Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds docker image. #4372

Closed
wants to merge 1 commit into from
Closed

Conversation

pierreozoux
Copy link

Relates to #4364

This is the first step, and then once you detail what is the release process, we can add that later.

It always build latest, but if you want we can add an ARG with the version.

@@ -0,0 +1,20 @@
FROM debian:stretch
Copy link
Member

@ThomasWaldmann ThomasWaldmann Feb 16, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docker-library/official-images#1516

ends with:

So for most of us there is no way to run verified trusted
docker images in production. Very unfortunate.

I am not familiar with docker, but sounds pretty bad?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're not wrong, but in order for an attack like this to happen a malicious user would have to:

  • Steal the Docker corporation's login credentials
  • Point the Docker library repo from the official debian repo to somewhere else (or compromise the Debian repo)
  • Put it up for review and hope nobody notices the alarm bells that will be going off everywhere
  • Wait for the automated build to push the official image up (yet again that would throw a fit)
  • Clean any cached images on a user's disks
  • Re-pull and re-run images

All content (official and not) served from Docker is done so via HTTPS/TLS so stealing credentials should be the only vector of attack.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well, my idea of security is not to rely on some infrastructure being secure and nothing going wrong, but to just check a gpg signature. it doesn't matter how or from where you get the stuff as long as you can verify the sig.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could pin to a sha256 hash of the base image instead of a tag, but then you'd have the maintenance burden of verifying every new version manually and updating this hash.

Gpg is no magic security fairy dust either, in Debian you also rely on the infrastructure of whoever created and distributes the signature. Unfortunately Docker images are not created in a deterministic way themselves (and this Dockerfile also adds additional nondeterminism on top by using whatever package version is current at build time).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarkusTeufelberger if you have the correct public key of the release maintainer, you can verify all releases with their signature, no matter how you get the release or the release signature. you can not do that just with sha256.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is a new feature Docker content trust, I'm not familiar with it yet, and this is an "enterprise feature" (at least in docker)... But other container runtime use it also (like cri-o) and other docker registry too (like quay.io). I propose that we investigate that in a future iteration.

Dockerfile Outdated Show resolved Hide resolved
Dockerfile Outdated Show resolved Hide resolved
Dockerfile Outdated Show resolved Hide resolved
@ThomasWaldmann
Copy link
Member

one general thing: the whole docker image building should run inside the stretch64 vagrant vm.

@DarrienG
Copy link

I vote for versioned building. We're asking for trouble always building the latest.

@ThomasWaldmann
Copy link
Member

Maybe it could be also moved to scripts/Dockerfile? There are already too many files in ..

@ThomasWaldmann
Copy link
Member

@pierreozoux are you still working on this?

@codecov-io
Copy link

codecov-io commented Mar 10, 2019

Codecov Report

Merging #4372 into master will increase coverage by 0.67%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #4372      +/-   ##
==========================================
+ Coverage   83.71%   84.38%   +0.67%     
==========================================
  Files          37       37              
  Lines        9567     9826     +259     
  Branches     1596     1611      +15     
==========================================
+ Hits         8009     8292     +283     
+ Misses       1090     1074      -16     
+ Partials      468      460       -8
Impacted Files Coverage Δ
src/borg/archive.py 82.96% <0%> (+0.63%) ⬆️
src/borg/archiver.py 83.72% <0%> (+3.02%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 85b010a...4396a8d. Read the comment docs.

@pierreozoux
Copy link
Author

Sorry for the delay, holiday.. ;)

I put some brain juice on it. And about your questions, I think this PR is the best possible way to tackle that.

Don't install third party in the VM

docker is a third party repo in debian.

Copying from VM to local machine would have been a hassle, so I though it is just pain easier to build it from your dev machine. (as anyway you'll need the client for pushing to the hub).

use `scripts` folder for Dockerfile

I think I like that the Dockerfile is at the root. As a docker user, in a quick look, I can see docker support of a repo, but no strong opinion there.
If you run the build_and_publish script from the root of the repo, all should work.
You'd need a docker hub account thought. I created the org already, once you have your docker handle, give it to me, and I make you admin (and then you can remove me, I'm fine).

pip vs setup.py vs pyinstaller

I could have choosen another method, but I'm not really familiar with python. And so I though that the fat binary was equivalent to any other method. But I have no strong opinion there. If you have a strong opinion, we can change that.

borgbackup and borgserver

It is just an attempt, if it creates too much debate, I'd prefer to not ship it with this PR, and open a separate PR

Copy link
Member

@ThomasWaldmann ThomasWaldmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some stuff i found.

scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/build_and_publish.sh Outdated Show resolved Hide resolved
scripts/docker/borgbackup Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
scripts/docker/README.md Outdated Show resolved Hide resolved
--entrypoint=/usr/bin/borgbackup \
--name borg-backup \
borgbackup/borg
docker rm borg-backup
Copy link

@DarrienG DarrienG Mar 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It probably makes sense to just run with docker run --rm so you don't have to run docker rm afterwards. Nothing is saved inside the container (which is good), so it's best to be a good citizen and remove it afterwards.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is using docker volumes, so it would delete the associated volume.


```
docker pull borgbackup/borg
docker run \
Copy link

@DarrienG DarrienG Mar 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as you use json syntax (which we are) for the entrypoint, you don't need to do anything weird to pass arguments to the container.

You could use docker run --rm borgbackup/borg -v $YOUR_MOUNTS $NORMAL_BORG_OPTIONS as if it were a binary.

@dargmuesli
Copy link

Let me add a quick thank you for working on this guys! :)

@pierreozoux
Copy link
Author

Ok, I separated the documentation from the binary and the convenience scripts (borgbackup and borgserver), I clearly tagged them as beta.
I think we are now good to get started like this, and improve in an iterative manner.
(I'll also use the convenience script in my production, once I use them, I'll probably add some fix and remove the beta flag :) )

@@ -0,0 +1,177 @@
## CLient side

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Client

@pierreozoux
Copy link
Author

pierreozoux commented Aug 25, 2020

@ThomasWaldmann if I remove all the client and server scripts, would you feel better about it?

I can spend a bit of time to rework this to have a basic docker image at least.

I'll be able to maintain it as well, as I'm still using this.

@ThomasWaldmann
Copy link
Member

Yeah, would feel better with a very basic thing. But as I don't use docker, I can't comment much about how that should look like.

But there were some other reviewers here, maybe you can discuss about how a basic docker image for borg should look like, so that it is generally useful.

@Nielio
Copy link

Nielio commented Dec 22, 2020

Any updates on this? Would be nice to have an official containerd borg !

@pascaldornfeld
Copy link

I am looking for an official image too

@@ -0,0 +1,9 @@
FROM debian:stretch

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No sure this program needs Debian
You should use Alpine

Docker content trust works fine, you can read how to automate or use it here: https://github.com/sudo-bot/action-docker-sign

-e 's/^#PasswordAuthentication yes$/PasswordAuthentication no/g' \
-e 's/^PermitRootLogin without-password$/PermitRootLogin no/g' \
/etc/ssh/sshd_config
if [[ $(ls /etc/ssh-keys/ssh_host_*) ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK one should not use ls in scripts/parse it. Okay, maybe there is not much parsing happening, but I you may anyway get crazy edge-cases/it is just not clean when you e.g. have spaces or so in there…
What I wanna say: Maybe there is a better solution? 🙂

Also, were these scripts tested with shellcheck? (Just pasted this script and it did not complain to my surprise, so yeah,hmm…)

from the borg command line to continue this Quick Start.

Note that this example is using the `latest` version of borg, and we recommend you
to pin the version by appending version e.g. `borgbackup/borg:1.0.7` to use `1.0.7`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm why would you recommend it?

I mean, maybe to not break setups the major version could be pinned aka borgbackup/borg:1, but semantic versioning says everything else should not break the API…


To start a borg server:
- generate an ssh-key
- `ssh-keygen -f ./id_rsa -N '' -t rsa`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's 2021, not sure whether recommending RSA keys is still what we need. ED25519 could be used just as that, is shorter and at least as secure…

chmod 400 /etc/ssh-keys/ssh_host_*
sed -i 's|/ssh/|/ssh-keys/|' /etc/ssh/sshd_config
sed -i '/^#HostKey/s/^#//' /etc/ssh/sshd_config
sed -e "s#SSH_KEY#${SSH_KEY}#g" /home/borg/authorized_keys.sample > /home/borg/.ssh/authorized_keys
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, where does this sample file come from? Debian I guess?
'
Okay, then it is empty.

Anyway, you should really suggest to save this file/dir in some (persistent) volume or prefill it (and not only SSHFS_IDENTITY_FILE), because otherwise you can get client connection errors…
Or oh well, this is the server part, nevermind I comment above…

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But should not this be configurable via a command-line, too? Otherwise, clients cannot connect if they are not authorized.

Also you'd like to restrict the commands to borg serve for security reasons.
See https://borgbackup.readthedocs.io/en/stable/deployment/central-backup-server.html#restrictions and https://borgbackup.readthedocs.io/en/stable/deployment/hosting-repositories.html

The script here could do that too/configure it properly…

if [ -n "${SSHFS:-}" ]; then
if [ -n "${SSHFS_IDENTITY_FILE:-}" ]; then
if [ ! -f "$SSHFS_IDENTITY_FILE" ] && [ -n "${SSHFS_GEN_IDENTITY_FILE:-}" ]; then
ssh-keygen -t rsa -b 4096 -N '' -f "$SSHFS_IDENTITY_FILE"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again in 2021, we maybe should use ed25519 instead of RSA…

SSHFS_PASSWORD_OPT=''
fi
mkdir -p /mnt/sshfs
eval "${SSHFS_PASSWORD} sshfs -o StrictHostKeyChecking=no ${SSHFS} /mnt/sshfs ${SSHFS_IDENTITY_FILE} ${SSHFS_PASSWORD_OPT}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

StrictHostKeyChecking=no? Please, by all means, do not do this. This image is likely intended to be used as a client with remote servers, so not checking the server key could allow MITM attacks…

So better pass in the host key either as a variable or just use SSH's default TOFU security scheme, at least – with allowing the user to confirm the step/check the key manually. After all, they will run this manually one time at least, so that should work.

@pierreozoux
Copy link
Author

Sorry, I'll close this PR, feel free to make your own PR based on this code or not.
(I'm not using borg any more)

It was a really nice software, I really enjoyed it! We are now using s3 and minio, using versionning and mirroring of s3, basically our requirements changed from let's have our backups encrypted to let's have a mirror site that can start fast in case of emergency.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants