eea · MorganLindqvist · May 20, 2022 · May 20, 2022 · May 21, 2022 · May 21, 2022
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,14 @@
-FROM alpine:3.12
+FROM alpine:3.15
 MAINTAINER "EEA: IDM2 A-Team" <[email protected]>
 
-RUN apk add --no-cache --virtual .run-deps rsync openssh tzdata curl ca-certificates && rm -rf /var/cache/apk/*
+RUN apk add --no-cache --virtual .run-deps rsync openssh tzdata curl ca-certificates && \
+    rm -rf /var/cache/apk/* && \
+    mkdir -p /data
+
 COPY docker-entrypoint.sh /
 
+VOLUME [ "/data" ]
+EXPOSE 22
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["sh"]
diff --git a/Readme.md b/Readme.md
@@ -28,6 +28,15 @@ Start client to pack and sync every night:
 
 Copy the client SSH public key printed found in console
 
+or use a second volume to store client ssh keys between restarts, not re-created evvery time
+
+    $ docker run --name=rsync_client -v client_vol_to_sync:/data \
+                 -v storage_of_client_ssh_keys:/ssh_keys \
+                 -e CRON_TASK_1="0 1 * * * /data/pack-db.sh" \
+                 -e CRON_TASK_2="0 3 * * * rsync -e 'ssh -p 2222' -aqx --numeric-ids [email protected]:/data/ /data/" \
+             eeacms/rsync client
+
+
 ### Server setup
 
 Start server on `foo.bar.com`
@@ -37,6 +46,16 @@ Start server on `foo.bar.com`
                  -e SSH_AUTH_KEY_n="<SSH KEY FROM rsync_client_n>" \
              eeacms/rsync server
 
+or use a second volume to store client ssh keys between restarts, no need to upload keys every time
+
+    # docker run --name=rsync_server -d -p 2222:22 -v server_vol_to_sync:/data \
+                 -v storage_of_client_ssh_keys:/ssh_keys \
+                 -e SSH_AUTH_KEY_1="<SSH KEY FROM rsync_client>" \
+                 -e SSH_AUTH_KEY_n="<SSH KEY FROM rsync_client_n>" \
+             eeacms/rsync server
+
+The keys in the "SSH_AUTH_KEY_n" is appended to the keys in the file "authrozed_keys" in the volume. The resulting file is then used in the container.
+
 ### Verify that it works
 
 Add `test` file on server:

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -4,22 +4,45 @@
 # INIT
 ################################################################################
 
-mkdir -p /root/.ssh
-> /root/.ssh/authorized_keys
-chmod go-rwx /root/.ssh/authorized_keys
-sed -i "s/.*PasswordAuthentication .*/PasswordAuthentication no/g" /etc/ssh/sshd_config
+sed -i "s/#\s*PasswordAuthentication .*/PasswordAuthentication no/g" /etc/ssh/sshd_config
 sed -i 's/root:!/root:*/' /etc/shadow
 
+# Create list of authorized keys
+mkdir -p /root/.ssh
+if [ -e /ssh_keys/authorized_keys ]; then
+  echo "Starting with existing authorized keys"
+  cp /ssh_keys/authorized_keys /root/.ssh/.
+else
+  echo "No existing authorized keys, starting with empty file"
+  > /root/.ssh/authorized_keys
+fi
+
 # Provide SSH_AUTH_KEY_* via environment variable
 for item in `env`; do
    case "$item" in
        SSH_AUTH_KEY*)
             ENVVAR=`echo $item | cut -d \= -f 1`
+            echo "Adding key `printenv $ENVVAR`"
             printenv $ENVVAR >> /root/.ssh/authorized_keys
             ;;
    esac
 done
 
+# Remove any duplicates
+echo "Removing duplicate keys if present"
+sort -u /root/.ssh/authorized_keys > /tmp/u
+mv -f /tmp/u /root/.ssh/authorized_keys
+chmod go-rwx /root/.ssh/authorized_keys
+
+# Store the keys if possible
+if [ -d /ssh_keys ] ; then
+  # Using updated authorization keys
+  echo "Saving keys for the future"
+  cp -u /root/.ssh/authorized_keys /ssh_keys/
+else
+  echo "Keys not saved for the future"
+fi
+
 # Provide CRON_TASK_* via environment variable
 > /etc/crontabs/root
 for item in `env`; do
@@ -33,22 +56,55 @@ for item in `env`; do
 done
 
 # Generate host SSH keys
-if [ ! -e /etc/ssh/ssh_host_rsa_key.pub ]; then
+if [ -e /ssh_keys/ssh_host_rsa_key.pub ]; then
+  # Copy persistent host keys
+  echo "Using existing SSH host keys"
+  cp -u /ssh_keys/ssh_host* /etc/ssh/
+else
+  # Generate host SSH keys
+  echo "Generating SSH host keys"
   ssh-keygen -A
+  if [ -d /ssh_keys ]; then
+    # Store generated keys on persistent volume
+    echo "Persisting SSH host keys"
+    cp -u /etc/ssh/ssh_host_* /ssh_keys/
+  fi
 fi
 
 # Generate root SSH key
-if [ ! -e /root/.ssh/id_rsa.pub ]; then
-  ssh-keygen -q -N "" -f /root/.ssh/id_rsa
+if [ -e /ssh_keys/id_ed25519.pub ] ; then
+  # Copy persistent host keys
+  echo "Using existing SSH root keys"
+  cp -u /ssh_keys/id* /root/.ssh/.
+else
+  # Generate host SSH keys
+  echo "Generating SSH root keys"
+  ssh-keygen -a 100 -t ed25519 -q -N "" -f /root/.ssh/id_ed25519
+  if [ -d /ssh_keys ]; then
+    # Store generated keys on persistent volume
+    echo "Persisting SSH root keys"
+    cp -u /root/.ssh/id_ed25519* /ssh_keys/.
+  fi
+fi
+
+##############################################################################
+# Display ssh key if not in server mode
+##############################################################################
+
+if [ "$1" != "server" ] ; then
+  echo "Please add this ssh key to your server /home/user/.ssh/authorized_keys        "
+  echo "================================================================================"
+  echo "`cat /root/.ssh/id_*.pub`"
+  echo "================================================================================"
 fi
 
 ################################################################################
 # START as SERVER
 ################################################################################
 
-if [ "$1" == "server" ]; then
+if [ "$1" == "server" ] ; then
   AUTH=`cat /root/.ssh/authorized_keys`
-  if [ -z "$AUTH" ]; then
+  if [ -z "$AUTH" ] ; then
     echo "=================================================================================="
     echo "ERROR: No SSH_AUTH_KEY provided, you'll not be able to connect to this container. "
     echo "=================================================================================="
@@ -63,20 +119,18 @@ if [ "$1" == "server" ]; then
   exec /usr/sbin/sshd -D $SSH_PARAMS
 fi
 
-echo "Please add this ssh key to your server /home/user/.ssh/authorized_keys        "
-echo "================================================================================"
-echo "`cat /root/.ssh/id_rsa.pub`"
-echo "================================================================================"
-
 ################################################################################
 # START as CLIENT via crontab
 ################################################################################
 
-if [ "$1" == "client" ]; then
+if [ "$1" == "client" ] ; then
   exec /usr/sbin/crond -f
 fi
 
 ################################################################################
 # Anything else
 ################################################################################
-exec "$@"
+
+if [[ "$1" != "client" && "$1" != "server" ]] ; then
+  exec "$@"
+fi