Allow backup to be run as non-root user (#366)

* Allow backup to be run as non-root user * Document usage as non-root user * Also test /etc access * Choose better name for doc
2025-11-23 21:44:40 +02:00 · 2024-02-21 17:44:24 +01:00
parent dd8ff5ee0c
commit f64aaa6e24
11 changed files with 131 additions and 6 deletions
--- a/docs/how-tos/replace-deprecated-backup-from-snapshot.md
+++ b/docs/how-tos/replace-deprecated-backup-from-snapshot.md
@@ -2,7 +2,7 @@
 title: Replace deprecated BACKUP_FROM_SNAPSHOT usage
 layout: default
 parent: How Tos
-nav_order: 16
+nav_order: 17
 ---

 # Replace deprecated `BACKUP_FROM_SNAPSHOT` usage
--- a/docs/how-tos/replace-deprecated-backup-stop-container-label.md
+++ b/docs/how-tos/replace-deprecated-backup-stop-container-label.md
@@ -2,7 +2,7 @@
 title: Replace deprecated BACKUP_STOP_CONTAINER_LABEL setting
 layout: default
 parent: How Tos
-nav_order: 19
+nav_order: 20
 ---

 # Replace deprecated `BACKUP_STOP_CONTAINER_LABEL` setting
--- a/docs/how-tos/replace-deprecated-exec-labels.md
+++ b/docs/how-tos/replace-deprecated-exec-labels.md
@@ -2,7 +2,7 @@
 title: Replace deprecated exec-pre and exec-post labels
 layout: default
 parent: How Tos
-nav_order: 17
+nav_order: 18
 ---

 # Replace deprecated `exec-pre` and `exec-post` labels
--- a/docs/how-tos/update-deprecated-email-config.md
+++ b/docs/how-tos/update-deprecated-email-config.md
@@ -2,7 +2,7 @@
 title: Update deprecated email configuration
 layout: default
 parent: How Tos
-nav_order: 18
+nav_order: 19
 ---

 # Update deprecated email configuration
--- a/docs/how-tos/use-as-non-root.md
+++ b/docs/how-tos/use-as-non-root.md
@@ -0,0 +1,36 @@
+---
+title: Use the image as a non-root user
+layout: default
+parent: How Tos
+nav_order: 16
+---
+
+# Use the image as a non-root user
+
+{: .important }
+Running as a non-root user limits interaction with the Docker Daemon.
+If you want to stop and restart containers and services during backup, and the host's Docker daemon is running as root, you will also need to run this tool as root.
+
+By default, this image executes backups using the `root` user.
+In case you prefer to use a different user, you can use Docker's [`user`](https://docs.docker.com/engine/reference/run/#user) option, passing the user and group id:
+
+```console
+docker run --rm \
+  -v data:/backup/data \
+  --env AWS_ACCESS_KEY_ID="<xxx>" \
+  --env AWS_SECRET_ACCESS_KEY="<xxx>" \
+  --env AWS_S3_BUCKET_NAME="<xxx>" \
+  --entrypoint backup \
+  --user 1000:1000 \
+  offen/docker-volume-backup:v2
+```
+
+or in a compose file:
+
+```yml
+services:
+  backup:
+    image: offen/docker-volume-backup:v2
+    user: 1000:1000
+    # further configuration omitted ...
+```
--- a/docs/recipes/index.md
+++ b/docs/recipes/index.md
@@ -371,3 +371,24 @@ volumes:
  data_1:
  data_2:
 ```
+
+## Running as a non-root user
+
+```yml
+version: '3'
+
+services:
+  # ... define other services using the `data` volume here
+  backup:
+    image: offen/docker-volume-backup:v2
+    user: 1000:1000
+    environment:
+      AWS_S3_BUCKET_NAME: backup-bucket
+      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
+      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+    volumes:
+      - data:/backup/my-app-backup:ro
+
+volumes:
+  data:
+```