- Container functionalities
- About BackupPC
- Basic usage
- Data persistency
- UI authentication/authorization
- UI SSL encryption
- SMTP configuration for notification delivery
- Upgrading
- Miscellaneous
This docker is designed to provide a ready-to-go and maintainable BackupPC instance for your backups.
- Provides a full-featured and functional BackupPC version 4.x/3.x. In particular, all backup protocols handled by BackupPC are supported.
- BackupPC Admin Web UI is exposed on 8080 port by an embedded lighttpd server. Available protocols are HTTP or HTTPS through a self-signed SSL certificate.
- Existing BackupPC configuration & pool are self-upgraded at first run of a newly created container instance. It allows for instance dockerisation of a pre-existing BackupPC v3.x instance.
- Container image is constructed on top of an Alpine distribution to reduce the footprint. Image size is below 80MB.
BackupPC is a free self-hosted backup software able to backup remote hosts through various ways like rsync, smb or tar. It supports full and incremental backups, and reconstruct automatically a usable verbatim from any backup version. Started with version 4, BackupPC uses a new way to store backups by a reverse delta approach and no hardlinks.
See BackupPC documentation for further details and how to use it.
For testing purpose, you can create a new BackupPC instance with following command. Please note that the basic usage is not suitable for production use.
docker run \
--name backuppc \
--publish 80:8080 \
adferrand/backuppc
Latest BackupPC 4.x docker image will be downloaded if needed, and started. After starting, browse http://YOUR_SERVER_IP:8080 to access the BackupPC Admin Web UI.
The default credentials are:
- username: backuppc
- password: password
Then you can test your BackupPC instance.
BackupPC configuration and pool are persisted as anonymous data containers (see Data persistency) with a weak control over it. Moreover BackupPC Admin Web UI is accessed from the unsecured HTTP protocol, exposing your user/password and data you could retrieve from the UI (see UI SSL encryption).
As we are talking about backups, you certainly want to control the data persistency of your docker instance.
It declares three volumes :
/etc/backuppc
: stores the BackupPC configuration, in particular config.pl and hosts configuration./home/backuppc
: home of the backuppc user, running your BackucPC instance, and contains in particular a .ssh directory with the SSH keys used to make backups through SSH protocol (see SSH Keys)./data/backuppc
: contains the BackupPC pool, so your backups themselves, and the logs.
It is advised to mount these volumes on the host in order to persist your backups. Assuming a host directory /var/docker-data/backuppc{etc,home,data}
, mounted on a big filesystem, you can do for instance :
docker run \
--name backuppc \
--publish 80:8080 \
--volume /var/docker-data/backuppc/etc:/etc/backuppc \
--volume /var/docker-data/backuppc/home:/home/backuppc \
--volume /var/docker-data/backuppc/data:/data/backuppc \
adferrand/backuppc
All your backuppc configuration, backup and keys will survive the container destroy/re-creation.
The mounted host directory used for data persistency needs to be accessible by the host user corresponding to the backuppc user created in container instance. By default, this backuppc user is of UUID 1000
and GUID 1000
, which should correspond to the first non-root user create on your host.
If you want to use an host user of different UUID/GUID, you can specify the container instance to use these customized values during creation with environment variables: respectively BACKUPPC_UUID (default: 1000)
and BACKUPPC_GUID (default: 1000)
.
For example:
# With user myUser (UUID 1200) and group myGroup (GUID 1300)
chown -R myUser:myGroup /var/docker-data/backuppc
docker run \
--name backuppc \
--publish 80:8080 \
--volume /var/docker-data/backuppc/etc:/etc/backuppc \
--volume /var/docker-data/backuppc/home:/home/backuppc \
--volume /var/docker-data/backuppc/data:/data/backuppc \
--env 'BACKUPPC_UUID=1200' \
--env 'BACKUPPC_GUID=1300' \
adferrand/backuppc
BackupPC can use different methods to authenticate and authorize users to access the BackupPC Admin Web UI. The method
used is controlled by the value of the AUTH_METHOD (default file)
environment variable.
At this time there are two methods:
- Credentials are defined in a httpasswd-like file. This is the default one.
- Credentials are stored in a LDAP database or an Active Directory instance, and
docker-backuppc
connects to it to validate the accesses.
In all cases the authentication process is done through the HTTP Basic Auth. If BackupPC is served through the unsecured HTTP protocol, credentials are exposed in plain text. See UI SSL encryption to secure the authentication data.
This method is enabled with AUTH_METHOD=file
.
