docer安裝之pure-ftp

時間 2019-11-24

標籤 docer 安裝 pure ftp 欄目 FTP 简体版

原文原文鏈接

https://hub.docker.com/r/stilliard/pure-ftpdhtml

Docker Pure-ftpd Server

https://hub.docker.com/r/stilliard/pure-ftpd/node

Check out our basic example workflow & our slightly more advanced workflow with tls & an auto created user.

Pull down latest version with docker:mysql

docker pull stilliard/pure-ftpd:hardened

Often needing to run as sudo, e.g. sudo docker pull stilliard/pure-ftpdlinux

If you want to make changes, my advice is to either change the run command when running it or extend this image to make any changes rather than forking the project.
This is because rebuilding the entire docker image via a fork can be very slow as it rebuilds the entire pure-ftpd package from source.git

To change the command run on start you could use the command: option if using docker-compose, or with docker run directly you could use:github

docker run --rm -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 stilliard/pure-ftpd:hardened bash /run.sh -c 30 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P localhost -p 30000:30059

To extend it you can create a new project with a DOCKERFILE like so:web

FROM stilliard/pure-ftpd

# e.g. you could change the defult command run:
CMD /run.sh -c 30 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P $PUBLICHOST -p 30000:30059

Then you can build your own image, docker build --rm -t my-pure-ftp ., where my-pure-ftp is the name you want to build assql

Starting it

docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" stilliard/pure-ftpd:hardeneddocker

Or for your own image, replace stilliard/pure-ftpd with the name you built it with, e.g. my-pure-ftpshell

You can also pass ADDED_FLAGS as an env variable to add additional options such as --tls to the pure-ftpd command.
e.g. -e "ADDED_FLAGS=--tls=2"

Operating it

docker exec -it ftpd_server /bin/bash

Setting runtime FTP user

To create a user on the ftp container, use the following environment variables: FTP_USER_NAME, FTP_USER_PASS and FTP_USER_HOME.

FTP_USER_HOME is the root directory of the new user.

Example usage:

docker run -e FTP_USER_NAME=bob -e FTP_USER_PASS=12345 -e FTP_USER_HOME=/home/bob stilliard/pure-ftpd

If you wish to set the UID & GID of the FTP user, use the FTP_USER_UID & FTP_USER_GID environment variables.

Using different passive ports

To use passive ports in a different range (eg: 10000-10009), use the following setup:

docker run -e FTP_PASSIVE_PORTS=10000:10009 --expose=10000-10009 -p 21:21 -p 10000-10009:10000-10009

You may need the --expose= option, because default passive ports exposed are 30000 to 30009.

Example usage once inside

Create an ftp user: e.g. bob with chroot access only to /home/ftpusers/bob

pure-pw useradd bob -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/bob

No restart should be needed.

If you have any trouble with volume permissions due to the uid or gid of the created user you can change the -u flag for the uid you would like to use and/or specify -g with the group id as well. For more information see issue #35.

More info on usage here: https://download.pureftpd.org/pure-ftpd/doc/README.Virtual-Users

Test your connection

From the host machine:

ftp -p localhost 21

Docker compose

Docker compose can help you simplify the orchestration of your containers.
We have a simple example of the docker compose.
& here's a more detailed example using wordpress with ftp using this image.

Max clients

By default we set 5 max clients at once, but you can increase this by using the following environment variable FTP_MAX_CLIENTS, e.g. to FTP_MAX_CLIENTS=50 and then also increasing the number of public ports opened from FTP_PASSIVE_PORTS=30000:30009 FTP_PASSIVE_PORTS=30000:30099. You'll also want to open those ports when running docker run. In addition you can specify the maximum connections per ip by setting the environment variable FTP_MAX_CONNECTIONS. By default the value is 5.

All Pure-ftpd flags available:

https://linux.die.net/man/8/pure-ftpd

Logs

To get verbose logs add the following to your docker run command:

-e "ADDED_FLAGS=-d -d"

Then if you exec into the container you could watch over the log with tail -f /var/log/messages

Want a transfer log file? add the following to your docker run command:

-e "ADDED_FLAGS=-O w3c:/var/log/pure-ftpd/transfer.log"

Tags available for different versions

Latest versions

latest - latest working version
jessie-latest - latest but will always remain on debian jessie
hardened - latest + more secure/hardened defaults

Previous version before tags were introduced

wheezy-1.0.36 - incase you want to roll back to before we started using debian jessie

Specific pure-ftpd versions

jessie-1.x.x - jessie + specific versions, e.g. jessie-1.0.36
hardened-1.x.x - hardened + specific versions

Check the tags on github for available versions, feel free to submit issues and/or pull requests for newer versions

Usage of specific tags: sudo docker pull stilliard/pure-ftpd:hardened-1.0.36

An arm64 build is also available here: https://hub.docker.com/r/zhabba/pure-ftpd-arm64 - Thanks @zhabba

Our default pure-ftpd options explained

/usr/sbin/pure-ftpd # path to pure-ftpd executable
-c 5 # --maxclientsnumber (no more than 5 people at once)
-C 5 # --maxclientsperip (no more than 5 requests from the same ip)
-l puredb:/etc/pure-ftpd/pureftpd.pdb # --login (login file for virtual users)
-E # --noanonymous (only real users)
-j # --createhomedir (auto create home directory if it doesnt already exist)
-R # --nochmod (prevent usage of the CHMOD command)
-P $PUBLICHOST # IP/Host setting for PASV support, passed in your the PUBLICHOST env var
-p 30000:30009 # PASV port range (10 ports for 5 max clients)
-tls 1 # Enables optional TLS support

For more information please see man pure-ftpd, or visit: https://www.pureftpd.org/

Why so many ports opened?

This is for PASV support, please see: #5 PASV not fun :)

Docker Volumes

There are a few spots onto which you can mount a docker volume to configure the server and persist uploaded data. It's recommended to use them in production.

/home/ftpusers/ The ftp's data volume (by convention).
/etc/pure-ftpd/passwd A directory containing the single pureftps.passwd file which contains the user database (i.e., all virtual users, their passwords and their home directories). This is read on startup of the container and updated by the pure-pw useradd -f /etc/pure- ftpd/passwd/pureftpd.passwd ...command.
/etc/ssl/private/ A directory containing a single pure-ftpd.pem file with the server's SSL certificates for TLS support. Optional TLS is automatically enabled when the container finds this file on startup.

Keep user database in a volume

You may want to keep your user database through the successive image builds. It is possible with Docker volumes.

Create a named volume:

docker volume create --name my-db-volume

Specify it when running the container:

docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 -e "PUBLICHOST=localhost" -v my-db-volume:/etc/pure-ftpd/passwd stilliard/pure-ftpd:hardened

When an user is added, you need to use the password file which is in the volume:

pure-pw useradd bob -f /etc/pure-ftpd/passwd/pureftpd.passwd -m -u ftpuser -d /home/ftpusers/bob

(Thanks to the -m option, you don't need to call pure-pw mkdb with this syntax).

Changing a password

e.g. to change the password for user "bob":

pure-pw passwd bob -f /etc/pure-ftpd/passwd/pureftpd.passwd -m

Development (via git clone)

# Clone the repo
git clone https://github.com/stilliard/docker-pure-ftpd.git
cd docker-pure-ftpd
# Build the image
make build
# Run container in background:
make run
# enter a bash shell inside the container:
make enter
# test that it's all working with
make test

TLS

If you want to enable tls (for ftps connections), you need to have a valid certificate. You can get one from one of the certificate authorities that you'll find when googling this topic. The certificate (containing private key and certificate) needs to be at:

/etc/ssl/private/pure-ftpd.pem

Use docker volumes to get the certificate there at runtime. The container will automatically enable optional TLS when it detect the file at this location.

You can also self-sign a certificate, which is certainly the easiest way to start out. Self signed certificates come with certain drawbacks, but it might be better to have a self signed one than none at all.

Here's how to create a self-signed certificate from within the container:

mkdir -p /etc/ssl/private
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout \
    /etc/ssl/private/pure-ftpd.pem \
    -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem

Automatic TLS certificate generation

If ADDED_FLAGS contains --tls and file /etc/ssl/private/pure-ftpd.pem does not exists it is possible to generate self-signed certificate if TLS_CN, TLS_ORG and TLS_C are set.

Keep in mind that if no volume is set for /etc/ssl/private/ directory generated certificates won't be persisted and new ones will be generated on each start.

You can also pass -e "TLS_USE_DSAPRAM=true" for faster generated certificates though this option is not recommended for production.

Credits

Thanks for the help on stackoverflow with this! https://stackoverflow.com/questions/23930167/installing-pure-ftpd-in-docker-debian-wheezy-error-421

Also thanks to all the awesome contributors that have made this project amazing!https://github.com/stilliard/docker-pure-ftpd/graphs/contributors

================================

vsftp的權限組合配置很強大，可是對於通常人來講比較複雜，老牛從頭就開始用vsftp，到如今不少年了
雖然知道其餘幾種ftp，但這麼多年都沒安裝來試試，今天在一臺VPS上須要用到ftp，就順便換換pure-ftpd試試
安裝

yum install pure-ftpd -y

修改配置文件pure-ftpd.conf

vi /etc/pure-ftpd/pure-ftpd.conf

############################################################
# #
# Configuration file for pure-ftpd wrappers #
# #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-config.pl /etc/pure-ftpd/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.shtml for a complete list of
# options.

