Description
Hello,
I would like to propose a feature request regarding the availability of a Docker image for the Remote Storage (SSH) component.
Context
Currently, when deploying the server stack using Docker, there is a limitation similar to the one encountered with the server agent: it does not allow installing additional packages, but it does support running Docker images.
Request
It would be very helpful to have an official Docker image for the Remote Storage (SSH), ideally maintained within this project.
Use Case
[AI: Sonnet 4.6 Adaptive]
Benefits
- Simplifies deployment by relying entirely on Docker images
- Avoids the need to manually install dependencies or packages
- Ensures consistency across environments
- Allows managing the full stack with a single "dev" workflow
Use Case
My setup includes three different NAS / storage devices running on very different platforms:
| Device | OS / Platform | Docker support |
| --- | --- | --- |
| Ugreen DH2300 | UGOS Pro (Debian-based) | ✅ Native |
| Synology DS115 | DSM (old, armv5) | ✅ Docker (limited) |
| TrueNAS | TrueNAS SCALE | ✅ via Apps |
None of these platforms share a common package manager or a guaranteed way to install arbitrary software. However, all three support running Docker containers. A dedicated Docker image for the Remote Storage (SSH) component would therefore be the only practical common denominator across this kind of heterogeneous environment, without requiring any platform-specific setup.
Proposed Implementation
To illustrate what such an image could look like, I put together a working proof-of-concept that could serve as a starting point or reference for an official image.
Stack overview:
- Base image: `alpine:3.21` (minimal footprint, works on amd64 / arm64 / armv7)
- Packages: `borgbackup`, `openssh`, `tini`
- Dedicated non-root `borg` user; no shell access for clients
- SSH hardened: public-key only, modern ciphers (`curve25519`, `chacha20-poly1305`), all forwarding disabled
- Per-client isolation via `command="borg serve --restrict-to-path /backup/<client>"` + `restrict` in `authorized_keys`
- Optional `--append-only` and `--storage-quota` per client
- SSH host keys persisted in a dedicated Docker volume (stable fingerprint across restarts)
- Healthcheck, `cap_drop: ALL`, `no-new-privileges` out of the box
docker-compose.yml outline:
```yaml
services:
  borg-server:
    build: .
    restart: unless-stopped
    ports:
      - "${SSH_PORT:-2222}:22"
    volumes:
      - borg-repos:/backup  # persistent repositories
      - ssh-host-keys:/etc/ssh/host_keys
      - ./authorized_keys:/etc/borg/authorized_keys:ro
    cap_drop: [ALL]
    cap_add: [SETUID, SETGID, NET_BIND_SERVICE, DAC_READ_SEARCH, AUDIT_WRITE]
    security_opt:
      - no-new-privileges:true

volumes:
  borg-repos:
  ssh-host-keys:
```
Client-side usage (once the container is running):
```bash
export BORG_RSH="ssh -p 2222 -i ~/.ssh/id_ed25519"
borg init --encryption=repokey-blake2 ssh://borg@<host>/backup/laptop
borg create ssh://borg@<host>/backup/laptop::{hostname}-{now:%Y-%m-%dT%H:%M} ~/Documents
```
I am happy to share the full source (Dockerfile, sshd_config, entrypoint) if it would be useful as a reference, or to iterate on the design to align with the project's conventions.
Thank you for considering this request.
Alternatives Considered
No response
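The per-client isolation described in the stack overview depends on every line of the mounted `authorized_keys` carrying both `restrict` and a forced `borg serve --restrict-to-path` command. The following audit script is an added example, not part of the issue or the project's code; the function names, the `/backup` root taken from the compose outline, and the sample file are assumptions made for illustration, and `REENABLE` lists the sshd options that switch a feature back on after `restrict`.

```python
import posixpath
import shlex
REPO_ROOT = "/backup"  # repository mount point from the compose outline
REENABLE = {"pty", "port-forwarding", "agent-forwarding", "x11-forwarding", "user-rc"}
# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = '''\
command="borg serve --restrict-to-path /backup/laptop --append-only",restrict ssh-ed25519 AAAA...constructed laptop
command="borg serve --restrict-to-path /backup/nas",restrict,pty ssh-ed25519 AAAA...constructed nas
command="borg serve --restrict-to-path /backup/../etc" ssh-ed25519 AAAA...constructed odd
ssh-ed25519 AAAA...constructed admin
'''

def parse_options(line):
    """Return {option: value} for one authorized_keys line, honouring quotes."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):  # key type first: no options
        return {}
    opts, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch.isspace() and not quoted:
            break  # the options field ends at the first unquoted blank
        else:
            cur += ch if quoted else ch.lower()  # option names are case-insensitive
    return dict(o.partition("=")[::2] for o in opts + [cur])

def audit(text):
    """Return (line_no, problem) pairs for a borg-server authorized_keys file."""
    findings, owners, flag = [], {}, "--restrict-to-path"
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts = parse_options(raw.strip())
        if "restrict" not in opts:
            findings.append((n, "missing restrict"))
        findings += [(n, f"{o} re-enabled") for o in sorted(REENABLE & opts.keys())]
        argv = shlex.split(opts.get("command", ""))
        if argv[:2] != ["borg", "serve"] or flag not in argv[:-1]:
            findings.append((n, "no forced borg serve --restrict-to-path"))
            continue
        path = posixpath.normpath(argv[argv.index(flag) + 1])
        if not path.startswith(REPO_ROOT + "/"):
            findings.append((n, f"path {path} outside {REPO_ROOT}/<client>"))
        elif path in owners:
            findings.append((n, f"path shared with line {owners[path]}"))
        owners.setdefault(path, n)
    return findings
```

Running `audit()` over the file before the container starts, and failing the start when it returns anything, keeps a key without a forced command from reaching sshd.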