From fa4f399740c48c5b34ce9fa785b8faf468fa0df9 Mon Sep 17 00:00:00 2001
From: Werner Beroux
Date: Sat, 23 Jan 2016 02:18:13 +0100
Subject: [PATCH] Run a random user by default and add rsync support and example.
---
 Dockerfile | 5 ++++-
 README.md | 17 +++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bf19ec0..d859de0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,17 @@
 FROM alpine:3.3
-RUN apk add --update duplicity openssl py-crypto py-pip \
+RUN apk add --update duplicity openssh openssl py-crypto py-pip rsync \
 && pip install pydrive==1.0.1 \
 && apk del --purge py-pip \
 && rm /var/cache/apk/* \
+ && adduser -D -u 1896 duplicity \
 && mkdir -p /home/duplicity/.cache/duplicity \
 && chmod go+rwx /home/duplicity/.cache/duplicity
 ENV HOME=/home/duplicity
 VOLUME /home/duplicity/.cache/duplicity
+
+USER duplicity
 CMD ["duplicity"]
diff --git a/README.md b/README.md
index 4ee993e..581f189 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Features of this Docker image:
 * **Small**: Built using [alpine](https://hub.docker.com/_/alpine/).
 * **Simple**: Most common cases are explained below and require minimal setup.
- * **Secure**: Runs as any user (so pic any random UID or run as your user which avoids to run as `root` which isn't the safest).
+ * **Secure**: Runs non-root by default (use randomly chosen UID `1896`), and meant to run as any user.
 ## Usage
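Review bot: In the Dockerfile hunk, the changed `RUN apk add` line installs the full `openssh` package, which as far as I know also brings in the `sshd` server, while the rsync-over-SSH case this commit documents only needs the client binaries. Installing the client subpackage instead (assuming the Alpine 3.3 repository provides `openssh-client`) keeps a daemon out of a backup image: `RUN apk add --update duplicity openssh-client openssl py-crypto py-pip rsync \`. Separately, `mkdir -p` still runs as root after the new `adduser`, so `/home/duplicity/.cache` stays root-owned and the default `duplicity` user can write to the cache only through the existing `chmod go+rwx`. Adding `&& chown -R duplicity /home/duplicity/.cache \` to the same `RUN` would make the ownership explicit, and a short comment should say the world-writable mode is kept on purpose for arbitrary `--user` UIDs.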
@@ -77,7 +77,20 @@ To **restore**, you'll need:
 ### Backup via rsync example
-**TODO**
+Supposing you've an **SSH** access to some machine, you can:
+
+ $ docker run --rm -it --user root \
+ -e PASSPHRASE=P4ssw0rd \
+ -v /:/data:ro \
+ -v ~/.ssh/id_rsa:/id_rsa:ro \
+ -v ~/.ssh/known_hosts:/etc/ssh/ssh_known_hosts:ro \
+ wernight/duplicity \
+ duplicity --rsync-options='-e "ssh -i /id_rsa"' /data rsync://user@example.com/some_dir
+
+Note: We're running here as `root` to have access to `~/.ssh` and also because ssh does not
+allow to use a random (non-locally existing) UID. To make it safer, you can copy your `~/.ssh`
+and `chown 1896` it (that is `duplicity` UID within the container). If you know a another way to avoid
+the "No user exists for uid" check, please let me know.
 ### More help