Skip to content

Instantly share code, notes, and snippets.

@aacater

aacater/Dockerfile

Last active May 16, 2023 16:22
Show Gist options
  • Save aacater/6086b51732dfdd9a6ef0db6fa7d316d4 to your computer and use it in GitHub Desktop.
Save aacater/6086b51732dfdd9a6ef0db6fa7d316d4 to your computer and use it in GitHub Desktop.
Download ZIP
Dockerfile for BorgWarehouse
Raw
Dockerfile
FROM node:18-slim
ARG USERNAME=borgwarehouse
ARG USER_UID=1001
ARG USER_GID=$USER_UID
ARG SUDO_LINE="$USERNAME ALL=(ALL) NOPASSWD: /usr/sbin/useradd,/bin/mkdir,/usr/bin/touch,/bin/chmod,/bin/chown,/bin/bash,/usr/bin/jc,/usr/bin/jq,/bin/sed,/bin/grep,/usr/bin/stat,/usr/bin/borg,/bin/echo,/usr/sbin/userdel,/usr/sbin/service"
ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y --no-install-recommends \
jc jq sudo borgbackup openssh-server openssl \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt
RUN addgroup --gid $USER_GID $USERNAME \
&& adduser --disabled-login --disabled-password --uid $USER_UID --ingroup $USERNAME --gecos BorgWarehouse $USERNAME \
&& echo $SUDO_LINE > /etc/sudoers.d/10-$USERNAME \
&& chmod 0440 /etc/sudoers.d/10-$USERNAME
RUN echo -e "* * * * * root curl --request POST --url '$NEXTAUTH_URL/api/cronjob/checkStatus' --header 'Authorization: Bearer $CRONJOB_KEY' \n\
* * * * * root curl --request POST --url '$NEXTAUTH_URL/api/cronjob/getStorageUsed' --header 'Authorization: Bearer $CRONJOB_KEY' \
" > /etc/cron.d/borgwarehouse
USER $USERNAME
WORKDIR /app
COPY --chown=$USER_UID:$USER_GID package*.json .
RUN npm ci --only=production
COPY --chown=$USER_UID:$USER_GID . .
RUN chmod 700 /app/helpers/shells/*
RUN npm run build
EXPOSE 22 3000
VOLUME /app/config
VOLUME /var/borgwarehouse
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
CMD ["init"]
Raw
entrypint.sh
#!/bin/bash
CONFIG_DIR="/app/config"
sudo service ssh start &> /dev/null
if [ ! -f "$CONFIG_DIR/users.json" ];then
echo '[{"id":0,"email":"[email protected]","username":"admin","password":"$2a$12$20yqRnuaDBH6AE0EvIUcEOzqkuBtn1wDzJdw2Beg8w9S.vEqdso0a","roles":["admin"]}]' > "$CONFIG_DIR/users.json"
fi
if [ ! -f "$CONFIG_DIR/repo.json" ];then
echo '[]' > "$CONFIG_DIR/repo.json"
fi
if [ "$1" == "init" ] ; then
npm run start
exit
fi
exec "$@"
@tagdara
Copy link

tagdara commented Apr 2, 2023
edited
Loading

I've been looking at this after trying to get borgwarehouse working in docker, and I think trying to persist the passwd and shadow will be fraught with problems.

Instead I've been testing a "recreateRepo" script which can be called during entrypoint to create the users based off of the data in repos.json. Now when the docker is reset, we effectively recreate the users and update their authorized keys from the json to make sure it's all intact.

First I have the overall recreateRepos (note that jq is already being added in the dockerfile to the node-18:slim image being used):

#!/bin/bash
mapfile -t newValue < <(
  jq -c -r '.[]' /app/config/repo.json
)

for item in "${newValue[@]}"; do
    unixUser=$( echo ${item} | jq -c -r '.unixUser')
    sshPublicKey=$( echo ${item} | jq -c -r '.sshPublicKey')
    echo "user $unixUser / $sshPublicKey"
    /app/recreateRepo.sh $unixUser "$sshPublicKey"
done

which then calls recreateRepo.sh (a trimmed down version of createRepo):

set -e
if [ "$1" == "" ] || [ "$2" == "" ];then
    echo "This shell takes 2 arguments : Reponame, SSH Public Key"
    exit 1
fi

pattern='(ssh-ed25519 AAAAC3NzaC1lZDI1NTE5|[email protected] AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t|ssh-rsa AAAAB3NzaC1yc2)[0-9A-Za-z+/]+[=]{0,3}(\s.*)?'
if [[ ! "$2" =~ $pattern ]]
then
    echo "Invalid public SSH KEY format. Provide a key in OpenSSH format (rsa, ed25519, ed25519-sk)"
    exit 2
fi

