
Docker Volume Backup Or Restore

Author: HongWei Jiang · v2.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 36 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw: /install docker-volume-backup-or-restore
Description
Robust Docker volume migration and backup using per-volume encrypted archives and registry-based transport. Supports dry-runs, container exclusion, and safe...
Usage (SKILL.md)

Docker Volume Backup Or Restore (v2.0)

Overview

This skill provides a secure, registry-backed workflow for migrating or backing up Docker volumes. Version 2.0 introduces a per-volume encryption architecture, creating separate encrypted archives for each volume. This improves reliability for large volume sets and eliminates path-parsing ambiguities during restoration.

Key features:

  • Zero-Trust Restore: Files are copied out of the backup image using docker cp. The backup image's code is never executed.
  • Per-Volume Encryption: Each volume is encrypted separately with AES-256-CBC (PBKDF2).
  • Container Safety: Automatically stops containers to ensure data consistency, with an --exclude-stop flag for critical infrastructure (like proxies or AI providers).
  • Registry Transport: Uses standard Docker registries as storage, making it easy to move data between any Docker-enabled hosts.
  • Dry-Run Support: Preview actions before stopping containers or pushing data.

Workflow

1. Prerequisites

  1. Docker: Must be installed and running.
  2. Registry Login: Ensure you are logged in to your target registry (e.g., docker login).
  3. Helper Image: The script uses a pinned alpine image for crypto operations. It must be pre-pulled for safety.

2. Backup Mode

Creates encrypted archives of all local volumes and pushes them as a single multi-layer image.

# Basic backup (auto-derives image name from hostname)
bash docker_volume_backup_or_restore.sh --backup --encrypt-password 'your-password'

# Backup with specific image and excluded containers
bash docker_volume_backup_or_restore.sh --backup-image user/repo:tag --encrypt-password 'pass' --exclude-stop proxy,db

What happens:

  1. Identifies all local volumes and running containers.
  2. Stops containers (except those in --exclude-stop).
  3. Mounts volumes into a trusted Alpine container.
  4. New in v2.0: Packages and encrypts each volume into its own .tar.gz.enc file.
  5. Builds a scratch-based image containing only these encrypted archives.
  6. Pushes the image to the registry.
  7. Restarts the stopped containers.

3. Restore Mode

Pulls a backup image and restores volumes to the local host.

bash docker_volume_backup_or_restore.sh --restore user/repo:tag --encrypt-password 'your-password'

What happens:

  1. Pulls the backup image.
  2. Creates a temporary container to docker cp the archives out (safely).
  3. Discovers volume names from the archive filenames.
  4. Creates missing local volumes.
  5. For each volume: decrypts the archive and copies data into the volume using a trusted helper.
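
Steps 2 and 3 above, sketched as an added example (not the skill's own script): archives are copied out of a container that is created but never started, and a filename is accepted as a volume name only if it passes an allow-list of characters. The `/backup` path inside the image, the suffix handling and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's script. ARCHIVE_DIR and the function names are assumptions.
LC_ALL=C
ARCHIVE_SUFFIX=".tar.gz.enc"
ARCHIVE_DIR="/backup"   # assumed location of the archives inside the image

# Copy the archives out of a pulled image without running anything from it.
extract_archives() {    # extract_archives IMAGE DEST_DIR
    # `docker create` never starts the container. A scratch-based image has no
    # default command, so a placeholder is supplied; it is never executed.
    cid=$(docker create "$1" /placeholder) || return 1
    docker cp "$cid:$ARCHIVE_DIR/." "$2"; rc=$?
    docker rm "$cid" >/dev/null
    return "$rc"
}

# Turn an archive filename into a volume name, or fail. The name comes from an
# image that may be untrusted, so only an allow-listed character set passes:
# no "/", no "..", and no leading "-" that a later command could read as an option.
volume_from_archive() { # volume_from_archive FILENAME
    case "$1" in
        *"$ARCHIVE_SUFFIX") name=${1%"$ARCHIVE_SUFFIX"} ;;
        *) return 1 ;;
    esac
    case "$name" in
        ""|[!a-zA-Z0-9]*|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Print one volume name per valid archive in DIR; report everything else.
list_volumes() {        # list_volumes DIR
    for f in "$1"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue    # regular files only
        volume_from_archive "${f##*/}" ||
            echo "skipping unexpected entry: ${f##*/}" >&2
    done
}

# With one argument (an image reference) run the flow; otherwise only define functions.
if [ "$#" -eq 1 ]; then
    tmp=$(mktemp -d) && extract_archives "$1" "$tmp" && list_volumes "$tmp"
fi
```
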

Arguments

  • --backup [IMAGE]: Start backup mode. Optional IMAGE override.
  • --backup-image IMAGE: Explicit backup image reference.
  • --restore IMAGE: Start restore mode using the specified image.
  • --encrypt-password PASS: Required. Password for AES-256 encryption/decryption.
  • --exclude-stop LIST: Comma-separated list of containers to keep running during backup.
  • --dry-run: Show planned actions without executing them.

Safety and Tradeoffs

  • Encryption: Uses openssl AES-256-CBC with PBKDF2. Passwords are never stored in the image.
  • Data Integrity: Stopping containers is highly recommended to prevent partial writes.
  • Storage: Large volumes will result in large images. Ensure your registry has sufficient quota and bandwidth.
  • Overwrites: Restore mode will overwrite existing data if a volume with the same name already exists.
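
A pre-restore check for the encryption and overwrite points above, as an added example (not the skill's own code): `openssl enc` in CBC mode has no authentication tag, so a wrong password or damaged archive shows up only as a padding or gzip/tar failure, and this verifies both before any volume is touched. `BACKUP_PASS` and the function names are assumptions; the password is passed with `-pass env:` to keep it out of the argument list.

```shell
#!/bin/sh
# Added example, not the skill's script. BACKUP_PASS and the function names are assumptions.

# Archive a directory and encrypt it with the scheme the page names
# (AES-256-CBC, PBKDF2 key derivation, random salt).
encrypt_volume_dir() {  # encrypt_volume_dir SRC_DIR OUT_FILE
    tmp=$(mktemp) || return 1
    tar -czf "$tmp" -C "$1" . &&
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_PASS \
            -in "$tmp" -out "$2"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Return 0 only if the archive decrypts, parses as a gzip tar, and contains no
# absolute or ".." member paths. The scratch plaintext is always removed and
# nothing is written to a volume.
verify_archive() {      # verify_archive ENC_FILE
    plain=$(mktemp) || return 1     # mktemp creates the file with mode 0600
    ok=1
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASS \
            -in "$1" -out "$plain" 2>/dev/null &&
       members=$(tar -tzf "$plain" 2>/dev/null) &&
       ! printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        ok=0
    fi
    rm -f "$plain"
    return "$ok"
}
```

Running `verify_archive` on every extracted archive first means a bad password is detected before the restore overwrites an existing volume.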
Security usage recommendations
Review the script before use, pre-test with `--dry-run`, specify an explicit private registry image, and avoid running it on shared hosts. Consider replacing the runtime `apk add` step with a reviewed helper image that already includes pinned tools before using it for sensitive Docker volumes.
Functional analysis
Type: OpenClaw Skill
Name: docker-volume-backup-or-restore
Version: 2.0.0

The skill provides a utility for backing up and restoring Docker volumes using encrypted archives pushed to a Docker registry. It implements several security best practices, including AES-256-CBC encryption with PBKDF2, the use of a pinned Alpine helper image by digest (alpine@sha256:48b030...), and a 'Zero-Trust' restore mechanism that extracts data via 'docker cp' to avoid executing untrusted code from backup images. The script (docker_volume_backup_or_restore.sh) and documentation (SKILL.md) are transparent about their operations, including stopping containers for data consistency and requiring explicit user-provided passwords.
Capability tags
crypto
Capability assessment
Purpose & Capability
The skill’s Docker-volume backup and restore behavior matches its stated purpose, but it intentionally handles all local Docker volumes, pushes encrypted backups to a registry, and can overwrite restored volume data.
Instruction Scope
The instructions disclose stopping containers, pushing backup images, dry-run support, and restore overwrite risk; users should still treat backup and restore commands as high-impact operations.
Install Mechanism
Although the documentation emphasizes a fixed-digest, pre-pulled helper image, the script runs an automatic `apk add --no-cache openssl tar` inside that helper container, introducing unpinned runtime package provenance.
Credentials
Docker daemon access, registry authentication, container stopping, image push/pull, and volume creation are powerful but generally proportional to Docker volume migration.
Persistence & Privilege
The skill creates persistent registry images and local Docker volume changes; this is disclosed, but users should confirm image destinations and restore targets before running.
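How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment).
  2. Enter the install command in the chat box: /install docker-volume-backup-or-restore
  3. Once installed, call the Skill by name or trigger it with /docker-volume-backup-or-restore
  4. Provide the required inputs as described in the Skill's arguments to get structured output.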
Version history
v2.0.0
Version 2.0.0 — Major update with per-volume encryption and safer workflows

  • Encrypts and stores each Docker volume as a separate AES-256-CBC (PBKDF2) archive in the backup image.
  • Ensures secure "zero-trust" restores: restores never execute code from the backup image, only copying files out via `docker cp`.
  • Adds `--dry-run` mode to preview actions before performing backup or restore.
  • Improves backup consistency with optional exclusion of critical containers via `--exclude-stop`.
  • Updates argument handling: `--encrypt-password` is now required for all operations.
  • Images are now built from scratch to minimize attack surface and contain only encrypted data.
v1.0.0
Initial public release: backup/restore all Docker volumes via encrypted registry image; add --dry-run; auto default image naming; fix backup workdir/output conflict; support --exclude-stop for proxy containers; fix restore volume-name parsing for ./prefix tar paths.
Metadata
Slug: docker-volume-backup-or-restore
Version: 2.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 2
FAQ

What is Docker Volume Backup Or Restore?

Robust Docker volume migration and backup using per-volume encrypted archives and registry-based transport. Supports dry-runs, container exclusion, and safe... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 36 total downloads to date.

How do I install Docker Volume Backup Or Restore?

Run the command "/install docker-volume-backup-or-restore" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Docker Volume Backup Or Restore free?

Yes, Docker Volume Backup Or Restore is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Docker Volume Backup Or Restore support?

Docker Volume Backup Or Restore is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Docker Volume Backup Or Restore?

It is developed and maintained by HongWei Jiang (@ugvfpdcuwfnh); the current version is v2.0.0.