Out of the box with this authentication method enabled, a single user with admin rights is created during the first start of
the container. Its username is backuppc and its password is password. The credentials are stored in the file /etc/backuppc/htpasswd
to allow the embedded lighttpd server to handle Basic Authentication, and the Backuppc config variable $Conf{CgiAdminUsers}
is setted to this username to instruct BackupPC to give it admin rights.
You can modify the admin user credentials by setting the environment variables BACKUPPC_WEB_USER (default backuppc)
and BACKUPPC_WEB_PASSWD (default password)
when creating the container.
The admin user credentials can be modified on an existing container by modifying the relevant environment variables, then re-creating the container. However please note that if you modify the username, you will need to manually remove the old username from the file /etc/backuppc/htpasswd
in the container after its re-creation.
This method is enabled with AUTH_METHOD=ldap
.
You can also authorize against an Active Directory / LDAP. The following Parameter are required to use this authorize method:
ENV Parameter | Description | Example |
---|---|---|
LDAP_HOSTNAME |
LDAP Hostname / IP with Port | ad.example.com:389 |
LDAP_BASE_DN |
LDAP Base DN | DC=example,DC=com |
LDAP_FILTER |
LDAP Filter | (&(objectClass=user)(sAMAccountName=$))' |
LDAP_BIND_DN |
LDAP Bind DN | cn=backuppc,cn=users,DC==example,DC=com |
LDAP_BIND_PW |
LDAP Password | SuperSecretPassword |
LDAP_BACKUPPC_ADMIN |
LDAP user with with backuppc admin rights | backuppcadmin |
One may need more advanced authentication/authorization on Backuppc Web UI, for instance several normal users allowing operations on backups, and an admin user to parameterize BackupPC.
In theses cases, authentication and admin granting must be configured manually.
- If
file
authentication method is used, you should use Apachehtpasswd
utility to fill content of the file/etc/backuppc/htpasswd
. You can also disable the default admin user creation by unsetting environment variablesBACKUPPC_WEB_USER
andBACKUPPC_WEB_PASSWD
, and reconfigure admin rights inconfig.pl
. - All authenticated users are considered as normal users if not telling otherwise. Add a username in the
$Conf{CgiAdminUsers}
variable of/etc/backuppc/config.pl
file to grant this user admin rights, or useLDAP_BACKUPPC_ADMIN
with theldap
authentication method.
For instance, with two normal users user1
and user2
+ one admin user admin
, using the file
authentication method, you can do the following steps on the host. It is assumed that /etc/backuppc
is mounted on /var/docker-data/backuppc/etc
on the host and Apache htpasswd
utility is installed on it.
htpasswd -b -c /var/docker-data/backuppc/etc/htpasswd admin admin_password
htpasswd -b /var/docker-data/backuppc/etc/htpasswd user1 user1_password
htpasswd -b /var/docker-data/backuppc/etc/htpasswd user2 user2_password
sed -ie "s/^\$Conf{CgiAdminUsers}\s*=\s*'\w*'/\$Conf{CgiAdminUsers} = 'admin'/g" \
/var/docker-data/backuppc/etc/config.pl
docker run \
--name backuppc \
--publish 80:8080 \
--volume /var/docker-data/backuppc/etc:/etc/backuppc \
--volume /var/docker-data/backuppc/home:/home/backuppc \
--volume /var/docker-data/backuppc/data:/data/backuppc \
adferrand/backuppc
By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed.
Set the environment variable USE_SSL (default: false)
to true
, and the embedded lighttpd server will expose the UI by HTTPS protocol, using a self-signed certificate generated during first run of the container instance.
docker run \
--name backuppc \
--publish 443:8080 \
--env 'USE_SSL=true'
Then you can access the UI through the secured URL https://YOUR_SERVER_IP/. Of course, as the SSL certificate is self-signed, your browser will alert you about this unsecured certificate.
NB: You can also use your own SSL certificate: merge together the private key and the certificate into a server.pem
file (eg. cat server.key server.crt > server.pem
), and mount certificate.pem
on the container path /etc/lighttpd/server.pem
(eg. --volume /you/path/to/certificate.pem:/etc/lighttpd/server.pem
).
Instead of providing a very advanced SSL configuration in this Docker, and reinvent the wheel, it is advised to run your backuppc instance without SSL and without exposing the 8080 port, and launch a second container with a secured SSL reverse-proxy pointing to the BackupPC instance.
You will be able to make routing based on DNS, use certificates signed by Let's Encrypt and so on. See nginx-proxy + letsencrypt-nginx-proxy-companion or traefik for more information.
BackupPC can send notifications by mail to inform users about backups state. This docker include the MSMTP utility, which basically relays all mails to a pre-existing SMTP server.
Two configuration approaches are available.
