPO=/opt/borg \
  -e BORG_PASSPHRASE=mypassword \
  -e BACKUP_DIRS=/data \
  -e ARCHIVE=osticket-db-$(date +%Y-%m-%d) \
  -e COMPRESSION=lz4 \
  -e PRUNE=1 \
  -e KEEP_DAILY=1 \
  -e KEEP_WEEKLY=0 \
  -e KEEP_MONTHLY=0 \
  -v /opt/borg/config:/root \
  -v /opt/borg/repo:/opt/borg \
  -v /opt/temp1:/data/temp1:ro \
  -v /opt/temp2:/data/temp2:ro \
  --security-opt label:disable \
  --name borg-backup \
  pschiffe/borg

Restore

Extract everything from osticket-db-2022-11-09 into /opt/borg/output:

docker run \
  --rm \
  -e BORG_REPO=/opt/borg \
  -e ARCHIVE=osticket-db-2022-11-09 \
  -e BORG_PASSPHRASE=mypassword \
  -e EXTRACT_TO=/borg/output \
  -v /opt/borg/config:/root \
  -v /opt/borg/repo:/opt/borg \
  -v /opt/borg/output:/borg/output/data \
  --security-opt label:disable \
  --name borg-backup \
  pschiffe/borg

Extract only temp1/test1.txt into /opt/borg/output:

docker run \
  --rm \
  -e BORG_REPO=/opt/borg \
  -e ARCHIVE=osticket-db-2022-11-09 \
  -e BORG_PASSPHRASE=mypassword \
  -e EXTRACT_TO=/borg/output \
  -e EXTRACT_WHAT=data/temp1/test1.txt \
  -v /opt/borg/config:/root \
  -v /opt/borg/repo:/opt/borg \
  -v /opt/borg/output:/borg/output/data \
  --security-opt label:disable \
  --name borg-backup \
  pschiffe/borg

Environment variables

Description of all accepted environment variables follows.

Core variables

• BORG_REPO : repository location
• ARCHIVE : archive parameter for Borg repository. If empty, defaults to "${HOSTNAME}_$(date +%Y-%m-%d)". For more info see Borg documentation
• BACKUP_DIRS : directories to back up
• EXCLUDE : paths/patterns to exclude from backup. Paths must be separated by ;. For example: -e EXCLUDE='/my path/one;/path two;*.tmp'
• BORG_PARAMS : run custom borg command inside of the container. If this variable is set, default commands are not executed, only the one specified in BORG_PARAMS. For example list or list ::2016-05-26. In both examples, repo is not specified, because borg understands the BORG_REPO env var and uses it by default
• BORG_SKIP_CHECK : set to 1 if you want to skip the borg check command at the end of the backup Compression
• COMPRESSION : compression to use. Defaults to lz4. Encryption
• BORG_PASSPHRASE : repo-key mode password. Defaults to none. Only the repo-key mode encryption is supported by this Docker image. More info Extracting (restoring) files
• EXTRACT_TO : directory where to extract (restore) borg archive. If this variable is set, default commands are not executed, only the extraction is done. Repo and archive are specified with BORG_REPO and ARCHIVE variables. More info
• EXTRACT_WHAT : subset of files and directories which should be extracted Pruning
• PRUNE : if set, prune the repository after backup. Empty by default. More info
• PRUNE_PREFIX : filter data to prune by prefix of the archive. Empty by default - prune all data
• KEEP_DAILY : keep specified number of daily backups. Defaults to 7
• KEEP_WEEKLY : keep specified number of weekly backups. Defaults to 4
• KEEP_MONTHLY : keep specified number of monthly backups. Defaults to 6

SSHFS

SSHFS : sshfs destination in form of user@host:/path. When using sshfs, container needs special permissions: --cap-add SYS_ADMIN, --device /dev/fuse and if using SELinux: --security-opt label:disable or apparmor: --security-opt apparmor:unconfined SSHFS_PASSWORD : password for ssh authentication SSHFS_IDENTITY_FILE : path to ssh key SSHFS_GEN_IDENTITY_FILE : if set, generates ssh key pair if SSHFS_IDENTITY_FILE is set and the key file doesn't exist. After generating the key, the public part of the key is printed to stdout and the container stops, so you have the chance to configure the server part before creating the first backup

Nomadic Borg

See Deploying a Backup Service using Nomad.