When activating TLS/SSL, I personally wanted to disable non-tls connections.
But to do this, I had to completely build the docker myself after git cloning it and modify the run.sh.

Therefore I suggest, you implement an environment variable for personal interest and maybe a default value, when not set.

Hi,

I'm testing your docker image and I'm facing off a problem.

If I use ftp in command line I can send a file with my virtual user. But when I'm trying to use a GUI tool (filezilla, Winscp, CyberDuck, ...) I have always the error "Cannot list directory" that turn into a timeout error after 20 seconds, but I can see the user is logged in.

The only thing I've changed is the home directory which is not in /home/username. I've set the rights. IpTable show me ACCEPT on each ports (21 and 3000/3009).

Do you have an idea why I can't list directory?

Thanks a lot and great job!

Yu.

The use of '-d /home/ftpusers/bob' (user chrooting) results in having this error when attempting to log in :
421 Home directory not available - aborting

If you do not intend to allow chrooting please update documentation (use of -D instead of -d)

Hello I've extended your image with a simple Dockerfile which adds a prebuild pdb

FROM stilliard/pure-ftpd
VOLUME /home/ftpusers/someone
ADD pureftpd.pdb /etc/pure-ftpd/

When I run this new container in a docker-compose port 21 is closed. The same container uses a mysql image where ports are opened on the host in the same way.
What am I doing wrong?

This is my docker-compose

fidelio-application:
  build: code
  volumes:
    - ../../../../data:/home/ftpusers/someone
  tty: true
fidelio-db:
  image: mysql
  ports:
    - 3306:3306
  volumes_from:
    - fidelio-application
ftpserver:
  build: ftp
  container_name: ftpserver
  ports:
    - 21:21
    - 30000-30009:30000-30009
  environment:
    PUBLICHOST: localhost
  volumes_from:
    - fidelio-application

BTW if i run the image directly with docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" stilliard/pure-ftpd the cointainer operates correctly.

This is my docker compose file.

ftp:
    image: stilliard/pure-ftpd:hardened
    volumes:
      - "./tests/ftp:/hostmount"
    ports:
      - "21:21"
    command: /bin/bash /hostmount/init.sh

Here is my init.sh script for adding the user and starting the ftp server

( echo "test" ; echo "test" ) | pure-pw useradd test -m -u ftpuser -d /home/ftpusers/test
pure-pw show test
sh -c /usr/sbin/pure-ftpd -c 5 -C 5 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P localhost -p 21:21 -p 30000:30009

Here is the output in the container:

Password: 
Enter it again: 
2017-08-30T14:33:08.744521558Z 
Login              : test
Password           : $1$7X.BTw60$fXr9SwwP17gIXTyG/xDD6/
UID                : 1000 (ftpuser)
GID                : 1000 (ftpgroup)
Directory          : /home/ftpusers/test/./
Full name          : 
Download bandwidth : 0 Kb (unlimited)
Upload   bandwidth : 0 Kb (unlimited)
Max files          : 0 (unlimited)
Max size           : 0 Mb (unlimited)
Ratio              : 0:0 (unlimited:unlimited)
Allowed local  IPs : 
Denied  local  IPs : 
Allowed client IPs : 
Denied  client IPs : 
Time restrictions  : 0000-0000 (unlimited)
Max sim sessions   : 0 (unlimited)
2017-08-30T14:33:08.744762482Z 

But when i try to login it gives me an authentication error. And the /home/ftpusers directory is empty.

I configured pure-ftpd config file with these params :
PassivePortRange 49152 65534
ForcePassiveIP LINODE_SERVER_PUBLIC_IP

ftp -p LINODE_SERVER_PUBLIC_IP
Connected to LINODE_SERVER_PUBLIC_IP.

220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 03:47. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (LINODE_SERVER_PUBLIC_IP:xxxx): sjzzt007
331 User sjzzt007 OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (LINODE_SERVER_PUBLIC_IP,156,200)
ftp: connect: Connection refused

Hi

I will install a soft to update automatically the docker image when a new will be created.

As you can understand, the problem is about the users authorized which are inside the image ...

Do you think if it's possible to create the users via the read of a file ( using -v option of docker) ?

Thank you

I've searched for what I'm missing but I can't seem to get the build to allow anonymous access.

I've removed the -E flag, and even changed the /etc/pure-ftpd/conf/NoAnonymous but nothing seems to allow anonymous.

Response is always error 421

What do I need to do to allow anonymous user access?

I'm currently deploying wordpress app with docker.

On my filezilla client, I am having troubles with following:

1. I am not able to change permission of wp-content directory .

I get the following logs when I try to modify it using filezilla

 Command:	SITE CHMOD 777 wp-content
 Response:	550 Could not change perms on wp-content

Is there an option to allow user to change file permission. I created my ftpuser using the command below:

 pure-pw useradd jim -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/jim

2. Dot files are not showing. (I have enabled "Force showing hiddle files" in filezilla)

This is my first time using pureftpd. Hope someone could help me.
Thanks in advance :)

Hello,

I used this docker and it works great. I mean, I can connect using command line but when I use a real ftp client, I have error like :

• 113 : Passive mode failed
• Very long time before to connect...

I also have limit to 5 connections :

$ ftp 192.168.99.100
Connected to 192.168.99.100.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 5 allowed.
220-Local time is now 10:28. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.

In my docker-composer I have :

ftp:
  image: stilliard/pure-ftpd:latest
  env_file: docker/ftp.env
  ports:
    - "21:21"
    - "30000-30009:30000-30009"
  volumes:
    - ./ftp:/home/ftpusers/bob
    - ./vsftpd:/etc/pure-ftpd/passwd

ps aux on machine give me :

/bin/sh -c /run.sh -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P $PUBLICHOST -p 30000:30009

Any idea?

What's the license of this project? There is no LICENSE file, nor license in description.

Hi guys,

I'm a docker newb. I used it for the first time yesterday. I'm trying to install this docker on my UnRaid server.

The passive mode is working perfectly from an external ip / client. However, if I try to connect to my FTP server in my local network, i'm still getting this error "The data connection could not be established"

Status: Connecting to 192.168.1.216:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (127,0,0,1,117,55)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED - Connection refused by server

Thank you for your help

Hi,

I've created a ftp server, mounted a folder in my docker host as the /home/ftpusers directory

I ran the
a folder has been created there for the user by this command (a .sh script):
pure-pw useradd $1 -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/$1

the directory was created. The user cannot upload any files to the home folder (access denied).. i guess theres something wrong with the access the the folder (is created by root):
drwxr-xr-x 2 root root 4096 Mar 30 14:07 testuser

???????

Hope for some help

/OhmegaStar

Hello.
I run below command to create a container
docker run -d --name ftp_server -p 21 -e "PUBLICHOST=localhost" stilliard/pure-ftpd:hardened
pure-pw useradd RALLIPROD -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/RALLIPROD

Now I am trying to connect from another container but my issue is how to pass username and credential in on FTP command

[root@aefd3ba6593e /]# ftp -p ftp_server
Connected to ftp_server (10.0.108.6).
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 5 allowed.
220-Local time is now 14:36. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (ftp_server:root): RALLIPROD
331 User RALLIPROD OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> exit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

[root@aefd3ba6593e /]# ftp ftp_server RALLIPROD/abc123
ftp: ftp_server RALLIPROD/abc123: Servname not supported for ai_socktype

I am running Docker version 1.3.3 on Debian 8 Jessie.

When trying to run the example from the docs I receive an error message

sudo docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" stilliard/pure-ftpd
Invalid containerPort: 30000-30009

Do I need to address the ports individually instead? That seems to work.
-p 21:21 -p 30000:30000 -p 30001:30001 -p 30002:30002 ...

How to watch the log of ftp server ?

Thanks

Hi,

I'm having some trouble connecting to the docker with python ftplib.
I've tried to run the docker with -p 2221:21 which worked and when I create the connection using the FTP command line everything works great.
When using python lib ftplib to create connection it worked but as soon as I try to download a file or run dir the entire python get stuck and no more packets are running from the client or the server.
Is there any explanation for this behavior?

Just to be clear, if I create the docker with -p 21:21 everything work with the python lib.

Thanks

Following on from #15 which defines two system accounts for pureftp use it starts to make little sense to place the pureftp root directory under /home/user at all.

There is a debate to be had where this data should be stored in a the traditional Linux filesystem hierarchy however in docker land I propose that it could possibly be /ftp.

This makes the command to volume mount this directly to the host OS if necessary shorter and probably better fits the appliance model of docker.

This change will necessitate the creation of the directory and the setting of the permissions within the dockerfile but combined with #15 allows users the power of debian system user security for RO/RW.

