garethgeorge/backrest

Doc improvement: using custom CA with docker installation.

Opened this issue · 2 comments

First of all thanks a lot for the excellent work.

Why
Usage of on-premise S3 services is often linked to either self-signed certificates (not so good), or to certificates signed by a custom CA (much better).
If Backrest is installed directly on the server it will use the system CA --> no issue.
If Backrest is installed in Docker with the sample compose file, the custom CA will not be available in the container, therefore it will not be possible to connect to the local S3 repository.
However, it is possible to use the RESTIC_CACERT environment variable...

Solution description
No changes to the code or to the docker image are required.
I'd simply suggest improving the documentation by adding info on how to use a custom CA.

Example: docker-compose with custom CA support.

```yaml
version: "3.2"
services:
  backrest:
    image: garethgeorge/backrest:latest-alpine
    container_name: backrest
    hostname: backrest
    volumes:
      - ./backrest/data:/data
      - ./backrest/config:/config
      - ./backrest/cache:/cache
      - /usr/local/share/ca-certificates:/ca-certificates:ro # [optional] mount path where custom CA is stored
      - /MY-BACKUP-DATA:/userdata # [optional] mount local paths to backup here.
      - /MY-REPOS:/repos # [optional] mount repos if using local storage, not necessary for remotes e.g. B2, S3, etc.
    environment:
      - BACKREST_DATA=/data # path for backrest data. restic binary and the database are placed here.
      - BACKREST_CONFIG=/config/config.json # path for the backrest config file.
      - XDG_CACHE_HOME=/cache # path for the restic cache which greatly improves performance.
      - TZ=Europe/Rome # set the timezone for the container, used as the timezone for cron jobs.
      - RESTIC_CACERT=/ca-certificates/$CA_CERT_FILENAME # [optional] should specify the filename of the custom CA to be used
    restart: unless-stopped
    ports:
      - 9898:9898
```

$CA_CERT_FILENAME should be defined in the environment variables.
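A host-side preflight check for the compose setup in the post above. This is an added example, not part of backrest and not the issue author's code; it assumes the same bind mount (`/usr/local/share/ca-certificates` to `/ca-certificates:ro`) and the `CA_CERT_FILENAME` variable, and the function names are hypothetical. It verifies, before `docker compose up`, that the file `RESTIC_CACERT` will resolve to inside the container is actually present under the mounted directory and is a PEM CA certificate, since restic in the container only sees what is mounted:

```shell
#!/bin/sh
# Host-side preflight for the custom-CA compose setup (added example, not part
# of backrest). The mount path and CA_CERT_FILENAME variable mirror the compose
# file above; function names and messages are assumptions.

# check_ca_file HOST_CA_DIR CA_CERT_FILENAME
# Returns 0 when HOST_CA_DIR/CA_CERT_FILENAME is a readable PEM certificate
# file, 1 otherwise. This is the file RESTIC_CACERT resolves to inside the
# container once /ca-certificates is bind-mounted from HOST_CA_DIR.
check_ca_file() {
  ca_dir=$1
  ca_name=$2
  ca_path="$ca_dir/$ca_name"

  # An unset CA_CERT_FILENAME makes RESTIC_CACERT point at the directory
  # itself, which restic cannot load; catch that before starting the stack.
  if [ -z "$ca_name" ]; then
    echo "CA_CERT_FILENAME is empty" >&2
    return 1
  fi
  # The file must exist on the host side of the bind mount; the container can
  # only read what is actually under HOST_CA_DIR.
  if [ ! -f "$ca_path" ] || [ ! -r "$ca_path" ]; then
    echo "CA file missing or not readable: $ca_path" >&2
    return 1
  fi
  # restic expects a PEM bundle; a DER-encoded file or a private key will not do.
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_path"; then
    echo "not a PEM certificate: $ca_path" >&2
    return 1
  fi
  return 0
}

# check_ca_is_ca CA_PATH
# Optional stricter check when openssl is installed on the host: the file must
# carry basicConstraints CA:TRUE, i.e. it is the CA (or intermediate) and not
# the S3 server's leaf certificate, an easy mix-up when copying files around.
check_ca_is_ca() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found, skipping CA:TRUE check" >&2
    return 0
  fi
  if ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo "certificate is not marked CA:TRUE: $1" >&2
    return 1
  fi
  return 0
}

# Typical use on the Docker host, before starting the stack:
#   export CA_CERT_FILENAME=my-org-ca.crt
#   check_ca_file /usr/local/share/ca-certificates "$CA_CERT_FILENAME" \
#     && check_ca_is_ca "/usr/local/share/ca-certificates/$CA_CERT_FILENAME" \
#     && docker compose up -d
```

The first function only needs POSIX tools and catches the three failure modes that show up as an opaque TLS error from restic at backup time: an empty variable, a filename that is not under the mounted directory, and a file that is not PEM. The second function is skipped when openssl is absent, so it never blocks a start on a minimal host.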

Interesting issue -- I think this is something that could make a lot of sense for the cookbooks section of the docs https://github.com/garethgeorge/backrest/tree/main/docs/content/3.cookbooks if you're interested in elaborating on / sharing your setup w/ self hosted S3 (I'm assuming minio or similar) and custom certificates. It'd be a great pull request.

Hi,
atm I have my hands full at work... but as soon as I have some spare time I think it could be possible (if I finally decide to learn how to properly use GitHub... ;-) ).

Just FYI:

  • About custom certificates, I use a custom CA, with an intermediate CA given to a Step-CA instance (https://smallstep.com/docs/step-ca/) that generates and distributes TLS certificates to all local applications (this is for security, but also to avoid modern browsers' complaints... :-D )
  • Concerning local self-hosted S3, I'm currently testing Garage (https://garagehq.deuxfleurs.fr). I've also tried minio, which is fantastic, but also quite resource intensive... So far Garage seems to be very promising and stable. There is no web interface yet, and running a cluster on different Docker machines requires some knowledge of Docker and bash... Positive aspects are that it's very light, but still performant, written in Go (so usable on any device from an enterprise server to an old Raspberry), and supports HA clusters distributed across different subnets/locations with different architectures...