Merge pull request #58 from ttionya/feature/support-non-root-user

Support start the container as non-root user

Dockerfile

@@ -4,9 +4,18 @@ LABEL "repository"="https://github.com/ttionya/vaultwarden-backup" \
   "homepage"="https://github.com/ttionya/vaultwarden-backup" \
   "maintainer"="ttionya <git@ttionya.com>"
 
+ARG USER_NAME="backuptool"
+ARG USER_ID="1100"
+
+ENV LOCALTIME_FILE="/tmp/localtime"
+
 COPY scripts/*.sh /app/
 
 RUN chmod +x /app/*.sh \
-  && apk add --no-cache bash sqlite p7zip heirloom-mailx tzdata
+  && mkdir -m 777 /bitwarden \
+  && apk add --no-cache bash heirloom-mailx p7zip sqlite supercronic tzdata \
+  && ln -sf "${LOCALTIME_FILE}" /etc/localtime \
+  && addgroup -g "${USER_ID}" "${USER_NAME}" \
+  && adduser -u "${USER_ID}" -Ds /bin/sh -G "${USER_NAME}" "${USER_NAME}"
 
 ENTRYPOINT ["/app/entrypoint.sh"]

README.md

@@ -218,11 +218,23 @@ You need to use this option to specify the `sends.tar` file.
 
 ## Environment Variables
 
-> **Note:** All environment variables have default values, and you can use the docker image without setting environment variables.
+> **Note:** All environment variables have default values, you can use the docker image without setting any environment variables.
 
 #### RCLONE_REMOTE_NAME
 
-Rclone remote name, you can name it yourself.
+Rclone remote name, which needs to be consistent with the remote name in the rclone config.
+
+You can view the current remote name with the following command.
+
+```shell
+docker run --rm -it \
+  --mount type=volume,source=vaultwarden-rclone-data,target=/config/ \
+  ttionya/vaultwarden-backup:latest \
+  rclone config show
+
+# [BitwardenBackup] <- this
+# ...
+```
 
 Default: `BitwardenBackup`
 
@@ -236,25 +248,25 @@ Default: `/BitwardenBackup/`
 
 Rclone global flags, see [flags](https://rclone.org/flags/).
 
-**Do not add flags that change the output, such as `-P`, which will affect the deletion of outdated backup files.**
+**Do not add flags that will change the output, such as `-P`, which will affect the deletion of outdated backup files.**
 
 Default: `''`
 
 #### CRON
 
-Schedule run backup script, based on Linux `crond`. You can test the rules [here](https://crontab.guru/#5_*_*_*_*).
+Schedule run backup script, based on [`supercronic`](https://github.com/aptible/supercronic). You can test the rules [here](https://crontab.guru/#5_*_*_*_*).
 
 Default: `5 * * * *` (run the script at 5 minute every hour)
 
 #### ZIP_ENABLE
 
-Compress the backup file as Zip archive. When set to `'FALSE'`, only upload `.sqlite3` files without compression.
+Pack all backup files into a compressed file. When set to `'FALSE'`, each backup file will be uploaded independently.
 
 Default: `TRUE`
 
 #### ZIP_PASSWORD
 
-Set your password to encrypt Zip archive. Note that the password will always be used when compressing the backup file.
+Password for compressed file. Note that the password will always be used when packing the backup files.
 
 Default: `WHEREISMYPASSWORD?`
 

README_zh.md

@@ -218,11 +218,23 @@ docker run --rm -it \
 
 ## 环境变量
 
-> **注意：** 所有的环境变量都有默认值，你可以在不设置环境变量的情况下使用 Docker 镜像。
+> **注意：** 所有的环境变量都有默认值，你可以在不设置任何环境变量的情况下使用 Docker 镜像。
 
 #### RCLONE_REMOTE_NAME
 
-Rclone 远程名称，你可以自己修改命名。
+Rclone 远程名称，它需要和 rclone config 中的远程名称保持一致。
+
+你可以通过以下命令查看当前远程名称。
+
+```shell
+docker run --rm -it \
+  --mount type=volume,source=vaultwarden-rclone-data,target=/config/ \
+  ttionya/vaultwarden-backup:latest \
+  rclone config show
+
+# [BitwardenBackup] <- 就是它
+# ...
+```
 
 默认值：`BitwardenBackup`
 
@@ -242,19 +254,19 @@ Rclone 全局参数，详见 [flags](https://rclone.org/flags/)。
 
 #### CRON
 
-`crond` 的规则，它基于 Linux `crond`。你可以在 [这里](https://crontab.guru/#5_*_*_*_*) 进行测试。
+`crond` 的规则，它基于 [`supercronic`](https://github.com/aptible/supercronic)。你可以在 [这里](https://crontab.guru/#5_*_*_*_*) 进行测试。
 