I tried to use ftps but I found that your version of pure-ftpd simply won't run at all. After checking with pure-ftpd's tls readme file, it said:

To support TLS, the OpenSSL library must already be installed on your system. This is a common requirement so your operating system probably already ships with it.

Pure-FTPd also has to be configured with the --with-tls switch before compilation :
./configure --with-tls ...

In order to support ftps, you may need to add a line in your build from source section:

# build from source
RUN mkdir /tmp/pure-ftpd/ && \
    cd /tmp/pure-ftpd/ && \
    apt-get source pure-ftpd && \
    cd pure-ftpd-* && \
    ./configure --with-tls && \    # to add tls support
    sed -i '/^optflags=/ s/$/ --without-capabilities/g' ./debian/rules && \
    dpkg-buildpackage -b -uc

and the startup CMD should become:

# startup
CMD /usr/sbin/pure-ftpd -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P $PUBLICHOST -p 30000:30009 --tls=2

Pureftp logging by default is pretty bad. It makes no sense that a log file with a date in the filename would actually contain a mix of differnt days data most of which is the previous day. It is also is surprising to find that most of the logs contain no information to identify which host the log data came from (useless if you run more than one FTP server and they all produce identically named log files).

Unfortunately the fixes for these issues are relatively ugly.

List of known fixes so far (open to better suggestions):

• Set a random unique hostname on first start of the docker which we can use each instance to differentiate logs. This will probably require a restart of docker to take effect though.
• Change to CLF format and use the hostname in the log file name echo "clf:/var/log/pure-ftpd/transfer-FTP-$hostn.log" > /etc/pure-ftpd/conf/AltLog
• Make rsylog aware of this custom logging

   echo "" >>  /etc/rsyslog.conf
   echo "#PureFTP Custom Logging" >>  /etc/rsyslog.conf
   echo "ftp.*                           /var/log/pure-ftpd/pureftpd-FTP-$hostn.log" >>  /etc/rsyslog.conf
   echo "Updated /etc/rsyslog.conf with /var/log/pure-ftpd/pureftpd-FTP-$hostn.log"

• Alter logrotate to not throw away logs and make use of the recent feature of naming logs based on yesterdays date

cat > /etc/logrotate.d/pure-ftpd-common <<- EOM
/var/log/pure-ftpd/pureftpd-FTP-$hostn.log
/var/log/pure-ftpd/transfer-FTP-$hostn.log
{
        daily
        dateext
        dateyesterday
        missingok
        rotate 365
        compress
        postrotate
                /usr/sbin/pure-ftpd-control restart >/dev/null
        endscript
}

• Ugly fix /etc/crontab cron.daily to run at 00:01 so that logs contains predominately one day of data sed -i "s@25 6@01 0@" /etc/crontab
• There are other rsylsog fixes that are beyond my sed skills to fix as the config format is convoluted and multiline. Will post details once we agree a general approach.

Check the recommendations for handling layers in the images.
Try to reduce the size of the image by combining layers and doing clean up in the end of each.
Remove APT cache, temporary directories, source files (needed only for compilation), *-dev packages, also needed only for compilation.

Hi Andrew, i've been trying to use your container as a base for a gitlab continuous integration service. however, there are two issues,

1. during startup of the container, gitlab-ci runs into a timeout

Waiting for services to be up and running...

*** WARNING: Service runner-0f9980e5-project-711-concurrent-0-.....__...__ftpd_env probably didn't start properly.

service runner-0f9980e5-project-711-concurrent-0-.....__...__ftpd_env did timeout

*********

which is probably more of a gitlab-ci issue though. i need to find out what exactly it expects a service container to do to prevent the timeout. but this is just a minor issue and not a show-stopper.

2. the ftpd inside the service container can be reached but when trying to log in, i get this error:
   421 Illegal forced IP for passive connections
   i've set the PUBLICHOST matchingly to the adress that i actually connect to, according to
   https://docs.gitlab.com/ce/ci/docker/using_docker_images.html#accessing-the-services

do you have any suggestions?

the -o as modification in the launch command in the dockerfile doesn't work by the way... So I do'nt have any log for verify the problem. But I have some Ideas I will try that first... can you just watch the -0 option?

