new: [sftp] add doc to ``sftp`` charm
Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
pull/19/head
Valentin Lab
3 years ago
1 changed files with 75 additions and 0 deletions
@ -0,0 +1,75 @@
* Presentation

This charm allows you to host a SFTP (using ssh) with it's own user
database. They can be authenticated with a password or with a SSH key.

You can choose exactly what data will be accessible to them by mount
binding each directory you want to share from the host in their own
home directory in the container. (see the examples).

The permissions should be managed through group permissions, directly
from the host and in the shared directory.

Each user in the container will be part of multiple groups
(configurable via the options of the charm in your service definition
of the =compose.yml=), and the GID of the groups will be the same on
the host and on the container.

* Example configuration

#+begin_src yaml
sftp:
docker-compose:
ports:
- "10622:22"
volumes:
## Here we allow access to specific directories only by binding
## them in their home directory:
- /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw
- /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw
options:
users:
myclient1:
## These groups are created on the container with the given GID
## Note that UID/GID are the same for the container and the host,
## So don't forget to give the appropriate rights from the host on
## the shared directory to ensure that access is effectively granted
## as you want to the customer
groups:
- sftpaccess-rw:3000
password: FaKePaSSw0rdT0Ch4Ng3
keys:
- "ssh-rsa AAAAB3NzaC2yc2Z..."
myclient2:
## These groups are created on the container with the given GID
## Note that UID/GID are the same for the container and the host,
## So don't forget to give the appropriate rights from the host on
## the shared directory to ensure that access is effectively granted
## as you want to the customer
groups:
- sftpaccess-rw:3000
password: FaKePaSSw0rdT0Ch4Ng3
keys:
- "ssh-rsa AAAAB3NzBC1yc2X..."
#+end_src


In this case, you'll need also to make sure to set up correctly the
directories you shared, in this example, only
=/srv/datastore/data/www/var/www/www.myclientwebsite.com= is shared :
you are expected to set the permissions of the group identified by the
id `3000`.

Using getfacl/setfacl is the right tool most of the time. If you don't
have it:

#+begin_src sh
apt-get install acl
#+end_src

Then, you could:

#+begin_src sh
find /srv/datastore/data/www/var/www/www.myclientwebsite.com -type d \
-exec getfacl -mR d:g:3000:rwx,d:g:3000:rwx
#+end_src
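Review bot: the last shell block in the new README does not run as written. `getfacl` only reads ACLs and has no `-m`/`-R` modify options (those belong to `setfacl`), and the `find ... -exec` is missing its `{} \;` or `{} +` terminator, so `find` rejects the command before anything is touched. The ACL spec also repeats the default entry `d:g:3000:rwx` twice, so even with `setfacl` the directory's own access ACL would never grant the group anything; only newly created children would inherit it. Suggest replacing the block with a single recursive call that sets both the access and the default entry, e.g. `setfacl -R -m g:3000:rwx,d:g:3000:rwx /srv/datastore/data/www/var/www/www.myclientwebsite.com`, and mention that `getfacl <dir>` is the way to verify the result. Two smaller points in the same hunk: the example stores `password: FaKePaSSw0rdT0Ch4Ng3` in clear text in `compose.yml`, so the doc should say that this file must be kept readable only by the operator and that key-only access (omitting `password:`) is preferable where the client can use keys; and "it's own user database" should read "its own".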