Synopsis
As part of building a web service, I wanted to have some of the microservice dependencies dockerized for easy setup and deployment. The three applications my web service depends on are:
- mongodb
- rabbitmq
- sftp
This post is about dockerizing sftp. The container will provide sftp-only user accounts and the users will be restricted to their home directory. The former is done through disabling login (in the Dockerfile), the latter by chrooting to the user's home directory (in the sshd_config file).
FROM ubuntu:latest
The latest Ubuntu image is our starting point. (The latest tag moves between Ubuntu releases, so pinning a release tag gives reproducible builds.)
RUN apt-get update && \
apt-get -y install openssh-server
SFTP (SSH File Transfer Protocol) is a separate protocol that runs as a subsystem of the SSH server, so we install openssh-server.
RUN mkdir /var/run/sshd
The privilege separation directory, /var/run/sshd, must be present; otherwise sshd refuses to start and the container exits immediately after starting.
COPY sshd_config /etc/ssh/sshd_config
The default ssh configuration is adjusted for sftp purposes (https://github.com/tamarakaufler/go_loyalty_scheme_service/tree/master/dockerized/sftp).
RUN groupadd sftpusers
All sftp users will be part of this group.
RUN adduser --quiet --disabled-password sftp_loyalty
When creating the sftp user, --disabled-password creates the account without prompting for a password, so the next command can set one non-interactively. chpasswd reads user:password pairs from standard input and takes no username argument. Note that a password set this way is baked into the image layer and visible in the build history, so a hard-coded value is only acceptable for local testing.
RUN echo "sftp_loyalty:BIGSeCrEt" | chpasswd
RUN usermod -g sftpusers sftp_loyalty && \
usermod -s /usr/sbin/nologin sftp_loyalty && \
chown root:sftp_loyalty /home/sftp_loyalty && \
chmod 755 /home/sftp_loyalty
This assigns the sftp user to the sftpusers group and disables interactive login by giving the account the nologin shell (on Ubuntu it lives at /usr/sbin/nologin). The home directory is owned by root with mode 755 because sshd only chroots into a directory whose every path component is root-owned and not writable by group or others; that is also why a separate uploads directory, owned by the user, is created next, so the user still has somewhere writable.
RUN mkdir /home/sftp_loyalty/uploads && \
chown sftp_loyalty:sftp_loyalty /home/sftp_loyalty/uploads && \
chmod 755 /home/sftp_loyalty/uploads
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]
Starts the ssh server; -D keeps sshd in the foreground so the container stays running. I originally tried using:
service sshd start
but that did not work, preventing the container from starting.
Update: Providing the full path:
/usr/sbin/service ssh start
works.
-----------------------------------------------------------------------------------------------------------------
sshd_config (based on the default /etc/ssh/sshd_config)
- Deleted the original line:
  Subsystem sftp /usr/lib/openssh/sftp-server
- Added at the end of the default sshd_config file (the Match block must come last, because every directive after Match belongs to it; sshd_config does not accept a comment after a directive on the same line, so the comment sits on its own line):
  Subsystem sftp internal-sftp
  Match Group sftpusers
      # set the home directory as the chroot
      ChrootDirectory %h
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTCPForwarding no
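As an added example (not from the original post or the linked repository), the following shell snippet checks the ChrootDirectory prerequisite that the chown root / chmod 755 step in the Dockerfile satisfies: the chroot directory and every parent component must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login with a "bad ownership or modes for chroot directory" error. It assumes GNU coreutils stat (as in the Ubuntu image) and uses the /home/sftp_loyalty path from the Dockerfile as its usage example; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a directory
# satisfies sshd's ChrootDirectory rule. Assumes GNU coreutils `stat`.

# Policy check on a single path component, given its owner uid and its
# octal mode as printed by `stat -c '%u'` and `stat -c '%a'`.
# Returns 0 when the component is acceptable for ChrootDirectory.
chroot_component_ok() {
    uid=$1
    mode=$2
    # Every component must be owned by root.
    [ "$uid" -eq 0 ] || return 1
    # 022 (octal) masks the group- and world-write bits; the leading 0
    # makes the shell read $mode (e.g. 755 or 1777) as octal.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk from the given absolute path up to /, checking each component.
# Prints the first offending component on stderr and returns 1.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "check_chroot_path: $dir is not absolute" >&2; return 1 ;;
    esac
    while :; do
        uid=$(stat -c '%u' "$dir") || return 1
        mode=$(stat -c '%a' "$dir") || return 1
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "unsafe chroot component: $dir (uid=$uid mode=$mode)" >&2
            return 1
        fi
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage inside the built image, after the chown/chmod steps of the post:
#   check_chroot_path /home/sftp_loyalty && echo "chroot ok"
```

Running the check inside the image (for example as a final RUN step) catches a mis-set mode before the first user tries to log in; pairing it with `sshd -t`, which validates the copied sshd_config, covers both halves of the setup.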
https://github.com/tamarakaufler/go_loyalty_scheme_service (when it becomes public)
References
https://www.vultr.com/docs/setup-sftp-only-user-accounts-on-ubuntu-14
https://github.com/atmoz/sftp
https://docs.docker.com/engine/examples/running_ssh_service/