add --stdin-from-command flag to backup command

[sebhoss]

What does this PR change? What problem does it solve?

This fixes #4251 by providing the requested --stdin-from-command flag to the restic backup command. It skips snapshot creation in case the given commands fails as determined by exec.Cmd.Wait() and returns the stderr of the given command as an error message back to the user.

I have not written any tests, nor documentation because I wanted to get some feedback about the path taken here wrt. upstream inclusion first. I am seeing various test failures in existing tests but these seem to be unrelated and might just occur because I'm building/testing the project within a container. Using these changes locally does look promising though:

$ ./restic backup --stdin-from-command --repo ./backup -- pg_dump -h foobar
enter password for repository: 
repository 55e7d5a0 opened (version 2, compression level auto)
using parent snapshot cc6e1dec
error: read /stdin: no data read
Fatal: unable to save snapshot: pg_dump: error: connection to database "root" failed: could not translate host name "foobar" to address: No address associated with hostname

Was the change previously discussed in an issue or on the forum?

Closes #4251

Checklist

• I have read the contribution guidelines.
• I have enabled maintainer edits.
• I have added tests for all code changes.
• I have added documentation for relevant changes (in the manual).
• There's a new file in changelog/unreleased/ that describes the changes for our users (see template).
• I have run gofmt on the code in all commits.
• All commit messages are formatted in the same style as the other commits in the repo.
• I'm done! This pull request is ready for review.

[Enrico204]

LGTM! I think that this option should be strongly suggested in the documentation in place of the current "stdin procedure".

Maybe we want to unset some sensible environment variables? (e.g., RESTIC_PASSWORD)

[sebhoss]

Thanks for the review!

That's a good point about environment variables - I completely missed that requirement from the original ticket and thus the current code executes without any environment variables. However inheriting them and unsetting some sensible ones makes sense to me!

[Enrico204]

AFAIK, exec.CommandContext is creating a exec.Cmd with the default value (nil) in the .Env field. According to the documentation, a nil value in .Env will instruct Go to inherit the current environment set. So, the current code is already passing all env to the child process (which seems the same behavior as Borg's).

A very rough way might be to remove all prefixed variables indicated in the documentation:

diff --git a/cmd/restic/cmd_backup.go b/cmd/restic/cmd_backup.go
index ee355bb42..2068d5e6b 100644
--- a/cmd/restic/cmd_backup.go
+++ b/cmd/restic/cmd_backup.go
@@ -608,6 +608,20 @@ func runBackup(ctx context.Context, opts BackupOptions, gopts GlobalOptions, ter
                        if err != nil {
                                return err
                        }
+
+                       for _, v := range os.Environ() {
+                               if !strings.HasPrefix(v, "RESTIC_") &&
+                                       !strings.HasPrefix(v, "AWS_") &&
+                                       !strings.HasPrefix(v, "ST_") &&
+                                       !strings.HasPrefix(v, "OS_") &&
+                                       !strings.HasPrefix(v, "B2_") &&
+                                       !strings.HasPrefix(v, "AZURE_") &&
+                                       !strings.HasPrefix(v, "GOOGLE_") {
+
+                                       command.Env = append(command.Env, v)
+                               }
+                       }
+
                        if err := command.Start(); err != nil {
                                return err
                        }

Note: I haven't tested this code.

Other options include:

• resetting the environment variables list to a safe default; or
• remove specific variables (e.g. RESTIC_PASSWORD), leaving others untouched

I'd argue that the the first option is too restrictive, and the second is too much maintenance burden (maintainers/developers need to remember to add new sensitive variables in the list). So, resetting variables by their prefix may be a tradeoff.

What do you think?

[sebhoss]

Ah nice, I guess I misread the docs - thanks again!

Thinking about unsetting variables a bit more I'm concerned that it might be too magical for users since they cannot influence it directly. So maybe another option like --inherit-env=true|false would make sense? Using this flag, users could control wheher the command they are executing inherits all or none of the availble env variables.

Edit: Or maybe something like --filter-env='RESTIC_*' to remove specific variables and --filter-env='*' to remove them all?

[Enrico204]

While I agree that it might seem magical, I think too many knobs are equally bad. I don't see any use case for RESTIC_* variables to be passed to the child program, and, in any case, one can still "restore" variables for the child command using env. For example:

$ restic backup \
   --stdin-from-command \
   --repo ./backup \
   -- env RESTIC_REPOSITORY=$RESTIC_REPOSITORY pg_dump -h foobar

So, if a variable is removed, it can be re-added explicitly (it's safe - a pattern might match more/fewer variables tomorrow).

This needs to be clearly documented, of course :-)

[sebhoss]

Yeah I agree that too many knobs do not feel that good either. I think in the end I would probably just leave this as-is given that 1) borg seems to be fine with that 2) the current --stdin procedure works like that as well and 3) users can overwrite/unset variables as you have shown in your last snippet anyway.

[Enrico204]

I am testing your branch for some real world backup in my personal/lab. For now, everything is working as expected :-)

[MichaelEischer]

I'm in favor of adding a --stdin-from-command option (or maybe --content-from-command). Implementation-wise, it shouldn't be necessary to modify the archiver at all; the fs.FS interface should be generic enough to abstract away everything.

[MichaelEischer]

please use && !opts.StdinCommand

[MichaelEischer]

This will deadlock if a process writes too much data to stderr. Please handle stderr similar as in the rclone/sftp backend.

[MichaelEischer]

There's no need to modify the archiver. Instead, the Close() error part of the ReadCloser of fs.Reader should wait for the command to exit and return an error if necessary.

[MichaelEischer]

cmdErr should not be dropped. It should at least be part of the returned error message.

[MichaelEischer]

Please move as much of the code that sets up the stdinCommand as possible out of runBackup. The latter function is already far too long.

[MichaelEischer]

I wonder whether --content-from-command (as in Borg) would be a better name or not. stdin-from-command somewhat contradicts its own description...

[sebhoss]

Implementation-wise, it shouldn't be necessary to modify the archiver at all; the fs.FS interface should be generic enough to abstract away everything.

Ok thanks for the pointer - that was exactly what I was looking for! So the idea here would be to :

1. create an implementation of fs.FS that handles command execution and related errors
2. refactor the code in runBackup to create an instance of that implementation
3. pass it in as the targetFS to the existing archiver methods

Is that correct? Should that fs.FS implementation live in the same fs package? Is this and that how you would like to handle stderr output?

[MichaelEischer]

Ok thanks for the pointer - that was exactly what I was looking for! So the idea here would be to :

1. create an implementation of `fs.FS` that handles command execution and related errors

Judging from https://github.com/restic/restic/pull/4254/files#diff-30d8672eafa9c0585766b6f437530377563cd1aac5606674c366f3ede4abea9eR618 an fs.FS implementation that wraps fs.Reader might work here.

2. refactor the code in `runBackup` to create an instance of that implementation

3. pass it in as the `targetFS` to the existing archiver methods

Yes.

Should that fs.FS implementation live in the same fs package? Is this and that how you would like to handle stderr output?

The fs package is probably the best place for now. And yep, I was referring to the goroutine that reads from stderr of the subprocess.

[MichaelEischer]

@sebhoss Are you still interested in working on this PR?

[sebhoss]

Yes & no - we don't have any immediate pressure at work to get this in anymore, so I put this on my ever growing todo list. I still think that this would be a nice addition but I'm not sure when I'll be able to finish this. I'm fine with closing this PR in case you are doing some summer cleanups or re-assigning this to someone else(?)

[Enrico204]

I can take over this PR. I am using the code here on a daily basis at home for backups, and I will be happy to have it merged :-)

However, don't I think I will be able to continue in this PR as the branch is from @sebhoss's repo, so maybe I can fork & create a new pull request with the same code, and then apply the suggestions from @MichaelEischer. What do you think?

[MichaelEischer]

@Enrico204 Sounds good. Go ahead and create a new PR, I'll close the old PR afterwards.

[MichaelEischer]

Superseded by #4410.