StephanSainleger
/
0k-charms
forked from 0k/0k-charms
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
466 Commits
13 Branches
0 Tags
107 MiB
Tree: 7981ed7dec
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7981ed7dec'
${ noResults }
0k-charms/sftp/README.org

75 lines
2.7 KiB
Raw Normal View History

new: add doc to ``sftp`` charm Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
3 years ago
  1. * Presentation
  3. This charm allows you to host a SFTP (using ssh) with it's own user
  4. database. They can be authenticated with a password or with a SSH key.
  6. You can choose exactly what data will be accessible to them by mount
  7. binding each directory you want to share from the host in their own
  8. home directory in the container. (see the examples).
  10. The permissions should be managed through group permissions, directly
  11. from the host and in the shared directory.
  13. Each user in the container will be part of multiple groups
  14. (configurable via the options of the charm in your service definition
  15. of the =compose.yml=), and the GID of the groups will be the same on
  16. the host and on the container.
  18. * Example configuration
  20. #+begin_src yaml
  21. sftp:
  22. docker-compose:
  23. ports:
  24. - "10622:22"
  25. volumes:
  26. ## Here we allow access to specific directories only by binding
  27. ## them in their home directory:
  28. - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw
  29. - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw
  30. options:
  31. users:
  32. myclient1:
  33. ## These groups are created on the container with the given GID
  34. ## Note that UID/GID are the same for the container and the host,
  35. ## So don't forget to give the appropriate rights from the host on
  36. ## the shared directory to ensure that access is effectively granted
  37. ## as you want to the customer
  38. groups:
  39. - sftpaccess-rw:3000
  40. password: FaKePaSSw0rdT0Ch4Ng3
  41. keys:
  42. - "ssh-rsa AAAAB3NzaC2yc2Z..."
  43. myclient2:
  44. ## These groups are created on the container with the given GID
  45. ## Note that UID/GID are the same for the container and the host,
  46. ## So don't forget to give the appropriate rights from the host on
  47. ## the shared directory to ensure that access is effectively granted
  48. ## as you want to the customer
  49. groups:
  50. - sftpaccess-rw:3000
  51. password: FaKePaSSw0rdT0Ch4Ng3
  52. keys:
  53. - "ssh-rsa AAAAB3NzBC1yc2X..."
  54. #+end_src
  57. In this case, you'll need also to make sure to set up correctly the
  58. directories you shared, in this example, only
  59. =/srv/datastore/data/www/var/www/www.myclientwebsite.com= is shared :
  60. you are expected to set the permissions of the group identified by the
  61. id `3000`.
  63. Using getfacl/setfacl is the right tool most of the time. If you don't
  64. have it:
  66. #+begin_src sh
  67. apt-get install acl
  68. #+end_src
  70. Then, you could:
  72. #+begin_src sh
  73. find /srv/datastore/data/www/var/www/www.myclientwebsite.com -type d \
  74. -exec getfacl -mR d:g:3000:rwx,d:g:3000:rwx
  75. #+end_src