3

I am trying to set up a server for team note taking, and I am wondering what is the best way to back up its data, a.k.a. my notes, automatically.

Currently I plan to run the server in a docker image.
The docker image will be hosted by a hosting service (such as Google).
I found a free hosting service that fits my need, but it does not allow mounting volumes to a docker image.
Therefore, I think the only way for me to back up my data is to transfer them to some other cloud services.
However, this requires that I store some sort of sensitive data for authentication in my docker image; apparently this is not cool.

So:

  1. Is it possible to transfer data from a docker image to a cloud service without taking the risk of leaking password/private key?

  2. Is there any other way to back up my data?
    I don't have to use docker as all I need is actually Node.js.
    But the server must be hosted on some remote machines because I don't have the ability/time/money to host a machine on my own...

eLRuLL
YAC
  • You can use a solution like this: https://github.com/lvthillo/docker-backup-s3 This will start a docker container on your server, back up the data you specify in the path and store it on s3. – lvthillo Jan 02 '18 at 13:57
  • Wouldn't that be dangerous to put the key in the environment? I am not asserting that it is definitely not safe. I just don't know if it is okay to do so. – YAC Jan 02 '18 at 14:23
  • https://docs.docker.com/engine/swarm/secrets/#defining-and-using-secrets-in-compose-files – lvthillo Jan 02 '18 at 18:36
  • Thanks for the suggestion! And it turns out the hosting service I use can set a config for my image, which seems to serve as docker secret. So I guess it is considered to be safe to let a running image hold sensitive data as its environment variables or serialize them to the file system in the image? – YAC Jan 03 '18 at 00:45
  • 'A running image' = a container. And I would try to start the container with a secret parameter. After that try to commit the container, try to access the secret, etc. If all of that isn't possible it is safe. (Like in the simple example in the docs) – lvthillo Jan 03 '18 at 06:35

2 Answers

4

I use borg backup to back up our servers (including docker volumes) ... and it's saved the day many times due to failure and stupidity.

It transfers over SSH so comms are encrypted. The repositories it uses are also encrypted on disk so that makes all your data safe. It de-duplicates, snapshots, prunes, compresses ... the feature list is quite large.

After the first backup, subsequent backups are much faster because it only submits the changes since the previous backup.

You can also mount the snapshots as filesystems so you can hunt down the single file you deleted or just restore the whole lot. The mounts can also be done remotely.

I've configured ours to back up /home, /etc and the /var/lib/docker/volumes directories (among others).

We rent a few cheap storage VPSs and send the data up to them nightly. They're in different geographic locations with different hosting providers, you know, because we're paranoid.

1

Besides docker swarm secrets, don't forget bind mount strategies: you could have your data in a volume.

In that case, you can have a backup strategy done on the host (instead of the container at runtime), which would take that volume, compress it and save it elsewhere. See for instance this answer or this one.

VonC
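The host-side approach described in this answer (take the volume, compress it, save it elsewhere), as an added example that is not part of the original answer. Because it runs on the host, the container itself needs no upload credentials. The function name, volume path, destination directory and retention count are assumptions.

```shell
#!/bin/sh
# Added example: host-side backup of a volume directory.
# Usage: backup_volume SRC_DIR DEST_DIR [KEEP]
# e.g. from cron (hypothetical volume name "notes"):
#   backup_volume /var/lib/docker/volumes/notes/_data /srv/backups 14
backup_volume() {
    src=$1 dest=$2 keep=${3:-7}
    [ -d "$src" ] || { echo "no such volume directory: $src" >&2; return 1; }
    name=$(basename "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    final="$dest/$name-$stamp.tar.gz"
    tmp="$final.partial"

    old_umask=$(umask)
    umask 077                      # archives readable by the backup user only
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }

    # Archive relative to the volume root so restores do not depend on host paths,
    # then list the archive back to confirm it is readable before publishing it.
    if ! tar -C "$src" -czf "$tmp" . || ! tar -tzf "$tmp" >/dev/null; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    mv "$tmp" "$final"             # rename only after the archive verified
    ( cd "$dest" && sha256sum "$(basename "$final")" > "$(basename "$final").sha256" )
    umask "$old_umask"

    # Retention: UTC timestamps sort lexicographically, so keep the newest $keep.
    ls "$dest"/"$name"-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do rm -f "$old" "$old.sha256"; done

    echo "$final"
}
```

The `.sha256` file lets the off-site copy be checked with `sha256sum -c` after transfer; shipping the archive elsewhere is left to whatever the host already uses.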