forked from 0k/0k-charms
new: add doc to ``sftp`` charm
Signed-off-by: Valentin Lab <valentin.lab@kalysto.org>
pull/1/head
Valentin Lab
3 years ago
1 changed files with 75 additions and 0 deletions
@ -0,0 +1,75 @@ |
|||
* Presentation |
|||
|
|||
This charm allows you to host a SFTP (using ssh) with it's own user |
|||
database. They can be authenticated with a password or with a SSH key. |
|||
|
|||
You can choose exactly what data will be accessible to them by mount |
|||
binding each directory you want to share from the host in their own |
|||
home directory in the container. (see the examples). |
|||
|
|||
The permissions should be managed through group permissions, directly |
|||
from the host and in the shared directory. |
|||
|
|||
Each user in the container will be part of multiple groups |
|||
(configurable via the options of the charm in your service definition |
|||
of the =compose.yml=), and the GID of the groups will be the same on |
|||
the host and on the container. |
|||
|
|||
* Example configuration |
|||
|
|||
#+begin_src yaml |
|||
sftp: |
|||
docker-compose: |
|||
ports: |
|||
- "10622:22" |
|||
volumes: |
|||
## Here we allow access to specific directories only by binding |
|||
## them in their home directory: |
|||
- /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw |
|||
- /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw |
|||
options: |
|||
users: |
|||
myclient1: |
|||
## These groups are created on the container with the given GID |
|||
## Note that UID/GID are the same for the container and the host, |
|||
## So don't forget to give the appropriate rights from the host on |
|||
## the shared directory to ensure that access is effectively granted |
|||
## as you want to the customer |
|||
groups: |
|||
- sftpaccess-rw:3000 |
|||
password: FaKePaSSw0rdT0Ch4Ng3 |
|||
keys: |
|||
- "ssh-rsa AAAAB3NzaC2yc2Z..." |
|||
myclient2: |
|||
## These groups are created on the container with the given GID |
|||
## Note that UID/GID are the same for the container and the host, |
|||
## So don't forget to give the appropriate rights from the host on |
|||
## the shared directory to ensure that access is effectively granted |
|||
## as you want to the customer |
|||
groups: |
|||
- sftpaccess-rw:3000 |
|||
password: FaKePaSSw0rdT0Ch4Ng3 |
|||
keys: |
|||
- "ssh-rsa AAAAB3NzBC1yc2X..." |
|||
#+end_src |
|||
|
|||
|
|||
In this case, you'll need also to make sure to set up correctly the |
|||
directories you shared, in this example, only |
|||
=/srv/datastore/data/www/var/www/www.myclientwebsite.com= is shared : |
|||
you are expected to set the permissions of the group identified by the |
|||
id `3000`. |
|||
|
|||
Using getfacl/setfacl is the right tool most of the time. If you don't |
|||
have it: |
|||
|
|||
#+begin_src sh |
|||
apt-get install acl |
|||
#+end_src |
|||
|
|||
Then, you could: |
|||
|
|||
#+begin_src sh |
|||
find /srv/datastore/data/www/var/www/www.myclientwebsite.com -type d \ |
|||
-exec getfacl -mR d:g:3000:rwx,d:g:3000:rwx |
|||
#+end_src |
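Review bot: the final command in this hunk does not set any permissions: `getfacl` only reads ACLs and has no `-m` option, and the `find -exec` is missing its `{} \;` (or `{} +`) terminator, so the documented step will fail outright. It should read something like `find /srv/datastore/data/www/var/www/www.myclientwebsite.com -type d -exec setfacl -m g:3000:rwx,d:g:3000:rwx {} +`, with `g:3000:rwx` giving the group access to existing directories and the `d:` entry making new entries inherit it; since `-type d` skips existing files, a second pass with `-type f -exec setfacl -m g:3000:rw {} +` (or `-R` on the top directory without the `find`) is needed for them. Two smaller points: the `password:` field stores the credential in clear text in `compose.yml`, which the doc should say explicitly next to the "FaKePaSSw0rdT0Ch4Ng3" placeholder, and the five-line comment under `myclient1:` is duplicated verbatim under `myclient2:` and could be stated once above `users:`. Typos: "it's own" should be "its own", and "a SFTP" should be "an SFTP".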