Docker container db

#1

New to Duplicati, and find it very neat.

Running most of my packages in Debian as containers, including Duplicati. Wanting to create a backup configuration with selected files, to make it quick and easy to restore for when the box crashes.

My understanding is that the packages installed are executed every so often and the .db files and others, are being written and so on. Wondering if there is a way to stop such containers before Duplicati runs the backup, and then restart such containers after the backup/verify is done.

Meaning, I see a whole lot of ‘Advance Options’, if there is something to maybe run: “docker stop sonarr radarr lidarr mylar ombi” and after the backup/verify to run “docker start …”

TIA

#2

You’ll want to look into run-script-before.
https://duplicati.readthedocs.io/en/latest/06-advanced-options/#run-script-before

However, if you’re running Duplicati inside Docker you will also need to mount the Docker socket into the Duplicati container so you can control Docker from there.

#3

That got me somewhat going. Added the following to the compose and it is “somewhat” working… not really…

    duplicati:
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - /usr/bin/docker:/usr/bin/docker

If I go via the Portainer console or docker exec -it duplicati bash, I can run the duplicati-stop or duplicati-start files that I created, chmod +x under the /usr/local/lib. Both files will stop/start the containers if I run the command. So, outside the docker it works.

I added via Settings/Default Options the run-script-after/before and wrote the command /usr/local/bin/duplicati-start on the run-script-after, and same, but duplicati-stop on the run-script-before.

It never stopped them. The following is from the Verbose log data

The script “duplicati-stop-dockers” returned with exit code 255

The script “duplicati-start-dockers” reported error messages: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/sonarr/start: dial unix /var/run/docker.sock: connect: permission denied
Error: failed to start containers: sonarr

#4

Ah, I think we forgot one step. The container should be running as the root user so it has access, but Docker has some security features to prevent containers from accidentally getting too much control.

“--privileged” should allow the container to execute on the docker socket. It should just be “privileged: true” in docker compose.

#5

Nope, same error as above. This is what my docker-compose for duplicati has:

https://pastebin.com/FCBcQXcJ

Files at /usr/local/bin with chmod +x so they can be executed from anywhere:
duplicati-stop-dockers: https://pastebin.com/5THemXY2
duplicati-start-dockers: https://pastebin.com/C88TqHYq

When I run the following command at the command line: docker exec -it duplicati bash
which takes me to the specific container’s command line, I can execute: duplicati-stop-dockers and the dockers are stopped; the same with running: duplicati-start-dockers

So that shows me that within that container (duplicati) I am able to run those commands and the docker.sock is allowing the commands to work. I can do all the same if I reach the console via Portainer for the duplicati container.

At the Duplicati/Settings/Default Options: https ://imgur.com/yAmVtQh
(please copy/paste the link above, remove the blank space between https AND :// as the system wouldn’t allow me to post a 3rd link)
So any future backup always stops/starts the containers that need to be backed up.

#6

Hmm, if it works when you docker exec into the container, then it’s an issue with the user the container is running under. By default docker exec will put you into the container as root, while the docker-compose provided is asking the container to start as UID=1000.

I don’t think you need execution permissions on the socket, since it’s used for data transfer not execution. Default permissions are srw-rw----. 1 root docker, so presumably chmod 0666 should provide the correct permissions for anyone to use the docker socket.

It would probably be more secure to create a user on your host system, and then map the Duplicati container to that user’s ID. Then you can add that user to the docker group and have access from the container without allowing anyone to control your docker host.
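
The permission check behind the "permission denied" error in #3 and the root-versus-UID-1000 explanation in #6, as an added example that is not part of the thread: it applies the file-permission rules that govern a UNIX socket to a given mode, owner, and group, and can run the same check against the mounted socket. The function names `can_connect` and `diagnose_socket` are hypothetical, and `diagnose_socket` assumes a `stat` that supports `-c` (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example, not from the thread. Connecting to a UNIX socket needs
# write permission on the socket file, checked like any other file:
# owner bits if you own it, else group bits if you are in its group,
# else "other" bits. Root bypasses the check.

# can_connect MODE OWNER_UID GROUP_GID CALLER_UID "CALLER_GIDS"
# Prints the class that grants access (root/owner/group/other) or "denied".
can_connect() {
    mode="000$1"; owner=$2; group=$3; uid=$4; gids=$5
    perm=${mode#"${mode%???}"}            # last three octal digits
    u=${perm%??}; rest=${perm#?}; g=${rest%?}; o=${perm#??}
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    if [ "$uid" -eq "$owner" ]; then
        class=owner; bits=$u
    else
        class=other; bits=$o
        for gid in $gids; do
            if [ "$gid" -eq "$group" ]; then class=group; bits=$g; break; fi
        done
    fi
    if [ $((bits & 2)) -ne 0 ]; then echo "$class"; else echo denied; fi
}

# diagnose_socket [PATH]: apply the check to the real socket for the
# user this shell runs as (assumes GNU or BusyBox `stat -c`).
diagnose_socket() {
    sock=${1:-/var/run/docker.sock}
    if [ ! -S "$sock" ]; then echo "$sock: not a socket (not mounted?)"; return 2; fi
    set -- $(stat -c '%a %u %g' "$sock")
    verdict=$(can_connect "$1" "$2" "$3" "$(id -u)" "$(id -G)")
    echo "$sock mode=$1 owner=$2 group=$3 caller=$(id -u) groups=$(id -G): $verdict"
    [ "$verdict" != denied ]
}

# Run the live check only when asked: sh check-sock.sh --check
if [ "${1:-}" = "--check" ]; then diagnose_socket "${2:-}"; fi
```

Run with `--check` from a script started by the backup job rather than from a `docker exec` shell, so the result reflects the user the job actually runs as. A verdict of `other` means any local user, and any container with the socket mounted, can control the Docker daemon.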