fork 0k-charms
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Valentin Lab 81551b8b4d new: [base] use ``set -eux`` more consistently between scripts 1 year ago
..
build new: [sftp] compose ready charm 6 years ago
hooks fix: [sftp] allow same group usage amongst different users 5 years ago
lib fix: [sftp] ensure that cache won't be used with a different version of the function 5 years ago
README.org new: [sftp] add doc to ``sftp`` charm 3 years ago
metadata.yml new: [sftp] compose ready charm 6 years ago

README.org

Presentation

This charm allows you to host a SFTP (using ssh) with it's own user database. They can be authenticated with a password or with a SSH key.

You can choose exactly what data will be accessible to them by mount binding each directory you want to share from the host in their own home directory in the container. (see the examples).

The permissions should be managed through group permissions, directly from the host and in the shared directory.

Each user in the container will be part of multiple groups (configurable via the options of the charm in your service definition of the compose.yml), and the GID of the groups will be the same on the host and on the container.

Example configuration

  sftp:
    docker-compose:
      ports:
        - "10622:22"
      volumes:
        ## Here we allow access to specific directories only by binding
        ## them in their home directory:
        - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient1/www.myclientwebsite.com:rw
        - /srv/datastore/data/www/var/www/www.myclientwebsite.com:/home/myclient2/www.myclientwebsite.com:rw
    options:
      users:
        myclient1:
          ## These groups are created on the container with the given GID
          ## Note that UID/GID are the same for the container and the host,
          ## So don't forget to give the appropriate rights from the host on
          ## the shared directory to ensure that access is effectively granted
          ## as you want to the customer
          groups:
            - sftpaccess-rw:3000
          password: FaKePaSSw0rdT0Ch4Ng3
          keys:
            - "ssh-rsa AAAAB3NzaC2yc2Z..."
        myclient2:
          ## These groups are created on the container with the given GID
          ## Note that UID/GID are the same for the container and the host,
          ## So don't forget to give the appropriate rights from the host on
          ## the shared directory to ensure that access is effectively granted
          ## as you want to the customer
          groups:
            - sftpaccess-rw:3000
          password: FaKePaSSw0rdT0Ch4Ng3
          keys:
            - "ssh-rsa AAAAB3NzBC1yc2X..."

In this case, you'll need also to make sure to set up correctly the directories you shared, in this example, only /srv/datastore/data/www/var/www/www.myclientwebsite.com is shared : you are expected to set the permissions of the group identified by the id `3000`.

Using getfacl/setfacl is the right tool most of the time. If you don't have it:

apt-get install acl

Then, you could:

find /srv/datastore/data/www/var/www/www.myclientwebsite.com -type d \
    -exec getfacl -mR d:g:3000:rwx,d:g:3000:rwx