Closed jtagcat closed 4 years ago
I'm sorry, but your description of the problem is a bit vague in terms of what actually happens and when.
Can you please update your post to include the complete commands to reproduce the problem (preferably under the heading "Actual Behavior" which is currently missing even though it's in the issue template)?
I have run the rest-server without encryption, even when having had a .htpasswd, and have not seen the .htpasswd get deleted. So I'm a bit surprised by what you say :)
You're right, in the entrypoint.sh, the htpasswd file gets deleted when no authentication is requested. I've removed the line from the Shell script so it won't remove the file when we rebuild the docker container the next time.
Output of rest-server --version
da93e5693693
How did you run rest-server exactly?
My main instance uses authentication and operates on append-only mode.
I planned to run a secondary instance, which is only accessible locally, for forgetting and pruning some older backups. Since I would like to automate the process (by the script listing repositories by ls-ing the mapped /data directory, then forgetting and pruning according to a policy on all repositories) and not store clear-text passwords, I would run the secondary instance with authentication disabled.
Expected behaviour
.htpasswd file not getting deleted (and, for those who don't notice, stopping all clients from backing up)
Do you have an idea how to solve the issue?
So, the primary instance maps like this:
/mnt/storage/restic-data:/data
Since the instances share data directories, the first one needs to be the same, but I tried mapping the .htpasswd to a different location:
/mnt/storage/restic-data:/data
/mnt/storage/restic-secondary.htpasswd:/data/.htpasswd
I needed to touch /mnt/storage/restic-secondary.htpasswd, since you can't map a directory to a file (docker would assume restic-secondary.htpasswd to be a directory otherwise). My main concern would be that every time before the secondary instance gets started by docker, the file would need to be touched again (or the container will error).
But this somehow prevents the secondary instance from successfully booting. I suspect the secondary instance is trying to delete the file, but since the file is directly mapped, docker doesn't allow deletion.
I would expect the best solution would be to have .htpasswd's location (name) as an environment variable. Another solution could be to handle it with nginx (I think it was nginx), since it is looking for the hardcoded /data/.htpasswd file.
The easiest? Moving .htpasswd to a separate directory (/data/restic-configuration/.htpasswd for example). Having a separate directory brings up a problem: you must not have a repository named (in this example) restic-configuration (somebody could be backing up restic configurations here!). Probably the best directory name should start with a dot (but repos beginning with dots are allowed!).
If nothing is done, at the very least there should be a warning that disabling authentication deletes this file! If somebody is not backing up their backups (or not storing the passwords in plaintext (hopefully in encrypted, keepass or something)) elsewhere, this could mean that hundreds of clients need to be updated and could motivate IT to use one password for all the laptops, or worse, use these!
Edit addressing @rawtaz's comment
This is what I'm normally running:
Added users with docker-compose exec restic-server create_user command, while restic-server is running, start up this:
And right after starting restic-server-local up, /mnt/storage/restic-data/.htpasswd gets deleted.
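The behaviour reported in this thread next to a non-destructive alternative, as an added example that is not part of the original issue and is not the project's own entrypoint.sh. The function names, the DISABLE_AUTHENTICATION, PASSWORD_FILE and DATA_DIRECTORY variables, and the --htpasswd-file flag are assumptions; the "before" function is a constructed reproduction of the deletion described above.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh). Each function prints the
# auth-related arguments an entrypoint would pass to rest-server.
# Assumed names: DISABLE_AUTHENTICATION, PASSWORD_FILE, DATA_DIRECTORY,
# --htpasswd-file.

# Before: constructed reproduction of the reported behaviour. Starting an
# instance with authentication disabled removes the shared credentials file.
prepare_auth_destructive() {
    if [ -n "$DISABLE_AUTHENTICATION" ]; then
        rm -f "$PASSWORD_FILE"
        echo "--no-auth"
    else
        echo "--htpasswd-file $PASSWORD_FILE"
    fi
}

# After: the file location comes from an environment variable (the request in
# the issue), and a no-auth instance never touches the credentials.
prepare_auth_safe() {
    PASSWORD_FILE="${PASSWORD_FILE:-${DATA_DIRECTORY:-/data}/.htpasswd}"
    if [ -n "$DISABLE_AUTHENTICATION" ]; then
        if [ -s "$PASSWORD_FILE" ]; then
            echo "warning: auth disabled, leaving $PASSWORD_FILE untouched" >&2
        fi
        echo "--no-auth"
        return 0
    fi
    # Create an empty file with restrictive permissions only if none exists.
    if [ ! -f "$PASSWORD_FILE" ]; then
        ( umask 027 && touch "$PASSWORD_FILE" )
    fi
    echo "--htpasswd-file $PASSWORD_FILE"
}

# Demo on a throwaway directory with a constructed .htpasswd entry.
demo() {
    dir=$(mktemp -d)
    PASSWORD_FILE="$dir/.htpasswd"
    DISABLE_AUTHENTICATION=1
    echo 'alice:$2y$05$constructed-sample-hash' > "$PASSWORD_FILE"
    prepare_auth_safe >/dev/null 2>&1
    if [ -s "$PASSWORD_FILE" ]; then echo "safe: file kept"; fi
    prepare_auth_destructive >/dev/null
    if [ ! -e "$PASSWORD_FILE" ]; then echo "destructive: file deleted"; fi
    rm -rf "$dir"
}
demo
```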