# Cage in every user in his home directory
#限制全部用戶只能訪問主目錄
ChrootEveryone yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
#信任組ID，不用設置，註釋掉
# TrustedGID 100

# Turn on compatibility hacks for broken clients
#是否斷開非兼容的客戶端，設置no時，兼容ie等比較非正規化的ftp客戶端
BrokenClientsCompatibility no

# Maximum number of simultaneous users
#最大鏈接的客戶端數量
MaxClientsNumber 10

# Fork in background
#是否以守護(doemon)進程運行，設置yes
Daemonize yes

# Maximum number of sim clients with the same IP address
#單個IP最大鏈接數
MaxClientsPerIP 8

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
#是否記錄全部用戶的ftp鏈接命令
VerboseLog no

# List dot-files even when the client doesn't send "-a".
#客戶端未發出-a命令時，是否列出隱藏文件（dot-files）？
DisplayDotFiles yes

# Don't allow authenticated users - have a public anonymous FTP only.
#只容許匿名用戶？咱們用於非公共ftp，因此要進行認證，不能匿名登陸
AnonymousOnly no

# Disallow anonymous connections. Only allow authenticated users.
#設置爲yes時，禁止匿名用戶登陸，只容許認證用戶登陸
NoAnonymous yes

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
#默認( facility )是 "ftp"。 "none" 將禁止日誌。
SyslogFacility ftp

# Display fortune cookies
#設置用戶登錄後的顯示信息
# FortunesFile /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
#//禁止反向解析，在日誌文件中不解析主機名。
DontResolve yes

# Maximum idle time in minutes (default = 15 minutes)
#客戶端容許的最大的空閒時間，
#MaxIdleTime 15

# LDAP configuration file (see README.LDAP)
#LDAP配置文件目錄
# LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf

# MySQL configuration file (see README.MySQL)
#MySQL配置文件目錄
# MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf

# Postgres configuration file (see README.PGSQL)
#PGSQL配置文件目錄
# PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf

# PureDB user database (see README.Virtual-Users)
#刪除註釋，並啓用，若是須要上面那幾種數據庫來存放用戶信息，請自行刪除註釋
#此爲虛擬用戶數據庫路徑，咱們建立的虛擬用戶就保存在這裏
PureDB /etc/pure-ftpd/pureftpd.pdb

# Path to pure-authd socket (see README.Authentication-Modules)
#驗證服務pure-authd 的socket 路徑
# ExtAuth /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line
#啓用 PAM 認證方式
PAMAuthentication yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this
#unix認證方式，只用一種便可
# UnixAuthentication yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
#遞歸方式列出文件的數量及深度
LimitRecursion 100000 1

# Are anonymous users allowed to create new directories ?
#是否容許匿名用戶建立文件目錄
AnonymousCanCreateDirs no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
#設定負載闕值，當系統負載大於如下設定的數值後，將禁止匿名用戶下載！
MaxLoad 2

# Port range for passive connections replies. - for firewalling.
#FTP啓用主動模式時用到的端口範圍，建議設置爲31888 to 36888
#主要是不想去改防火牆了，用之前vsftp的防火牆端口規則
PassivePortRange 31888 36888

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
#強制一個IP地址使用被動響應（ PASV/EPSV/SPSV replies）
#ForcePassiveIP 192.168.0.1

# Upload/download ratio for anonymous users.
#匿名用戶和認證用戶下載時的速度比例
# AnonymousRatio 1 10

# Upload/download ratio for all users.
# This directive superscedes the previous one.
#上傳下載速度比例設置，全局變量
# UserRatio 1 10

# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
#不容許下載ftp屬主的文件
AntiWarez yes

# IP address/port to listen to (default=all IP and port 21).
#服務監聽的IP 地址和端口。(缺省是全部IP地址和21端口)
# Bind 127.0.0.1,21

# Maximum bandwidth for anonymous users in KB/s
#匿名用戶帶寬
# AnonymousBandwidth 8

# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
#認證用戶帶寬
# UserBandwidth 8

# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
#文件和目錄的umask
Umask 133:022

# Minimum UID for an authenticated user to log in.
#用戶ID至少要大於1000才能登錄
MinUID 1000

# Do not use the /etc/ftpusers file to disable accounts. We're already
# using MinUID to block users with uid < 1000
#是否使用/etc/ftpusers配置文件來禁用賬號，默認爲no
UseFtpUsers no