For some reason, I'm unable to rename directories/files inside a FTP user's home folder. First some information about what I do:

• Start container: docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" -e "ADDED_FLAGS=-d -d" stilliard/pure-ftpd:hardened
• Enter running container: docker exec -it ftpd_server /bin/bash
• Add user: pure-pw useradd blabla -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/blabla with password

Now I can login using user blabla and see the contents of directory (/home/ftpusers/blabla). Here I can upload files to, download from, but for some reason I'm unable to rename files/directories. I get this:

Any idea what I'm doing wrong?

Hi Guys,

I'm trying to start the container with the tls flag but for some reason the container terminates on start. Here's what I'm doing; I build my own image, add passwords, *.pem files and run:

#Dockerfile
FROM stilliard/pure-ftpd:hardened

RUN mkdir -p /etc/ssl/private
RUN rm -rf /etc/pure-ftpd/passwd/*
ADD private/* /etc/ssl/private/
ADD passwd/* /etc/pure-ftpd/passwd/
RUN chmod 600 /etc/ssl/private/*.pem

# e.g. you could change the defult command run:
CMD /run.sh -c 30 -C 5 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R #-tls 1

Build:
docker build -t gag-ftpd-server:latest .
Run:
docker run -d --name ftpd_server6 -e "PUBLICHOST=localhost" gag-ftpd-server
So far so good

Now when I add the -tls flag in the Dockerfile:
CMD /run.sh -c 30 -C 5 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -tls 1
The container terminates with no logs (docker logs [container]).

I can run it with environmental variable "-e "ADDED_FLAGS=--tls=2", omitting the -tls 1 flag and it starts but doesn't work. I was wondering if you could help me to understand why it's not working with the -tls 1 flag or what am I doing wrong.

Any words of wisdom?

Thank you.

Our webshop-team needs a server to upload pictures via ftp (explicit ftp over tls, Port 21 as far as I know) with passive ftp (ports 30000 - 30009) and get them via https. Don't ask me why...

So I have been trying to set up docker via one docker-compose.yml and some Dockerfiles. And I am stuck at this pure-ftpd-image. Therefore I have some questions...

I am using stilliard/pure-ftpd:hardened.
Inside the container, the ftp-server-daemon is running with:

root@6dfbbafdd741:/etc/pure-ftpd# ps faux | grep pure

/bin/sh -c /run.sh -E -c 5 -C 5 -j -R -p 30000:30009 -P $PUBLICHOST -l puredb:/etc/pure-ftpd/db/pureftpd.pdb -e "ADDED_FLAGS=-d -d -O w3c:/var/log/pure-ftpd/transfer.log"
root  7  0.0  0.0  19788  4104 ?  S 12:00 0:00 pure-ftpd (SERVER) -d -O w3c:/var/log/pure-ftpd/transfer.log --tls=1

root@6dfbbafdd741:/# echo $PUBLICHOST
localhost

...but the puredb seems to be located in /etc/pure-ftpd/, not in /etc/pure-ftpd/db/. Why?

And even with changing my Dockerfile-entry:

CMD /run.sh -E -c 5 -C 5 -j -R -p 30000:30009 -P $PUBLICHOST -l puredb:/etc/pure-ftpd/pureftpd.pdb -e "ADDED_FLAGS=-d -d -O w3c:/var/log/pure-ftpd/transfer.log"

(without adding db in the puredb-path), I always get:

Status:	Connection established
Return:	220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Return:	220-You are user number 1 of 5 allowed.
Return:	220-Local time is now 11:57. Server port: 21.
Return:	220-Only anonymous FTP is allowed here
Return:	220-IPv6 connections are also welcome on this server.
Return:	220 You will be disconnected after 15 minutes of inactivity.
Cmd:	AUTH TLS
Return:	234 AUTH TLS OK.
Status:	Initialising TLS...
Status:	Check Certificates...
Status:	TLS-Connection established.
Cmd:	USER [user]
Return:	421 Unable to set up secure anonymous FTP
Fail:	Connection to the server could not be established

Why is "Only anonymous FTP allowed here"? I use the -E-flag, my [user] is stored in the /etc/pure-ftpd/passwd/pureftpd.passwd-file, repeating exactly the steps you describe here on GitHub (of course with another username and pwd):

[user]:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1000:1000::/home/ftpusers/[user]/./::::::::::::

Maybe there is some error with the -P-flag?

And the third question is: if I only want to allow pureftpd-virtual-users, can I delete PAMAuthentication in /etc/pure-ftpd/conf or set it to "no"?

