backblaze-personal-wine-container

About backblaze-personal-wine-container

Run the Backblaze personal backup client in a docker container

Platforms

Web Self-hosted Docker Linux

Languages

Shell

Backblaze Personal Wine Community Container

This Docker container runs the Backblaze personal backup client via WINE, so that you can back up your files with the separation and portability capabilities of Docker on Linux.

It runs the Backblaze client and starts a virtual X server and a VNC server with Web GUI, so that you can interact with it.

⚠️ This project is not affiliated with Backblaze Inc. ⚠️

Project Status

This docker should just work for most people. But if you, for example, have a complex permissions setup in the filesystem you are trying to back up, you will need good knowledge of docker to get it set up.

Still, please be attentive during the install process: by design, the docker has read/write access to all the data you are trying to back up, and if you make a grave mistake you could delete stuff.

Docker Images

Content

Here are the main components of this image:

  • S6-overlay, a process supervisor for containers.
  • x11vnc, a X11 VNC server.
  • xvfb, a X virtual framebuffer display server.
  • openbox, a windows manager.
  • noVNC, a HTML5 VNC client.
  • NGINX, a high-performance HTTP server.
  • stunnel, a proxy encrypting arbitrary TCP connections with SSL/TLS.
  • WINE, a compatibility layer for windows applications on Linux
  • Winetricks is a helper script to download and install various redistributable runtime libraries needed to run some programs in Wine
  • Backblaze Personal Backup

Tags

| Tag | Description |
| --- | --- |
| latest | Latest stable version of the image based on ubuntu 22.04 |
| ubuntu22 | Latest stable version of the image based on ubuntu 22.04 |
| ubuntu24 | Latest stable version of the image based on ubuntu 24.04 |
| v1.x | Versioned stable releases based on ubuntu 22.04 |
| main | Automatic build of the main branch (may be unstable) based on ubuntu 22.04 |

The previous ubuntu18 and ubuntu20 images are end-of-life and are no longer built.

Platforms

| Platform | Support |
| --- | --- |
| linux/amd64 | Fully supported |
| linux/arm64 | Currently no support (maybe in the future) |
| linux/arm/v7 | No support |
| linux/arm/v6 | No support |
| linux/riscv64 | Currently no support (maybe in the future) |
| linux/s390x | No support |
| linux/ppc64le | No support |
| linux/386 | No support |

As Backblaze runs on Windows and MacOS, there is no point in supporting these platforms.

Environment Variables

Environment variables can be set by adding one or more arguments -e "<VAR>=<VALUE>" to the docker run command.

| Variable | Description | Default |
| --- | --- | --- |
| DISABLE_VIRTUAL_DESKTOP | Disables Wine's Virtual Desktop Mode | true |
| DISABLE_AUTOUPDATE | When true, the container never updates the installed Backblaze client (it stays on the version that was current when it was first installed). When false, the container checks Backblaze's client-version feed on start and reinstalls the latest release if a newer one is available. | true |
| FORCE_LATEST_UPDATE | Deprecated / no-op. Backblaze no longer publishes old installer versions and the Internet Archive no longer mirrors them, so there is no "pinned" version to choose anymore; the container always installs the current release from backblaze.com. Kept only for backwards compatibility. | (ignored) |
| ENABLE_NETWORK_MOUNT_MASKING | When true, network-backed mounts (NFS/SMB/CIFS) are overlaid with a local overlayfs so Backblaze treats them as fixed disks and backs them up (Backblaze otherwise refuses network drives). Requires the container to run with cap_add: SYS_ADMIN and security_opt: apparmor:unconfined. Leave unset for local mounts. See Volumes → Option 2 (network shares). | (unset) |
| UMASK | Mask that controls how file permissions are set for newly created files. The value of the mask is in octal notation. By default, this variable is not set and the default umask of 022 is used, meaning that newly created files are readable by everyone, but only writable by the owner. See the following online umask calculator: http://wintelguy.com/umask-calc.pl | (unset) |
| TZ | TimeZone of the container. Timezone can also be set by mapping /etc/localtime between the host and the container. | Etc/UTC |
| APP_NICENESS | Priority at which the application should run. A niceness value of -20 is the highest priority and 19 is the lowest priority. By default, niceness is not set, meaning that the default niceness of 0 is used. NOTE: A negative niceness (priority increase) requires additional permissions. In this case, the container should be run with the docker option --cap-add=SYS_NICE. | (unset) |
| USER_ID | When mounting docker-volumes, permission issues can arise between the docker host and the container. You can pass the User_ID permissions to the container with this variable. | 1000 |
| GROUP_ID | When mounting docker-volumes, permission issues can arise between the docker host and the container. You can pass the Group_ID permissions to the container with this variable. | 1000 |
| CLEAN_TMP_DIR | When set to 1, all files in the /tmp directory are deleted during the container startup. | 1 |
| DISPLAY_WIDTH | Width (in pixels) of the virtual screen's window. (Has to be divisible by 4) | 900 |
| DISPLAY_HEIGHT | Height (in pixels) of the virtual screen's window. (Has to be divisible by 4) | 700 |
| SECURE_CONNECTION | When set to 1, an encrypted connection is used to access the application's GUI (either via a web browser or VNC client). See the Security section for more details. | 0 |
| VNC_PASSWORD | Password needed to connect to the application's GUI. See the VNC Password section for more details. | (unset) |
| X11VNC_EXTRA_OPTS | Extra options to pass to the x11vnc server running in the Docker container. WARNING: For advanced users. Do not use unless you know what you are doing. | (unset) |
| ENABLE_CJK_FONT | When set to 1, open-source computer font WenQuanYi Zen Hei is installed. This font contains a large range of Chinese/Japanese/Korean characters. | 0 |
| STARTUP_LOGFILE | The location for writing logs of the startup script, responsible for installing and starting the Backblaze app. The default path is also backed up to Backblaze. | /config/wine/dosdevices/c:/backblaze-wine-startapp.log |

Config Directory

Inside the container, Wine's configuration, and with it Backblaze's configuration, is stored in the /config/wine/ directory.

This directory is also used to store the VNC password. See the VNC Password section for more details.

Ports

Here is the list of ports used by the container. They can be mapped to the host via the -p <HOST_PORT>:<CONTAINER_PORT> parameter. The port number inside the container cannot be changed, but you are free to use any port on the host side.

| Port | Mapping to host | Description |
| --- | --- | --- |
| 5800 | Mandatory | Port used to access the application's GUI via the web interface. |
| 5900 | Optional | Port used to access the application's GUI via the VNC protocol. Optional if no VNC client is used. |

Volumes

The container always needs the config volume, plus at least one drive to back up:

  • /config - where Wine and the Backblaze client are installed and keep their state. Mount a persistent volume or host directory here.
  • One or more backup drives - the data you want to back up. How you provide them depends on whether the source is a local folder or a network share - see the two options below.

Which option do I need?

  • Backing up folders on the Docker host's own disks → Option 1 (nothing special required).
  • Backing up an NFS/SMB share from a NAS (TrueNAS, Synology, Unraid user share, …) → Option 2 (a few extra lines required).

Option 1 - Local folders (default)

Mount any local host directory as /drive_<letter> (anything from d to z). It is exposed to Backblaze automatically as the matching drive letter - /drive_d → D:, /drive_e → E:, and so on. Nothing else is required.

Local folders must be mounted read-write (the default): Backblaze writes a small .bzvol marker into the root of every drive it backs up, so a read-only mount will not work here.

services:
  backblaze:
    image: tessypowder/backblaze-personal-wine:latest
    volumes:
      - ./config:/config
      - /srv/photos:/drive_d        # local folder, read-write
      - /srv/documents:/drive_e     # local folder, read-write
    ports:
      - "5800:5800"

After the first start, open the web UI and tick the drive(s) under Settings → "Select Hard Drives to Backup".

Option 2 - Network shares (NAS / NFS / SMB / CIFS)

Backblaze deliberately refuses to back up network drives, and Wine reports any NFS/SMB/CIFS mount as a network drive - so a plain network mount shows up but is skipped (the long-standing issues #43 / #67).

When ENABLE_NETWORK_MOUNT_MASKING=true, the container works around this by transparently overlaying the network mount with a local overlayfs, so Wine - and therefore Backblaze - sees a normal fixed disk and backs it up.

Mount the share as /drive_<letter> just like a local folder, and add the three settings marked with "<--":

services:
  backblaze:
    image: tessypowder/backblaze-personal-wine:latest
    volumes:
      - ./config:/config
      - /mnt/nas/media:/drive_d:ro        # NFS/SMB share, mounted read-only
    ports:
      - "5800:5800"
    environment:
      - ENABLE_NETWORK_MOUNT_MASKING=true # <-- enables the workaround
    cap_add:
      - SYS_ADMIN                         # <-- required to perform the overlay mount
    security_opt:
      - apparmor:unconfined               # <-- required to perform the overlay mount

Important:

  • Only network shares need this. If you back up local folders (Option 1), do not add these privileges.
  • SYS_ADMIN + apparmor:unconfined are required so the container is allowed to run the overlay mount(2). They widen the container's privileges - add them only when you actually back up a network share.
  • Mount network shares read-only (:ro) - recommended. The share is only ever read, and Backblaze's own bookkeeping (the .bzvol marker) is written into /config, never onto the share. Mounting read-only guarantees Backblaze can never modify or delete your NAS data.
  • If the feature is left off (or the privileges are missing), the container still starts normally and local drives keep working - the network share is just skipped.

Mounting a drive at a custom path (advanced)

If your data is mounted somewhere other than /drive_<letter>, you can link it into Wine manually instead:

  1. Add your storage path as a wine drive, so Backblaze can access it

     docker exec --user app backblaze_personal_backup ln -s /backup_volume/ /config/wine/dosdevices/d:
  2. Restart the docker to get Backblaze to recognize the new drive

     docker restart backblaze_personal_backup
  3. Reload the Web Interface


Accessing the GUI

Assuming that the container's ports are mapped to the same ports on the host, the graphical interface of the application can be accessed via:

  • A web browser:

    http://<HOST IP ADDR>:5800
  • Any VNC client:

    <HOST IP ADDR>:5900

Security

By default, access to the application's GUI is done over an unencrypted connection (HTTP or VNC).

A secure connection can be enabled via the SECURE_CONNECTION environment variable. See the Environment Variables section for more details on how to set an environment variable.

When enabled, the application's GUI is served over an HTTPS connection when accessed with a browser. All HTTP accesses are automatically redirected to HTTPS.

When using a VNC client, the VNC connection is performed over SSL. Note that few VNC clients support this method. SSVNC is one of them.

SSVNC

SSVNC is a VNC viewer that adds encryption security to VNC connections.

While the Linux version of SSVNC works well, the Windows version has some issues. At the time of writing, the latest version 1.0.30 is not functional, as a connection fails with the following error:

ReadExact: Socket error while reading

However, for your convenience, an unofficial and working version is provided here:

https://github.com/jlesage/docker-baseimage-gui/raw/master/tools/ssvnc_windows_only-1.0.30-r1.zip

The only difference from the official package is that the bundled version of stunnel has been upgraded to version 5.49, which fixes the connection problems.

Certificates

Here are the certificate files needed by the container. By default, when they are missing, self-signed certificates are generated and used. All files are PEM encoded, x509 certificates.

| Container Path | Purpose | Content |
| --- | --- | --- |
| /config/certs/vnc-server.pem | VNC connection encryption. | VNC server's private key and certificate, bundled with any root and intermediate certificates. |
| /config/certs/web-privkey.pem | HTTPS connection encryption. | Web server's private key. |
| /config/certs/web-fullchain.pem | HTTPS connection encryption. | Web server's certificate, bundled with any root and intermediate certificates. |

NOTE: To prevent any certificate validity warnings/errors from the browser or VNC client, make sure to supply your own valid certificates.

NOTE: Certificate files are monitored and relevant daemons are automatically restarted when changes are detected.

VNC Password

To restrict access to your application, a password can be specified. This can be done via two methods:

  • By using the VNC_PASSWORD environment variable.
  • By creating a .vncpass_clear file at the root of the /config volume. This file should contain the password in clear-text. During the container startup, the content of the file is obfuscated and moved to .vncpass.

The level of security provided by the VNC password depends on two things:

  • The type of communication channel (encrypted/unencrypted).
  • How secure access to the host is.

When using a VNC password, it is highly desirable to enable the secure connection to prevent sending the password in clear over an unencrypted channel.

Access to the host by unexpected users with sufficient privileges can be dangerous as they can retrieve the password with the following methods:

  • By looking at the VNC_PASSWORD environment variable value via the docker inspect command. By default, the docker command can be run only by the root user. However, it is possible to configure the system to allow the docker command to be run by any user who is part of a specific group.
  • By decrypting the /config/.vncpass file. This requires the user to have the appropriate permission to read the file: it has to be root or be the user defined by the USER_ID environment variable. Also, to be able to retrieve the correct decryption key, one needs to know that the content of the file was generated by x11vnc.

DH Parameters

Diffie-Hellman (DH) parameters define how the DH key-exchange is performed. More details about this algorithm can be found on the OpenSSL Wiki.

DH parameters are saved into the PEM encoded file located inside the container at /config/certs/dhparam.pem. By default, when this file is missing, 2048-bit DH parameters are automatically generated. Note that this one-time operation takes some time to perform and increases the startup time of the container.

Installation Guide:

  1. Understand that this docker is a volunteer project, not a commercial product. Some tinkering is to be expected, and community-based solution finding is encouraged in the issues. If something does not work, look for an open issue about the topic; if there isn't one, create one. If there is one, read through it to see if somebody has found a workaround/fix. If you are a developer, I highly encourage you to turn your fix into a Pull Request to allow others to benefit from it.

  2. Check for yourself if using this docker complies with the Backblaze terms of service

  3. Modify the following for your setup (in terms of ports, volumes and environment variables) and run it

    (for Unraid users, instead of running this command navigate to the Apps tab, search for this docker and install it)

    NOTE: root privileges may be needed

     docker run \
         -p 8080:5800 \
         --init \
         --name backblaze_personal_backup \
         -v "[backup folder]/:/drive_d/" \
         -v "[config folder]/:/config/" \
         tessypowder/backblaze-personal-wine:latest
  4. Open the Web Interface (on the port you specified in the docker run command, in this example 8080):

  5. On the very first start the container downloads and installs the Backblaze client. The Wine environment with .NET is already prepared inside the image, so this only takes a couple of minutes. The screen may be black/empty while this runs.

  6. The UI of the first step of the Backblaze installer is broken on Wine, but it doesn't matter: just enter the email address of your Backblaze account into the input field. (If the UI does not load for you, look in the top left corner for a white pixel. Move your mouse pointer over that pixel, the pixel will go away, and the UI should load.)


  7. Press Enter


  8. Insert your password (important: keyboard locale mismatches can mess up your inputs)

    • TIP: You can use the clipboard function of the web interface, but some passwords will still not get transferred correctly. I would recommend setting your Backblaze password to a long string without special characters.


  9. Press Enter


  10. Wait for Backblaze to analyze your drives


  11. Click Ok


  12. If your [config folder] is somewhere inside the [backup folder] on the docker host side (which is the case for the Unraid template), exclude it from the backup. Otherwise you get an infinite loop of config file uploads, because those uploads change the bz_done* files in [config folder]/wine/drive_c/ProgramData/Backblaze/bzdata/bzbackup/bzdatacenter. To do so, open the web interface, open the Backblaze settings, open the "Exclusions" tab, click on "Add Folder" and in the popup navigate to My Computer -> (D:) and then to the config folder inside. For Unraid template installs this is My Computer -> (D:) -> appdata -> backblaze_personal_backup. Click on OK and close the Backblaze Settings.

  13. The Installation is done 🎉

  14. Buy a license for your Computer in the Backblaze Dashboard, just like for a normal Windows/Mac installation

Troubleshooting

  • The Backblaze Installer says it recognized a server operating system


    • Explanation: I don't know what can cause this, it seems to randomly occur on some installations

    • Solution: Stop the docker, delete the config directory, restart installation from beginning

    • (Speculation: I think this only happens, when no volume is mounted at /config/ and docker manages the folder instead of the volume)

  • The backup folder mounted as drive D is not being backed up

    • Explanation: Depending on when you added drive D to your wine configuration, the Backblaze installer might not recognize it

    • Solution:

      • Open the Backblaze settings
      • In the section "Hard Drives" in the first tab "Settings", enable the checkbox next to the drive D:\
    • Still not working:

      • Run

        docker exec --user app backblaze_personal_backup ls -la /config/wine/dosdevices/
      • The output should look like this:

          drwxr-xr-x 2 app app 4096 Jan 16 13:43 .
          drwxr-xr-x 4 app app 4096 Jan 16 14:08 ..
          lrwxrwxrwx 1 app app   10 Jan 16 13:43 c: -> ../drive_c
          lrwxrwxrwx 1 app app   10 Jan 16 13:43 d: -> /drive_d/
          lrwxrwxrwx 1 app app    1 Jan 16 13:43 z: -> /
      • If it doesn't, confirm that you've mounted the volume in the container correctly for automatic attachment or followed the manual instructions in Volumes

  • I can only see a black screen when I start the container

    • Explanation: The Docker container may have insufficient permissions to download and install Backblaze.

    • Solution:

      • Try a different run command where you explicitly pass the root ID 0 to the container:
      docker run \
          -p 8080:5800 \
          --init \
          -e USER_ID=0 \
          -e GROUP_ID=0 \
          --name backblaze_personal_backup \
          -v "[backup folder]/:/drive_d/" \
          -v "[config folder]/:/config/" \
          tessypowder/backblaze-personal-wine:latest
    • Additional 'black screen' troubleshooting for Synology devices:

      • It may be necessary to run the container with even higher permissions (--privileged)
      docker run \
          -p 8080:5800 \
          --init \
          --privileged \
          -e USER_ID=0 \
          -e GROUP_ID=0 \
          --name backblaze_personal_backup \
          -v "[backup folder]/:/drive_d/" \
          -v "[config folder]/:/config/" \
          tessypowder/backblaze-personal-wine:latest
    • For More Information: See #98, #99
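
A check that ties together the guidance from Option 2's "Important" notes, the Security and VNC Password sections, and the troubleshooting fallbacks above. This is an added example, not code from the project: the function names and finding IDs are made up here, the sample compose file is constructed, and with masking enabled it assumes every /drive_<letter> mount is a network share.

```sh
#!/bin/sh
# Added example, not project code: lint a docker-compose file for this image
# against the README's guidance. Line-based matching, not a YAML parser.
# Finding IDs (GUI-PLAINTEXT, ...) are names made up for this example.

# Constructed sample with several settings the README warns about.
sample_weak_compose() {
  cat <<'EOF'
services:
  backblaze:
    image: tessypowder/backblaze-personal-wine:latest
    privileged: true
    volumes:
      - ./config:/config
      - /srv/photos:/drive_d
    ports:
      - "5800:5800"
    environment:
      - USER_ID=0
      - VNC_PASSWORD=example-only   # constructed value
    cap_add:
      - SYS_ADMIN
    security_opt:
      - apparmor:unconfined
EOF
}

# ac_has REGEX: true if the comment-stripped config in $ac_cfg matches.
ac_has() { printf '%s\n' "$ac_cfg" | grep -Eq -- "$1"; }
# ac_flag TEXT: print one finding and remember that the audit failed.
ac_flag() { printf '%s\n' "$1"; ac_rc=1; }

# audit_compose [FILE]: audit FILE (stdin if omitted), one finding per line.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_compose() {
  # Drop full-line and trailing comments so commented-out keys do not count.
  ac_cfg=$(cat "${1:--}" | sed -e 's/^[[:space:]]*#.*//' -e 's/[[:space:]]#.*//')
  ac_rc=0

  # Security: GUI and VNC are unencrypted unless SECURE_CONNECTION=1.
  ac_has 'SECURE_CONNECTION[=:][[:space:]]*"?1' ||
    ac_flag 'GUI-PLAINTEXT: SECURE_CONNECTION is not 1'
  # VNC Password: an environment value is readable through docker inspect.
  ac_has 'VNC_PASSWORD[=:]' &&
    ac_flag 'PASSWORD-IN-ENV: use /config/.vncpass_clear instead of VNC_PASSWORD'

  if ac_has 'ENABLE_NETWORK_MOUNT_MASKING[=:][[:space:]]*"?true'; then
    # Option 2: shares are only read, so every /drive_<letter> should end :ro.
    ac_has ':/drive_[d-z]/?"?[[:space:]]*$' &&
      ac_flag 'SHARE-WRITABLE: a /drive_<letter> mount lacks :ro'
  else
    # Option 1: local folders need neither SYS_ADMIN nor apparmor:unconfined.
    ac_has 'SYS_ADMIN|apparmor[:=]unconfined' &&
      ac_flag 'EXCESS-PRIVILEGE: overlay-mount privileges without masking enabled'
  fi

  # Troubleshooting fallbacks that are easy to leave in place afterwards.
  ac_has 'privileged:[[:space:]]*"?true' &&
    ac_flag 'PRIVILEGED: grants more than SYS_ADMIN + apparmor:unconfined'
  ac_has 'USER_ID[=:][[:space:]]*"?0"?[[:space:]]*$' &&
    ac_flag 'ROOT-USER: USER_ID=0 runs the client as root'

  return "$ac_rc"
}

# Demo on the constructed sample; for a real file: audit_compose docker-compose.yml
sample_weak_compose | audit_compose || true
```

The non-zero return status on any finding makes the function usable as a gate in a deployment script; the Option 2 compose file from this page passes once SECURE_CONNECTION=1 is added to its environment.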

Additional Information

  1. Warning: The Backblaze client is not an init system (who knew) and doesn't clean up its zombie children. This will cause it to fill up your system's PID limit within a few hours which prevents new processes from being created system-wide, would not recommend.
    The --init flag installs a tiny process that can actually do a few init things like wait()ing children in place of the backblaze client as PID 1.
  2. Backblaze will create a .bzvol directory in the root of every hard drive it's configured to back up in which it'll store a full copy of files >100M split into 10M parts. Mount accordingly if you want to preserve SSD erase cycles.
  3. You can browse the files accessible to Backblaze using:
     docker exec --user app backblaze_personal_backup wine explorer
  4. You can open the Wine Config using:
     docker exec --user app backblaze_personal_backup winecfg
  5. Wine's virtual desktop mode is disabled by default (DISABLE_VIRTUAL_DESKTOP=true); the Backblaze window is shown directly. If you enable it (DISABLE_VIRTUAL_DESKTOP=false), a virtual desktop of 900x700 pixels is used (larger than the Backblaze UI window to leave room for the restore app). You can change the size with DISPLAY_WIDTH and DISPLAY_HEIGHT:
     docker run ... -e "DISPLAY_WIDTH=1280" -e "DISPLAY_HEIGHT=800" ...

Credits

This was originally developed by @Atemu (https://github.com/Atemu/backblaze-personal-wine-container).

The Backblaze name, logo and application is the property of Backblaze, Inc.

This docker does not redistribute the Backblaze application. It gets downloaded from the official Backblaze Servers during the install process.

This docker image is based on @jlesage's excellent base image.