# Allow FXP transfers for authenticated users.
#是否僅容許認證用戶進行 FXP 傳輸？默認爲no，這裏改yes
AllowUserFXP yes

# Allow anonymous FXP for anonymous and non-anonymous users.
#是否對匿名用戶和非匿名用戶容許進行匿名 FXP 傳輸。
AllowAnonymousFXP no

# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
#用戶不能刪除和寫點文件（文件名以 '.' 開頭的文件），即便用戶是文件的全部者也不行。
ProhibitDotFilesWrite no

# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
#同上
ProhibitDotFilesRead no

# Never overwrite files. When a file whose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...
#是否對已存在的文件自動重命名？必須no
AutoRename no

# Disallow anonymous users to upload new files (no = upload is allowed)
#設置yes禁止匿名用戶上傳新文件
AnonymousCantUpload yes

# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
#設定僅容許來自如下IP地址的非匿名用戶鏈接。
#TrustedIP 10.1.1.1

# If you want to add the PID to every logged line, uncomment the following
# line.
#若是須要爲日誌每一行添加 PID 去掉下面行的註釋
LogPID yes

# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
#log文件路徑
AltLog clf:/var/log/pureftpd.log

# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog stats:/var/log/pureftpd.log

# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)

# AltLog w3c:/var/log/pureftpd.log

# Disallow the CHMOD command. Users can't change perms of their files.
#設置爲yes時，不接受 CHMOD 命令。用戶不能更改他們文件的屬性。
#NoChmod yes

# Allow users to resume and upload files, but *NOT* to delete them.
#設置yes時，容許用戶恢復和上傳文件，不容許刪除他們
#KeepAllFiles yes

# Automatically create home directories if they are missing
#用戶主目錄不存在的話，自動建立。
CreateHomeDir no

# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#刪除註釋後，啓用配額管理，1000:10 就限制每個用戶只能使用 1000 個文件，共10Mb。
#Quota 1000:10

# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
#運行時的pid路徑
#PIDFile /var/run/pure-ftpd.pid

# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
# Don't enable this option if you don't actually use pure-uploadscript.
# 若是你的 pure-ftpd 編譯時加入了 pure-uploadscript 支持，這個指令將會使 pure-ftpd
# 發送關於新上傳的狀況信息到 /var/run/pure-ftpd.upload.pipe，這樣 pure-uploadscript
# 就能讀而後調用一個腳本去處理新的上傳。
#這個功能用好了能夠作不少事。。。

#CallUploadScript yes

# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.
#限定上傳文件佔用硬盤的極限值，超事後再也不接收上傳數據
MaxDiskUsage 99

# Set to 'yes' if you don't want your users to rename files.
#是否禁止用戶重命名已存在的文件
NoRename no

# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
#設置爲yes，防止chmod修改錯誤致使文件鎖定
CustomerProof yes

# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
#3:20 意思是同一個認證用戶最大能夠有3個同時活動的進程。並且同時最多隻能有20個匿名用戶進程。
# PerUserLimits 3:20

# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediatly switch to the new one as soon as the full file will have been
# transfered. This option is incompatible with virtual
# yes文件相同直接刪除舊的，no先保留再更新
NoTruncate yes

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS 1

# OpenSSL ciphers suite for TLS sessions.
# Prefix with -C: in order to require valid client certificates.
# If -C: is used, make sure that clients' public keys are installed
# on the server.
# SSL is disabled by default. TLS 1.0, 1.1 and 1.2 are available by
# default.

# TLSCipherSuite HIGH

# Certificate file, for TLS

# CertFile /etc/ssl/private/pure-ftpd.pem

# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.
#只容許IPV4鏈接
IPV4Only yes

# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

# IPV6Only yes

# UTF-8 support for file names (RFC 2640)
# Define charset of the server filesystem and optionnally the default charset
# for remote clients if they don't use UTF-8.
# Works only if pure-ftpd has been compiled with --with-rfc2640

FileSystemCharset UTF-8
ClientCharset UTF-8

添加用戶及用戶組

/usr/sbin/groupadd -f ftpgroup;/usr/sbin/useradd -g ftpgroup ftpuser

添加虛擬用戶ftpnow，寄生到系統用戶名ftpuser

pure-pw useradd ftpnow -d /whoisyourdaddy -u ftpuser -m

//pure-pw useradd 虛擬用戶名 –u 寄生到系統用戶名 –d FTP目錄 –m（把用戶密碼加入PDB數據庫中，不須要重啓FTP）
按提示輸入兩次ftpnow用戶的密碼

修改目錄的屬主及用戶

chown ftpuser.ftpgroup /whoisyourdaddy -R

創建pure-ftpd虛擬用戶數據

pure-pw mkdb

而後參照下面命令，啓動服務，沒問題再設置開機啓動

而後重啓，試試用ftp客戶端鏈接吧

centos 7.4 64bit系統下pure-ftpd的操做命令
啓動pure-ftpd服務