The docker-container runs on CentOS 7 with kernel 4.13.2-1.el7.elrepo.x86_64, the firewall looks like:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 enp6s0
  sources:
  services: dhcpv6-client docker-registry ssh http https ftp
  ports: 30000-30009/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

and docker ps -a tells me:

CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                                                      NAMES
6dfbbafdd741        gen_ftps.[xxx].net   "/bin/sh -c '/run...."   27 minutes ago      Up 26 minutes       0.0.0.0:21->21/tcp, 0.0.0.0:30000-30009->30000-30009/tcp   gen_ftps.[xxx].net_1
84b576317d74        nginx                   "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          80/tcp, 443/tcp                                            gen_sslimages.[xxx].net_1
13bf2cfac987        gen_reverseproxy        "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp                   gen_reverseproxy_1
e05fa187eade        nginx                   "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          80/tcp, 443/tcp                                            gen_www.[xxx].com_1
1a3bf3f5b90a        nginx                   "nginx -g 'daemon ..."   4 hours ago         Up 4 hours          80/tcp                                                     gen_service.[xxx].com_1

The docker-compose.yml contains (snippet):

version: '3.3'
services:
  ftps.[xxx].net:
    build: ../ftps.[xxx].net/.
    volumes:
    - type: volume
      source: vol-ssldata
      target: /home/ftpusers
      volume:
        nocopy: true
    - type: volume
      source: vol-ftpsusers
      target: /etc/pure-ftpd/passwd
      volume:
        nocopy: true
    - type: volume
      source: vol-ftplogs
      target: /var/log/pure-ftpd
      volume:
        nocopy: true
    - type: volume
      source: vol-ftp-db
      target: /etc/pure-ftpd/db
      volume:
        nocopy: true
    expose:
      - "21"
      - "30000-30009"
    networks:
    - net_ftps.[xxx].net
    ports:
      - "21:21"
      - "30000-30009:30000-30009"

[...], and I use vol-ssldata in another nginx-container for https.

As far as I can think (which can't be too far ;-) the problem lies in the pureftp-container.

Thanks for your good work and your answers in advance!

Sincerely,

Jochen

Several suggestion in one as they are all interrelated.

I suggest the following

groupadd --gid 1010 ftpgroup
useradd --uid 1011 --gid ftpgroup -d /dev/null -r -s /usr/sbin/nologin ftpuser-rw
useradd --uid 1012 --gid ftpgroup -d /dev/null -r -s /usr/sbin/nologin ftpuser-ro

This is different to what we do currently:

• We explicitly set UID and GID rather than implicitly trusting the OS to set it the same each build. This would be a rare edge case problem but its trivial to head off and ensure portability of the data to installs outside docker which are more likely to have users setup before pureftp.
• -r tells useradd that it is a system user only
• -s /usr/sbin/nologin is perhaps defunct with the -r switch but to be safe we use the standard means to say no shell for these users
• -d /dev/null is also perhaps defunct but it ensures the user has no home directory
• We have two users, one for read only pureftp alias accounts ftpuser-ro and one for accounts that can write ftpuser-rw (pureftp has no means to set accounts RO and relys on system acounts to do this)

Debians Pureftpd Wrapper has a somewhat unusual way of defining a number of settings by requiring that a bunch of files be created/edited to contain yes/no/number variables

My current non docker Pureftpd install has most of these set.

Do you have any interest if I document here what I believe are sane settings with a view to explicitly setting them in this docker?

Hello, I am having a problem with changing the passivports.

I simpely just run:

docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=x.x.x.x" stilliard/pure-ftpd:hardened

and I guess 30000-30009 are the passiv ports? but the ftpd server uses port 117xx.

If i look in filezilla I can see:

227 Entering Passive Mode (x,x,x,x,117,49)

anyone having the same problem?

Use pure-ftp transt file use ftp proxy in docker。I can see the transfer log in /var/log/pure-ftpd，but it like this:
#Software: Pure-FTPd 1.0.43 #Version: 1.0 #Date: 2018-04-04 07:46:45 #Fields: date time c-ip cs-method cs-uri-stem sc-status cs-username sc-bytes 2018-04-04 07:53:15 bogon []created /behb/diqu/umsg/test.txt 226 hrb 8
the IP is bogon，It is not my need.I need the ture clinet ip like 172.19.112.3.what can i do?

Hi, i have this issue:

Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

I try to connect with FileZilla. any idea?

Hello,

I'm trying to setup this docker on my server so that I can serve a folder via FTP.

