
Persistent SSH host keys #4

@leopignataro

Description


Hey, there!

First of all, congratulations on the excellent work. This image fits my needs almost perfectly!

I said almost because there is one issue: the SSH host keys are regenerated every time the container is recreated. This is a problem on my stack because then I have to manually add the new public key to the client servers' known_hosts file (which ultimately results in downtime for my users).

To solve this, I created an image from your image with a slight variation: it checks a certain directory for existing SSH host keys and, if present, uses those keys instead of generating new keys. It also copies the keys it generates on the first run over to this directory. This allows me to add a volume on the docker-compose file and map it to this directory, so that the SSH host keys are generated on the first run and then backed up to persistent storage. When the container is recreated, the previous keys are used instead of generating new keys, thus achieving "persistent SSH host keys".

Would you consider adding this to your image? If so, and if you are interested in how I implemented it, here follows.

I basically changed this part of the original docker-entrypoint.sh:

# Generate host SSH keys
if [ ! -e /etc/ssh/ssh_host_rsa_key.pub ]; then
  ssh-keygen -A
fi

To this:

if [ -e /ssh_host_keys/ssh_host_rsa_key.pub ]; then
  # Copy persistent host keys (only the ssh_host_* files, so a stray
  # sshd_config or other file placed on the volume cannot override /etc/ssh)
  echo "Using existing SSH host keys"
  cp /ssh_host_keys/ssh_host_* /etc/ssh/
  # sshd refuses private keys that are group- or world-readable; a volume
  # populated from the host may carry looser modes than ssh-keygen writes
  chmod 600 /etc/ssh/ssh_host_*_key
  chmod 644 /etc/ssh/ssh_host_*_key.pub
elif [ ! -e /etc/ssh/ssh_host_rsa_key.pub ]; then
  # Generate host SSH keys
  echo "Generating SSH host keys"
  ssh-keygen -A
  if [ -d /ssh_host_keys ]; then
    # Store generated keys on persistent volume
    echo "Persisting SSH host keys"
    cp -u /etc/ssh/ssh_host_* /ssh_host_keys/
  fi
fi

My docker-compose.yml file looks like this:

...
volumes:
  transfer:
  rsync_ssh_host_keys:
...
services:
  rsync_server:
    image: custom-rsync:latest
    volumes:
      - transfer:/data
      - rsync_ssh_host_keys:/ssh_host_keys
    environment:
      SSH_AUTH_KEY_1: "ssh-rsa ..."
    ports:
      - "2222:22"
    command: server

I am by no means a bash script expert, so feel free to point out any shortcomings :)
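The restore / generate / persist decision described in the issue, written up as an added example (not the issue author's script and not the image's own entrypoint). It assumes the persistent volume is mounted at a directory passed as the first argument (defaulting to /ssh_host_keys) and that sshd reads its keys from the second argument (defaulting to /etc/ssh); both are parameters so the logic can be exercised against scratch directories. It keys on the presence of any ssh_host_*_key rather than only the RSA public key, copies only ssh_host_* files, and normalises file modes on restore, since sshd rejects a private key that is group- or world-readable. The fingerprint helper is there so an operator can check that what the container restored matches what clients already have in known_hosts.

```shell
#!/bin/sh
# Added example: persistent SSH host keys for a container entrypoint.
# Assumed layout: $1 = persistent volume (default /ssh_host_keys),
#                 $2 = sshd key directory (default /etc/ssh).
set -eu

# Generate a fresh host key set directly into the given directory.
# ssh-keygen writes the private key as 0600 and the .pub as 0644.
generate_host_keys() {
    dir=$1
    for t in rsa ecdsa ed25519; do
        ssh-keygen -q -N '' -t "$t" -f "$dir/ssh_host_${t}_key"
    done
}

# Decide what to do with host keys and print one word describing the outcome:
#   restored                 - keys copied from the persistent volume
#   kept                     - keys already present in the sshd directory
#   generated_and_persisted  - new keys generated and copied to the volume
#   generated                - new keys generated, no volume mounted
sync_host_keys() {
    persist_dir=${1:-/ssh_host_keys}
    etc_dir=${2:-/etc/ssh}

    if ls "$persist_dir"/ssh_host_*_key >/dev/null 2>&1; then
        # Restore path: copy only host key files, never arbitrary volume contents.
        cp "$persist_dir"/ssh_host_* "$etc_dir"/
        # A volume populated from the host may carry loose modes; fix them so
        # sshd does not refuse the keys at startup.
        chmod 600 "$etc_dir"/ssh_host_*_key
        chmod 644 "$etc_dir"/ssh_host_*_key.pub
        echo restored
    elif ls "$etc_dir"/ssh_host_*_key >/dev/null 2>&1; then
        # Keys baked into the image or left from an earlier run: leave them alone.
        echo kept
    else
        generate_host_keys "$etc_dir"
        if [ -d "$persist_dir" ]; then
            # First run with a volume mounted: back the new keys up.
            cp "$etc_dir"/ssh_host_* "$persist_dir"/
            chmod 600 "$persist_dir"/ssh_host_*_key
            echo generated_and_persisted
        else
            echo generated
        fi
    fi
}

# Print fingerprints of the host keys in a directory so they can be compared
# with the entries clients hold in known_hosts.
host_key_fingerprints() {
    for k in "$1"/ssh_host_*_key.pub; do
        ssh-keygen -lf "$k" 2>/dev/null || true
    done
}

# Entrypoint usage: `sh persist_host_keys.sh run` before exec'ing sshd.
if [ "${1:-}" = run ]; then
    sync_host_keys /ssh_host_keys /etc/ssh
    host_key_fingerprints /etc/ssh
fi
```

Dropping this in before the sshd exec gives the same behaviour as the variation in the issue, with the mode fix-up and the narrower glob on the restore path. The keys on the volume are the container's identity, so the volume deserves the same protection as any other secret store: back it up, and do not let it be readable by other containers that share the host.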
