This is a Docker container for CrashPlan.
The GUI of the application is accessed through a modern web browser (no installation or configuration needed on the client side) or via any VNC client.
IMPORTANT: CrashPlan for Home, the version implemented by this container, is being decommissioned. One of the choice users have is to migrate to CrashPlan PRO (aka CrashPlan for Small Business).
To do so, the jlesage/crashplan-pro Docker container can be used. Make sure to read the related documentation for a smooth transition.
CrashPlan makes it easy to protect your digital life, so you can get back to what’s important in real life. Only CrashPlan offers totally free local and offsite backup. A subscription to the cloud backup service gets you continuous backup, mobile file access and lots more. For the ultimate in computer backup, get all three, from the same easy application.
- Docker container for CrashPlan
NOTE: The Docker command provided in this quick start is given as an example and parameters should be adjusted to your need.
Launch the CrashPlan docker container with the following command:
docker run -d \
--name=crashplan \
-p 5800:5800 \
-v /docker/appdata/crashplan:/config:rw \
-v $HOME:/storage:ro \
jlesage/crashplan
Where:
/docker/appdata/crashplan: This is where the application stores its configuration, log and any files needing persistency.$HOME: This location contains files from your host that need to be accessible by the application.
Browse to http://your-host-ip:5800 to access the CrashPlan GUI.
Files from the host appear under the /storage folder in the container.
docker run [-d] \
--name=crashplan \
[-e <VARIABLE_NAME>=<VALUE>]... \
[-v <HOST_DIR>:<CONTAINER_DIR>[:PERMISSIONS]]... \
[-p <HOST_PORT>:<CONTAINER_PORT>]... \
jlesage/crashplan
| Parameter | Description |
|---|---|
| -d | Run the container in the background. If not set, the container runs in the foreground. |
| -e | Pass an environment variable to the container. See the Environment Variables section for more details. |
| -v | Set a volume mapping (allows to share a folder/file between the host and the container). See the Data Volumes section for more details. |
| -p | Set a network port mapping (exposes an internal container port to the host). See the Ports section for more details. |
To customize some properties of the container, the following environment
variables can be passed via the -e parameter (one for each variable). Value
of this parameter has the format <VARIABLE_NAME>=<VALUE>.
| Variable | Description | Default |
|---|---|---|
USER_ID |
ID of the user the application runs as. See User/Group IDs to better understand when this should be set. | 1000 |
GROUP_ID |
ID of the group the application runs as. See User/Group IDs to better understand when this should be set. | 1000 |
SUP_GROUP_IDS |
Comma-separated list of supplementary group IDs of the application. | (unset) |
UMASK |
Mask that controls how file permissions are set for newly created files. The value of the mask is in octal notation. By default, this variable is not set and the default umask of 022 is used, meaning that newly created files are readable by everyone, but only writable by the owner. See the following online umask calculator: http://wintelguy.com/umask-calc.pl |
(unset) |
TZ |
TimeZone of the container. Timezone can also be set by mapping /etc/localtime between the host and the container. |
Etc/UTC |
KEEP_APP_RUNNING |
When set to 1, the application will be automatically restarted if it crashes or if a user quits it. |
0 |
APP_NICENESS |
Priority at which the application should run. A niceness value of -20 is the highest priority and 19 is the lowest priority. By default, niceness is not set, meaning that the default niceness of 0 is used. NOTE: A negative niceness (priority increase) requires additional permissions. In this case, the container should be run with the docker option --cap-add=SYS_NICE. |
(unset) |
CLEAN_TMP_DIR |
When set to 1, all files in the /tmp directory are deleted during the container startup. |
1 |
DISPLAY_WIDTH |
Width (in pixels) of the application's window. | 1280 |
DISPLAY_HEIGHT |
Height (in pixels) of the application's window. | 768 |
SECURE_CONNECTION |
When set to 1, an encrypted connection is used to access the application's GUI (either via a web browser or VNC client). See the Security section for more details. |
0 |
VNC_PASSWORD |
Password needed to connect to the application's GUI. See the VNC Password section for more details. | (unset) |
X11VNC_EXTRA_OPTS |
Extra options to pass to the x11vnc server running in the Docker container. WARNING: For advanced users. Do not use unless you know what you are doing. | (unset) |
ENABLE_CJK_FONT |
When set to 1, open-source computer font WenQuanYi Zen Hei is installed. This font contains a large range of Chinese/Japanese/Korean characters. |
0 |
CRASHPLAN_SRV_MAX_MEM |
Maximum amount of memory the CrashPlan Engine is allowed to use. One of the following memory unit (case insensitive) should be added as a suffix to the size: G, M or K. By default, when this variable is not set, a maximum of 1024MB (1024M) of memory is allowed. NOTE: Setting this variable as the same effect as running the java mx VALUE, restart command from the CrashPlan command line. |
(unset) |
The following table describes data volumes used by the container. The mappings
are set via the -v parameter. Each mapping is specified with the following
format: <HOST_DIR>:<CONTAINER_DIR>[:PERMISSIONS].
| Container path | Permissions | Description |
|---|---|---|
/config |
rw | This is where the application stores its configuration, log and any files needing persistency. |
/storage |
ro | This location contains files from your host that need to be accessible by the application. |
/backupArchives |
rw | This is where inbound backups are stored. |
Here is the list of ports used by the container. They can be mapped to the host
via the -p parameter (one per port mapping). Each mapping is defined in the
following format: <HOST_PORT>:<CONTAINER_PORT>. The port number inside the
container cannot be changed, but you are free to use any port on the host side.
| Port | Mapping to host | Description |
|---|---|---|
| 5800 | Mandatory | Port used to access the application's GUI via the web interface. |
| 5900 | Optional | Port used to access the application's GUI via the VNC protocol. Optional if no VNC client is used. |
| 4242 | Optional | Port used by CrashPlan for computer-to-computer backups. No need to expose this port if this feature is not used. NOTE: Because this port is reported by CrashPlan to other devices signed to your account, the port mapped on the host side must be the same (i.e. 4242). |
As can be seen, environment variables, volume and port mappings are all specified while creating the container.
The following steps describe the method used to add, remove or update parameter(s) of an existing container. The general idea is to destroy and re-create the container:
- Stop the container (if it is running):
docker stop crashplan
- Remove the container:
docker rm crashplan
- Create/start the container using the
docker runcommand, by adjusting parameters as needed.
NOTE: Since all application's data is saved under the /config container
folder, destroying and re-creating a container is not a problem: nothing is lost
and the application comes back with the same state (as long as the mapping of
the /config folder remains the same).
Here is an example of a docker-compose.yml file that can be used with
Docker Compose.
Make sure to adjust according to your needs. Note that only mandatory network ports are part of the example.
version: '3'
services:
crashplan:
image: jlesage/crashplan
ports:
- "5800:5800"
volumes:
- "/docker/appdata/crashplan:/config:rw"
- "$HOME:/storage:ro"Because features are added, issues are fixed, or simply because a new version of the containerized application is integrated, the Docker image is regularly updated. Different methods can be used to update the Docker image.
The system used to run the container may have a built-in way to update containers. If so, this could be your primary way to update Docker images.
An other way is to have the image be automatically updated with Watchtower. Watchtower is a container-based solution for automating Docker image updates. This is a "set and forget" type of solution: once a new image is available, Watchtower will seamlessly perform the necessary steps to update the container.
Finally, the Docker image can be manually updated with these steps:
- Fetch the latest image:
docker pull jlesage/crashplan
- Stop the container:
docker stop crashplan
- Remove the container:
docker rm crashplan
- Create and start the container using the
docker runcommand, with the the same parameters that were used when it was deployed initially.
For owners of a Synology NAS, the following steps can be used to update a container image.
- Open the Docker application.
- Click on Registry in the left pane.
- In the search bar, type the name of the container (
jlesage/crashplan). - Select the image, click Download and then choose the
latesttag. - Wait for the download to complete. A notification will appear once done.
- Click on Container in the left pane.
- Select your CrashPlan container.
- Stop it by clicking Action->Stop.
- Clear the container by clicking Action->Reset (or Action->Clear if you don't have the latest Docker application). This removes the container while keeping its configuration.
- Start the container again by clicking Action->Start. NOTE: The container may temporarily disappear from the list while it is re-created.
For unRAID, a container image can be updated by following these steps:
- Select the Docker tab.
- Click the Check for Updates button at the bottom of the page.
- Click the update ready link of the container to be updated.
When using data volumes (-v flags), permissions issues can occur between the
host and the container. For example, the user within the container may not
exist on the host. This could prevent the host from properly accessing files
and folders on the shared volume.
To avoid any problem, you can specify the user the application should run as.
This is done by passing the user ID and group ID to the container via the
USER_ID and GROUP_ID environment variables.
To find the right IDs to use, issue the following command on the host, with the user owning the data volume on the host:
id <username>
Which gives an output like this one:
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),24(cdrom),27(sudo),46(plugdev),113(lpadmin)
The value of uid (user ID) and gid (group ID) are the ones that you should
be given the container.
Assuming that container's ports are mapped to the same host's ports, the graphical interface of the application can be accessed via:
- A web browser:
http://<HOST IP ADDR>:5800
- Any VNC client:
<HOST IP ADDR>:5900
By default, access to the application's GUI is done over an unencrypted connection (HTTP or VNC).
Secure connection can be enabled via the SECURE_CONNECTION environment
variable. See the Environment Variables section for
more details on how to set an environment variable.
When enabled, application's GUI is performed over an HTTPs connection when accessed with a browser. All HTTP accesses are automatically redirected to HTTPs.
When using a VNC client, the VNC connection is performed over SSL. Note that few VNC clients support this method. SSVNC is one of them.
SSVNC is a VNC viewer that adds encryption security to VNC connections.
While the Linux version of SSVNC works well, the Windows version has some
issues. At the time of writing, the latest version 1.0.30 is not functional,
as a connection fails with the following error:
ReadExact: Socket error while reading
However, for your convenience, an unofficial and working version is provided here:
https://github.com/jlesage/docker-baseimage-gui/raw/master/tools/ssvnc_windows_only-1.0.30-r1.zip
The only difference with the official package is that the bundled version of
stunnel has been upgraded to version 5.49, which fixes the connection
problems.
Here are the certificate files needed by the container. By default, when they are missing, self-signed certificates are generated and used. All files have PEM encoded, x509 certificates.
| Container Path | Purpose | Content |
|---|---|---|
/config/certs/vnc-server.pem |
VNC connection encryption. | VNC server's private key and certificate, bundled with any root and intermediate certificates. |
/config/certs/web-privkey.pem |
HTTPs connection encryption. | Web server's private key. |
/config/certs/web-fullchain.pem |
HTTPs connection encryption. | Web server's certificate, bundled with any root and intermediate certificates. |
NOTE: To prevent any certificate validity warnings/errors from the browser or VNC client, make sure to supply your own valid certificates.
NOTE: Certificate files are monitored and relevant daemons are automatically restarted when changes are detected.
To restrict access to your application, a password can be specified. This can be done via two methods:
- By using the
VNC_PASSWORDenvironment variable. - By creating a
.vncpass_clearfile at the root of the/configvolume. This file should contain the password in clear-text. During the container startup, content of the file is obfuscated and moved to.vncpass.
The level of security provided by the VNC password depends on two things:
- The type of communication channel (encrypted/unencrypted).
- How secure the access to the host is.
When using a VNC password, it is highly desirable to enable the secure connection to prevent sending the password in clear over an unencrypted channel.
ATTENTION: Password is limited to 8 characters. This limitation comes from the Remote Framebuffer Protocol RFC (see section 7.2.2). Any characters beyond the limit are ignored.
The following sections contain NGINX configurations that need to be added in order to reverse proxy to this container.
A reverse proxy server can route HTTP requests based on the hostname or the URL path.
In this scenario, each hostname is routed to a different application/container.
For example, let's say the reverse proxy server is running on the same machine
as this container. The server would proxy all HTTP requests sent to
crashplan.domain.tld to the container at 127.0.0.1:5800.
Here are the relevant configuration elements that would be added to the NGINX configuration:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream docker-crashplan {
# If the reverse proxy server is not running on the same machine as the
# Docker container, use the IP of the Docker host here.
# Make sure to adjust the port according to how port 5800 of the
# container has been mapped on the host.
server 127.0.0.1:5800;
}
server {
[...]
server_name crashplan.domain.tld;
location / {
proxy_pass http://docker-crashplan;
}
location /websockify {
proxy_pass http://docker-crashplan;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 86400;
}
}
In this scenario, the hostname is the same, but different URL paths are used to route to different applications/containers.
For example, let's say the reverse proxy server is running on the same machine
as this container. The server would proxy all HTTP requests for
server.domain.tld/crashplan to the container at 127.0.0.1:5800.
Here are the relevant configuration elements that would be added to the NGINX configuration:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream docker-crashplan {
# If the reverse proxy server is not running on the same machine as the
# Docker container, use the IP of the Docker host here.
# Make sure to adjust the port according to how port 5800 of the
# container has been mapped on the host.
server 127.0.0.1:5800;
}
server {
[...]
location = /crashplan {return 301 $scheme://$http_host/crashplan/;}
location /crashplan/ {
proxy_pass http://docker-crashplan/;
location /crashplan/websockify {
proxy_pass http://docker-crashplan/websockify/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 86400;
}
}
}
To get shell access to the running container, execute the following command:
docker exec -ti CONTAINER sh
Where CONTAINER is the ID or the name of the container used during its
creation (e.g. crashplan-pro).
By default, the container runs in bridge mode networking. This is the best way to go, unless your CrashPlan container is the backup destination of other devices on your local network (LAN).
In this network mode, a private IP address on an isolated subnet is assigned to
containers. For example, devices on your LAN may have IP addresses in the
192.168.1.x subnet, while containers have IP addresses in the 172.17.x.x
range. Thus, CrashPlan detects and reports a local/internal IP address in the
172.17.x.x subnet, something that other devices on your LAN cannot reach.
NOTE: The problem described here doesn't affect the scenario where your CrashPlan container is the backup destination of other devices located outside your LAN (i.e. over the Internet). In this case, CrashPlan uses your public IP address, which is properly detected no matter the networking mode.
The first solution to this issue is to add a static route on your router to allow other devices to reach your CrashPlan container. The way to configure routes is different for each router, but here is the route information you will need:
Subnet IP address: 172.17.0.0
Subnet mask: 255.255.0.0
Subnet prefix size: /16
Gateway: IP address of your Docker host
The second solution is to run the container in host mode networking. This mode
effectively disables network isolation of a Docker container. The container
shares the networking namespace of the host, meaning that it shares the same IP
address and is directly exposed to your LAN. Consequently, port mappings are
note used/needed. Note that this mode increases chances to conflict with other
containers or services running on the host. To enable the host mode networking,
run the container with the --net=host parameter.
For more information, see the Docker container networking documentation.
If this container is replacing a CrashPlan installation (from Linux, Windows, MAC or another Docker container), your existing backup can be taken over to avoid re-uploading all your data.
To proceed, make sure to carefully read the official documentation.
Here is a summary of what needs to be done:
- Start CrashPlan Docker container. Make sure the configuration directory if not mapped to a folder used by a different CrashPlan container.
- Sign in to your account.
- Perform an adoption. There is a gray banner asking you to do so.
- Once done, you will probably see missing items in the file selection. This is normal, since path to your files is different in the container.
- Update the file selection by re-adding your files. Do not unselect missing items yet.
- Perform a backup. Because of deduplication, files will not be uploaded again.
- Once the backup is terminated, you can remove missing items if you don't care about file versions. Else, keep missing items.
- If you are the destination for other computers, you have to adjust the
location of previous backup archives. In the
Inboundsection, if some of your friends have the messageBackup disabled - backup location is not accessible: click on the name, then update the location. It should be under/backupArchives/<Computer ID>.
If CrashPlan crashes unexpectedly with large backups, try to increase the maximum amount of memory CrashPlan is allowed to use. This can be done by:
- Setting the
CRASHPLAN_SRV_MAX_MEMenvironment variable. See the Environment Variables section for more details. - Using the solution provided by CrashPlan from its support site.
If CrashPlan exceeds inotify's max watch limit, real-time file watching cannot work properly and the inotify watch limit needs to be increased on the host, not the container.
For more details, see the CrashPlan's Linux real-time file watching errors article.
On Synology NAS, the instuctions provided by the article mentioned in the
previous section apply, except that the inotify's max watch limit must be set in
/etc.defaults/sysctl.conf (instead of /etc/sysctl.conf) to make the setting
permanent.
NOTE: After an upgrade of the DSM software, verify that the content of the file has not been overwritten.
If you have connection issues between your computers, make sure to read the [Connection between computers] article from CrashPlan support site.
When changing the inbound backup port from CrashPlan settings, don't forget to
also add the proper port mapping when running the container. For example, if
the listening port is changed to 12345, the option -p 12345:12345 needs to
be added to the docker run command.
After entering a command in the command-line interface, the window immediately disappear. This is a known issue, but it should be noted that the requested command is still executed as requested.
If the result and/or output of the command is needed, consult the log file
located at log/service.log.0 in the config directory of container. Here is
an example of log messages produced when running the version command:
[03.05.18 06:03:17.179 INFO MQ-UI-1 backup42.service.ui.UIController] UserActionRequest: CommandMessage[version]
[03.05.18 06:03:17.179 INFO MQ-UI-1 kup42.common.command.CliExecutor] RUN COMMAND: version > CommandResult@1111973668[ version, success=true, result=4.8.4 - 1436674800484 (2015-07-12T04:20:00:484+0000) - Build: 15 ]
The list of available commands can be consulted online.
CrashPlan can be configured to require a password to access the application. Enabling this option ensures no one else can make changes to settings or restore files without the account password.
Sign-in is needed when the application is started. Since the application is always running in this container, a manual step is required to replace the action of closing the application:
- Double click on the CrashPlan logo to open the command-line interface.
- Type
exitand then press the Enter key.
After a few seconds, the CrashPlan application closes and then automatically restarts. At this point, password of the account is required to continue.
Because the CrashPlan's self-upgrade feature is disabled in this container, an error message about failed upgrade can be seen when a new CrashPlan version is released.
To fix this, updating the container's image to the latest version will also bring the latest version of CrashPlan.
Having troubles with the container or have questions? Please create a new issue.
For other great Dockerized applications, see https://jlesage.github.io/docker-apps.