duplicity backup tool.
Features of this Docker image:
- Small: Built using alpine.
- Simple: Most common cases are explained below and require minimal setup.
- Secure: Runs non-root by default (use randomly chosen UID
1896
), and meant to run as any user.
For the general command-line syntax, do:
$ docker run --rm wernight/duplicity duplicity --help
In general you...
- Must mount what you want to backup or where you want to restore a backup.
- Should mount
/home/duplicity/.cache/duplicity
as writable somewhere (if not cached, duplicity will have to recreate it from the remote repository which may require decrypting the backup contents). Note it may be quite large and contains metadata info about files you've backed up in clear text. - Should mount
/home/duplicity/.gnupg
as writable somewhere (that directory is used to validate incremental backups and shouldn't be necessary to restore your backup if you follows steps below). - Should specify duplicity flag
--allow-source-mismatch
because Docker has a random host for each container. - Could set environment variable
PASSPHRASE
, unless you want to type it manually in the prompt (remember then to add-it
). - May have to mount a few other files for authentication (see examples below).
Example of commands you may want to run periodically to back up with good clean-up/maintenance (see below for various storage options):
$ docker run --rm ... wernight/duplicity duplicity --full-if-older-than=6M source_directory target_url
$ docker run --rm ... wernight/duplicity duplicity remove-older-than 6M --force target_url
$ docker run --rm ... wernight/duplicity duplicity cleanup --force target_url
This would do:
- A full backup every 6 months so that restoration is a lot faster and for cleanup to work, and incremental backups the rest of the time.
- Delete backups older than 6 months (doesn't break incremental backups).
- Delete files from failed sessions (if any).
Google Cloud Storage nearline costs about $0.01/GB/Month.
Set up:
-
Sign up, create an empty project, enable billing, and create a bucket
-
Under "Storage" section > "Settings" > "Interoperability" tab > click "Enable interoperable access" and then "Create a new key" button and note both Access Key and Secret. Also note your Project Number (aka project ID, it's a number like 1233457890).
-
Run gcloud's
gsutil config -a
to generate the~/.boto
configuration file and give it all these info (alternatively you should be able to set environment variableGS_ACCESS_KEY_ID
andGS_SECRET_ACCESS_KEY
however in my tries I didn't see where to set your project ID). -
You should now have a
~/.boto
looking like:[Credentials] gs_access_key_id = MYGOOGLEACCESSKEY gs_secret_access_key = SomeVeryLongAccessKeyXXXXXXXX [GSUtil] default_project_id = 1233457890
Now you're ready to perform a backup:
$ docker run --rm --user $UID \
-e PASSPHRASE=P4ssw0rd \
-v $PWD/.cache:/home/duplicity/.cache/duplicity \
-v $PWD/.gnupg:/home/duplicity/.gnupg \
-v ~/.boto:/home/duplicity/.boto:ro \
-v /:/data:ro \
wernight/duplicity \
duplicity --full-if-older-than=6M --allow-source-mismatch /data gs://my-bucket-name/some_dir
To restore, you'll need:
- Keep
.boto
or regenerate it to access your Google Cloud Storage. - The
PASSPHRASE
you've used.
Example:
$ docker run --rm --user $UID \
-e PASSPHRASE=P4ssw0rd \
-v ~/.boto:/home/duplicity/.boto:ro \
-v /:/data:ro \
wernight/duplicity \
duplicity restore gs://my-bucket-name/some_dir /data
See also the note on Google Cloud Storage.
Google Drive offers 15GB for free.
Set up:
-
Follow notes on Pydrive Backend to generate a P12 credential file (call it
pydriveprivatekey.p12
) and note also the associated service account email generated (e.g.duplicity@developer.gserviceaccount.com
). -
Convert P12 to PEM:
$ docker run --rm -i --user $UID \ -v $PWD/pydriveprivatekey.p12:/pydriveprivatekey.p12:ro \ wernight/duplicity \ openssl pkcs12 -in /pydriveprivatekey.p12 -nodes -nocerts >pydriveprivatekey.pem Enter Import Password: notasecret
Now you're ready to perform a backup:
$ docker run --rm --user $UID \
-e PASSPHRASE=P4ssw0rd \
-e GOOGLE_DRIVE_ACCOUNT_KEY=$(cat pydriveprivatekey.pem) \
-v $PWD/.cache:/home/duplicity/.cache/duplicity \
-v $PWD/.gnupg:/home/duplicity/.gnupg \
-v /:/data:ro \
wernight/duplicity \
duplicity --full-if-older-than=6M --allow-source-mismatch /data pydrive://duplicity@developer.gserviceaccount.com/some_dir
To restore, you'll need:
- Regenerate a PEM file (or keep it somewhere).
- The
PASSPHRASE
you've used.
Supposing you've an SSH access to some machine, you can:
$ docker run --rm -it --user root \
-e PASSPHRASE=P4ssw0rd \
-v $PWD/.cache:/home/duplicity/.cache/duplicity \
-v $PWD/.gnupg:/home/duplicity/.gnupg \
-v ~/.ssh/id_rsa:/id_rsa:ro \
-v ~/.ssh/known_hosts:/etc/ssh/ssh_known_hosts:ro \
-v /:/data:ro \
wernight/duplicity \
duplicity --full-if-older-than=6M --allow-source-mismatch \
--rsync-options='-e "ssh -i /id_rsa"' \
/data rsync://user@example.com/some_dir
Note: We're running here as root
to have access to ~/.ssh
and also because ssh does not
allow to use a random (non-locally existing) UID. To make it safer, you can copy your ~/.ssh
and chown 1896
it (that is duplicity
UID within the container). If you know a another way to avoid
the "No user exists for uid" check, please let me know.
Here is a simple alias that should work in most cases:
$ alias duplicity='docker run --rm --user=root -v ~/.ssh/id_rsa:/home/duplicity/.ssh/id_rsa:ro -v ~/.boto:/home/duplicity/.boto:ro -v ~/.gnupg:/home/duplicity/.gnupg -v /:/mnt:ro -e PASSPHRASE=$PASSPHRASE wernight/duplicity duplicity $@'
Now you should be able to run duplicity almost as if it were installed, example:
$ PASSPHRASE=123456 duplicity --progress /mnt rsync://user@example.com/some_dir
- duplicity man page
- duplicity back-up how-to - Ubuntu
- How To Use Duplicity with GPG to Securely Automate Backups on Ubuntu | DigitalOcean
Report issues/questions/feature requests on GitHub Issues.