 默认值：`5 * * * *` (每小时的 05 分自动备份)
 
 #### ZIP_ENABLE
 
-将备份文件打包为 Zip 文件。当设置为 `'FALSE'` 时，会单独上传备份文件。
+将所有备份文件打包为压缩文件。当设置为 `'FALSE'` 时，会单独上传每个备份文件。
 
 默认值：`TRUE`
 
 #### ZIP_PASSWORD
 
-使用密码加密打包的备份文件。请注意，打包备份文件时将始终使用密码。
+压缩文件的密码。请注意，打包备份文件时始终会使用密码。
 
 默认值：`WHEREISMYPASSWORD?`
 

docs/run-as-non-root-user.md

@@ -0,0 +1,92 @@
+# Run as non-root user
+
+By default the container runs the backup script as root user. There are few things you need to set to run the container as non-root user if you wish to do so.
+
+You can use the built-in non-root user and group, named `backuptool`, uid and gid are `1100`.
+
+<br>
+
+
+
+## Backup
+
+1. Make sure that the rclone config file in the mounted `vaultwarden-rclone-data` volume is writable by `backuptool` user.
+
+```shell
+# enter the container
+docker run --rm -it \
+  --mount type=volume,source=vaultwarden-rclone-data,target=/config/ \
+  --entrypoint=bash \
+  ttionya/vaultwarden-backup:latest
+
+# modify the rclone config file owner in the container
+chown -R 1100:1100 /config/
+
+# exit the container
+exit
+```
+
+2. If you want a full backup of the `rsa_key*`, you need to allow `backuptool` user to read the `rsa_key*`.
+
+**With Docker Compose**
+
+```shell
+# enter the container
+docker run --rm -it \
+  --mount type=volume,source=vaultwarden-data,target=/bitwarden/data/ \
+  --entrypoint=bash \
+  ttionya/vaultwarden-backup:latest
+
+# make files readable for all users in the container
+chmod -R +r /bitwarden/data/
+
+# exit the container
+exit
+```
+
+**With Automatic Backups**
+
+```shell
+# enter the container
+docker run --rm -it \
+  --volumes-from=vaultwarden \
+  --entrypoint=bash \
+  ttionya/vaultwarden-backup:latest
+
+# make files readable for all users in the container
+chmod -R +r /data/
+
+# exit the container
+exit
+```
+
+3. Start the container with proper parameters.
+
+**With Docker Compose**
+
+```shell
+# docker-compose.yml
+services:
+  backup:
+    image: ttionya/vaultwarden-backup:latest
+    user: 'backuptool:backuptool'
+    ...
+```
+
+**With Automatic Backups**
+
+```shell
+docker run -d \
+  ...
+  --user backuptool:backuptool \
+  ...
+  ttionya/vaultwarden-backup:latest
+```
+
+<br>
+
+
+
+## Restore
+
+Do the restore normally, nothing special.

scripts/entrypoint.sh

@@ -37,16 +37,13 @@ if [[ "$1" == "restore" ]]; then
 fi
 
 function configure_timezone() {
-    if [[ ! -f /etc/localtime || ! -f /etc/timezone ]]; then
-        cp -f "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
-        echo "${TIMEZONE}" > /etc/timezone
-    fi
+    ln -sf "/usr/share/zoneinfo/${TIMEZONE}" "${LOCALTIME_FILE}"
 }
 
 function configure_cron() {
-    local FIND_CRON_COUNT=$(crontab -l | grep -c 'backup.sh')
-    if [[ ${FIND_CRON_COUNT} -eq 0 ]]; then
-        echo "${CRON} bash /app/backup.sh > /dev/stdout" >> /etc/crontabs/root
+    local FIND_CRON_COUNT="$(grep -c 'backup.sh' "${CRON_CONFIG_FILE}" 2> /dev/null)"
+    if [[ "${FIND_CRON_COUNT}" -eq 0 ]]; then
+        echo "${CRON} bash /app/backup.sh" >> "${CRON_CONFIG_FILE}"
     fi
 }
 
@@ -56,4 +53,4 @@ configure_timezone
 configure_cron
 
 # foreground run crond
-crond -l 2 -f
+supercronic -passthrough-logs -quiet "${CRON_CONFIG_FILE}"

scripts/includes.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 
 ENV_FILE="/.env"
+CRON_CONFIG_FILE="${HOME}/crontabs"
 BACKUP_DIR="/bitwarden/backup"
 RESTORE_DIR="/bitwarden/restore"
 RESTORE_EXTRACT_DIR="/bitwarden/extract"

version

@@ -1 +1 @@
-v1.11.2-beta.0
+v1.12.0-beta.1