From 40e33ff5b93d1fda576ad4190e7eee9922cd9d58 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Wed, 3 Mar 2021 17:35:39 +0100 Subject: [PATCH 01/25] Borg 1.1.15 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 81064b2..c5aa00e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM debian:9 -ENV BORG_VERSION=1.1.14 +ENV BORG_VERSION=1.1.15 RUN set -x \ && apt-get update \ From 0431fb2c2952898989d89ffe526bbddd6cf11da1 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Fri, 11 Jun 2021 22:36:48 +0200 Subject: [PATCH 02/25] Update copyright year --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5a0d6b2..b47f371 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ The files contained in this Git repository are licensed under the following lice * https://borgbackup.readthedocs.io/en/stable/authors.html#license * https://www.debian.org/legal/licenses/ -Copyright 2018 TG Byte Software GmbH +Copyright 2018-2021 TG Byte Software GmbH Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From db934743aeb8c9ec87b968794a44ea613c0d93d0 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Fri, 11 Jun 2021 15:21:28 +0200 Subject: [PATCH 03/25] Automatically determine current Borg version, switch to GitLab CI build, upgrade base image to Debian 10 --- .gitlab-ci.yml | 39 +++++++++++++++++++++++++++++++++++++++ Dockerfile | 8 ++++---- borg-version.sh | 9 +++++++++ build-manifest.sh | 17 +++++++++++++++++ build.sh | 20 ++++++++++++++++++++ 5 files changed, 89 insertions(+), 4 deletions(-) create mode 100644 .gitlab-ci.yml create mode 100755 borg-version.sh create mode 100755 build-manifest.sh create mode 100755 build.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..022f7f6 --- /dev/null +++ b/.gitlab-ci.yml 
@@ -0,0 +1,39 @@ +stages: + - build-image + - build-manifest + +variables: + FORCE: 0 + MULTIARCH: 1 + +.build-image-template: &build-image + stage: build-image + script: + - ./build.sh + artifacts: + expire_in: 1 day + paths: + - version.txt + - results/ + rules: + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + +build-image-amd64: + <<: *build-image + +build-image-arm: + <<: *build-image + variables: + ARCH: arm + +build-image-arm64: + <<: *build-image + variables: + ARCH: arm64 + +build-manifest: + stage: build-manifest + script: + - ./build-manifest.sh + rules: + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH diff --git a/Dockerfile b/Dockerfile index c5aa00e..fc32564 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,15 @@ -FROM debian:9 +FROM debian:10 -ENV BORG_VERSION=1.1.15 +ARG BORG_VERSION RUN set -x \ && apt-get update \ && apt-get install -y curl \ && sed -i "s/httpredir.debian.org/`curl -s -D - http://httpredir.debian.org/demo/debian/ | awk '/^Link:/ { print $2 }' | sed -e 's@;@\1@g'`/" /etc/apt/sources.list \ && apt-get update \ - && apt-get install -y openssh-server python3-pip build-essential libssl-dev libssl1.0.2 liblz4-dev liblz4-1 libacl1-dev libacl1 \ + && apt-get install -y openssh-server python3-pip build-essential libssl-dev libssl1.1 liblz4-dev liblz4-1 libacl1-dev libacl1 \ && rm -f /etc/ssh/ssh_host_* \ - && pip3 install borgbackup==$BORG_VERSION \ + && pip3 install "borgbackup==${BORG_VERSION}" \ && apt-get remove -y --purge build-essential libssl-dev liblz4-dev libacl1-dev \ && apt-get autoremove -y --purge \ && adduser --uid 500 --disabled-password --gecos "Borg Backup" --quiet borg \ diff --git a/borg-version.sh b/borg-version.sh new file mode 100755 index 0000000..84134d5 --- /dev/null +++ b/borg-version.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +set -xe -o pipefail + +curl -s "https://api.github.com/repos/borgbackup/borg/tags" \ +| jq -r '.[].name' \ +| grep -v '[a-zA-z]' \ +| sort -V \ +| tail -1 
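Review bot: `ARG BORG_VERSION` has no default, so a build that omits `--build-arg BORG_VERSION=…` reaches `pip3 install "borgbackup=="` and fails on pip's generic specifier error instead of a message naming the missing input. A guard at the head of the chain, `&& test -n "${BORG_VERSION}" \`, fails the build early and makes the contract explicit; a comment above the ARG, `# required: Borg release to install, supplied by build.sh as ARG_BORG_VERSION`, would say where it is expected to come from. The RUN instruction continues past the hunk.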
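Review bot: `curl -s` is used without `-f`, so an HTTP error response (for example the JSON error body returned when the unauthenticated API limit is hit) is passed to `jq -r '.[].name'` as though it were the tag list; `pipefail` still fails the script, but on jq's error rather than on the HTTP status. `curl -fsS "https://api.github.com/repos/borgbackup/borg/tags" \` surfaces the real cause. Worth stating in a header comment that this resolves the version to build from the network at pipeline time with no pin, so callers should treat the printed value as input to validate rather than as a trusted constant.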
diff --git a/build-manifest.sh b/build-manifest.sh new file mode 100755 index 0000000..3bf4227 --- /dev/null +++ b/build-manifest.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +set -e -o pipefail + +BORG_VERSION=$(cat version.txt) +IMAGE_VERSION="${BORG_VERSION}" +export TAG="${IMAGE_VERSION}" + +if [ "$FORCE" != "1" ]; then + echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists + check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 +fi + +echo Building manifest for version "${BORG_VERSION}" + +build-manifest.sh +TAG=latest build-manifest.sh diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..315e27c --- /dev/null +++ b/build.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +set -e -o pipefail + +BORG_VERSION=$(./borg-version.sh) +echo "${BORG_VERSION}" > version.txt + +IMAGE_VERSION="${BORG_VERSION}" + +export ARG_BORG_VERSION="${BORG_VERSION}" +export TAG="${IMAGE_VERSION}" + +if [ "$FORCE" != "1" ]; then + echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists + check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 +fi + +echo Building version "${BORG_VERSION}" + +build-image.sh From 72e021e302338616e27a9a5d442dca142c163186 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Wed, 25 Aug 2021 13:40:30 +0200 Subject: [PATCH 04/25] Switch to Ubuntu base image --- Dockerfile | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index fc32564..a832f84 100644 --- a/Dockerfile +++ b/Dockerfile 
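Review bot: The script ends by invoking a command named `build-manifest.sh`, the same basename as this file; it presumably resolves through PATH to a helper shipped in the CI image rather than to itself, but nothing in the repository says so, and a `./`-style invocation would recurse. A one-line comment above the two calls, `# resolves via PATH to the builder image's build-manifest.sh, not to this file`, removes the ambiguity. The same pattern reappears in the `.gitlab-ci/build-manifest.sh` introduced later in this series.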
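Review bot: `BORG_VERSION` is taken verbatim from `./borg-version.sh` (network output) and, unvalidated, becomes the pip version specifier via `ARG_BORG_VERSION` and the image tag via `TAG`. A shape check before it is written to `version.txt` keeps an unexpected value out of the build and the registry: `case "${BORG_VERSION}" in ''|*[!0-9.]*) echo "unexpected Borg version: ${BORG_VERSION}" >&2; exit 1;; esac`. Note that a failing `check-tag.sh` falls through to a build because only its success reaches `exit 0`; if that is intended, a comment on the `if` would make it clear.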
@@ -1,13 +1,10 @@ -FROM debian:10 +FROM ubuntu:20.04 ARG BORG_VERSION RUN set -x \ && apt-get update \ - && apt-get install -y curl \ - && sed -i "s/httpredir.debian.org/`curl -s -D - http://httpredir.debian.org/demo/debian/ | awk '/^Link:/ { print $2 }' | sed -e 's@;@\1@g'`/" /etc/apt/sources.list \ - && apt-get update \ - && apt-get install -y openssh-server python3-pip build-essential libssl-dev libssl1.1 liblz4-dev liblz4-1 libacl1-dev libacl1 \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server python3-pip build-essential libssl-dev libssl1.1 liblz4-dev liblz4-1 libacl1-dev libacl1 \ && rm -f /etc/ssh/ssh_host_* \ && pip3 install "borgbackup==${BORG_VERSION}" \ && apt-get remove -y --purge build-essential libssl-dev liblz4-dev libacl1-dev \ From ad7fe017aadb4fcca0c66f436de3bf67dfa1375b Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Wed, 25 Aug 2021 19:31:12 +0200 Subject: [PATCH 05/25] README: Replace Debian by Ubuntu references --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b47f371..74d4fde 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # docker-borg-backup -A dockerized Borg Backup server. For more information about Borg Backup, an excellent deduplicating backup, refer to: https://www.borgbackup.org/ +A dockerized Borg Backup server. For more information about Borg Backup, an excellent de-duplicating backup, refer to: https://www.borgbackup.org/ ## Usage 
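Review bot: `apt-get install -y` runs without `--no-install-recommends`, so the recommended packages of openssh-server, python3-pip and build-essential land in the runtime layer even though the later `apt-get remove --purge` removes only the four dev packages. `&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends openssh-server … \` keeps the installed surface to what the image needs; the reformatted package lists in patches 09 and 23 of this series carry the same omission. The RUN instruction continues past the hunk.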
@@ -14,10 +14,10 @@ Alternatively, use the Docker orchestrator of your choice. ## License -The files contained in this Git repository are licensed under the following license. This license explicitly does not cover the Borg Backup and Debian software packaged when running the Docker build. For these componensts, separate licenses apply that you can find at: +The files contained in this Git repository are licensed under the following license. This license explicitly does not cover the Borg Backup and Ubuntu software packaged when running the Docker build. For these components, separate licenses apply that you can find at: * https://borgbackup.readthedocs.io/en/stable/authors.html#license -* https://www.debian.org/legal/licenses/ +* https://ubuntu.com/licensing Copyright 2018-2021 TG Byte Software GmbH From e4c4fa08d6e1f9c9e3874f4508479f372c845b55 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Thu, 26 Aug 2021 19:56:36 +0200 Subject: [PATCH 06/25] Perform vulnerability scan --- .gitignore | 2 + .gitlab-ci.yml | 55 +++++++++++++++++++--- borg-version.sh => bin/borg-version.sh | 4 +- build-manifest.sh => bin/build-manifest.sh | 4 +- bin/build.sh | 30 ++++++++++++ bin/trivy.sh | 21 +++++++++ build.sh | 20 -------- 7 files changed, 105 insertions(+), 31 deletions(-) create mode 100644 .gitignore rename borg-version.sh => bin/borg-version.sh (80%) rename build-manifest.sh => bin/build-manifest.sh (89%) create mode 100755 bin/build.sh create mode 100755 bin/trivy.sh delete mode 100755 build.sh diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c16ac5c --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.trivy* +.version diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 022f7f6..1d97b0f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,7 +1,17 @@ +cache: + paths: + - .trivy/ + stages: + - version + - scan - build-image - build-manifest +workflow: + rules: + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + variables: FORCE: 0 MULTIARCH: 1 
@@ -9,14 +19,44 @@ variables: .build-image-template: &build-image stage: build-image script: - - ./build.sh + - bin/build.sh artifacts: expire_in: 1 day paths: - - version.txt + - .version - results/ - rules: - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + needs: + - job: version + artifacts: true + - job: trivy + artifacts: true + +version: + stage: version + script: + - bin/borg-version.sh > .version + artifacts: + expire_in: 1 day + paths: + - .version + +trivy: + stage: scan + image: + name: aquasec/trivy + entrypoint: [""] + script: + - ls -alR + - ${CI_PROJECT_DIR}/bin/trivy.sh + allow_failure: true + artifacts: + expire_in: 1 day + paths: + - .trivy-vulnerable + when: always + needs: + - job: version + artifacts: true build-image-amd64: <<: *build-image @@ -34,6 +74,7 @@ build-image-arm64: build-manifest: stage: build-manifest script: - - ./build-manifest.sh - rules: - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + - bin/build-manifest.sh + needs: + - job: version + artifacts: true diff --git a/borg-version.sh b/bin/borg-version.sh similarity index 80% rename from borg-version.sh rename to bin/borg-version.sh index 84134d5..6832320 100755 --- a/borg-version.sh +++ b/bin/borg-version.sh @@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/bash -set -xe -o pipefail +set -e -o pipefail curl -s "https://api.github.com/repos/borgbackup/borg/tags" \ | jq -r '.[].name' \ diff --git a/build-manifest.sh b/bin/build-manifest.sh similarity index 89% rename from build-manifest.sh rename to bin/build-manifest.sh index 3bf4227..326dc61 100755 --- a/build-manifest.sh +++ b/bin/build-manifest.sh @@ -1,8 +1,8 @@ -#!/bin/sh +#!/bin/bash set -e -o pipefail -BORG_VERSION=$(cat version.txt) +BORG_VERSION=$(cat .version) IMAGE_VERSION="${BORG_VERSION}" export TAG="${IMAGE_VERSION}" diff --git a/bin/build.sh b/bin/build.sh new file mode 100755 index 0000000..2325a45 --- /dev/null +++ b/bin/build.sh 
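Review bot: `image: name: aquasec/trivy` carries no tag, so every scan runs whatever `latest` is at that moment, and because the job has `allow_failure: true`, a scanner regression, CLI change or DB-format break would not fail the pipeline — it would just stop writing `.trivy-vulnerable`, silently disabling the rebuild trigger. Pin the scanner, `name: aquasec/trivy:<version>`, and bump it deliberately. A short comment on `allow_failure: true` saying that exit code 2 (findings) is expected and consumed via the artifact would also help the next reader.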
@@ -0,0 +1,30 @@ +#!/bin/bash + +set -e -o pipefail + +SOURCE="${BASH_SOURCE[0]}" +while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink + DIR="$(cd -P "$(dirname "$SOURCE")" >/dev/null 2>&1 && pwd)" + SOURCE="$(readlink "$SOURCE")" + [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located +done +DIR="$(cd -P "$(dirname "$SOURCE")" >/dev/null 2>&1 && pwd)" + +BORG_VERSION=$(cat .version) +IMAGE_VERSION="${BORG_VERSION}" + +export ARG_BORG_VERSION="${BORG_VERSION}" +export TAG="${IMAGE_VERSION}" + +if [ -e .trivy-vulnerable ]; then + VULNERABLE="1" +fi + +if [ "$FORCE" != "1" ] && [ -z "$VULNERABLE" ]; then + echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists + check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 +fi + +echo Building version "${BORG_VERSION}" + +build-image.sh diff --git a/bin/trivy.sh b/bin/trivy.sh new file mode 100755 index 0000000..b6da089 --- /dev/null +++ b/bin/trivy.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +BORG_VERSION=$(cat .version) +IMAGE_VERSION="${BORG_VERSION}" + +trivy \ + --cache-dir .trivy \ + image \ + --severity HIGH,CRITICAL \ + --ignore-unfixed \ + --exit-code 2 \ + --no-progress \ + "tgbyte/borg-backup:${IMAGE_VERSION}" +EXITCODE=$? + +if [ $EXITCODE -eq 2 ]; then + echo "Detected vulnerable Docker image tgbyte/borg-backup:${IMAGE_VERSION} - forcing rebuild" + echo "1" > .trivy-vulnerable +fi + +exit $EXITCODE diff --git a/build.sh b/build.sh deleted file mode 100755 index 315e27c..0000000 --- a/build.sh +++ /dev/null 
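Review bot: The symlink-resolution loop that computes `DIR` is dead code: `DIR` is never read afterwards, and the script works from the current directory (`cat .version`, `-e .trivy-vulnerable`) rather than from its own location. Either drop the loop or use it, e.g. `cd "${DIR}/.."` before the reads, so the script behaves the same when invoked from another working directory. The `.trivy-vulnerable` check is duplicated in `bin/build-manifest.sh` by a later patch in this series; a comment here naming the producer (`# written by bin/trivy.sh when the published image has fixable HIGH/CRITICAL findings`) would tie the two together.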
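Review bot: `--ignore-unfixed` together with `--severity HIGH,CRITICAL` is the rebuild policy — a HIGH/CRITICAL finding without an upstream fix never triggers a rebuild — but nothing records that this is deliberate; a comment above the invocation, `# only fixable HIGH/CRITICAL findings force a rebuild; unfixed ones are accepted until a fix ships`, documents the trade-off. A non-zero exit other than 2 (image not yet published, DB download failure) is returned unchanged and, given `allow_failure: true` on the CI job, is indistinguishable in pipeline status from a clean scan; an `else` branch with `echo "trivy exited ${EXITCODE}; no vulnerability verdict" >&2` at least makes it visible in the log. The shebang is `#!/bin/sh` while the sibling scripts use bash; harmless here, but worth aligning.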
@@ -1,20 +0,0 @@ -#!/bin/sh - -set -e -o pipefail - -BORG_VERSION=$(./borg-version.sh) -echo "${BORG_VERSION}" > version.txt - -IMAGE_VERSION="${BORG_VERSION}" - -export ARG_BORG_VERSION="${BORG_VERSION}" -export TAG="${IMAGE_VERSION}" - -if [ "$FORCE" != "1" ]; then - echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists - check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 -fi - -echo Building version "${BORG_VERSION}" - -build-image.sh From dd5128d4e82b9b9e38906423ceaa5274c8fc3b49 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Thu, 26 Aug 2021 20:29:26 +0200 Subject: [PATCH 07/25] Fix build dependencies --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1d97b0f..a3e1d04 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -78,3 +78,9 @@ build-manifest: needs: - job: version artifacts: true + - job: build-image-amd64 + artifacts: true + - job: build-image-arm + artifacts: true + - job: build-image-arm64 + artifacts: true From 1dd71e6fbf3ff14caa33da53b67aa3bd4f72defc Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Thu, 26 Aug 2021 20:31:19 +0200 Subject: [PATCH 08/25] Cleanup --- .gitlab-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a3e1d04..43ecf28 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -46,8 +46,7 @@ trivy: name: aquasec/trivy entrypoint: [""] script: - - ls -alR - - ${CI_PROJECT_DIR}/bin/trivy.sh + - bin/trivy.sh allow_failure: true artifacts: expire_in: 1 day From a15a18dc258fc04018ae26a670737d1491fccd77 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Thu, 26 Aug 2021 21:29:06 +0200 Subject: [PATCH 09/25] Format code --- Dockerfile | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index a832f84..3dde548 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,11 +3,26 @@ FROM ubuntu:20.04 ARG BORG_VERSION RUN set -x \ - && apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y openssh-server python3-pip build-essential libssl-dev libssl1.1 liblz4-dev liblz4-1 libacl1-dev libacl1 \ + && apt-get update -qq \ + && DEBIAN_FRONTEND=noninteractive apt-get install -qq -y \ + build-essential \ + libacl1 \ + libacl1-dev \ + liblz4-1 \ + liblz4-dev \ + libssl1.1 \ + libssl-dev \ + openssh-server \ + python3 \ + python3-pip \ + python3-setuptools \ && rm -f /etc/ssh/ssh_host_* \ - && pip3 install "borgbackup==${BORG_VERSION}" \ - && apt-get remove -y --purge build-essential libssl-dev liblz4-dev libacl1-dev \ + && pip3 install -v "borgbackup==${BORG_VERSION}" \ + && apt-get remove -y --purge \ + build-essential \ + libacl1-dev \ + liblz4-dev \ + libssl-dev \ && apt-get autoremove -y --purge \ && adduser --uid 500 --disabled-password --gecos "Borg Backup" --quiet borg \ && mkdir /var/run/sshd \ From 1667c6a04dbcc42a7f76a07eb6aa10e7d9688029 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Fri, 27 Aug 2021 12:13:07 +0200 Subject: [PATCH 10/25] Don't omit manifest build for vulnerability fixes --- .gitlab-ci.yml | 2 ++ bin/build-manifest.sh | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 43ecf28..c06d387 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -77,6 +77,8 @@ build-manifest: needs: - job: version artifacts: true + - job: trivy + artifacts: true - job: build-image-amd64 artifacts: true - job: build-image-arm diff --git a/bin/build-manifest.sh b/bin/build-manifest.sh index 326dc61..ae01d6b 100755 --- a/bin/build-manifest.sh +++ b/bin/build-manifest.sh 
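Review bot: `pip3 install -v "borgbackup==${BORG_VERSION}"` leaves pip's download and wheel cache in the layer (hadolint DL3042) and is the one step in this RUN with no corresponding cleanup; `&& pip3 install --no-cache-dir "borgbackup==${BORG_VERSION}" \` avoids that, and `-v` mostly inflates the build log. The same line survives in patch 23 of this series with `--break-system-packages` added. If reproducibility matters, a requirements file used with `--require-hashes` would also pin borg's transitive dependencies, which the bare `borgbackup==…` specifier does not. The RUN instruction continues past the hunk.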
@@ -6,7 +6,11 @@ BORG_VERSION=$(cat .version) IMAGE_VERSION="${BORG_VERSION}" export TAG="${IMAGE_VERSION}" -if [ "$FORCE" != "1" ]; then +if [ -e .trivy-vulnerable ]; then + VULNERABLE="1" +fi + +if [ "$FORCE" != "1" ] && [ -z "$VULNERABLE" ]; then echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 fi From 6dff6d58de0fce32d90c625079981e9935207043 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Sat, 28 Aug 2021 00:58:44 +0200 Subject: [PATCH 11/25] Install setuptools_scm --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 3dde548..02d4cca 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ RUN set -x \ python3 \ python3-pip \ python3-setuptools \ + python3-setuptools-scm \ && rm -f /etc/ssh/ssh_host_* \ && pip3 install -v "borgbackup==${BORG_VERSION}" \ && apt-get remove -y --purge \ From 21c0d6964fd10d9412c6ce9944b97ed45034d335 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Sun, 5 Sep 2021 18:29:56 +0200 Subject: [PATCH 12/25] Persist SSH host keys (closes #1) --- Dockerfile | 9 +++------ README.md | 3 ++- entrypoint.sh | 18 +++++++++++++----- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index 02d4cca..bdc1e6a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,12 +26,9 @@ RUN set -x \ libssl-dev \ && apt-get autoremove -y --purge \ && adduser --uid 500 --disabled-password --gecos "Borg Backup" --quiet borg \ - && mkdir /var/run/sshd \ - && mkdir /var/backups/borg \ - && chown borg.borg /var/backups/borg \ - && mkdir /home/borg/.ssh \ + && mkdir -p /var/run/sshd /var/backups/borg /var/lib/docker-borg/ssh mkdir /home/borg/.ssh \ + && chown borg.borg /var/backups/borg /home/borg/.ssh \ && chmod 700 /home/borg/.ssh \ - && chown borg.borg /home/borg/.ssh \ && rm -rf /var/lib/apt/lists/* RUN set -x \ 
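Review bot: `mkdir -p /var/run/sshd /var/backups/borg /var/lib/docker-borg/ssh mkdir /home/borg/.ssh` contains a stray `mkdir` token left over from merging the four old `mkdir` lines, so `mkdir -p` also creates a directory literally named `mkdir` in the working directory (`/`, since no WORKDIR is set) and it ships in the image. The line should read `&& mkdir -p /var/run/sshd /var/backups/borg /var/lib/docker-borg/ssh /home/borg/.ssh \`; the defective line is still present as context in patch 23 of this series. The new `chown borg.borg …` uses the dotted owner form that patch 24 later replaces with `borg:borg` in entrypoint.sh but not here. The RUN instruction starts before the hunk.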
@@ -42,7 +39,7 @@ RUN set -x \ -e 's/^#LogLevel .*$/LogLevel ERROR/g' \ /etc/ssh/sshd_config -VOLUME /var/backups/borg +VOLUME ["/var/backups/borg", "/var/lib/docker-borg"] ADD ./entrypoint.sh / diff --git a/README.md b/README.md index 74d4fde..ac072ca 100644 --- a/README.md +++ b/README.md @@ -10,8 +10,9 @@ docker run -e BORG_AUTHORIZED_KEYS= -e BORG_UID= -e BOR Alternatively, use the Docker orchestrator of your choice. -**Caution:** Do NOT forget to mount a volume into the Borg container. Otherwise your backups will vanish into thin air when you update the Borg container. +**Caution:** Do NOT forget to mount a volume as `/var/backups/borg` to host the backups. Otherwise your backups will vanish into thin air when you update the Borg container. +To persist the container's SSH host keys across container updates, mount a volume to `/var/lib/docker-borg`. ## License The files contained in this Git repository are licensed under the following license. This license explicitly does not cover the Borg Backup and Ubuntu software packaged when running the Docker build. For these components, separate licenses apply that you can find at: diff --git a/entrypoint.sh b/entrypoint.sh index 50efa07..5b5c681 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,18 +1,26 @@ #!/bin/bash -dpkg-reconfigure openssh-server +mkdir -p /var/lib/docker-borg/ssh > /dev/null 2>&1 + +if [ ! -f /var/lib/docker-borg/ssh/ssh_host_rsa_key ]; then + echo "Creating SSH keys. To persist keys across container updates, mount a volume to /var/lib/docker-borg..." + ssh-keygen -A + mv /etc/ssh/ssh*key* /var/lib/docker-borg/ssh/ +fi + +ln -sf /var/lib/docker-borg/ssh/* /etc/ssh > /dev/null 2>&1 if [ -n "${BORG_UID}" ]; then - usermod -u ${BORG_UID} borg + usermod -u "${BORG_UID}" borg fi if [ -n "${BORG_GID}" ]; then - groupmod -o -g ${BORG_GID} borg - usermod -g ${BORG_GID} borg + groupmod -o -g "${BORG_GID}" borg + usermod -g "${BORG_GID}" borg fi if [ ! -z ${BORG_AUTHORIZED_KEYS+x} ]; then - echo -e $BORG_AUTHORIZED_KEYS > /home/borg/.ssh/authorized_keys + echo -e "${BORG_AUTHORIZED_KEYS}" > /home/borg/.ssh/authorized_keys chown borg.borg /home/borg/.ssh/authorized_keys chmod og-rwx /home/borg/.ssh/authorized_keys fi From 60536996006c8970c8a0ac9c3da3d852e33de51c Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Mon, 6 Sep 2021 12:13:28 +0200 Subject: [PATCH 13/25] Cleanup --- .gitlab-ci.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c06d387..66d6894 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -27,9 +27,7 @@ variables: - results/ needs: - job: version - artifacts: true - job: trivy - artifacts: true version: stage: version @@ -55,7 +53,6 @@ trivy: when: always needs: - job: version - artifacts: true build-image-amd64: <<: *build-image @@ -76,12 +73,7 @@ build-manifest: - bin/build-manifest.sh needs: - job: version - artifacts: true - job: trivy - artifacts: true - job: build-image-amd64 - artifacts: true - job: build-image-arm - artifacts: true - job: build-image-arm64 - artifacts: true From b44f5dfa3d64270c41389fb660e472c05036feed Mon Sep 17 00:00:00 2001 
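Review bot: The script runs without `set -e`, and the key-persistence block discards errors (`mkdir -p … > /dev/null 2>&1`, `ln -sf … > /dev/null 2>&1`): if `/var/lib/docker-borg` is not writable, `ssh-keygen -A` still writes keys into `/etc/ssh`, the `mv` fails silently, the `ln -sf` either fails or is handed an unmatched literal `*`, and sshd starts with host keys that will not survive the next container update — the opposite of what the `echo` promises. Adding `set -e` directly after the shebang and dropping the two `> /dev/null 2>&1` redirections turns that into a visible start-up failure. The script continues past the hunk with the `chown -R` calls and the `exec` of sshd.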
From: Thilo-Alexander Ginkel Date: Fri, 10 Sep 2021 22:27:32 +0200 Subject: [PATCH 14/25] Re-use shared build pipeline --- .gitlab-ci.yml | 81 ++------------------ .gitlab-ci/build-image.sh | 8 ++ .gitlab-ci/build-manifest.sh | 8 ++ bin/borg-version.sh => .gitlab-ci/version.sh | 0 README.md | 4 + bin/build-manifest.sh | 21 ----- bin/build.sh | 30 -------- bin/trivy.sh | 21 ----- 8 files changed, 25 insertions(+), 148 deletions(-) create mode 100755 .gitlab-ci/build-image.sh create mode 100755 .gitlab-ci/build-manifest.sh rename bin/borg-version.sh => .gitlab-ci/version.sh (100%) delete mode 100755 bin/build-manifest.sh delete mode 100755 bin/build.sh delete mode 100755 bin/trivy.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 66d6894..98c635f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,79 +1,8 @@ -cache: - paths: - - .trivy/ - -stages: - - version - - scan - - build-image - - build-manifest - -workflow: - rules: - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH +include: + - project: 'docker/builder' + file: '/templates/.gitlab-ci.yml' variables: - FORCE: 0 + BUILD_IMAGE_SCRIPT: .gitlab-ci/build-image.sh + BUILD_MANIFEST_SCRIPT: .gitlab-ci/build-manifest.sh MULTIARCH: 1 - -.build-image-template: &build-image - stage: build-image - script: - - bin/build.sh - artifacts: - expire_in: 1 day - paths: - - .version - - results/ - needs: - - job: version - - job: trivy - -version: - stage: version - script: - - bin/borg-version.sh > .version - artifacts: - expire_in: 1 day - paths: - - .version - -trivy: - stage: scan - image: - name: aquasec/trivy - entrypoint: [""] - script: - - bin/trivy.sh - allow_failure: true - artifacts: - expire_in: 1 day - paths: - - .trivy-vulnerable - when: always - needs: - - job: version - -build-image-amd64: - <<: *build-image - -build-image-arm: - <<: *build-image - variables: - ARCH: arm - -build-image-arm64: - <<: *build-image - variables: - ARCH: arm64 - -build-manifest: - stage: build-manifest - script: - - bin/build-manifest.sh - needs: - - job: version - - job: trivy - - job: build-image-amd64 - - job: build-image-arm - - job: build-image-arm64 diff --git a/.gitlab-ci/build-image.sh b/.gitlab-ci/build-image.sh new file mode 100755 index 0000000..2ce22e4 --- /dev/null +++ b/.gitlab-ci/build-image.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +source /usr/local/share/build-functions.sh + +exit_if_image_present + +export ARG_BORG_VERSION="${VERSION}" +build-image.sh diff --git a/.gitlab-ci/build-manifest.sh b/.gitlab-ci/build-manifest.sh new file mode 100755 index 0000000..f9acaad --- /dev/null +++ b/.gitlab-ci/build-manifest.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +source /usr/local/share/build-functions.sh + +exit_if_image_present + +build-manifest.sh +TAG=latest build-manifest.sh 
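Review bot: `include: - project: 'docker/builder'` has no `ref:`, so every pipeline fetches `/templates/.gitlab-ci.yml` from that project's default branch at run time; the job definitions, the images they run in and presumably the `/usr/local/share/build-functions.sh` that the two new scripts `source` all move with it, and anyone who can push to `docker/builder` changes this build. Pin it, `ref: <tag-or-commit>`, and bump on purpose. `BUILD_IMAGE_SCRIPT` and `BUILD_MANIFEST_SCRIPT` are only meaningful to that template, which a one-line comment above `variables:` could say.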
diff --git a/bin/borg-version.sh b/.gitlab-ci/version.sh similarity index 100% rename from bin/borg-version.sh rename to .gitlab-ci/version.sh diff --git a/README.md b/README.md index ac072ca..ac54e28 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,10 @@ Alternatively, use the Docker orchestrator of your choice. **Caution:** Do NOT forget to mount a volume as `/var/backups/borg` to host the backups. Otherwise your backups will vanish into thin air when you update the Borg container. To persist the container's SSH host keys across container updates, mount a volume to `/var/lib/docker-borg`. + +## Supported Architectures + +This image is available for the `amd64` and `arm64` architectures. ## License The files contained in this Git repository are licensed under the following license. This license explicitly does not cover the Borg Backup and Ubuntu software packaged when running the Docker build. For these components, separate licenses apply that you can find at: diff --git a/bin/build-manifest.sh b/bin/build-manifest.sh deleted file mode 100755 index ae01d6b..0000000 --- a/bin/build-manifest.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -set -e -o pipefail - -BORG_VERSION=$(cat .version) -IMAGE_VERSION="${BORG_VERSION}" -export TAG="${IMAGE_VERSION}" - -if [ -e .trivy-vulnerable ]; then - VULNERABLE="1" -fi - -if [ "$FORCE" != "1" ] && [ -z "$VULNERABLE" ]; then - echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists - check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 -fi - -echo Building manifest for version "${BORG_VERSION}" - -build-manifest.sh -TAG=latest build-manifest.sh diff --git a/bin/build.sh b/bin/build.sh deleted file mode 100755 index 2325a45..0000000 --- a/bin/build.sh +++ /dev/null 
@@ -1,30 +0,0 @@ -#!/bin/bash - -set -e -o pipefail - -SOURCE="${BASH_SOURCE[0]}" -while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink - DIR="$(cd -P "$(dirname "$SOURCE")" >/dev/null 2>&1 && pwd)" - SOURCE="$(readlink "$SOURCE")" - [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located -done -DIR="$(cd -P "$(dirname "$SOURCE")" >/dev/null 2>&1 && pwd)" - -BORG_VERSION=$(cat .version) -IMAGE_VERSION="${BORG_VERSION}" - -export ARG_BORG_VERSION="${BORG_VERSION}" -export TAG="${IMAGE_VERSION}" - -if [ -e .trivy-vulnerable ]; then - VULNERABLE="1" -fi - -if [ "$FORCE" != "1" ] && [ -z "$VULNERABLE" ]; then - echo Exit if "tgbyte/borg-backup:${IMAGE_VERSION}" already exists - check-tag.sh "tgbyte/borg-backup:${IMAGE_VERSION}" && exit 0 -fi - -echo Building version "${BORG_VERSION}" - -build-image.sh diff --git a/bin/trivy.sh b/bin/trivy.sh deleted file mode 100755 index b6da089..0000000 --- a/bin/trivy.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -BORG_VERSION=$(cat .version) -IMAGE_VERSION="${BORG_VERSION}" - -trivy \ - --cache-dir .trivy \ - image \ - --severity HIGH,CRITICAL \ - --ignore-unfixed \ - --exit-code 2 \ - --no-progress \ - "tgbyte/borg-backup:${IMAGE_VERSION}" -EXITCODE=$? - -if [ $EXITCODE -eq 2 ]; then - echo "Detected vulnerable Docker image tgbyte/borg-backup:${IMAGE_VERSION} - forcing rebuild" - echo "1" > .trivy-vulnerable -fi - -exit $EXITCODE From 0961fe71c5687eb68cde3b5c9743b89d603d45d8 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Sat, 11 Sep 2021 20:18:10 +0200 Subject: [PATCH 15/25] Fix regexp --- .gitlab-ci/version.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci/version.sh b/.gitlab-ci/version.sh index 6832320..24209a5 100755 --- a/.gitlab-ci/version.sh +++ b/.gitlab-ci/version.sh 
@@ -4,6 +4,6 @@ set -e -o pipefail curl -s "https://api.github.com/repos/borgbackup/borg/tags" \ | jq -r '.[].name' \ -| grep -v '[a-zA-z]' \ +| grep -v '[a-zA-Z]' \ | sort -V \ | tail -1 From 9142cfe5e9162bad0d6c64dccaa0b4225b25ec2f Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Tue, 21 Sep 2021 10:05:10 +0200 Subject: [PATCH 16/25] Use Ubuntu base image with applied security updates --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bdc1e6a..897420e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM tgbyte/ubuntu:20.04 ARG BORG_VERSION From 38ff9796db7daf8bb3d3aaac136a78b04037da52 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Wed, 9 Mar 2022 22:18:46 +0100 Subject: [PATCH 17/25] Fix build for Borg >= 1.2.0 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 897420e..fa01ad5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,7 @@ RUN set -x \ openssh-server \ python3 \ python3-pip \ + python3-pkgconfig \ python3-setuptools \ python3-setuptools-scm \ && rm -f /etc/ssh/ssh_host_* \ From 2be49f7be6e3a77b34635bf1e694228a3176aee0 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Wed, 9 Mar 2022 22:21:03 +0100 Subject: [PATCH 18/25] It's 2022 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac54e28..9e771e9 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ The files contained in this Git repository are licensed under the following lice * https://borgbackup.readthedocs.io/en/stable/authors.html#license * https://ubuntu.com/licensing -Copyright 2018-2021 TG Byte Software GmbH +Copyright 2018-2022 TG Byte Software GmbH Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From bd4e12c65b748e0ee5fc762f528139aeeb15dbcc Mon Sep 17 00:00:00 2001 
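Review bot: `FROM tgbyte/ubuntu:20.04` moves the base from the official `ubuntu` image to a third-party namespace while keeping a mutable tag, so the image built depends on whatever that tag points to on the day and cannot be reproduced later; the 24.04 bump in patch 22 of this series has the same shape. Pin by digest, `FROM tgbyte/ubuntu:20.04@sha256:<digest>`, and bump the digest when the base is refreshed. The reason for preferring this image over `ubuntu:20.04` is only in the commit message (applied security updates); a comment above the FROM should carry it into the file.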
From: Thilo-Alexander Ginkel Date: Tue, 23 May 2023 18:31:36 +0200 Subject: [PATCH 19/25] It's 2023 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9e771e9..3c0b958 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ The files contained in this Git repository are licensed under the following lice * https://borgbackup.readthedocs.io/en/stable/authors.html#license * https://ubuntu.com/licensing -Copyright 2018-2022 TG Byte Software GmbH +Copyright 2018-2023 TG Byte Software GmbH Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. From 0357d287668fdfffce15b833ab63d74f71707ebc Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Wed, 14 Jun 2023 15:14:46 +0200 Subject: [PATCH 20/25] .gitignore .vscode --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index c16ac5c..5c1b04d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .trivy* .version +.vscode/ From 82a2b9d8b8de050d263b5fdb746d230f6a1ed048 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20B=C3=BCsgen?= Date: Wed, 22 Mar 2023 08:54:08 +0100 Subject: [PATCH 21/25] fix(container): :lock: Ensure correct permissions for server SSH-Keys Closes https://github.com/tgbyte/docker-borg-backup/issues/7#issue-1266419417 --- entrypoint.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 5b5c681..9e8376b 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -8,6 +8,9 @@ if [ ! -f /var/lib/docker-borg/ssh/ssh_host_rsa_key ]; then mv /etc/ssh/ssh*key* /var/lib/docker-borg/ssh/ fi +# Ensure correct permissions for ssh keys +chmod -R og-rwx /var/lib/docker-borg/ssh/ + ln -sf /var/lib/docker-borg/ssh/* /etc/ssh > /dev/null 2>&1 if [ -n "${BORG_UID}" ]; then From 6ccc7849290bdb61ce8798a6d6614bbbe844986d Mon Sep 17 00:00:00 2001 
From: Thilo-Alexander Ginkel Date: Thu, 4 Jul 2024 21:48:42 +0200 Subject: [PATCH 22/25] Upgrade base image to Ubuntu 24.04 --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fa01ad5..7dc7594 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM tgbyte/ubuntu:20.04 +FROM tgbyte/ubuntu:24.04 ARG BORG_VERSION @@ -19,6 +19,7 @@ RUN set -x \ python3-setuptools \ python3-setuptools-scm \ && rm -f /etc/ssh/ssh_host_* \ + && python3 --version \ && pip3 install -v "borgbackup==${BORG_VERSION}" \ && apt-get remove -y --purge \ build-essential \ From 603fb98ec7a89303a4d8a45b6c92fa94b564eef0 Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Thu, 4 Jul 2024 22:54:44 +0200 Subject: [PATCH 23/25] Borg 1.4 --- Dockerfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7dc7594..cb6e3f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,8 +10,12 @@ RUN set -x \ libacl1-dev \ liblz4-1 \ liblz4-dev \ - libssl1.1 \ + libssl3t64 \ libssl-dev \ + libxxhash0 \ + libxxhash-dev \ + libzstd1 \ + libzstd-dev \ openssh-server \ python3 \ python3-pip \ @@ -20,12 +24,14 @@ RUN set -x \ python3-setuptools-scm \ && rm -f /etc/ssh/ssh_host_* \ && python3 --version \ - && pip3 install -v "borgbackup==${BORG_VERSION}" \ + && pip3 install --break-system-packages -v "borgbackup==${BORG_VERSION}" \ && apt-get remove -y --purge \ build-essential \ libacl1-dev \ liblz4-dev \ libssl-dev \ + libxxhash-dev \ + libzstd-dev \ && apt-get autoremove -y --purge \ && adduser --uid 500 --disabled-password --gecos "Borg Backup" --quiet borg \ && mkdir -p /var/run/sshd /var/backups/borg /var/lib/docker-borg/ssh mkdir /home/borg/.ssh \ From e9ada52799d92d9ea9c8d59ef2d3d396f544fb30 Mon Sep 17 00:00:00 2001 
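Review bot: `pip3 install --break-system-packages` overrides the PEP 668 marker on 24.04 and installs borg and its dependency tree into the apt-managed system site-packages, where a later `apt-get` upgrade of a Python library can overwrite or shadow them without pip knowing. A venv gives the same single-purpose result without that coupling: `&& python3 -m venv /opt/borg \`, `&& /opt/borg/bin/pip install --no-cache-dir "borgbackup==${BORG_VERSION}" \` and `&& ln -s /opt/borg/bin/borg /usr/local/bin/borg \`, with `python3-venv` added to the apt list so the `borg` command stays at the path sshd sessions already find. If the flag is kept, a comment on the line saying that the image is single-purpose and the override is accepted would record the decision. The RUN instruction starts before and continues past the hunk.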
From: Thilo-Alexander Ginkel Date: Sat, 22 Feb 2025 15:23:47 +0100 Subject: [PATCH 24/25] Fix chown warnings (closes #11) --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9e8376b..14041bb 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -24,11 +24,11 @@ fi if [ ! -z ${BORG_AUTHORIZED_KEYS+x} ]; then echo -e "${BORG_AUTHORIZED_KEYS}" > /home/borg/.ssh/authorized_keys - chown borg.borg /home/borg/.ssh/authorized_keys + chown borg:borg /home/borg/.ssh/authorized_keys chmod og-rwx /home/borg/.ssh/authorized_keys fi -chown -R borg.borg /home/borg -chown -R borg.borg /home/borg/.ssh +chown -R borg:borg /home/borg +chown -R borg:borg /home/borg/.ssh exec /usr/sbin/sshd -D -e From 9a197c9e6548d2c76f857eecb103bf3676b58e7c Mon Sep 17 00:00:00 2001 From: Thilo-Alexander Ginkel Date: Sat, 22 Feb 2025 15:26:37 +0100 Subject: [PATCH 25/25] It's 2025 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3c0b958..c268535 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ The files contained in this Git repository are licensed under the following lice * https://borgbackup.readthedocs.io/en/stable/authors.html#license * https://ubuntu.com/licensing -Copyright 2018-2023 TG Byte Software GmbH +Copyright 2018-2025 TG Byte Software GmbH Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.