docker-borgserver

Split run.sh and add git retrieval

Open abate opened this issue 5 years ago • 6 comments

This patch modularizes run.sh, adding two new helper scripts, and makes it possible to specify a git repository for ssh keys via a new env variable BORG_SSHKEYS_REPO.

The modularization adds two new files:

  • env.sh : defines a few environment variables
  • create-client-dirs.sh : updates and creates user directories and re-creates authorized_keys

We also add a new script update-ssh-keys.sh to be called regularly in a cron job to check if the git repository is up-to-date and eventually add/remove users.

Mar 23 '20 11:03 abate

hi, thanks for your contribution! :+1:

I wrote something for this some time ago, too. See: https://github.com/Nold360/docker-borgserver/tree/f_git_integration

But it just doesn't feel right to put so much complexity into a container that should only do one job. I guess the most containerish way would be to let an init-container pull the keys from git and feed the finalized authorized_keys into the borg-container.

But afaik docker-compose doesn't really support init-containers. But if the init-container never restarts, it would pull the git with every docker-compose up, which doesn't sound too bad to me right now.. :thinking:

Mar 24 '20 10:03 Nold360

I see your commit does mostly what I've done. It's handy to store your ssh keys in a git repo.

This MR does not add much more complexity. The container still works as before. The only process running is still sshd. The cron job that periodically runs update-ssh-keys.sh should run in the host crontab (so keeping the one-process-per-container philosophy):

*/5 * * * * docker exec borgserver /usr/local/bin/update-ssh-keys.sh

Basically, this MR splits the run.sh script into 3 components to make it possible to add update-ssh-keys.sh without code replication.

Mar 24 '20 13:03 abate
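
Added example, not part of the thread and not the project's code: one way the "re-create authorized_keys" step discussed above can treat key files pulled from git as untrusted input, so that a commit to the key repository cannot add login options or extra keys. The one-file-per-client layout, the `BACKUP_ROOT` default, the function names and the `borg serve --restrict-to-path` forced command are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Assumptions: one public-key file per client, named after the
# client; repositories live under $BACKUP_ROOT (hypothetical default below).
: "${BACKUP_ROOT:=/backup}"

# Print one forced-command authorized_keys line for a key file, or return 1
# if the file is anything other than a single bare public key.
key_line() {
    file=$1 client=$(basename "$1")
    # The client name ends up in a path inside a quoted command string.
    case $client in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # Exactly one line, so a file cannot carry a second, unrestricted key.
    [ "$(grep -c '' "$file")" -eq 1 ] || return 1
    read -r type blob _comment < "$file" || :
    # Field 1 must be a key type; a line that starts with options such as
    # command=... or environment=... is rejected here.
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $blob in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    # The repository-supplied comment is dropped; the client name replaces it.
    printf 'command="borg serve --restrict-to-path %s/%s",restrict %s %s %s\n' \
        "$BACKUP_ROOT" "$client" "$type" "$blob" "$client"
}

# Rebuild $2 from the key files in directory $1. The new file is written
# beside the old one and renamed into place, so sshd never reads a partial file.
# Returns 0 if every file was accepted, 1 if some were skipped, 2 on I/O error.
rebuild_authorized_keys() {
    src=$1 dest=$2 skipped=0
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    for f in "$src"/*; do
        # Regular files only: a symlink in the checkout could point anywhere.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        key_line "$f" >> "$tmp" || { echo "skipped: $f" >&2; skipped=1; }
    done
    chmod 600 "$tmp" && mv -f "$tmp" "$dest" || return 2
    return "$skipped"
}

# Usage: script KEY_DIR AUTHORIZED_KEYS_FILE
if [ "$#" -eq 2 ]; then rebuild_authorized_keys "$1" "$2"; fi
```

A non-zero exit status from a cron-driven run is the signal worth alerting on, since it means the key repository contains a file that was refused.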

I used my C-Virus isolation time today and tried to hack something together: https://github.com/Nold360/docker-borgserver/tree/f_init_container

I split the container up into an init and a server part. Basically the init-container never gets restarted & does everything to set up the volumes incl. the authorized_keys file.

The server container will sleep 5 seconds and then try to ping init until the init-container is not reachable anymore... I changed quite a lot, including some stuff like the server now runs fully as borg-user. The init-container still runs as root ofc.

Still needs a lot of cleanup, but it seems to work quite well right now.

The question is, which way do we want to go?

Mar 24 '20 15:03 Nold360

It seems you are adding even more complexity by splitting the init and runtime part into two containers, and duplicating a fair bit of code in the process ... not sure ...

Mar 25 '20 17:03 abate

Yea, that's true - but only because I had to work around the limitations of docker-compose. Otherwise we could move all the logic into the init-container. So Kubernetes has to wait.

So for now it seems like a good idea to merge the git feature into another branch or something, so we can tag it like "borgserver:git" or whatever. Question is, how can we easily maintain the code for both? Might be better to have everything in one place/branch then..

//Edit: How about this: https://github.com/Nold360/docker-borgserver/compare/f_git_2

Mar 26 '20 15:03 Nold360

This looks good to me! Ref: https://github.com/Nold360/docker-borgserver/compare/f_git_2 I'll test it a bit tomorrow.

Mar 26 '20 23:03 abate