emberstack / docker-sftp
SFTP Server for Docker
License: MIT License
I am trying to override sftp.json to create a user able to access other users' directories.
My file:
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": ["sftp"]
  },
  "Users": [
    {
      "Username": "toto",
      "Password": "titi"
    },
    {
      "Username": "master",
      "Password": "password",
      "Chroot": {
        "Directory": "/",
        "StartPath": "/"
      }
    }
  ]
}
If you have a suggestion.
Hi,
After installing the emberstack/sftp helm chart, the pod is crashing with the error below. Can you please help me understand what is missing?
019-12-17 14:55:27.094 [INF] (ES.SFTP.Host.Program) Starting host
2019-12-17 14:55:27.398 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://[::]:80
2019-12-17 14:55:27.401 [DBG] (ES.SFTP.Host.HostedService) Starting
2019-12-17 14:55:27.402 [DBG] (ES.SFTP.Host.Orchestrator) Starting
2019-12-17 14:55:27.428 [FTL] (ES.SFTP.Host.Program) Host terminated unexpectedly
System.IO.FileNotFoundException: Could not find file '/app/config/sssd.conf'.
File name: '/app/config/sssd.conf'
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
at System.IO.FileStream.OpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.FileSystem.CopyFile(String sourceFullPath, String destFullPath, Boolean overwrite)
at System.IO.File.Copy(String sourceFileName, String destFileName, Boolean overwrite)
at ES.SFTP.Host.Orchestrator.ConfigureAuthentication() in /src/ES.SFTP.Host/Orchestrator.cs:line 92
at ES.SFTP.Host.Orchestrator.Start() in /src/ES.SFTP.Host/Orchestrator.cs:line 62
at ES.SFTP.Host.HostedService.StartAsync(CancellationToken cancellationToken) in /src/ES.SFTP.Host/HostedService.cs:line 25
at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at ES.SFTP.Host.Program.Main(String[] args) in /src/ES.SFTP.Host/Program.cs:line 33
Thanks & Regards
Is it possible to set this setting? I can't find info in the documentation.
I wonder if there is a way to not have the fingerprint change each time I restart the pod. I did specify a server private key, and I'm using a stable host name.
Hi,
I am trying to add an additional volume which comes from GlusterFS with the default configuration. It works.
But when I try to add a custom configuration, even with the sample file without modifying it, it throws the error RunContainerError.
The error message is below:
Warning Failed 25s kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Error: failed to start container "sftp": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused "rootfs_linux.go:58: mounting \"/var/lib/kubelet/pods/41572663-5c97-11ea-9ad4-067a0ef083a0/volume-subpaths/sftp-json/sftp/0\" to rootfs \"/var/lib/docker/overlay2/9dc5cc60e7ffee5bd6df43b291b4ee1c4867ff98aac6ae897cd2029ea39776b4/merged\" at \"/var/lib/docker/overlay2/9dc5cc60e7ffee5bd6df43b291b4ee1c4867ff98aac6ae897cd2029ea39776b4/merged/app/config\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Warning Failed 24s kubelet, ip-x-x-x-x.xx-south-1.compute.internal Error: failed to start container "sftp": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused "rootfs_linux.go:58: mounting \"/var/lib/kubelet/pods/41572663-5c97-11ea-9ad4-067a0ef083a0/volume-subpaths/sftp-json/sftp/0\" to rootfs \"/var/lib/docker/overlay2/686ee2e095418bac1d040fc4d069628cd8b705514c1946266acdc9d3e62e10ca/merged\" at \"/var/lib/docker/overlay2/686ee2e095418bac1d040fc4d069628cd8b705514c1946266acdc9d3e62e10ca/merged/app/config\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Normal Pulled 11s (x3 over 25s) kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Container image "emberstack/sftp:2.0.4" already present on machine
Normal Created 11s (x3 over 25s) kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Created container
Warning Failed 11s kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Error: failed to start container "sftp": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused "rootfs_linux.go:58: mounting \"/var/lib/kubelet/pods/41572663-5c97-11ea-9ad4-067a0ef083a0/volume-subpaths/sftp-json/sftp/0\" to rootfs \"/var/lib/docker/overlay2/6eb97b75022fa6e565b40bbef27f82f69d6f4cb167a7b2894d4e944d90abfd60/merged\" at \"/var/lib/docker/overlay2/6eb97b75022fa6e565b40bbef27f82f69d6f4cb167a7b2894d4e944d90abfd60/merged/app/config\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Warning BackOff 3s (x2 over 4s) kubelet, ip-xx-xx-xx.xx.xx-south-1.compute.internal Back-off restarting failed container
Hi, I wanted to discuss something with you in Slack regarding the other issue #52 but the invite link has expired.
Hi. As the advanced options instructions are not ready, I am wondering if you can advise.
For an sftp user, if you only want to give them read access to a different directory mounted within that server, what is the optimal way to do this?
e.g. give access to /home/user/pictures/picture5 (and everything underneath picture5)
In this example they would NOT have their "own" sftp space either, so the above is the only data to their access.
Also, is there a way to prevent password changing (think a public distribution site for data)?
(Slowly learning Docker etc, so please "be gentle" with the reply) :)
We would like to create multiple users, multiple directories and a single persistence. Users should share directories and the files inside them. But the result was different: directories were created in every user's folder separately. Could you please help?
Our helm command:
helm install sftp \
  --namespace=sftp \
  --set image.tag=latest \
  --set configuration.Global.Directories="{foldera,folderb,folderc}" \
  --set configuration.Users[0].Username=userx \
  --set configuration.Users[0].Password=abkft \
  --set configuration.Users[0].Chroot=%h \
  --set configuration.Users[1].Username=usery \
  --set configuration.Users[1].Password=iij3j \
  --set configuration.Users[1].Chroot=%h \
  --set storage.volumes[0].name=sftp-data \
  --set storage.volumes[0].persistentVolumeClaim.claimName=pvc-sftp \
  --set storage.volumeMounts[0].name=sftp-data \
  --set storage.volumeMounts[0].mountPath=/home/userx
Emberstack/sftp
Hi guys,
I am a bit new with Helm charts and was giving yours a try.
Installing this chart on a Minikube running on macOS with the following configuration in the chart values:
configuration:
  Global:
    Chroot:
      Directory: "%h"
      StartPath: "sftp"
    Directories: "sftp"
  Users:
    Username: "demo"
    Password: "demo"
Just trying to reproduce your default configuration (I tried other users as well) and all seems fine apart from the fact that when typing the password the login will not work.
This is the config mounted in the container:
root@sftp-646d99b78c-wrq74:/app# cat config/sftp.json
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": "sftp"
  },
  "Users": {
    "Password": "demo",
    "Username": "demo"
  }
}
This is the log message from dmesg:
[55973.919899] audit: type=1112 audit(1590171434.045:478): pid=27807 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=172.17.0.1 terminal=sshd res=failed'
[55974.845652] audit: type=1109 audit(1590171434.971:479): pid=27807 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=172.17.0.1 addr=172.17.0.1 terminal=ssh res=failed'
Any help appreciated to understand if I am missing something stupid.
Thanks
Marco
Hello,
this is the problem:
When I set a custom GID (33) and I create a new file with the sftp client, that file gets created with the group 1001.
On the other hand, the custom UID works: the file gets created with the owner that is set in the config (33).
This is my config file:
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": ["sftp"]
  },
  "Users": [
    {
      "Username": "user",
      "Password": "pass",
      "UID": "33",
      "GID": "33"
    }
  ]
}
Hi, it's a feature request.
Now, when we set a custom username and password in the configuration section, the username and password go in plain text. Is there any way to configure them as a secret? If not, how do we store an encrypted password using configuration.Users[].PasswordIsEncrypted?
Even though it's sftp, why do we need to keep the username and password in plain text?
Docker-sftp doesn't work inside a pod on OpenShift 4
I have the exception below during docker-sftp start on OpenShift 4 (but it works fine on OpenShift 3):
2020-09-15 12:17:05.747 [INF] (ES.SFTP.Host.Program) Starting host
2020-09-15 12:17:06.091 [WRN] (Microsoft.AspNetCore.Server.Kestrel) Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
2020-09-15 12:17:06.100 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://0.0.0.0:25080
2020-09-15 12:17:06.101 [DBG] (ES.SFTP.Host.HostedService) Starting
2020-09-15 12:17:06.102 [DBG] (ES.SFTP.Host.Orchestrator) Starting
2020-09-15 12:17:06.153 [FTL] (ES.SFTP.Host.Program) Host terminated unexpectedly
System.UnauthorizedAccessException: Access to the path '/etc/sssd/sssd.conf' is denied.
---> System.IO.IOException: Permission denied
--- End of inner exception stack trace ---
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
at System.IO.FileStream.OpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.FileSystem.CopyFile(String sourceFullPath, String destFullPath, Boolean overwrite)
at System.IO.File.Copy(String sourceFileName, String destFileName, Boolean overwrite)
at ES.SFTP.Host.Orchestrator.ConfigureAuthentication() in /src/ES.SFTP.Host/Orchestrator.cs:line 93
at ES.SFTP.Host.Orchestrator.Start() in /src/ES.SFTP.Host/Orchestrator.cs:line 63
at ES.SFTP.Host.HostedService.StartAsync(CancellationToken cancellationToken) in /src/ES.SFTP.Host/HostedService.cs:line 25
at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at ES.SFTP.Host.Program.Main(String[] args) in /src/ES.SFTP.Host/Program.cs:line 33
Can I somehow configure docker-sftp to store all its files inside the "/tmp" directory? It seems that in OpenShift 4 there are rights to create and edit files only inside the "/tmp" directory.
Hello,
the hooks are not running on pod startup with the latest version of the Helm charts.
Config section in values.yaml:
Global:
  Hooks:
    - OnServerStartup:
      - onStartup.sh : |
          #!/bin/bash
          echo "SSH service startup hook completed."
Startup logs:
2020-12-30 12:18:02.513 [INF] (ES.SFTP.Host.Program) Starting host
2020-12-30 12:18:03.083 [WRN] (Microsoft.AspNetCore.Server.Kestrel) Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
2020-12-30 12:18:03.098 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://0.0.0.0:25080
2020-12-30 12:18:03.099 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Starting
2020-12-30 12:18:03.103 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Validating and updating configuration
2020-12-30 12:18:03.116 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Configuration contains '6' user(s)
2020-12-30 12:18:03.117 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Started
2020-12-30 12:18:03.119 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Starting
2020-12-30 12:18:03.119 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Stopping SSSD service
2020-12-30 12:18:03.138 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Applying SSSD configuration
2020-12-30 12:18:03.143 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Installing PAM hook
2020-12-30 12:18:03.178 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Restarting SSSD service
2020-12-30 12:18:03.286 [INF] (ES.SFTP.Host.Security.AuthenticationService) Started
2020-12-30 12:18:03.288 [DBG] (ES.SFTP.Host.Security.UserManagementService) Starting
2020-12-30 12:18:03.288 [DBG] (ES.SFTP.Host.Security.UserManagementService) Ensuring '/home' directory exists and has correct permissions
2020-12-30 12:18:03.290 [DBG] (ES.SFTP.Host.Security.UserManagementService) Ensuring group 'sftp-user-inventory' exists
2020-12-30 12:18:03.293 [INF] (ES.SFTP.Host.Security.UserManagementService) Creating group 'sftp-user-inventory'
2020-12-30 12:18:03.369 [INF] (ES.SFTP.Host.Security.UserManagementService) Synchronizing users and groups
2020-12-30 12:18:03.373 [INF] (ES.SFTP.Host.Security.UserManagementService) Processing user 'user1'
2020-12-30 12:18:03.376 [DBG] (ES.SFTP.Host.Security.UserManagementService) Creating user 'user1'
2020-12-30 12:18:03.480 [DBG] (ES.SFTP.Host.Security.UserManagementService) Adding user 'user1' to 'sftp-user-inventory'
2020-12-30 12:18:03.509 [DBG] (ES.SFTP.Host.Security.UserManagementService) Updating the password for user 'user1'
2020-12-30 12:18:03.534 [DBG] (ES.SFTP.Host.Security.UserManagementService) Updating the UID for user 'user1'
2020-12-30 12:18:03.650 [DBG] (ES.SFTP.Host.Security.UserManagementService) Creating group 'sftp-gid-1001' with GID '1001'
2020-12-30 12:18:03.678 [DBG] (ES.SFTP.Host.Security.UserManagementService) Adding user 'user1' to 'sftp-gid-1001'
2020-12-30 12:18:04.690 [INF] (ES.SFTP.Host.Security.UserManagementService) Started
2020-12-30 12:18:04.692 [DBG] (ES.SFTP.Host.SSH.SSHService) Starting
2020-12-30 12:18:04.701 [DBG] (ES.SFTP.Host.SSH.SSHService) Updating host key files
2020-12-30 12:18:04.702 [DBG] (ES.SFTP.Host.SSH.SSHService) Generating host key file '/etc/ssh/keys/ssh_host_ed25519_key'
2020-12-30 12:18:04.709 [DBG] (ES.SFTP.Host.SSH.SSHService) Generating host key file '/etc/ssh/keys/ssh_host_rsa_key'
2020-12-30 12:18:05.530 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_ed25519_key' to '/etc/ssh/ssh_host_ed25519_key'
2020-12-30 12:18:05.534 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_rsa_key' to '/etc/ssh/ssh_host_rsa_key'
2020-12-30 12:18:05.536 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_ed25519_key.pub' to '/etc/ssh/ssh_host_ed25519_key.pub'
2020-12-30 12:18:05.539 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_rsa_key.pub' to '/etc/ssh/ssh_host_rsa_key.pub'
2020-12-30 12:18:05.566 [INF] (ES.SFTP.Host.SSH.SSHService) Starting 'sshd' process
2020-12-30 12:18:05.576 [INF] (ES.SFTP.Host.SSH.SSHService) Started
2020-12-30 12:18:05.576 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on 0.0.0.0 port 22.
2020-12-30 12:18:05.576 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on :: port 22.
First of all, thank you for this useful image.
My only concern is if there is a workaround to store the password differently as it is stored in plain text on /app/config/sftp.json?
Thanks in advance,
William.
With SFTP we would like to connect to the ftp server using an ssh key file. Reading README.md gives us no instruction on how to configure a key for the demo user to connect.
Please share if you know how, thank you!
Add PVC object and integrate into deployment
Due to auto-creation of UIDs and GIDs in the container, permissions could be incorrectly mapped when files are persisted on the host.
Consider this example:
Host has the following users and groups:

| UID | Name |
|---|---|
| 1000 | root |
| 1001 | admin1 |
| 1002 | admin2 |
| 1003 | user1 |
| 1004 | user2 |

| GID | Name |
|---|---|
| 1000 | root |
| 1001 | admin_grp |
| 1002 | user_grp |
If this container is launched with a config specifying 2 users like this:
"Users": [
  {
    "Username": "user1",
    "Password": "pass1"
  },
  {
    "Username": "user2",
    "Password": "pass2"
  }
]
Then the container will contain the following groups:

| GID | Name |
|---|---|
| 1000 | sftp-user-inventory |
| 1001 | user1 |
| 1002 | user2 |
Files created by user1 in the container will be owned by admin1:admin_grp on the host.
Files created by user2 in the container will be owned by admin2:user_grp on the host.
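The mapping in the two tables above can be worked out before any file lands on the host. The following added example (not the project's code and not from this report) assumes the allocation the tables show, inventory group at 1000 and users numbered from 1001 with GID equal to UID, and uses constructed passwd/group data; it reports which host account would own each user's files and produces a config with UID/GID pinned to the matching host account.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Constructed host account tables mirroring the tables in the report above
# (passwd/group format: name:x:id:...). Sample data, not a real host.
HOST_PASSWD = """\
root:x:1000:1000::/root:/bin/bash
admin1:x:1001:1001::/home/admin1:/bin/bash
admin2:x:1002:1001::/home/admin2:/bin/bash
user1:x:1003:1002::/home/user1:/bin/bash
user2:x:1004:1002::/home/user2:/bin/bash
"""
HOST_GROUP = """\
root:x:1000:
admin_grp:x:1001:
user_grp:x:1002:
"""
# The two-user sftp.json from the report, with no explicit UID/GID.
SFTP_JSON = """\
{
  "Users": [
    {"Username": "user1", "Password": "pass1"},
    {"Username": "user2", "Password": "pass2"}
  ]
}
"""


def load_config(text: str = SFTP_JSON) -> dict:
    return json.loads(text)


def _rows(table: str) -> Iterator[List[str]]:
    """Split fields of each non-empty, non-comment passwd/group line."""
    for line in table.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def parse_passwd(table: str) -> Dict[str, Tuple[int, int]]:
    """name -> (uid, primary gid)."""
    return {f[0]: (int(f[2]), int(f[3])) for f in _rows(table)}


def parse_group(table: str) -> Dict[int, str]:
    """gid -> group name."""
    return {int(f[2]): f[0] for f in _rows(table)}


def predict_container_ids(config: dict, first_id: int = 1001) -> Dict[str, Tuple[int, int]]:
    """Predict the UID:GID each user gets inside the container.

    Assumption taken from the tables in the report, not from the project's
    source: users without an explicit UID are numbered sequentially from
    first_id, and an unspecified GID equals the UID. Explicit values win.
    """
    ids, next_id = {}, first_id
    for user in config["Users"]:
        if "UID" in user:
            uid = int(user["UID"])
        else:
            uid, next_id = next_id, next_id + 1
        gid = int(user["GID"]) if "GID" in user else uid
        ids[user["Username"]] = (uid, gid)
    return ids


def host_view(config: dict, passwd: str, group: str) -> Dict[str, Tuple[str, bool]]:
    """Per user: 'owner:group' as the host shows files that user creates,
    plus True when that owner is not the host account of the same name."""
    by_uid = {uid: name for name, (uid, _) in parse_passwd(passwd).items()}
    by_gid = parse_group(group)
    report = {}
    for name, (uid, gid) in predict_container_ids(config).items():
        owner = by_uid.get(uid, f"uid:{uid}")
        grp = by_gid.get(gid, f"gid:{gid}")
        report[name] = (f"{owner}:{grp}", owner != name)
    return report


def pin_ids(config: dict, passwd: str) -> dict:
    """Copy of the config with UID/GID pinned to the same-named host account,
    so persisted files keep the intended owner. Users with no host account
    are left untouched and still need a deliberate choice."""
    hosts = parse_passwd(passwd)
    pinned = dict(config)
    pinned["Users"] = []
    for user in config["Users"]:
        entry = dict(user)
        if user["Username"] in hosts:
            uid, gid = hosts[user["Username"]]
            entry["UID"], entry["GID"] = str(uid), str(gid)  # strings, as in sftp.json
        pinned["Users"].append(entry)
    return pinned
```

Running `host_view(load_config(), HOST_PASSWD, HOST_GROUP)` reproduces the report's outcome (user1's files show as admin1:admin_grp, user2's as admin2:user_grp), and `pin_ids` emits the config that avoids it.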
Is it possible to set the Banner message in SFTP at login (in sftp.json)?
With the config below, I am not able to log in as the user sftp-consumer-user
storage:
  volumeMounts:
    - name: sftp-persistent-volume
      mountPath: /home/sftp-consumer-user
  volumes:
    - name: sftp-persistent-volume
      persistentVolumeClaim:
        claimName: sftp-persistent-volume-claim
It seems that the Helm package version doesn't update values and trigger pod deployment properly. I am trying to update the user list through my values.yaml file. When run with '-f values.yaml' with an updated user list, it does pick up the new user list when I examine with 'helm get values', but the pod was not replaced and deployed with the new users. I will need to comment out my changes in the values yaml file to get the new pod created with the default 'demo' user first, and then update my user list again to create all my sftp user accounts?
It is as if it only refreshes the deployment when configuration/users changes from 'null' but NOT on updating members? I also noticed that when I tried producing a new Helm release with updated 'configuration\users', it always issues a warning of
coalesce.go:160: warning: skipped value for configuration: Not a table.
Is there something wrong with detecting changes in a YAML array data type like
configuration:
  Users:
    - Username: demo1
      Password: "demo1"
    - Username: demo2
      Password: "demo2"
The above should be properly indented YAML.
Please look at my Pull Request #51 before it gets closed
We used the docker-sftp helm chart and noticed that configuration changes were not automatically applied when we deployed the helm chart.
A good solution would be to add a config checksum as described here: https://helm.sh/docs/howto/charts_tips_and_tricks/
Like in atmoz/sftp, it is possible to add a string of user:pass as a command to the container.
Can the same be possible here?
Here is my configuration file.
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": ["sftp"]
  },
  "Users": [
    {
      "Username": "demo",
      "Password": "demo"
    },
    {
      "Username": "test",
      "Password": "test1234",
      "Chroot": {
        "Directory": "/data/assets",
        "StartPath": "sftp"
      }
    }
  ]
}
FYI following works:
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": ["sftp"]
  },
  "Users": [
    {
      "Username": "demo",
      "Password": "demo"
    },
    {
      "Username": "test",
      "Password": "test1234",
      "Chroot": {
        "Directory": "/data",
        "StartPath": "assets"
      }
    }
  ]
}
I want to make the base directory /data/assets, not /data.
Running the Docker container on a QNAP NAS (Container Station).
The problem is when I connect with my user from Acronis Backup and start a backup job: the backup runs a few minutes and after that it fails with a network error:
either with sshd - Received signal 15; terminating
or just
2020-07-14 06:50:24.878 [WRN] (ES.SFTP.Host.SSH.SSHService) 'sshd' process has stopped. Restarting process.
2020-07-14 06:50:24.878 [DBG] (ES.SFTP.Host.SSH.SSHService) Stopping 'sshd' process
2020-07-14 06:50:24.880 [INF] (ES.SFTP.Host.SSH.SSHService) Stopped 'sshd' process
Anyone has a hint or tip for me?
How can I use a storageClass to persist my data? I can not find any setting about that.
I need logs related to sftp actions, for example: rename, delete, upload, etc.
Is there any way to get these types of logs?
In service.yaml the service type NodePort can be set. However, this will assign a random port.
In order to specify a fixed port within the allowed port range it is required to set the nodePort in the values.yaml and render it in the template (see https://kubernetes.io/docs/concepts/services-networking/service/#nodeport).
values.yaml:
service:
  type: NodePort
  nodePort: 32222
service.yaml:
ports:
  - port: {{ .Values.service.port }}
    targetPort: ssh
    protocol: TCP
    name: ssh
    {{- if .Values.service.nodePort }}
    nodePort: {{ .Values.service.nodePort }}
    {{- end }}
I'd like to use your image as a sidecar to an existing web server container which already listens on port 80.
Is there any reason to EXPOSE port 80 here:
docker-sftp/src/ES.SFTP.Host/Dockerfile
Line 22 in f926252
Hello,
I'm currently trying to make atmoz/sftp containers work, which fails without each user having its own Azure File share mounted into the respective home directory (/home/user1, /home/user2). If I try to use a single share mounted as /Home then I'm getting a bad ownership or modes for chroot directory component "/home/" error when trying to authorize. Is it an SFTP issue, and not worth trying with this implementation since it will end up with the same issue, or is it doable?
Is there a solution for using Azure Files mounts in AKS? Getting the error below when trying to
sshd - bad ownership or modes for chroot directory component "/home/". Config is below:
containers:
  - name: sftp
    # change this
    image: emberstack/sftp:latest
    imagePullPolicy: Always
    ports:
      - containerPort: 22
    volumeMounts:
      - name: sftp-config
        mountPath: "/app/config/sftp.json"
        subPath: sftp.json
        readOnly: true
      - name: sftp
        mountPath: "/home/"
        readOnly: false
volumes:
  - name: sftp
    azureFile:
      secretName: fileshare-secret
      shareName: sftp
      readOnly: false
  - name: sftp-config
    secret:
      defaultMode: 0600
      secretName: sftp-secret
      items:
        - key: sftp.json
          path: sftp.json
I created the user public inside sftp.json and bound the volume on docker run with this option: -v /host/Public:/home/public/sftp:ro \
Please note the :ro option.
After running it, in the log of the container I find this exception:
2020-05-14 22:18:38.292 [INF] (ES.SFTP.Host.Orchestrator) Processing user 'public'
2020-05-14 22:18:38.301 [DBG] (ES.SFTP.Host.Orchestrator) Creating user 'public'
2020-05-14 22:18:38.994 [DBG] (ES.SFTP.Host.Orchestrator) Adding user 'public' to 'sftp-user-inventory'
2020-05-14 22:18:39.127 [DBG] (ES.SFTP.Host.Orchestrator) Updating the password for user 'public'
2020-05-14 22:18:39.326 [WRN] (ES.SFTP.Host.Orchestrator) Exception occured while setting permissions for '/home/public/sftp'
System.Exception: Process failed with exit code '1.
chown: changing ownership of '/home/public/sftp': Read-only file system'
at ES.SFTP.Host.Business.Interop.ProcessUtil.QuickRun(String filename, String arguments, Boolean throwOnError) in /src/ES.SFTP.Host/Business/Interop/ProcessUtil.cs:line 42
at ES.SFTP.Host.Orchestrator.PrepareUserForSftp(String username) in /src/ES.SFTP.Host/Orchestrator.cs:line 396
2020-05-14 22:18:39.448 [INF] (ES.SFTP.Host.Orchestrator) Starting 'sshd' process
Is there any other way to set a read only folder for a user?
Am I doing something wrong?
I am trying to mount a local directory with a structure as follows:
test/
-a/
-b/
--c/
Using the default configurations, I am starting my container like so:
docker run -p 22:22 emberstack/sftp --name sftp -v ./test:/home/demo/sftp
Everything spins up nicely but when I sftp into my demo user, the expected test/ directory structure is nowhere to be seen. What am I doing wrong?
The sftp connection succeeds randomly when the chart is used in a big Kubernetes cluster. This is very reproducible. It succeeds in less than 50% of cases.
Here are the logs:
$ sftp -v -P 222 XXXXX@YYYYYY
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/louisjulien/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to YYYYY port 222.
debug1: Connection established.
debug1: identity file /Users/louisjulien/.ssh/id_rsa type 0
debug1: identity file /Users/louisjulien/.ssh/id_rsa-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_dsa type -1
debug1: identity file /Users/louisjulien/.ssh/id_dsa-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_ecdsa type -1
debug1: identity file /Users/louisjulien/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_ed25519 type -1
debug1: identity file /Users/louisjulien/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_xmss type -1
debug1: identity file /Users/louisjulien/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
When it succeeds, it is followed by
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to YYYY:222 as 'XXX'
...[truncated]
When it fails, it is followed by
kex_exchange_identification: Connection closed by remote host
Connection closed
It happens when connecting from both outside and inside the docker or cluster.
It turns out it is due to MaxStartups being too low. In fact, Kubernetes opens lots of connections to check that the SFTP server is still up, and as the connection pool is quite small by default (10), new connections are rejected most of the time.
https://man7.org/linux/man-pages/man5/sshd_config.5.html
This has been confirmed by changing MaxStartups inside the config file in the docker container and sending a SIGHUP to sshd.
Here are the logs to get an idea of the load.
2021-01-25 12:23:36.059 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.29 port 7512
2021-01-25 12:23:36.324 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 58670
2021-01-25 12:23:36.421 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.8 port 38032
2021-01-25 12:23:36.476 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.31 port 21439
2021-01-25 12:23:36.736 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.25 port 1420
2021-01-25 12:23:37.130 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.18 port 47016
2021-01-25 12:23:37.427 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.17 port 2353
2021-01-25 12:23:37.506 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.7 port 38729
2021-01-25 12:23:38.109 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 32443
2021-01-25 12:23:38.241 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.32 port 8374
2021-01-25 12:23:38.313 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.24 port 63714
2021-01-25 12:23:38.520 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.6 port 30649
2021-01-25 12:23:39.422 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.19 port 32828
2021-01-25 12:23:39.799 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.33 port 48112
2021-01-25 12:23:40.471 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.22 port 23678
2021-01-25 12:23:40.633 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.28 port 4
Could it be possible to add MaxStartups as an option to the Helm charts? It seems not to be possible currently. Maybe it is worth adding other options at the same time. Propagating environment variables could also be an option.
Hi, is it the intended behavior to let the user upload a new authorized_keys file under its home folder?
Read-write permissions are set on the file.
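The MaxStartups explanation above can be checked against the log itself. The following added example (not the project's code and not from this report) parses a constructed sample of the "Did not receive identification string" lines, bins them per second as a rough stand-in for concurrent unauthenticated connections, and applies OpenSSH's documented start:rate:full refusal curve to show how close a probe storm gets to the limit.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape of the lines quoted in the report
# (addresses and timestamps are illustrative, not real hosts). One
# unrelated line is included to show that the filter ignores it.
SAMPLE_LOG = """\
2021-01-25 12:23:36.059 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.29 port 7512
2021-01-25 12:23:36.324 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 58670
2021-01-25 12:23:36.421 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.8 port 38032
2021-01-25 12:23:36.476 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.31 port 21439
2021-01-25 12:23:36.736 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.25 port 1420
2021-01-25 12:23:37.130 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.18 port 47016
2021-01-25 12:23:37.427 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Accepted publickey for demo from 10.1.1.50 port 40000 ssh2
2021-01-25 12:23:37.506 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.7 port 38729
"""

# A connection that closes before sending the SSH banner (a TCP liveness
# probe does exactly this) is logged by sshd with this message.
PROBE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ .*sshd - "
    r"Did not receive identification string from (?P<src>[\d.]+) port \d+$"
)


def parse_max_startups(value: str) -> Tuple[int, int, int]:
    """Parse sshd's MaxStartups 'start:rate:full' (the default is 10:30:100).
    A bare number N means start = full = N with rate 100, as sshd treats it."""
    parts = [int(p) for p in value.split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    start, rate, full = parts
    if start <= 0 or full < start or not 0 <= rate <= 100:
        raise ValueError(f"bad MaxStartups value: {value!r}")
    return start, rate, full


def drop_probability(startups: int, limits: Tuple[int, int, int]) -> float:
    """Percent chance that sshd refuses a new connection while `startups`
    unauthenticated connections are in progress: 0 below start, rate at
    start, rising linearly to 100 at full (OpenSSH's random early drop)."""
    start, rate, full = limits
    if startups < start:
        return 0.0
    if startups >= full:
        return 100.0
    return rate + (100 - rate) * (startups - start) / (full - start)


def probe_events(log: str) -> List[Tuple[str, str]]:
    """(second, source address) for each banner-less connection in the log."""
    events = []
    for line in log.splitlines():
        m = PROBE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("src")))
    return events


def assess(log: str, max_startups: str = "10:30:100") -> Dict[str, object]:
    """Summarise probe pressure and the refusal chance it implies.

    Approximation: connections logged within the same second are treated as
    overlapping, since each holds an sshd child until the peer closes.
    """
    events = probe_events(log)
    per_second = Counter(sec for sec, _ in events)
    peak_sec, peak = ("", 0)
    if per_second:
        peak_sec, peak = max(per_second.items(), key=lambda kv: kv[1])
    return {
        "probe_connections": len(events),
        "distinct_sources": len({src for _, src in events}),
        "peak_second": peak_sec,
        "peak_concurrent": peak,
        "drop_pct_at_peak": drop_probability(peak, parse_max_startups(max_startups)),
    }
```

`assess(SAMPLE_LOG)` stays at 0% under the default limits, while the same sample against a tight `MaxStartups 3:30:6` already refuses about three quarters of new connections at the peak second, which is the shape of failure the report describes on a large cluster.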
https://github.com/emberstack/docker-sftp/blob/master/src/ES.SFTP.Host/Orchestrator.cs#L419
Thanks!
Hi,
When I upload files in the standard configuration, the files are set to uid/gid 1000:1001. I changed the json config to use 444:444 instead, but when I upload files they get 444:1001. Why is the gid ignored, please?
My config:
cat /etc/sftp/sftpamsnor.json
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "upload"
    },
    "Directories": ["upload"]
  },
  "Users": [
    {
      "Username": "amsnor",
      "Password": "xxyyzz",
      "UID": "444",
      "GID": "444"
    }
  ]
}
cat /etc/init.d/sftpamsnor.sh
#!/bin/bash
#
# Start docker container for amsnor sftp upload
#
docker run \
-p 10328:22 \
-d \
--name sftpamsnor \
-v /etc/sftp/sftpamsnor.json:/app/config/sftp.json:ro \
-v /data/nfs/assets/amsnor:/home/amsnor/upload/assets \
-v /data/nfs/compliance/amsnor:/home/amsnor/upload/compliance \
-v /data/nfs/schedules/amsnor:/home/amsnor/upload/schedules \
emberstack/sftp
Hi!
I set up emberstack/sftp as an Azure Container Instance. I tried to configure public key authentication, but as soon as I set the password to "" or null I can't log in anymore.
Here is my configuration:
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": [
      "sftp"
    ],
    "HostKeys": {
      "Ed25519": "[MY HOST ED25519 PRIVATE KEY]",
      "Rsa": "[MY HOST RSA PRIVATE KEY]"
    }
  },
  "Users": [
    {
      "Username": "myuser",
      "Password": "",
      "PublicKeys": [
        "[MY USER PUBLIC KEY]"
      ]
    }
  ]
}
Log output when using sshfs:
2020-06-19 14:41:05.388 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:05.455 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Connection closed by authenticating user myuser 10.240.255.56 port 46479 [preauth]
2020-06-19 14:41:18.675 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:20.855 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:20.895 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Postponed keyboard-interactive for myuser from 10.240.255.56 port 59492 ssh2 [preauth]
2020-06-19 14:41:23.242 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:23.589 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Failed none for myuser from 10.240.255.56 port 59492 ssh2
2020-06-19 14:41:24.117 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Failed password for myuser from 10.240.255.56 port 59492 ssh2
2020-06-19 14:41:24.126 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - maximum authentication attempts exceeded for myuser from 10.240.255.56 port 59492 ssh2 [preauth]
2020-06-19 14:41:24.126 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Disconnecting authenticating user myuser 10.240.255.56 port 59492: Too many authentication failures [preauth]
When I use Filezilla, more or less the same thing happens.
EDIT: shortened log
Impossible to add file because folders have been created by root in my KUBERNETES cluster
# Default values for sftp.
replicaCount: 1
image:
  repository: emberstack/sftp
  pullPolicy: Always
configuration:
  Users:
    - Username: "foo"
      Password: "pass"
      Chroot: "%h"
      StartPath: "IOTA"
      Directories: ["exo"]
  Global:
    #Chroot:
    #  StartPath: "IOTA"
    Directories:
      - "IOTA/IN"
      - "IOTA/OK"
      - "IOTA/KO"
      - "IOTA/LOG"
storage:
  volumeMounts:
    - name: sftp-data
      mountPath: /home/foo/IOTA
  volumes:
    - name: sftp-data
      persistentVolumeClaim:
        claimName: sftp-data-pvc
service:
  type: ClusterIP
  port: 22
resources:
  limits:
    cpu: 400m
    memory: 300Mi
  requests:
    cpu: 100m
    memory: 128Mi
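The sftp.json and Helm `configuration:` blocks quoted in the issues above all share one shape (Global.Chroot with Directory/StartPath, Global.Directories, Global.HostKeys, and a Users list with Username/Password/PublicKeys and optional per-user Chroot), and several of the reports come down to a file that does not match it. The checker below is an added example, not the project's own validation: the schema it enforces is inferred from the configurations quoted on this page, the "[MY ... KEY]" placeholder detection mirrors the quoted key-only config, and the warning about a Chroot Directory of "/" is a defender-side caveat added here. Both sample inputs are constructed to mirror the quoted configs.

```python
import json

# Keys the configurations quoted on this page use; anything else is flagged.
USER_KEYS = {"Username", "Password", "PublicKeys", "Chroot", "Directories"}
CHROOT_KEYS = {"Directory", "StartPath"}


def _is_placeholder(value):
    # The quoted configs write "[MY ... KEY]" where real key material belongs;
    # a copy-pasted file often still carries these.
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def _check_chroot(where, chroot, findings):
    # Chroot is an object with Directory/StartPath in every quoted config;
    # a bare string (as in the Helm values above) is not the same thing.
    if not isinstance(chroot, dict):
        findings.append(f"{where}.Chroot must be an object with Directory/StartPath, "
                        f"got {type(chroot).__name__}")
        return
    unknown = sorted(set(chroot) - CHROOT_KEYS)
    if unknown:
        findings.append(f"{where}.Chroot has unknown keys {unknown}")
    if chroot.get("Directory") == "/":
        findings.append(f"{where}.Chroot.Directory is '/': the user sees the whole "
                        "container filesystem instead of the home directory")


def validate_sftp_config(cfg):
    """Return a list of findings; an empty list means the config passed every check."""
    findings = []
    if not isinstance(cfg, dict):
        return ["top level must be an object"]

    glob = cfg.get("Global") or {}
    if "Chroot" in glob:
        _check_chroot("Global", glob["Chroot"], findings)
    host_keys = glob.get("HostKeys") or {}
    for algo, key in host_keys.items():
        if not isinstance(key, str) or not key.strip() or _is_placeholder(key):
            findings.append(f"Global.HostKeys.{algo} is empty or still a placeholder")

    users = cfg.get("Users")
    if not isinstance(users, list) or not users:
        findings.append("Users must be a non-empty list")
        return findings
    seen = set()
    for i, user in enumerate(users):
        where = f"Users[{i}]"
        name = user.get("Username")
        if not name:
            findings.append(f"{where} has no Username")
        elif name in seen:
            findings.append(f"{where} duplicates Username {name!r}")
        seen.add(name)
        unknown = sorted(set(user) - USER_KEYS)
        if unknown:
            hint = " (StartPath belongs under Chroot)" if "StartPath" in unknown else ""
            findings.append(f"{where} has unknown keys {unknown}{hint}")
        keys = user.get("PublicKeys") or []
        bad_keys = [k for k in keys if _is_placeholder(k)]
        if bad_keys:
            findings.append(f"{where}.PublicKeys still contains placeholders {bad_keys}")
        if not user.get("Password") and not keys:
            findings.append(f"{where} has neither a Password nor PublicKeys, so nobody can log in")
        if "Chroot" in user:
            _check_chroot(where, user["Chroot"], findings)
    return findings


# Constructed sample 1: the shape of the key-only sftp.json quoted above,
# with the placeholders left in exactly as a copy-paste would leave them.
SAMPLE_KEY_ONLY = json.loads("""
{
  "Global": {
    "Chroot": {"Directory": "%h", "StartPath": "sftp"},
    "Directories": ["sftp"],
    "HostKeys": {"Ed25519": "[MY HOST ED25519 PRIVATE KEY]",
                 "Rsa": "[MY HOST RSA PRIVATE KEY]"}
  },
  "Users": [
    {"Username": "myuser", "Password": "", "PublicKeys": ["[MY USER PUBLIC KEY]"]}
  ]
}
""")

# Constructed sample 2: the Helm `configuration:` block quoted above, as the
# chart hands it to the application (Chroot given as a bare string).
SAMPLE_HELM = {
    "Users": [{"Username": "foo", "Password": "pass", "Chroot": "%h",
               "StartPath": "IOTA", "Directories": ["exo"]}],
    "Global": {"Directories": ["IOTA/IN", "IOTA/OK", "IOTA/KO", "IOTA/LOG"]},
}

if __name__ == "__main__":
    for label, sample in (("key-only sftp.json", SAMPLE_KEY_ONLY), ("helm values", SAMPLE_HELM)):
        print(label)
        for finding in validate_sftp_config(sample) or ["ok"]:
            print("  -", finding)
```

Run it against a real file with `validate_sftp_config(json.load(open("sftp.json")))` before mounting it; the Helm case shows how a string-valued `Chroot` and a top-level `StartPath` pass YAML parsing yet do not express any chroot at all.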
Can instructions be provided for vanilla Kubernetes deployments (without Helm).
I tried so many sets of config about chroot (directory/startpath + Directories) and I'm unable to match my basic requirements:
I think more examples of config based on defined use case could help.
I have my user set: USER
I mount in the container a folder from my disk: -v /home/USER:/mnt/user/share/SFTP
My folder /mnt/user/share is also accessed locally by Samba.
When I start the emberstack/docker-sftp container, it is changing the permissions of my folder /mnt/user/share/SFTP to 711 with owner root:root, so it is not accessible anymore through Samba.
How can I force which user the container is running as? (so I can set it to be my Samba user)
or
How can I set the permissions to remain unchanged or force them to 777 or 755?
At the moment it is needed to mount the config file as follows:
-v /host/sftp.json:/app/config/sftp.json:ro
Problem: Docker will create an empty dir named "sftp.json/" if the file is not present.
Instead I would like to see mounting the config dir:
-v /host/config/:/app/config/:rw
And if no sftp.json is present, it should create an example of sftp.json and sssd.conf in this dir.
By that it would be easier to use this container.
Hello, I discovered this nice server; unfortunately the advanced configuration is not written yet.
How can I add another user with a different path access?
Hi,
I'm trying to change the default login/password using Helm. I use this values file:
configuration:
  Users:
    - Username : toto
      Password : toto
I can log in, but when I try to create a directory, I get:
sftp> mkdir test
Couldn't create directory: Permission denied
What stupid mistake did I make?
Thanks
Trying to find a good way to do a healthcheck with docker compose for this image. Anyone have a good check?
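One liveness signal the logs on this page already expose is whether the `sshd` child process is up ("Server listening on 0.0.0.0 port 22"). The probe below is an added example, not part of the image or the project: it opens a TCP connection to the published port and waits for the SSH identification line that RFC 4253 requires the server to send, so a port that merely accepts connections (or another service that grabbed it) is reported as unhealthy. It is meant to run from the host or a sidecar, and it assumes the host-port mapping used in the docker-compose.yml further down this page (host 2222 to container 22); a compose `healthcheck:` would instead need a probe binary inside the image, which this page does not document. The fake server is constructed so the probe can be exercised offline.

```python
import socket
import sys
import threading


def probe_ssh_banner(host, port, timeout=3.0, max_bytes=2048):
    """Return the server's SSH identification line, or None if none arrives.

    RFC 4253 section 4.2: the server sends "SSH-protoversion-softwareversion"
    terminated by CR LF and may send other lines before it, so we read until a
    complete line starting with "SSH-" shows up or the peer stops talking.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            buf = b""
            while len(buf) < max_bytes:
                chunk = sock.recv(512)
                if not chunk:          # peer closed without a banner
                    break
                buf += chunk
                # Only complete lines (those followed by "\n") are inspected.
                for line in buf.split(b"\n")[:-1]:
                    line = line.rstrip(b"\r")
                    if line.startswith(b"SSH-"):
                        return line.decode("ascii", "replace")
    except OSError:                    # refused, unreachable or timed out
        return None
    return None


def is_healthy(host, port, timeout=3.0):
    """True when an SSH banner is received, i.e. sshd is up and accepting."""
    return probe_ssh_banner(host, port, timeout) is not None


def start_fake_server(reply, host="127.0.0.1"):
    """Constructed stand-in for the container: accept one connection, send reply, close.

    Returns the ephemeral port it listens on so the probe can be run offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port(host="127.0.0.1"):
    """Return a port with nothing listening on it (bind, read back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Real probe: python probe.py <host> <published-port>, e.g. 127.0.0.1 2222
        banner = probe_ssh_banner(sys.argv[1], int(sys.argv[2]))
        print(banner or "no SSH banner received")
        sys.exit(0 if banner else 1)
    # Offline demo against the constructed server
    demo_port = start_fake_server(b"SSH-2.0-OpenSSH_demo\r\n")
    print("fake server:", probe_ssh_banner("127.0.0.1", demo_port))
```

The exit status makes it usable directly from a cron job, a systemd timer or an external monitor; checking for the banner rather than just a successful connect is what distinguishes the stopped-sshd case seen in the logs below (the .NET host keeps running after "Stopped 'sshd' process") from a working server.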
I started using docker-sftp with docker-compose last week. It works well, thanks for making it!
Although it sometimes stops, and I don't understand why. Here is the output of docker-compose logs -f:
sftp_1 | 2021-03-05 10:42:24.615 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Accepted keyboard-interactive/pam for kevin from 172.21.0.1 port 36426 ssh2
sftp_1 | 2021-03-05 10:42:24.709 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'open_session', sshd
sftp_1 | 2021-03-05 10:42:24.710 [DBG] (ES.SFTP.Host.SSH.SessionHandler) Configuring session for user 'kevin'
sftp_1 | 2021-03-05 10:42:24.724 [INF] (ES.SFTP.Host.SSH.SessionHandler) Session ready for user 'kevin'
sftp_1 | 2021-03-05 10:42:25.026 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'close_session', sshd
sftp_1 | 2021-03-05 10:42:25.661 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Accepted keyboard-interactive/pam for kevin from 172.21.0.1 port 36432 ssh2
sftp_1 | 2021-03-05 10:42:25.748 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'open_session', sshd
sftp_1 | 2021-03-05 10:42:25.750 [DBG] (ES.SFTP.Host.SSH.SessionHandler) Configuring session for user 'kevin'
sftp_1 | 2021-03-05 10:42:25.765 [INF] (ES.SFTP.Host.SSH.SessionHandler) Session ready for user 'kevin'
sftp_1 | 2021-03-05 10:42:26.204 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'close_session', sshd
sftp_1 | 2021-03-05 14:41:02.441 [DBG] (ES.SFTP.Host.SSH.SSHService) Stopping
sftp_1 | 2021-03-05 14:41:02.441 [DBG] (ES.SFTP.Host.SSH.SSHService) Stopping 'sshd' process
sftp_1 | 2021-03-05 14:41:02.517 [INF] (ES.SFTP.Host.SSH.SSHService) Stopped 'sshd' process
sftp_1 | 2021-03-05 14:41:02.519 [INF] (ES.SFTP.Host.SSH.SSHService) Stopped
sftp_1 | 2021-03-05 14:41:02.521 [DBG] (ES.SFTP.Host.Security.UserManagementService) Stopping
sftp_1 | 2021-03-05 14:41:02.521 [INF] (ES.SFTP.Host.Security.UserManagementService) Stopped
sftp_1 | 2021-03-05 14:41:02.526 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Stopping
sftp_1 | 2021-03-05 14:41:02.593 [INF] (ES.SFTP.Host.Security.AuthenticationService) Stopped
sftp_1 | 2021-03-05 14:41:02.594 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Stopping
sftp_1 | 2021-03-05 14:41:02.597 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Stopped
The sftp.json file:
{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": ["sftp"]
  },
  "Users": [
    {
      "Username": "...",
      "Password": "..."
    },
    {
      "Username": "...",
      "Password": "..."
    }
  ]
}
The docker-compose.yml file:
version: '3'
services:
  sftp:
    image: "emberstack/sftp"
    ports:
      - "2222:22"
    volumes:
      - ./config.sftp.json:/app/config/sftp.json:ro
A few things to note: we have been playing with the firewall lately (some ufw reload commands have been issued), and we have a traefik container running.
This is maybe not so much of an Issue, but more like a feature request.
My problem: When running this service in docker I have a clash with another service already running on port 22. Therefore it would be neat to be able to specify which port to start the service on. If there already is a way to do this, I couldn't find any documentation for it so please advise.
From my docker-compose.yaml:
```yaml
image: "emberstack/sftp"
ports:
  - "2222:2222"
volumes:
  - ./sftp/config.json:/app/config/sftp.json:ro
```
Output from docker:
```
sftp_1 | [INF] (ES.SFTP.Host.SSH.SSHService) Starting 'sshd' process
sftp_1 | [INF] (ES.SFTP.Host.SSH.SSHService) Started
sftp_1 | [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on 0.0.0.0 port 22.
sftp_1 | [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on :: port 22.
```
Even though I specify which port I want to run it on, it gets ignored.