I have forwarded the port 10021 -> docker 21, as well as a range of ports for the passive connection (11000-11100)
I set the /etc/pure-ftpd/conf/PassivePortRange to "11000 11100" and .../ForcePassiveIP to my (host) server IP.

Connecting from the host with the host external IP is fine, but connecting from the host to localhost gives me "I won't open a connection to 127.0.0.1, only to <container_IP>".
Connecting from outside to the host:10021 checks the credentials alright, but when doing an ls, it hangs on "Entering passive mode".

Any idea how I can make it work?

Thanks

i tried to adapt the Dockerfile to provide ldap support, following these instructions :
https://download.pureftpd.org/pub/pure-ftpd/doc/README.LDAP

FROM debian:jessie

# feel free to change this ;)
MAINTAINER Andrew Stilliard <[email protected]>

# properly setup debian sources
ENV DEBIAN_FRONTEND noninteractive
RUN echo "deb http://http.debian.net/debian jessie main\n\
deb-src http://http.debian.net/debian jessie main\n\
deb http://http.debian.net/debian jessie-updates main\n\
deb-src http://http.debian.net/debian jessie-updates main\n\
deb http://security.debian.org jessie/updates main\n\
deb-src http://security.debian.org jessie/updates main\n\
" > /etc/apt/sources.list
RUN apt-get -y update

# install package building helpers
RUN apt-get -y --force-yes --fix-missing install dpkg-dev debhelper

# install dependancies
RUN apt-get -y build-dep pure-ftpd

RUN echo $LD_LIBRARY_PATH > /libpath

RUN apt-get install -y wget db-util libdb-dev libpq5 libpq-dev 

RUN wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.45.tgz && \
gunzip -c openldap-2.4.45.tgz | tar xf - && \
cd openldap-2.4.45 && \
./configure  && \
make depend && \
make && \
make install


# build from source
RUN mkdir /tmp/pure-ftpd/ && \
        cd /tmp/pure-ftpd/ && \
        apt-get source pure-ftpd && \
        cd pure-ftpd-* && \
        export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/x86_64-linux-gnu/ && \
        ./configure --with-tls --with-ldap && \
        sed -i '/^optflags=/ s/$/ --without-capabilities/g' ./debian/rules && \
        dpkg-buildpackage -b -uc

# install the new deb files
RUN dpkg -i /tmp/pure-ftpd/pure-ftpd-common*.deb
RUN apt-get -y install openbsd-inetd
RUN dpkg -i /tmp/pure-ftpd/pure-ftpd_*.deb

# Prevent pure-ftpd upgrading
RUN apt-mark hold pure-ftpd pure-ftpd-common

# setup ftpgroup and ftpuser
RUN groupadd ftpgroup
RUN useradd -g ftpgroup -d /home/ftpusers -s /dev/null ftpuser

# rsyslog for logging (ref https://github.com/stilliard/docker-pure-ftpd/issues/17)
RUN apt-get install -y rsyslog && \
        echo "" >> /etc/rsyslog.conf && \
        echo "#PureFTP Custom Logging" >> /etc/rsyslog.conf && \
        echo "ftp.* /var/log/pure-ftpd/pureftpd.log" >> /etc/rsyslog.conf && \
        echo "Updated /etc/rsyslog.conf with /var/log/pure-ftpd/pureftpd.log"

# setup run/init file
COPY run.sh /run.sh
RUN chmod u+x /run.sh

# default publichost, you'll need to set this for passive support
ENV PUBLICHOST ftp.foo.com

# couple available volumes you may want to use
VOLUME ["/home/ftpusers", "/etc/pure-ftpd/passwd"]

# startup
CMD /run.sh -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P $PUBLICHOST -p 30000:30009

EXPOSE 21 30000-30009

COPY ldap.conf /ldap.conf
RUN chmod 777 /ldap.conf

but i'm having these logs :

Starting Pure-FTPd:
pure-ftpd -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P 10.56.160.56 -p 30000:30009 -d -l ldap:/ldap.conf -B
421 Unknown authentication method: ldap:/ldap.conf

I don't really know how to make this work. does somebody have an idea. The problem seems to be during the configure or the build :/ but there is so much log i can't find why it fails.

The container has been fine until a few days ago FileZilla client had this error when using the Default as the Transfer mode. If I switched to Active, then the connection is fine.

