
[Support] rsync-server


Overview: rsync-server

Docker: https://hub.docker.com/r/eeacms/rsync

Github: https://github.com/eea/eea.docker.rsync

 

This is a simple rsync server based on Alpine.

 

To be able to connect to this rsync server you need to add the SSH key of your client to the variable SSH_AUTH_KEY_1. You can pass multiple keys through the additional variables SSH_AUTH_KEY_2, SSH_AUTH_KEY_3, etc.

 


 

The benefits of this container are:

  • you can define a non-default SSH port for rsync only (default of this container is 5533)
  • you can define specific paths instead of allowing access to the complete server (default is /mnt/user)
  • file access is read-only (protection against ransomware)

Most Popular Posts

  • You can add an infinite amount of keys. There is a loop which reads all of them: https://github.com/eea/eea.docker.rsync/blob/master/docker-entrypoint.sh   By that even SSH_AUTH_KEY_BAN


  • Author

How to create an SSH key?


Log into your client machine and create an SSH key as follows:

ssh-keygen -t rsa -b 4096

 

Press ENTER three times to use the default location and create the key without a password. Now display your SSH key with the following command:

cat ~/.ssh/id_rsa.pub

 

Copy the complete line like "ssh-rsa AAA.... username@client" and paste it in the field "SSH_AUTH_KEY_1" and start this container.

 

You can test the connection from your client as follows (replace "tower" with your server name or domain):

rsync --dry-run --itemize-changes --archive -e 'ssh -p 5533' root@tower:/mnt/user/system/ /tmp

 

Thanks for your great Docker/rsync-server!

 

Is your rsync-server working with Back in Time?


The Solution:

 

  • 2 months later...

Is it allowed to add more keys or is that not supported/not working?


  • 1 month later...

Hi,

Thank you for rsync docker.

When I do a dry run, I am getting the following error.

I have created the key on the client and pasted it into SSH_AUTH_KEY_1:

 

I have added " to the beginning and to the end too. But still getting "Host key verification failed." error.

 

 

rsync --dry-run --itemize-changes --archive -e 'ssh -p 5533' root@tower:/mnt/user/system/ /tmp
The authenticity of host '[tower]:5533 ([192.168.1.175]:5533)' can't be established.
ECDSA key fingerprint is SHA256:bWkkJ3pzyzT+c8zvbt9xxNL/l2uz2tVr0Yx7QwnCm2A.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(235) [Receiver=3.1.3]

 

I checked the logs.

When I start the docker, it seems it is creating a new set of keys.

 

ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
================================================================================
Running: /usr/sbin/sshd -D -e -p 22                                              
================================================================================
================================================================================
Running: /usr/sbin/sshd -D -e -p 22                                              
================================================================================
================================================================================
Running: /usr/sbin/sshd -D -e -p 22                                              
================================================================================
Connection closed by 192.168.1.180 port 51014 [preauth]
Connection closed by 192.168.1.180 port 50974 [preauth]

You must paste the public key into the Docker template. The private key is for the client only.

Look at the example in the documentation from @mgutt

So, when I do the following command, I get

 

ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oerdem19/.ssh/id_rsa):
/home/oerdem19/.ssh/id_rsa already exists.
Overwrite (y/n)?
 

cat /home/oerdem19/.ssh/id_rsa

 

cat /home/oerdem19/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----

...

-----END OPENSSH PRIVATE KEY-----

 

Then I copy everything  between begin and to Key 1.

 

Does it look correct?

 

When I dry run, I am still getting the following error:

 

The authenticity of host '[192.168.1.175]:5533 ([192.168.1.175]:5533)' can't be established.
ECDSA key fingerprint is SHA256:AnXlxkDI82ozd7TEIYiq9osc+9R080KgCVgsavKT8YY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(235) [Receiver=3.1.3]

 

 

You copied the private key to the rsync Docker template. You must use the public key without

1 hour ago, oerdem19 said:

-----BEGIN OPENSSH PRIVATE KEY-----

...

-----END OPENSSH PRIVATE KEY-----

 

This is mostly named with _pub in the filename or an equivalent of this.
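The mix-ups described in the posts above (private key material, or a key wrapped in quotes, pasted into SSH_AUTH_KEY_1) can be caught before the container is started. This is an added example, not part of the thread or of the eea.docker.rsync project; the function name `classify_auth_key` is hypothetical and only three common key types are covered.

```shell
#!/bin/sh
# Added example: pre-flight check for a value destined for SSH_AUTH_KEY_n.
# classify_auth_key (hypothetical name) prints a verdict and returns 0
# only when the value looks like a single OpenSSH public key line.
classify_auth_key() {
    value=$1
    nl='
'
    case $value in
        *"PRIVATE KEY"*|b3BlbnNzaC1rZXktdjE*)
            # id_rsa content, with or without the BEGIN/END lines
            # ("b3Blbn..." is base64 for the "openssh-key-v1" header)
            echo private; return 1 ;;
        \"*|\'*)
            echo quoted; return 1 ;;      # quotes pasted around the key
        *"$nl"*)
            echo multiline; return 1 ;;   # a public key is exactly one line
    esac
    # Split "type blob [comment]" without glob expansion.
    set -f; set -- $value; set +f
    ktype=${1:-} blob=${2:-}
    # The base64 blob repeats the key type, so each type has a fixed prefix.
    case $ktype in
        ssh-rsa)             want=AAAAB3NzaC1yc2E ;;
        ssh-ed25519)         want=AAAAC3NzaC1lZDI1NTE5 ;;
        ecdsa-sha2-nistp256) want=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
        *) echo unknown-type; return 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo invalid; return 1 ;;   # not base64
        "$want"*)          echo public; return 0 ;;
        *)                 echo mismatch; return 1 ;;  # type and blob disagree
    esac
}
# Usage: classify_auth_key "$(cat ~/.ssh/id_rsa.pub)"
```

Only a value that yields `public` belongs in the template; a `private` verdict means the private key was pasted, and it should stay on the client.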

Thank you for your answer. I was able to connect to the server.

I am getting permission error now. What I would like to do is, copy files from remote client to home unraid server.

 

 


rsync: chown "/mnt/user/Taq/2022/." failed: Read-only file system (30)
rsync: mkstemp "/mnt/user/Taq/2022/.testdelete.txt.XXXXXX" failed: Read-only file system (30)

 

Anything that I can do to give write permission to write to the server?

Is the Privileged: option for that purpose?

 

Thank you.

 

 

  • Author
36 minutes ago, oerdem19 said:

Anything that I can do to give write permission to write to the server?

Edit the path in the container settings and change to read/write. But note: With great power comes great responsibility. If you use this container to write backups to unRAID, you should think about what an attacker could do if they control your source machine (like deleting all backups etc).

 

Thank you very much for your advice. I will turn it on and off when I need to write a file to the server only.

Thank you again for Rsync server.

 

 

 

  • 3 months later...

Hi @mgutt!
I'm thinking about using this container, to make my Unraid-Server a Hyper Backup target for my Synology NAS.

Is this possible?

 

Right now I'm using this solution:

Works well, except for the fact that my Unraid server occasionally runs out of memory when connecting via rsync...

 

Thanks!

Edited by Jaytie

  • 1 month later...

I just installed rsync using some nerd-pack. Way easier.. Entire docker engines plus its dependencies for just rsync is way overkill. Plus you have to work around the fact that the actual server is not the actual server, but behind a bridge/vnode with translated ports etc.

  • Author
6 hours ago, fluisterben said:

Entire docker engines plus its dependencies for just rsync is way overkill

The Docker Engine is already running, or don't you have any dockers? And a container itself does not produce any relevant overhead, as processes are executed natively on the host. Which means: it's absolutely the same running an application inside a container or on the host. But there is a major impact on security. Using the Unraid root login on an external server is kinda risky, not to say dumb. Even if you use SSH public key exchange, you finally allow the external machine to act as root user on your Unraid server. One of the reasons why I'm using the rsync container is to mount any path read-only. By that I'm able to pull all files, without being able to delete/change them, which makes it safe against ransomware attacks. Conclusion: Security > Comfort.

  • 7 months later...


 Permission denied (publickey,keyboard-interactive).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(231) [Receiver=3.2.7]

Not able to sign in after I add the pub key to the docker image.

 

  • 3 months later...

Is this still being updated? The last update looks to have been about a year and a half ago, making the Alpine version it's based on rather old now. It's using 3.12 when current is 3.19. I'd like to use this for my off-site backup but am a bit apprehensive due to this.

 

There looks to be someone maintaining a fork with a bot that updates the Alpine version which the EEA doesn't appear to have done for 4 years. https://github.com/mtandersson/eea.docker.rsync

  • Author

I don't really understand why they even limit the version so exactly. But yes, you are right, there is a more recent version available:

https://hub.docker.com/r/mtand/rsync

 

Of course you can easily change the source in the docker template to use this version.

Yes, I can confirm switching to that repository works, not sure how I missed it on docker hub before. Thanks!

15 hours ago, mgutt said:

I don't really understand why they even limit the version so exactly. But yes, you are right, there is a more recent version available:

https://hub.docker.com/r/mtand/rsync

 

Of course you can easily change the source in the docker template to use this version.

Can you update the Template for all? Or is there something against it and is that why you chose the current source back then?

  • 2 months later...

I am looking for a viable solution to do a local backup of data on my Synology NAS to my Unraid box. I'd like to test the rsync options, but the setup on the Synology requests a user/password. I've noticed that some of the other docker images for an rsync-server include username/password fields. Thoughts?