user=$1
group="${user}"
home="/var/borgwarehouse/${user}"
pool="${home}/repos"
authorized_keys="${home}/.ssh/authorized_keys"
sudo useradd -d ${home} -s "/bin/bash" -m --badname ${user}
sudo mkdir -p ${home}/.ssh
sudo touch ${authorized_keys}
sudo chmod 777 ${authorized_keys}
sudo echo $2 > ${authorized_keys}
sudo mkdir -p "${pool}/$1"
sudo chmod -R 750 ${home}
sudo chmod 600 ${authorized_keys}
sudo chown -R ${user}:borgwarehouse ${home}

if [ ! -f "${authorized_keys}" ];then
    echo "${authorized_keys} must be present"
    exit 4
fi

echo ${user}

Then the modifed entrypoint.sh (this is already a mess anyway and the hardcoded user defaults should be moved to another helper script):

#!/bin/bash

CONFIG_DIR="/app/config"

sudo service ssh start &> /dev/null

if [ ! -f "$CONFIG_DIR/users.json" ];then
    echo '[{"id":0,"email":"[email protected]","username":"admin","password":"$2a$12$20yqRnuaDBH6AE0EvIUcEOzqkuBtn1wDzJdw2Beg8w9S.vEqdso0a","roles":["admin"]}]' > "$CONFIG_DIR/users.json"
fi

if [ ! -f "$CONFIG_DIR/repo.json" ];then
    echo '[]' > "$CONFIG_DIR/repo.json"
fi

/app/recreateRepos.sh

if [ "$1" == "init" ] ; then
    npm run start
    exit
fi

exec "$@"

and finally the Dockerfile (added adduser as well as one or two others that were causing sudo hangs during testing):

FROM node:18-slim

ARG USERNAME=borgwarehouse
ARG USER_UID=1900
ARG USER_GID=$USER_UID

ARG SUDO_LINE="$USERNAME ALL=(ALL) NOPASSWD: /usr/sbin/adduser,/usr/sbin/useradd,/bin/mkdir,/usr/bin/touch,/bin/chmod,/bin/chown,/bin/bash,/usr/bin/jc,/usr/bin/jq,/bin/sed,/bin/grep,/usr/bin/stat,/usr/bin/tee,/usr/bin/borg,/bin/echo,/usr/sbin/userdel,/usr/sbin/service"

ENV DEBIAN_FRONTEND=noninteractive

RUN apt update && apt install -y --no-install-recommends \
    jc jq sudo borgbackup openssh-server openssl \
    && rm -rf /var/lib/apt/lists/* /var/cache/apt

RUN addgroup --gid $USER_GID $USERNAME \
    && adduser --disabled-login --disabled-password --uid $USER_UID --ingroup $USERNAME --gecos BorgWarehouse $USERNAME \
    && echo $SUDO_LINE > /etc/sudoers.d/10-$USERNAME \
    && chmod 0440 /etc/sudoers.d/10-$USERNAME

RUN echo -e "* * * * * root curl --request POST --url '$NEXTAUTH_URL/api/cronjob/checkStatus' --header 'Authorization: Bearer $CRONJOB_KEY' \n\
* * * * * root curl --request POST --url '$NEXTAUTH_URL/api/cronjob/getStorageUsed' --header 'Authorization: Bearer $CRONJOB_KEY' \
" > /etc/cron.d/borgwarehouse
    

WORKDIR /app

RUN chown $USER_UID:$USER_GID /app

USER $USERNAME

COPY --chown=$USER_UID:$USER_GID package*.json ./

RUN npm ci --only=production

COPY --chown=$USER_UID:$USER_GID . .

RUN chmod 700 /app/helpers/shells/*

RUN npm run build

EXPOSE 22 3000

VOLUME /app/config

VOLUME /var/borgwarehouse

COPY --chown=$USER_UID:$USER_GID docker/entrypoint.sh /app/entrypoint.sh
COPY --chown=$USER_UID:$USER_GID docker/recreateRepo.sh /app/recreateRepo.sh
COPY --chown=$USER_UID:$USER_GID docker/recreateRepos.sh /app/recreateRepos.sh

RUN chmod +x /app/entrypoint.sh
RUN chmod +x /app/recreateRepo.sh
RUN chmod +x /app/recreateRepos.sh

ENTRYPOINT ["/app/entrypoint.sh"]

CMD ["init"]

@Ravinou
Copy link

Ravinou commented Apr 10, 2023

I've been digging the question and indeed the main problem that prevents me for the moment to propose a dockerfile is the persistence of unix users...

It is impossible to use a persistent mount on /etc/passwd or /etc/shadow files, UNIX does not support that, certainly for obvious security reasons.

I have not yet taken the time to think about how to overcome this problem. I have one or two ideas but it's not easy to do it without breaking changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment