
init mysqldump-sshd from rsync-sshd repo

Fabian Peter Hammerle 4 years ago
parent
commit
8cec374dcd
6 changed files with 108 additions and 70 deletions
  1. 22 12
      Dockerfile
  2. 21 24
      README.md
  3. 42 0
      docker-compose.yml
  4. 2 21
      entrypoint.sh
  5. 3 5
      rsnapshot.conf.example
  6. 18 8
      sshd_config

+ 22 - 12
Dockerfile

@@ -1,18 +1,28 @@
-FROM alpine:3.8
+FROM alpine:3.11
 
-RUN apk add --no-cache rsync rrsync openssh-server
+ARG DUMB_INIT_PACKAGE_VERSION=1.2.2-r1
+ARG MARIADB_CLIENT_PACKAGE_VERSION=10.4.10-r0
+ARG OPENSSH_PACKAGE_VERSION=8.1_p1-r0
+RUN apk add --no-cache \
+        dumb-init=$DUMB_INIT_PACKAGE_VERSION \
+        mariadb-client=$MARIADB_CLIENT_PACKAGE_VERSION \
+        openssh-server=$OPENSSH_PACKAGE_VERSION \
+    && adduser -S dump
 
-ENV SSHD_HOST_KEYS_DIR /etc/ssh/host_keys
-VOLUME $SSHD_HOST_KEYS_DIR
-
-COPY sshd_config /etc/ssh/sshd_config
-
-# comma-separated list of usernames
-ENV USERS ""
-
-EXPOSE 22/tcp
+# RUN apk add --no-cache man openssh-doc=$OPENSSH_PACKAGE_VERSION
 
 COPY entrypoint.sh /
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["dumb-init", "--", "/entrypoint.sh"]
+COPY sshd_config /etc/ssh/sshd_config
+ENV SSHD_HOST_KEYS_DIR /etc/ssh/host_keys
+ENV MYSQLDUMP_ARGS --help
+RUN chmod a=rx /entrypoint.sh \
+    && chmod a=r /etc/ssh/sshd_config \
+    && sed -i 's#^\(dump:.*\):/sbin/nologin$#\1:/tmp/mysqldump.sh#' /etc/passwd \
+    && mkdir $SSHD_HOST_KEYS_DIR \
+    && chown dump $SSHD_HOST_KEYS_DIR
+VOLUME $SSHD_HOST_KEYS_DIR
 
+USER dump
+EXPOSE 2222/tcp
 CMD ["/usr/sbin/sshd", "-D", "-e"]
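Review bot: The `sed -i` that swaps dump's login shell from `/sbin/nologin` to `/tmp/mysqldump.sh` in the `RUN` chain cannot fail: if the shell that `adduser -S` assigns ever differs from the pattern, the build still succeeds and every SSH login is refused at runtime with nothing pointing at the cause. Add an assertion to the same chain, e.g. `&& grep -q '^dump:.*:/tmp/mysqldump\.sh$' /etc/passwd`. The two `ENV` lines use the legacy space-separated form (BuildKit warns with LegacyKeyValueFormat); `ENV SSHD_HOST_KEYS_DIR=/etc/ssh/host_keys` and `ENV MYSQLDUMP_ARGS=--help` are the current syntax. Since `MYSQLDUMP_ARGS` is expected to carry the database password (the README example passes `--password=dbpass`), a comment above it should note that the value is stored in the container config and shown by `docker inspect`; mysqldump's `--defaults-extra-file` pointing at a mounted file keeps the credential out of the environment.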

+ 21 - 24
README.md

@@ -1,31 +1,28 @@
-# docker: openssh-server restricted to rsync 🐳
+# docker: openssh-server invoking mysqldump 🐳
 
-repo: https://github.com/fphammerle/docker-rsync-sshd
+Whenever a SSH client connects `mysqldump` will be executed.
 
-docker hub: https://hub.docker.com/r/fphammerle/rsync-sshd
-
-SSH clients are restricted to `rsync --server` commands via [rrsync](https://download.samba.org/pub/unpacked/rsync/support/rrsync).
-
-rrsync prefixes `/data` to all paths (e.g., `rsync ... host:/src /backup` downloads `/data/src`).
-
-## example 1
+Useful to fetch backups via [rsnapshot](https://rsnapshot.org/).
+See [rsnapshot.conf.example](rsnapshot.conf.example).
 
 ```sh
-$ docker run --name=rsync-sshd -p 2022:22 -e USERS=alice,bob -v rsync-data:/data:ro fphammerle/rsync-sshd
-$ docker cp alice-keys rsync-sshd:/home/alice/.ssh/authorized_keys
-$ docker cp bob-keys rsync-sshd:/home/bob/.ssh/authorized_keys
+$ sudo docker run --rm \
+    -p 2222:2222 \
+    -v /some/path/authorized_keys:/home/dump/.ssh/authorized_keys:ro \
+    -e MYSQLDUMP_ARGS='--user dbhost --user=dbuser --password=dbpass --all-databases' \
+    fphammerle/mysqldump-sshd
+$ ssh -p 2222 -T dump@localhost
+-- MariaDB dump 10.17  Distrib 10.4.10-MariaDB, for Linux (x86_64)
+--
+-- Host: database    Database: demo
+-- ------------------------------------------------------
+[…]
 ```
 
-## example 2
+### Docker Compose 🐙
 
-```
-$ docker run --name rsync-sshd \
-    --publish 2022:22 --env USERS=alice,bob \
-    --volume accessible-data:/data:ro \
-    --volume host-keys:/etc/ssh/host_keys \
-    --volume alice-ssh-config:/home/alice/.ssh:ro \ 
-    --volume bob-ssh-config:/home/bob/.ssh:ro \ 
-    --init --rm \
-    fphammerle/rsync-sshd
-$ rsync -av --rsh='ssh -p 2022' alice@localhost:/source /target
-```
+1. `git clone https://github.com/fphammerle/docker-mysqldump-sshd`
+2. `cd docker-mysqldump-sshd`
+3. Adapt `$MYSQLDUMP_ARGS` in `docker-compose.yml`
+4. `docker-compose up --build`
+5. Add `authorized_keys` to docker volume `mysqldumpsshd_authorized_keys`.

+ 42 - 0
docker-compose.yml

@@ -0,0 +1,42 @@
+version: '2'
+
+volumes:
+  database:
+  host_keys:
+  authorized_keys:
+
+services:
+  database:
+    image: mariadb:10.4
+    environment:
+      MYSQL_RANDOM_ROOT_PASSWORD: 'yes'
+      MYSQL_USER: someone
+      MYSQL_PASSWORD: secret
+      MYSQL_DATABASE: demo
+      # https://github.com/docker-library/mariadb/issues/251
+      # https://github.com/docker-library/mariadb/issues/262#issuecomment-536405303
+      MYSQL_INITDB_SKIP_TZINFO: 1
+    volumes:
+    - database:/var/lib/mysql:rw
+  sshd:
+    build: .
+    image: fphammerle/mysqldump-sshd
+    environment:
+      MYSQLDUMP_ARGS: >-
+        --host=database
+        --user=someone
+        --password=secret
+        --skip-add-drop-table
+        --skip-comments
+        --skip-dump-date
+        --databases demo
+    volumes:
+    - host_keys:/etc/ssh/host_keys:rw
+    - authorized_keys:/home/dump/.ssh:ro
+    ports:
+    - 127.0.0.1:2222:2222
+    security_opt: ['no-new-privileges']
+    # strace
+    # cap_add: [SYS_PTRACE]
+
+# https://docs.docker.com/compose/compose-file/compose-file-v2/
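Review bot: The `sshd` service runs as a non-root user on an unprivileged port and already sets `no-new-privileges`, so the remaining Linux capabilities go unused and can be dropped with `cap_drop: [ALL]`. As far as the visible entrypoint shows, the only write outside the named volumes is `/tmp/mysqldump.sh`, so `read_only: true` together with `tmpfs: [/tmp]` looks feasible and would leave the volumes as the only writable paths — worth verifying that sshd itself needs nothing else. The database password `secret` appears twice, under `MYSQL_PASSWORD` and inside `MYSQLDUMP_ARGS`; a comment saying both must be kept in sync (or a YAML anchor) would prevent a silent mismatch when one of them is changed. That the `authorized_keys` volume mounted at `/home/dump/.ssh` must contain a file named `authorized_keys` is stated only in README; a one-line comment on that volume entry would help.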

+ 2 - 21
entrypoint.sh

@@ -5,26 +5,7 @@ if [ ! -f "$SSHD_HOST_KEYS_DIR/rsa" ]; then
     ssh-keygen -t rsa -b 4096 -N '' -C '' -f "$SSHD_HOST_KEYS_DIR/rsa"
 fi
 
-if [ -z "$USERS" ]; then
-    echo '$USERS is not set'
-    exit 1
-fi
-
-IFS=','
-for USER in $USERS; do
-    if ! id "$USER" 2>/dev/null >/dev/null ; then
-        (set -x; adduser -D "$USER")
-        # default after `adduser -D`: !
-        # > User alice not allowed because account is locked
-        # `passwd -u` sets an empty password,
-        # so better insert '*' manually
-        # https://unix.stackexchange.com/a/193131/155174
-        sed -i "s/^${USER}:!:/${USER}:*:/" /etc/shadow
-    fi
-done
-
-set -x
-
-sed -i "s/^AllowUsers .*/AllowUsers ${USERS//,/ }/" /etc/ssh/sshd_config
+echo -e "#!/bin/sh\nexec mysqldump $MYSQLDUMP_ARGS" > /tmp/mysqldump.sh
+chmod u+x /tmp/mysqldump.sh
 
 exec "$@"
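Review bot: `/tmp/mysqldump.sh` is created under the default umask, so with the usual 022 it ends up world-readable after `chmod u+x` while holding the database credentials that `MYSQLDUMP_ARGS` typically carries (see README); `dump` is the only user in the image, but anything else that gets a shell or a volume into the container can read it. Create it with a restrictive umask, and with `printf` rather than the non-POSIX `echo -e`: `(umask 077; printf '#!/bin/sh\nexec mysqldump %s\n' "$MYSQLDUMP_ARGS" > /tmp/mysqldump.sh)`. Note that `$MYSQLDUMP_ARGS` is expanded unquoted once here and the result is re-parsed by `/bin/sh` on every login, so the value is shell syntax rather than an argument list; a short comment stating that, and that the variable is operator-supplied configuration only, would document the contract. The script's first lines are outside this hunk.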

+ 3 - 5
rsnapshot.conf.example

@@ -12,7 +12,7 @@ cmd_ssh	/usr/bin/ssh
 retain	alpha	16
 retain	beta	8
 retain	gamma	8
-retain	delta	8	
+retain	delta	8
 
 # 1     Quiet           Print fatal errors only
 # 2     Default         Print errors and warnings only
@@ -25,8 +25,6 @@ verbose		3
 # potentially messing up $snapshot_root
 lockfile	/tmp/rsnapshot.pid
 
-ssh_args	-p 2022
+#sync_first	1
 
-sync_first	1
-
-backup	alice@localhost:/		data-volume
+backup_script	/usr/bin/ssh -T -p 2222 dump@localhost > dump.sql		mysqldump

+ 18 - 8
sshd_config

@@ -1,6 +1,9 @@
-Protocol 2
+PidFile none
+#LogLevel VERBOSE
+#LogLevel DEBUG1
 
-# LogLevel VERBOSE
+Protocol 2
+Port 2222
 
 HostKey /etc/ssh/host_keys/rsa
 
@@ -9,17 +12,24 @@ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
-PermitRootLogin no
+AllowUsers dump
+AuthenticationMethods publickey
+PubkeyAuthentication yes
 PasswordAuthentication no
+ChallengeResponseAuthentication no
+# dont check file permissions
 StrictModes no
-# separated by spaces
-AllowUsers _
 
-ForceCommand /usr/bin/rrsync /data
 AllowAgentForwarding no
+AllowStreamLocalForwarding no
 AllowTcpForwarding no
+DisableForwarding yes
 GatewayPorts no
-X11Forwarding no
-PermitUserEnvironment no
 PermitTTY no
+PermitTunnel no
+PermitUserEnvironment no
 PrintMotd no
+X11Forwarding no
+
+# sshd invokes shell set in /etc/passwd
+ForceCommand exit 1
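Review bot: `StrictModes no` disables sshd's ownership and mode check on `~/.ssh` and `authorized_keys`, so a group- or world-writable key file is still accepted; the comment `# dont check file permissions` says what, not why. Presumably it is needed because `authorized_keys` comes from a read-only volume mount (see docker-compose.yml) whose ownership does not match `dump`; say so, e.g. `# authorized_keys is a read-only volume mount and may not be owned by dump, so the ownership/mode check is skipped`. `PermitRootLogin no` is dropped; `AllowUsers dump` already excludes root, but keeping the explicit line costs nothing and survives a later edit of AllowUsers. The `ForceCommand exit 1` comment would be clearer as `# the forced command is run through dump's login shell, which the Dockerfile sets to /tmp/mysqldump.sh; that script ignores its arguments and execs mysqldump`.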