Problem running in Docker Container on MacOS

This has been driving me nuts. I cannot get Restic to work inside a docker container on macOS. This used to work, and I suspect either a change in MacOS security / file sandboxing or a problem with docker itself. I cannot place when it stopped working, but I suspect the Sonoma upgrade.

Inside the docker container, I can read files fine from shell and from rclone (which I’m using as a backend)…but restic can’t?

/restic # restic version
restic 0.16.2 compiled with go1.21.8 on linux/arm64
/restic # restic backup -H test --tag test /backup/Restic
repository 43db434d opened (version 2, compression level auto)
no parent snapshot found, will read all files
[0:23] 100.00%  64 / 64 index files loaded
error: read /backup/Restic/test.txt: input/output error

Files:           0 new,     0 changed,     0 unmodified
Dirs:            2 new,     0 changed,     0 unmodified
Added to the repository: 726 B (581 B stored)

processed 0 files, 0 B in 0:27
snapshot 62b296bb saved
Warning: at least one source file could not be read
/restic # cat /backup/Restic/test.txt
Hello World
/restic # rclone cat /backup/Restic/test.txt
Hello World
/restic # ls -al /backup/Restic
total 4
drwxr-xr-x    3 root     root            96 Mar 16 09:24 .
drwxr-xr-x   54 root     root          1728 Mar 16 09:43 ..
-rw-r--r--    1 root     root            12 Mar 16 09:24 test.txt

I am using bind mounts of my home directory. The docker-compose file has this bind volume, and as shown above it is accessible to the container.

      - /Users/eric:/backup:ro

Try with the latest restic v0.16.4. Try with Docker v4.26.1 - it is reported by many other projects as working most reliably on Sonoma.

What is the reason to use docker here? It obviously introduces extra dependencies and opportunities to break things. Docker has a long history of problems on macOS, always changing sandboxing and security details (some call it “working as long as you don’t use it”). IMO it is the wrong technology for the job unless your goal is fixing Docker problems on macOS. restic does not have any dependencies and running it in some container does not bring any added value.

Hm, I can’t repro this under linux (I don’t have a MacOS machine to test):

❯ sudo docker run -d -it --mount type=bind,source=/backup,target=/backup,readonly --entrypoint=/bin/sh restic/restic 
/ # ls -lha /backup/Restic
total 4K
drwxr-xr-x    1 root     root          16 Mar 17 16:47 .
drwxr-xr-x    1 root     root          12 Mar 17 16:46 ..
-rw-r--r--    1 root     root          36 Mar 17 16:47 test.txt
/ # cat /backup/Restic/test.txt
Sphinx of black quartz judge my vow
/ # restic backup -r /restic-repo -H test --tag test /backup/Restic
enter password for repository:
repository e09e4b7f opened (version 2, compression level auto)
created new cache in /root/.cache/restic
no parent snapshot found, will read all files

Files:           1 new,     0 changed,     0 unmodified
Dirs:            2 new,     0 changed,     0 unmodified
Added to the repository: 1.406 KiB (1.261 KiB stored)

processed 1 files, 36 B in 0:00
snapshot 79bb7721 saved

It could be worth testing alternative paths to see if this is limited to just the /Users dir. Also, I’d try dropping the read-only flag, because simplifying the config as much as possible in the name of troubleshooting seems prudent.

I actually stumbled upon your reddit post when googling to see if there were any other reports of this sort of behaviour with other apps and docker. It might be worth also posting on the docker forums if you haven’t already to see if they have any ideas about approaching this from the docker end (I’m assuming you’re running the container using Docker CE/Docker Desktop, if not then disregard).

Beyond that, I can’t think of anything else to try right now. Perhaps someone else with MacOS or docker experience can chime in.

My reason for using docker is simply consistent configurations / deployments across many machines. This is how I have it deployed across all my Raspberry Pis.

I didn’t want to get into crontabs on each host, different installed versions of rclone, restic, etc., but I guess for MacOS that’s what I will have to do, unless someone has other ideas. I guess I could go true VMs instead of Docker but that seems like overkill.

Agree here. There is native restic for both Intel and ARM. Not sure what VM would be for really.