Allow backup to be run as non-root user (#366)

* Allow backup to be run as non-root user * Document usage as non-root user * Also test /etc access * Choose better name for doc
2025-11-23 21:44:40 +02:00 · 2024-02-21 17:44:24 +01:00
parent dd8ff5ee0c
commit f64aaa6e24
11 changed files with 131 additions and 6 deletions
--- a/test/nonroot/01conf.env
+++ b/test/nonroot/01conf.env
@@ -0,0 +1,7 @@
+AWS_ACCESS_KEY_ID="test"
+AWS_SECRET_ACCESS_KEY="GMusLtUmILge2by+z890kQ"
+AWS_ENDPOINT="minio:9000"
+AWS_ENDPOINT_PROTO="http"
+AWS_S3_BUCKET_NAME="backup"
+BACKUP_CRON_EXPRESSION="0 0 5 31 2 ?"
+BACKUP_FILENAME="test.tar.gz"
--- a/test/nonroot/docker-compose.yml
+++ b/test/nonroot/docker-compose.yml
@@ -0,0 +1,33 @@
+version: '3'
+
+services:
+  minio:
+    image: minio/minio:RELEASE.2020-08-04T23-10-51Z
+    environment:
+      MINIO_ROOT_USER: test
+      MINIO_ROOT_PASSWORD: test
+      MINIO_ACCESS_KEY: test
+      MINIO_SECRET_KEY: GMusLtUmILge2by+z890kQ
+    entrypoint: /bin/ash -c 'mkdir -p /data/backup && minio server /data'
+    volumes:
+      - ${LOCAL_DIR:-local}:/data
+
+  backup:
+    image: offen/docker-volume-backup:${TEST_VERSION:-canary}
+    user: 1000:1000
+    depends_on:
+      - minio
+    restart: always
+    volumes:
+      - app_data:/backup/app_data:ro
+      - ./01conf.env:/etc/dockervolumebackup/conf.d/01conf.env
+
+  offen:
+    image: offen/offen:latest
+    labels:
+      - docker-volume-backup.stop-during-backup=true
+    volumes:
+      - app_data:/var/opt/offen
+
+volumes:
+  app_data:
--- a/test/nonroot/run.sh
+++ b/test/nonroot/run.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+cd "$(dirname "$0")"
+. ../util.sh
+current_test=$(basename $(pwd))
+
+export LOCAL_DIR=$(mktemp -d)
+
+docker compose up -d --quiet-pull
+sleep 5
+
+docker compose logs backup
+
+# conf.d is used to confirm /etc files are also accessible for non-root users
+docker compose exec backup /bin/sh -c 'set -a; source /etc/dockervolumebackup/conf.d/01conf.env; set +a && backup'
+
+sleep 5
+
+expect_running_containers "3"
+
+if [ ! -f "$LOCAL_DIR/backup/test.tar.gz" ]; then
+  fail "Could not find archive."
+fi
+pass "Archive was created."
+
--- a/test/util.sh
+++ b/test/util.sh
@@ -22,7 +22,7 @@ skip () {

 expect_running_containers () {
  if [ "$(docker ps -q | wc -l)" != "$1" ]; then
-    fail "Expected $1 containers to be running, instead seen: "$(docker ps -a | wc -l)""
+    fail "Expected $1 containers to be running, instead seen: "$(docker ps -q | wc -l)""
  fi
  pass "$1 containers running."
 }