If you are using BackupPC to backup your IT architecture, it is likely that you have already a SMTP server configured on your host or local network. Or you can instantiate a dockerised full-featured SMTP server (like namshi/smtp) on the same network than the backuppc container.
In both cases, the SMTP server should be accessible to the backuppc container through YOUR_SMTP_FQDN on port 25. Set the environment variable SMTP_HOST
(default: mail.example.org) to YOUR_SMTP_FQDN before creating the BackupPC container, and all mails emitted by BackupPC will be relayed on this SMTP server.
You should also set the optional environment variable SMTP_MAIL_DOMAIN (default empty)
to the domain you manage, in order to resolve automatically the right part of the email sender to this domain if it is not specified by BackupPC. Indeed by default, sender mail of BackupPC notifications is only 'backuppc', without right part: these emails are likely to be refused by most SMTP servers.
docker run \
--name backuppc \
--publish 80:8080 \
--env SMTP_HOST=smtp.my-domain.org \
--env SMTP_MAIL_DOMAIN=my-domain.org \
adferrand/backuppc
In more complex scenarios, like sending notifications through a TLS-secured SMTP server with authentication (eg. Google SMTP), you can use any advanced configuration supported by MSMTP. To do so, mount your custom msmtprc
configuration file on the Docker path /etc/msmtprc
. This configuration will be used for any email sent by BackupPC.
See MSMTP documentation, in particular its configuration examples, to see how to build the configuration which suits your needs.
To update the BackupPC version of this container:
- pull the new image version of this Docker,
- recreate the container.
At first start, configure.pl
script of BackupPC will be called. It will detect your existing configuration (under /etc/backuppc
), your existing backup pool (under /data/backuppc
), and will proceed any changes needed to match the new BackupPC version requirement.
This sub-section is under Upgrading section because the process is very similar to a container upgrade.
Because configure.pl script is called on first run of your container instance, you can dockerise and upgrade to v4.X a pre-existing BackupPC v3.x installation.
To do so, let's assume that your BackupPC v3.x installed on your host:
- has its configuration in
/etc/backuppc
- has its backup pool in
/var/lib/backuppc
- has the user home running your BackupPC (typically backuppc) in
/home/backuppc
- has its log files in
/var/log/backuppc
Check UUID/GUID of your backuppc user on host. If they are not 1000/1000, you will need to put environment variables to customize theses values in the container instance (see POSIX rights).
Then launch a container instance, mounting your existing BackupPC installation assets in the relevant volumes.
docker run \
--name backuppc \
--publish 80:8080 \
--volume /etc/backuppc:/etc/backuppc \
--volume /home/backuppc:/home/backuppc \
--volume /var/lib/backuppc:/data/backuppc \
--volume /var/log/backuppc:/data/backuppc/log \
adferrand/backuppc
The configure.pl script will detect a v3.x version under /etc/backuppc, and will run appropriate upgrade operations (in particular enabling legacy v3.x pool to access it from a BackupPC v4.x).
The backuppc host name will default to the container's hostname. You can modify this by setting --hostname
in your docker run
command like so:
docker run \
--name backuppc \
--hostname backuppc.example.org \
--publish 80:8080 \
adferrand/backuppc
Metrics are available on a dedicated endpoint. For example, if the URL to access the BackupPC Admin Web UI is http://YOUR_SERVER_IP:8080
, then use:
http://YOUR_SERVER_IP:8080/BackupPC_Admin?action=metrics&format=json
to get the metrics in JSON formathttp://YOUR_SERVER_IP:8080/BackupPC_Admin?action=metrics&format=rss
to get the metrics in RSS formathttp://YOUR_SERVER_IP:8080/BackupPC_Admin?action=metrics&format=prometheus
to get the metrics in Prometheus format
By default the timezone of this docker is set to UTC. To modify it, you can specify a tzdata-compatible timezone in the environment variable TZ
.
# For Paris time (including daylight)
docker run \
--name backuppc \
--publish 80:8080 \
--env TZ=Europe/Paris \
adferrand/backuppc
Alternatively, depending on the host OS, you can sync the container timezone to its host by mounting the host file /etc/localtime
to the container path /etc/localtime
.
docker run \
--name backuppc \
--publish 80:8080 \
--mount /etc/localtime:/etc/localtime:ro \
adferrand/backuppc
For debugging and maintenance purpose, you may need to start a shell in your running container. With a Docker of version 1.3.0 or higher, you can do:
docker exec -it backuppc /bin/sh
You will obtain a shell with the standard tools of an Alpine distribution.
Legacy version of BackupPC (v3.x) is available on the legacy tag 3
, or with explicit version tag (eg. 3.3.2
).
docker run \
--name backuppc \
--publish 80:8080 \
adferrand/backuppc:3