Filezilla version 3.24.1

Here's my docker-compose.yml

version: '2'
networks:
  app_net:
    driver: bridge
    ipam:
      driver: default
      config:
      - subnet: 172.16.3.0/24
        gateway: 172.16.3.1
services:
  newcomftp:
    build: .
    image: myftp:latest
    container_name: myftp
    environment:
      - PUBLICHOST=ftp.mydomain.com
    ports:
      - "21:21"
      - "30000-30009:30000-30009"
    volumes:
      - /home/me/ftp:/home/ftpusers
      - /home/me/config/ftp/passwd:/etc/pure-ftpd/passwd
    networks:
      app_net:
        ipv4_address: 172.16.3.3

Dockerfile

FROM stilliard/pure-ftpd:hardened
CMD /run.sh -c 30 -C 5 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R

sudo docker-compose up -d --build

It was working before without any changes. But now it doesn't work.

Hello,

I'm reading the documentation, but it is unclear to me how to achieve what I want.
I have the ftp container running, user created, user has a home directory in ftpusers directory (directory mounted from the host)

-v /dockerserver/folder/ftpusers:/home/ftpusers

in the ftp users directory i have a user directory eg. [email protected]

in this folder (placed here: /dockerserver/folder/ftpusers/[email protected])
I need to mount another folder from the host inside this folder, (eg. a folder representing a dev server filesystem) which the ftp user needs access to.

I've tried with a symlink this does not work, i've tried with a mount --bind, but this does not work either, as both commands are made on the host os..

Is there a way to achieve this ?

Best Regards

OhmegaStar

Hi Guys,

First, thanks for this fantastic container and all your hard work.

I followed the guide, tried to run in as hardened, latest, build my own image, added the user, but when I try to ftp and list folders I get error 421 Service not available.

Maybe you can help me to troubleshoot the problem?

Commands I run on t2.medium AWS node (all ports open for my IP):

docker pull stilliard/pure-ftpd:hardened
docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" stilliard/pure-ftpd:hardened
docker exec -it ftpd_server /bin/bash
pure-pw useradd bob -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/bob

out of the container:
ftp -p IP 21
response:

gjanak@CSD006446-D:~$ ftp -p IP
Connected to IP.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 13:40. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (IP:gjanak): xxx
331 User xxx OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mdir test
(local-file) test
output to local-file: test? 
227 Entering Passive Mode (34,251,145,53,117,48)
**421 Service not available, remote server has closed connection**
ftp> 

Any help is much appreciated.

Thanks

I was wondering if there was some built in way to have it running in foreground instead ?
Otherwise I'll manage one
Thanks !

I opened the docker for some friend which in turn had a nice problem ... (whereas I used the ftp with a simple ftp command ... )

Test log
Status: Resolving address of ******
Status: Connecting to ******
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Reply: 220-You are user number 2 of 30 allowed.
Reply: 220-Local time is now 20:48. Server port: 21.
Reply: 220-This is a private system - No anonymous login
Reply: 220-IPv6 connections are also welcome on this server.
Reply: 220 You will be disconnected after 15 minutes of inactivity.
Command: CLNT https://ftptest.net on behalf of ******
Reply: 530 You aren't logged in
Command: USER ******
Reply: 331 User ****** OK. Password required
Command: PASS ********************************
Reply: 230 OK. Current directory is /
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Extensions supported:
Reply: EPRT
Reply: IDLE
Reply: MDTM
Reply: SIZE
Reply: MFMT
Reply: REST STREAM
Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Reply: MLSD
Reply: AUTH TLS
Reply: PBSZ
Reply: PROT
Reply: UTF8
Reply: TVFS
Reply: ESTA
Reply: PASV
Reply: EPSV
Reply: SPSV
Reply: ESTP
Reply: 211 End.
Command: PWD
Reply: 257 "/" is your current location
Status: Current path is /
Command: TYPE I
Reply: 200 TYPE is now 8-bit binary
Command: PASV
Reply: 227 Entering Passive Mode (172,17,0,124,95,104)
Error: Server returned unroutable private IP address in PASV reply


Results
Error: Server returned unroutable private IP address in PASV reply
Make sure the server is configured to allow passive mode connections.
If the server is behind a NAT router, make sure the server knows its external IP address.
The range of ports used for passive mode must be opened in all involved firewalls.
The range of ports used for passive mode must be forwarded by all involved NAT routers.
Try uninstalling all firewalls and plug your computer directly into your modem, thus bypassing the router.

From what I understand of docker this might become troublesome to resolve won't it ? :p I dont know how to enter in passive mode with ftp command ... when I hit passive, it work nice enough... but i guess it fails back to active if passive doesn't work ... so maybe i simply dont get notified.

Any idea ? Guess i'll simply have to ask my friend to go on active if it's possible

After running

mkdir /home/ftpusers/
mkdir /home/ftpusers/ftptest/
pure-pw useradd ftptest -u ftpuser -d /home/ftpusers/ftptest
pure-pw mkdb

Wasn't able to log into the ftp server with the new user. Get the following output.

220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 06:31. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (localhost:jason): ftptest
331 User ftptest OK. Password required
Password:
530 Login authentication failed
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> exit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.

Edit: Fixed to have the correct failed attempt.

It looks like the files inside /etc/pure-ftpd/conf are not being read by pure-ftpd. Below are my steps:

Screen 1

$> docker run --rm --name dev -p 21:21 -p 30000-30009:30000-30009 stilliard/pure-ftpd:hardened

Screen 2

$> docker exec -it dev bash
root@dev> pure-pw useradd bob -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/bob
root@dev> mkdir -p /home/ftpusers/bob
root@dev> touch /home/ftpusers/bob/foo
root@dev> touch /home/ftpusers/bob/.bar
root@dev> cat /etc/pure-ftpd/conf/DisplayDotFiles (no)

Screen 3

$> ftp 127.0.0.1
ftp> name=bob + password
ftp> ls -al

Expect: foo

Actual: foo and .bar both showed up

Am I missing something here? It shouldn't display .bar right?

Similarly, I tried removing -j from the CMD (with /etc/pure-ftpd/conf/CreateHomeDir=yes of course, I was using hardened image) and it doesn't create home directory anymore.

Hi,

I have a droplet with an app dockerized and docker-pure-ftpd together.

I've run the container:

docker run -d --name FTP -e "PUBLICHOST=ftp.myftp.com" -p 21:21 -p 30000-30009:30000-30009 -v /var/lib/dokku/data/storage/ftp:/home/ftpusers -v /var/lib/dokku/data/storage/pureftp/:/etc/pure-ftpd stilliard/pure-ftpd

On the host or with any client I can connect to FTP. On my app container I've got always "Connection time out".

Is there a way to fix that?

Thanks a lot!

Yu.

Hi Stilliard,

I encountered the following while building the docker container with the dockerfile provided.

pure-ftpd stat /var/lib/docker/tmp/docker-builder 191299239/run.sh: no such file or directory

Please advise.
Thank you.

Kind Regards,
Cornelius

Even though the ftp daemon is started like this:

root@prd-dvm-001:~# docker logs ftpd_server
Log enabled, see /var/log/messages
Starting Pure-FTPd:
  pure-ftpd -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P viveo2.com -p 30000:30009 -d

When I connect it tells me the maximum clients is 5:

14:18 $ ftp [email protected]
Connected to yyy.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 12:18. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
331 User devicelog OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ^D

Any idea what is wrong here?

Hi,

I used a new dockerfile to change the settings for the maximum connections number. The new image is running fine with 10 max connections however, I still have the old image stilliard/pure-ftpd:latest as an orphan.

I tried to remove it but I get this error : Error response from daemon: conflict: unable to delete 6a2be31ca0ab (cannot be forced) - image has dependent child images

Is it normal? Did I did something wrong when I created the new dockerfile?

Regards,
Ben

doing a password change with

pure-pw passwd myuser -f /etc/pure-ftpd/passwd/pureftpd.passwd

Does finish - but will not work.

Probably related, list wont work either, it tells me, it cannot read the passwd file:

pure-pw passwd list -f /etc/pure-ftpd/passwd/pureftpd.passwd

Hi from the documentation it says that overriding the command allows to increase the maximum connections, i tried it and initially didn't work, i looked around a bit and found this post:
https://ubuntuforums.org/archive/index.php/t-1721081.html

Anyway fixed the issue. There where two problems: the passive port range and the order of -c and -p.

The port range based on my first case was: (40115 + 1 - 40110) / 2=3

And ubuntu doesn't ensure -c comes before -p, so if you use the default config and run script in /etc/init.d/pure-ftpd then it will not work (even if you get the port range correct).

i did exactly the same mistakes and following this i fixed my issue, do you think you could make this more clear in the README?

Can i allow only ftps? Without pure ftp

everything is in the quesiton