.png)
This system is designed to be kept in two parts,
1> a docker container run on a schedule
2> a backup config/target git repo stored on a server
The docker part
The docker file is as follows, and its resultant image is intended to be run under rancher (as this provides secrets management)
FROM alpine:latest RUN mkdir /root/.ssh && chmod 700 /root/.ssh RUN echo "[git host puplic key 2]" > /root/.ssh/known_hosts RUN echo "[git host puplic key 2]" >> /root/.ssh/known_hosts ...[more server public key lines here if required]... RUN chmod 644 /root/.ssh/known_hosts RUN apk update && apk upgrade && apk add openssh git curl gnupg sshpass bash nano netcat-openbsd RUN mkdir /scripts COPY docker-scripts/pullconfigs.sh /scripts/pullconfigs.sh COPY docker-scripts/ssh-config /root/.ssh/config COPY docker-scripts/decode-sshkey.sh /scripts/decode-sshkey.sh COPY docker-scripts/seal-sshkey.sh /scripts/seal-sshkey.sh COPY resources/sshkey.ssh.gpg /root/sshkey.ssh.gpg RUN chmod 600 /root/.ssh/config RUN mkdir /secure-configyou need to set the public key strings of your target git server(s) in this file as if they are not pre-authorised then the git commands used by the created container will not work as they will prompt for key trust.
The scripts/config files added to the docker image are as follows:
pullconfigs.sh
#!/bin/bash /scripts/decode-sshkey.sh rm -rf /infrastructure-configs mkdir /infrastructure-configs export gitbackupdir="/infrastructure-configs" date=$(date +%s) cd $gitbackupdir git clone [git target for backup of configs] ./ ./backup-config/config-backup.sh /scripts/seal-sshkey.shyou need to set the git target of your backup repo in this file
This script
> triggers decoding of the ssh private key used for accessing the backup repo
> sets up the base folder for cloning the the backup repo into (including folder cleanup of any old files etc.)
> clones the backup repo
> triggers the backup script from the backup repo
> reseals the backup repo ssh access key
decode-sshkey.sh
#! /bin/sh mkdir /root/.ssh chmod 700 /root/.ssh cat /run/secrets/decode-pw | gpg --batch --passphrase-fd -d --output /root/.ssh/id_rsa /root/sshkey.ssh.gpg chmod 600 /root/.ssh/id_rsaThis script
> cleans up and makes the needed folder & file structures to host the private ssh key used to access the backup repo ssh key
> decodes the backup repo ssh key using the password provided in '/run/secrets/decode-pw' within the running docker container instance
seal-sshkey.sh
#! /bin/sh rm -f /root/.ssh/id_rsaThis script
> removes the runtime instance of the ssh private key used to access the backup repo
sshkey.ssh.gpg
This is the gpg encoded version of the private ssh key used to access the backup repo, it should be gpg encoded such that a password can be used to decode it
The backup repo part
The backup repo should have the following folder/file structure
[repo root]
|-------[backup-config]
| |------------ code.gpg
| |------------ targets
| |------------ username
| |------------ config-backup.sh
|
|-------[backups]
The folder 'backups', and files 'code.gpg', 'targets' and 'username' are all optional and dependent on what is in the 'config-backup.sh' file.
NOTE: it is strongly recommended to encode the password or access key for the target network equipment
in this version 'code.gpg' contains a gpg encoded password to login to the network equipment, targets is a list of IPs of equipment to login to and username is the username to login to the equipment with.
config-backup.sh
git config --global user.email "[email address for your backup user]"
git config --global user.name "[name for your backup user]"
file1="$gitbackupdir/backup-config/targets"
read -d $'\x04' targets < "$file1"
file2="$gitbackupdir/backup-config/username"
read -d $'\x04' username < "$file2"
password=$(cat /run/secrets/net-access-decode-pw | gpg --batch --passphrase-fd -o- -d /infrastructure-configs/backup-config/code.gpg)
echo "backing up targets - "
echo $targets
echo "using account - "
echo $username
echo ""
echo "---------------------------------"
echo "-- starting config acquisition --"
echo ""
for device in $targets ; do
# Copy startup and running config to git repo
mkdir -p $gitbackupdir/backups/$device
echo $device
sshpass -p $password scp $username@$device:system:/running-config $gitbackupdir/backups/$device/running-config
sshpass -p $password scp $username@$device:startup-config $gitbackupdir/backups/$device/startup-config
done
echo ""
echo "-- config aquisition completed --"
echo ""
echo "-- uploading configs to github --"
echo ""
cd $gitbackupdir
git add .
git commit -m "Config backup from $(date)"
git push
echo""
echo "-- upload config to git completed --"