From 7affaed10fcf113ccadd8280e6dd52115bf077b6 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 22 Mar 2016 14:04:19 -0700 Subject: [PATCH 01/18] Initial commit to the develop branch - Updated Dockerfile to combine some instructions and hopefully reduce number of layers in the image. - Updated add_users script to try and debug why some files permissions are not updating. - Added pubkey authentication to sshd_config for sftp - Updated supervisord conf to have logging for various services. --- s3-backed-ftp/Dockerfile | 51 +++++++++++-------------- s3-backed-ftp/add_users_in_container.sh | 17 ++++----- s3-backed-ftp/sshd_config | 1 + s3-backed-ftp/supervisord.conf | 7 ++++ 4 files changed, 39 insertions(+), 37 deletions(-) diff --git a/s3-backed-ftp/Dockerfile b/s3-backed-ftp/Dockerfile index 287fe71..b129db8 100644 --- a/s3-backed-ftp/Dockerfile +++ b/s3-backed-ftp/Dockerfile @@ -1,10 +1,11 @@ FROM factual/docker-base +# Install needed packages and cleanup after RUN apt-get -y update && apt-get -y install --no-install-recommends \ automake \ autotools-dev \ - g++ \ - git \ + g++ \ + git \ libcurl4-gnutls-dev \ libfuse-dev \ libssl-dev \ 
@@ -16,34 +17,28 @@ RUN apt-get -y update && apt-get -y install --no-install-recommends \ openssh-server \ supervisor \ && rm -rf /var/lib/apt/lists/* - -RUN pip3 install awscli - -RUN git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \ - cd s3fs-fuse && \ - ./autogen.sh && \ - ./configure && \ - make && \ - sudo make install - -RUN mkdir -p /home/aws/s3bucket/ - -ADD s3-fuse.sh /usr/local/ - -ADD vsftpd.conf /etc/vsftpd.conf - -RUN chown root:root /etc/vsftpd.conf - -ADD sshd_config /etc/ssh/sshd_config - -ADD users.sh /usr/local/ - -ADD add_users_in_container.sh /usr/local/ - -RUN echo "/usr/sbin/nologin" >> /etc/shells +# Run commands to set-up everything +RUN pip3 install awscli && \ + git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \ + cd s3fs-fuse && \ + ./autogen.sh && \ + ./configure && \ + make && \ + sudo make install && \ + mkdir -p /home/aws/s3bucket/ && \ + echo "/usr/sbin/nologin" >> /etc/shells + +# Copy scripts to /usr/local +COPY ["s3-fuse.sh", "users.sh", "add_users_in_container.sh", "/usr/local/"] + +# Copy needed config files to their destinations +COPY vsftpd.conf /etc/vsftpd.conf +COPY sshd_config /etc/ssh/sshd_config COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf -EXPOSE 21 22 +# Expose ftp and sftp ports +EXPOSE 21 22 +# Run supervisord at container start CMD ["/usr/bin/supervisord"] diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index 591c6b5..3bc4a8c 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh @@ -1,6 +1,6 @@ #!/bin/bash # This script will update the env.list file (file containing USERS environrment variable) and add the new users if there are any. -# Will check for new users at a given time interval (change sleep duration on line 33) +set -ex FTP_DIRECTORY="/home/aws/s3bucket/ftp-users" CONFIG_FILE="env.list" # May need to modify config file name to reflect future changes in env file location/name 
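Review bot: The combined RUN clones s3fs-fuse at whatever the repository head happens to be, and `pip3 install awscli` likewise takes the latest release, so the image is not reproducible and each rebuild compiles unreviewed upstream code into a root-run FUSE filesystem. Pin both: `git clone --branch <RELEASE_TAG> --depth 1 https://github.com/s3fs-fuse/s3fs-fuse.git && \` and `pip3 install awscli==<VERSION> && \`, with the placeholders filled from the versions actually tested. `sudo make install` is also unnecessary in a build step that already runs as root and makes the image depend on sudo being present in the base; plain `make install` suffices, as the Dockerfile rewrite in patch 15 later uses. The unpinned clone is carried into that rewrite as well.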
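Review bot: `set -x` makes bash print every command to stderr, and this script's loop runs `echo $u | chpasswd -e` with `$u` holding `username:hashedpassword`, so the trace writes every user's password hash into the /var/log/add-users.log that this same commit configures in supervisord.conf. Keep `set -e` here and scope the tracing to the section being debugged with a `set -x` / `set +x` pair around the find/chown block, so the chpasswd line is never traced. Note as well that under `set -e` each `find ... | xargs chown` pipeline reports xargs's status, and when find matches nothing xargs still invokes chown with no operands, returning 123 and terminating the loop — plausibly the "permissions not updating" symptom the commit message mentions; `xargs -r` (added in patch 06) is the fix for that. The chpasswd line itself is in the hunk below, not this one.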
@@ -8,7 +8,7 @@ SLEEP_DURATION=60 # Change theses next two variables to set different permissions for files/directories # These were default from vsftpd so change accordingly if necessary FILE_PERMISSIONS=644 -DIRECTORY_PERMISSIONS=755 +DIRECTORY_PERMISSIONS=750 add_users() { aws s3 cp s3://$CONFIG_BUCKET/$CONFIG_FILE ~/$CONFIG_FILE @@ -17,7 +17,7 @@ add_users() { for u in $USERS; do read username passwd <<< $(echo $u | sed 's/:/ /g') - # If account exists set password again + # If account exists set password again # In cases where password changes in env file if getent passwd "$username" >/dev/null 2>&1; then echo $u | chpasswd -e 
@@ -26,20 +26,19 @@ add_users() { # Permissions when uploaded directly through S3 Web client were set as: # 000 root:root # This would not allow ftp users to read the files - + # Search for files and directories not owned correctly - find "$FTP_DIRECTORY"/"$username"/files/* \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" + find "$FTP_DIRECTORY/$username/files"/* \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" # Search for files with incorrect permissions - find "$FTP_DIRECTORY"/"$username"/files/* -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files"/* -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" # Search for directories with incorrect permissions - find "$FTP_DIRECTORY"/"$username"/files/* -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files"/* -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" fi - # If user account doesn't exist create it - # As well as their home directory + # If user account doesn't exist create it if ! getent passwd "$username" >/dev/null 2>&1; then useradd -d "$FTP_DIRECTORY/$username" -s /usr/sbin/nologin $username usermod -G ftpaccess $username diff --git a/s3-backed-ftp/sshd_config b/s3-backed-ftp/sshd_config index 7b24c6d..2d6176f 100644 --- a/s3-backed-ftp/sshd_config +++ b/s3-backed-ftp/sshd_config @@ -1,5 +1,6 @@ # Change to no to disable tunnelled clear text passwords PasswordAuthentication no +PubkeyAuthentication yes #Port 22 diff --git a/s3-backed-ftp/supervisord.conf b/s3-backed-ftp/supervisord.conf index 3d044f5..fdae6be 100644 --- a/s3-backed-ftp/supervisord.conf +++ b/s3-backed-ftp/supervisord.conf 
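Review bot: The ownership test `\( \! -user "$username" \! -group "$username" \)` joins the two predicates with find's implicit -and, so it only selects entries whose owner and group are both wrong; a file already owned by the user but still in group root, or the reverse, is skipped and stays unreadable. Use an -or: `find "$FTP_DIRECTORY/$username/files"/* \( \! -user "$username" -o \! -group "$username" \) -print0 | xargs -0 chown "$username:$username"`. The same expression is carried unchanged through every later rewrite of this line (patches 03, 05, 06, 13 and 14), where the same one-token fix applies. The unquoted `/files/*` glob also stays literal when the directory is empty, and find then reports a missing entry named `*`; pointing find at the directory with `-mindepth 1` (as patch 05 does) avoids that.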
@@ -6,10 +6,14 @@ logfile=/var/log/supervisord.log command=/usr/local/s3-fuse.sh autorestart=false priority=1 +stdout_logfile=/var/log/s3-fuse-startup.log +stderr_logfile=/var/log/s3-fuse-startup.log [program:sshd] command=/usr/sbin/sshd -D autorestart=true +stdout_logfile=/var/log/sshd.log +stderr_logfile=/var/log/sshd.log [program:vsftpd] command=/usr/sbin/vsftpd @@ -18,3 +22,6 @@ autorestart=true [program:add_users_in_container] command=/usr/local/add_users_in_container.sh autorestart=true +stdout_logfile=/var/log/add-users.log +stderr_logfile=/var/log/add-users.log + From 4573af0c542d0fb2f72e258aad676b5d8de9d5de Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 22 Mar 2016 18:38:15 -0700 Subject: [PATCH 02/18] Updated README with new passive ports --- s3-backed-ftp/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/s3-backed-ftp/README.md b/s3-backed-ftp/README.md index da5ae80..b1c2a4a 100644 --- a/s3-backed-ftp/README.md +++ b/s3-backed-ftp/README.md 
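Review bot: Pointing stdout_logfile and stderr_logfile of one program at the same path makes supervisord open the file twice with independent write offsets and independent rotation, so lines from the two streams can overwrite each other and a rotation on one handle leaves the other writing into the renamed file. The documented way to merge the streams is a single `stdout_logfile=/var/log/sshd.log` with `redirect_stderr=true` and no stderr_logfile line; the same applies to the s3-fuse entry here and to the add_users entry in the second hunk of this file. For sshd specifically, `-D` alone still sends its log to syslog, which nothing in the container appears to collect, so the new sshd.log stays empty until `-e` is added (patch 12 does this).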
@@ -22,13 +22,13 @@ To run: 3. Then after building the container (if necessary), run using: - - `docker run --rm -p 21:21 -p 222:22 -p 1024-1048:1024-1048 --name --cap-add SYS_ADMIN --device /dev/fuse --env-file env.list ` + - `docker run --rm -p 21-22:21-22 -p 30000-30100:30000-30100 --name --cap-add SYS_ADMIN --device /dev/fuse --env-file env.list ` - If you would like the docker to restart after reboot then use: - * `docker run --restart=always -p 21:21 -p 222:22 -p 1024-1048:1024-1048 --name --cap-add SYS_ADMIN --device /dev/fuse --env-file env.list ` + * `docker run --restart=always -p 21-22:21-22 -p 30000-30100:30000-30100 --name --cap-add SYS_ADMIN --device /dev/fuse --env-file env.list ` - If `env.list` file is named differently change accordingly. - If you don't want to use the cap-add and device options you could also just use the privileged option instead: - * `docker run --restart=always -p 21:21 -p 222:22 -p 1024-1024:1024-1048 --privileged --env-file env.list ` - + * `docker run --restart=always -p 21-22:21-22 -p 30000-30100:30000-30100 --privileged --env-file env.list ` + ## Environment Variables 1. ` USERS ` = List of users to add to the ftp/sftp server. Listed in the form username:hashedpassword, each separated by a space. From 05f00d15be713fb8a59d2ce11006311d28d5287e Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Wed, 23 Mar 2016 14:40:30 -0700 Subject: [PATCH 03/18] Updated find command in add_users script --- s3-backed-ftp/add_users_in_container.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index 3bc4a8c..f548d44 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # This script will update the env.list file (file containing USERS environrment variable) and add the new users if there are any. -set -ex +set -x FTP_DIRECTORY="/home/aws/s3bucket/ftp-users" CONFIG_FILE="env.list" # May need to modify config file name to reflect future changes in env file location/name @@ -28,13 +28,13 @@ add_users() { # This would not allow ftp users to read the files # Search for files and directories not owned correctly - find "$FTP_DIRECTORY/$username/files"/* \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" + find "$FTP_DIRECTORY/$username/files/*" \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" # Search for files with incorrect permissions - find "$FTP_DIRECTORY/$username/files"/* -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files/*" -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" # Search for directories with incorrect permissions - find "$FTP_DIRECTORY/$username/files"/* -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files/*" -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" fi From 3e9f939be919183d06a5adc438566739118d08e9 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Wed, 23 Mar 2016 14:44:10 -0700 Subject: [PATCH 04/18] Added '-e' back to set --- s3-backed-ftp/add_users_in_container.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index f548d44..292e395 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh 
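Review bot: Moving the `*` inside the double quotes in the three find commands turns it into a literal path component, so find now looks for an entry literally named `*` under files/, prints an error when it is absent and matches nothing; the permission repair this script exists for becomes a no-op. Keep the glob outside the quotes, or better point find at the directory itself: `find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" -o \! -group "$username" \) -print0 | xargs -0 chown "$username:$username"`, which is the form patch 05 eventually adopts. Dropping `-e` in the first hunk hides the resulting non-zero exit from xargs rather than fixing it.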
@@ -1,6 +1,6 @@ #!/bin/bash # This script will update the env.list file (file containing USERS environrment variable) and add the new users if there are any. -set -x +set -ex FTP_DIRECTORY="/home/aws/s3bucket/ftp-users" CONFIG_FILE="env.list" # May need to modify config file name to reflect future changes in env file location/name From 969866a5575ee5abfaaaaec7237b0f7417494837 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Wed, 23 Mar 2016 15:46:21 -0700 Subject: [PATCH 05/18] Removed '*' from find command, added mindepth option --- s3-backed-ftp/add_users_in_container.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index 292e395..e0e9b9a 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh @@ -28,13 +28,13 @@ add_users() { # This would not allow ftp users to read the files # Search for files and directories not owned correctly - find "$FTP_DIRECTORY/$username/files/*" \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" # Search for files with incorrect permissions - find "$FTP_DIRECTORY/$username/files/*" -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" # Search for directories with incorrect permissions - find "$FTP_DIRECTORY/$username/files/*" -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" fi From 7b5aca4df7f6a9763c7446aae51e4e92977700b5 Mon Sep 17 00:00:00 2001 
From: Nicholas Digati Date: Wed, 23 Mar 2016 16:14:49 -0700 Subject: [PATCH 06/18] Added '-r' option to xargs incase no files are present when trying to chown or chmod --- s3-backed-ftp/add_users_in_container.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index e0e9b9a..8db5fd2 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh @@ -28,13 +28,13 @@ add_users() { # This would not allow ftp users to read the files # Search for files and directories not owned correctly - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 chown "$username:$username" + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 -r chown "$username:$username" # Search for files with incorrect permissions - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 chmod "$FILE_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 -r chmod "$FILE_PERMISSIONS" # Search for directories with incorrect permissions - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 chmod "$DIRECTORY_PERMISSIONS" + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" fi From f64b1c1807fc2effea6792231f6cf088e57c999e Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 5 Apr 2016 11:38:49 -0700 Subject: [PATCH 07/18] Removed 'set -e' option and added new IP address detection block --- s3-backed-ftp/add_users_in_container.sh | 2 +- s3-backed-ftp/s3-fuse.sh | 20 +++++++++++++++----- 2 files changed, 16 insertions(+), 6 deletions(-) 
diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index 8db5fd2..96d2633 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh @@ -1,6 +1,6 @@ #!/bin/bash # This script will update the env.list file (file containing USERS environrment variable) and add the new users if there are any. -set -ex +set -x FTP_DIRECTORY="/home/aws/s3bucket/ftp-users" CONFIG_FILE="env.list" # May need to modify config file name to reflect future changes in env file location/name diff --git a/s3-backed-ftp/s3-fuse.sh b/s3-backed-ftp/s3-fuse.sh index 88b396c..6814af7 100755 --- a/s3-backed-ftp/s3-fuse.sh +++ b/s3-backed-ftp/s3-fuse.sh @@ -17,7 +17,7 @@ if [ -z $IAM_ROLE ] && [ -z $AWS_ACCESS_KEY_ID ]; then exit 1 fi -# Abort if the AWS_SECRET_ACCESS_KEY was not provided if an IAM_ROLE was not provided neither. +# Abort if the AWS_SECRET_ACCESS_KEY was not provided if an IAM_ROLE was not provided neither. if [ -z $IAM_ROLE ] && [ -z $AWS_SECRET_ACCESS_KEY ]; then echo "You need to set AWS_SECRET_ACCESS_KEY environment variable. Aborting!" exit 1 
@@ -30,16 +30,26 @@ if [ -z $IAM_ROLE ] && [ ! -z $AWS_ACCESS_KEY_ID ] && [ ! -z $AWS_SECRET_ACCESS_ chmod 600 ~/.passwd-s3fs fi -# Update the vsftpd.conf file to include the IP address if running on an EC2 instance -if curl -s http://instance-data.ec2.internal > /dev/null ; then - IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) +if [ ! -z $PASV_ADDRESS ]; then + sed -i "s/^pasv_address=/pasv_address=$PASV_ADDRESS/" /etc/vsftpd.conf +elif curl -s http://instance-data.ec2.internal > /dev/null ; then + IP=$(curl -s http://instance-data.ec2.internal/latest/meta-data/public-ipv4) sed -i "s/^pasv_address=/pasv_address=$IP/" /etc/vsftpd.conf else + echo "You need to set PASV_ADDRESS environment variable, or run in an EC2 instance. Aborting!" exit 1 fi +# Update the vsftpd.conf file to include the IP address if running on an EC2 instance +# if curl -s http://instance-data.ec2.internal > /dev/null ; then +# IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) +# sed -i "s/^pasv_address=/pasv_address=$IP/" /etc/vsftpd.conf +# else +# echo "Skipping" +# fi + # start s3 fuse -# Code above is not needed if the IAM role is attaced to EC2 instance +# Code above is not needed if the IAM role is attaced to EC2 instance # s3fs provides the iam_role option to grab those credentials automatically /usr/local/bin/s3fs $FTP_BUCKET /home/aws/s3bucket -o allow_other -o mp_umask="0022" -o iam_role="$IAM_ROLE" #-d -d -f -o f2 -o curldbg /usr/local/users.sh From 026792091ddbe61f9e9e620e5eccdb6ab2c09dbc Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Mon, 11 Apr 2016 14:00:27 -0700 Subject: [PATCH 08/18] Removed 'set -x', no longer needed, just filling up log files --- s3-backed-ftp/add_users_in_container.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index 96d2633..b6f3e8e 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh 
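Review bot: `$PASV_ADDRESS` is spliced directly into the sed replacement, so a value containing `/`, `&` or `\` breaks the s/// command or injects further sed directives into /etc/vsftpd.conf, and the unquoted `[ ! -z $PASV_ADDRESS ]` misparses a value with whitespace. Assuming pasv_address is always a dotted IPv4 here, validate before the sed and quote the test: `[ -n "$PASV_ADDRESS" ]` and, inside the branch, `case "$PASV_ADDRESS" in *[!0-9.]*) echo "PASV_ADDRESS must be a dotted IPv4 address. Aborting!" >&2; exit 1;; esac`. The EC2 branch has the same shape with `$IP`, and `curl -s` without `-f` treats any HTTP reply as success and without `--max-time` can hang container start when the metadata host does not answer; `curl -sf --max-time 3` is the usual form. The commented-out copy of the old block is dead code that git history already preserves; delete it rather than leave it in the script.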
@@ -1,6 +1,5 @@ #!/bin/bash # This script will update the env.list file (file containing USERS environrment variable) and add the new users if there are any. -set -x FTP_DIRECTORY="/home/aws/s3bucket/ftp-users" CONFIG_FILE="env.list" # May need to modify config file name to reflect future changes in env file location/name From 2717b44b90525327355414b3ed400b8914e9fcb1 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Mon, 18 Apr 2016 13:56:11 -0700 Subject: [PATCH 09/18] Added commands to update permissions for ssh-key sftp access --- s3-backed-ftp/add_users_in_container.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index b6f3e8e..6a91b24 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh @@ -35,6 +35,11 @@ add_users() { # Search for directories with incorrect permissions find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" + # Setup correct permissions on .ssh folder and authorized_keys file for ssh-key sftp access + find "$FTP_DIRECTORY/$username/.ssh/" -mindepth 1 -type d \! -perm 700 -print0 | xargs -0 -r chmod 700 + + find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -mindepth 1 -type f \! -perm 600 -print0 | xargs -0 -r chmod 600 + fi # If user account doesn't exist create it From f4164c209a299c91f83cd6e8ed38faeea44fc3b2 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 19 Apr 2016 14:25:50 -0700 Subject: [PATCH 10/18] Changed the way .ssh is configured - Since these files should not be updated through S3 their permissions should always be the same so just create them for each user at startup instead of checking/update constantly through the 'add_users' script. --- s3-backed-ftp/add_users_in_container.sh | 5 ----- s3-backed-ftp/users.sh | 17 ++++++++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) 
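Review bot: Neither new find can reach what it is meant to fix: `-mindepth 1` excludes the starting point, so the first command skips the .ssh directory itself and only examines subdirectories, and the second starts at a regular file that has no descendants, so the chmod 600 never runs. Drop `-mindepth 1` and limit the search to the starting point: `find "$FTP_DIRECTORY/$username/.ssh" -maxdepth 0 -type d \! -perm 700 -print0 | xargs -0 -r chmod 700` and `find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -maxdepth 0 -type f \! -perm 600 -print0 | xargs -0 -r chmod 600`, or simply `[ -d ... ] && chmod 700 ...`. When the .ssh path does not exist yet, find also writes an error to the log every SLEEP_DURATION cycle, so guard with a `[ -e ... ]` test. These lines are removed in patch 10 but return with the same `-mindepth 1`, plus chown variants, in patches 13 and 14, where the same fix applies.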
diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index 6a91b24..b6f3e8e 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh @@ -35,11 +35,6 @@ add_users() { # Search for directories with incorrect permissions find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" - # Setup correct permissions on .ssh folder and authorized_keys file for ssh-key sftp access - find "$FTP_DIRECTORY/$username/.ssh/" -mindepth 1 -type d \! -perm 700 -print0 | xargs -0 -r chmod 700 - - find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -mindepth 1 -type f \! -perm 600 -print0 | xargs -0 -r chmod 600 - fi # If user account doesn't exist create it diff --git a/s3-backed-ftp/users.sh b/s3-backed-ftp/users.sh index 2cfefbe..daae69f 100755 --- a/s3-backed-ftp/users.sh +++ b/s3-backed-ftp/users.sh @@ -13,7 +13,7 @@ chmod 755 $FTP_DIRECTORY # Expecing an environment variable called USERS to look like "bob:hashedbobspassword steve:hashedstevespassword" for u in $USERS; do - + read username passwd <<< $(echo $u | sed 's/:/ /g') # User needs to be created every time since stopping the docker container gets rid of users. @@ -22,7 +22,7 @@ for u in $USERS; do # set the users password echo $u | chpasswd -e - + if [ -z "$username" ] || [ -z "$passwd" ]; then echo "Invalid username:password combination '$u': please fix to create '$username'" continue 
@@ -34,18 +34,25 @@ for u in $USERS; do chmod 750 "$FTP_DIRECTORY/$username" chown $username:ftpaccess "$FTP_DIRECTORY/$username/files" chmod 750 "$FTP_DIRECTORY/$username/files" + + # Create .ssh folder and authorized_keys file, for ssh-key sftp access + mkdir -p "$FTP_DIRECTORY/$username/.ssh" + chmod 700 "$FTP_DIRECTORY/$username/.ssh" + touch "$FTP_DIRECTORY/$username/.ssh/authorized_keys" + chmod 600 "$FTP_DIRECTORY/$username/.ssh/authorized_keys" + else echo "Creating '$username' directory..." - + # Root must own all directories leading up to and including users home directory mkdir -p "$FTP_DIRECTORY/$username" chown root:ftpaccess "$FTP_DIRECTORY/$username" chmod 750 "$FTP_DIRECTORY/$username" - + # Need files sub-directory for SFTP chroot mkdir -p "$FTP_DIRECTORY/$username/files" chown $username:ftpaccess "$FTP_DIRECTORY/$username/files" chmod 750 "$FTP_DIRECTORY/$username/files" fi - + done From 692254f7f95e4f3b4511eed0b1475c9a46ddf333 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 19 Apr 2016 15:08:48 -0700 Subject: [PATCH 11/18] Fixed incorrect url for finding ec2 metadata --- s3-backed-ftp/s3-fuse.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/s3-backed-ftp/s3-fuse.sh b/s3-backed-ftp/s3-fuse.sh index 6814af7..43c0c51 100755 --- a/s3-backed-ftp/s3-fuse.sh +++ b/s3-backed-ftp/s3-fuse.sh @@ -32,8 +32,8 @@ fi if [ ! -z $PASV_ADDRESS ]; then sed -i "s/^pasv_address=/pasv_address=$PASV_ADDRESS/" /etc/vsftpd.conf -elif curl -s http://instance-data.ec2.internal > /dev/null ; then - IP=$(curl -s http://instance-data.ec2.internal/latest/meta-data/public-ipv4) +elif curl -s http://instance-data > /dev/null ; then + IP=$(curl -s http://instance-data/latest/meta-data/public-ipv4) sed -i "s/^pasv_address=/pasv_address=$IP/" /etc/vsftpd.conf else echo "You need to set PASV_ADDRESS environment variable, or run in an EC2 instance. Aborting!" From 58df04f6a2abbe5a83fd91078ca0623e0e1699ca Mon Sep 17 00:00:00 2001 
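Review bot: The new .ssh directory and authorized_keys file are created only in the first branch of the if (the one that ends with the `files` chown/chmod for an already-existing directory); the `else` branch that creates a brand-new user directory does not create them, so a newly added user has no authorized_keys until the next container start. Move the `mkdir -p`, `touch` and both chmod lines below the `fi` so they run in both cases; the if condition itself is above this hunk. Also worth a comment here: FTP_DIRECTORY is presumably the same `/home/aws/s3bucket/ftp-users` path used in add_users_in_container.sh, i.e. inside the s3fs mount, which would mean authorized_keys is read from the S3 bucket and anyone with write access to the bucket can grant SFTP login for any user — confirm this and state it in the README so the bucket's write policy is treated as part of the SSH trust boundary.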
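Review bot: `curl -s http://instance-data > /dev/null` and the fetch below it succeed on any HTTP reply, including a 404 or a proxy's error page, because `-s` without `-f` does not fail on HTTP errors, and whatever body comes back is then written into pasv_address by the sed. Use `curl -sf --max-time 3` for both calls and reject a non-address result before the sed: `case "$IP" in ''|*[!0-9.]*) echo "Could not read public-ipv4 from instance metadata. Aborting!" >&2; exit 1;; esac`. The bare `instance-data` hostname additionally depends on the resolver search domain inside the container, whereas the link-local 169.254.169.254 endpoint the earlier version of this line used does not; if the hostname was changed because resolution failed, the IP form is the more portable choice. The PASV_ADDRESS branch above is outside this hunk.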
From: Nicholas Digati Date: Tue, 19 Apr 2016 16:16:41 -0700 Subject: [PATCH 12/18] More ssh changes - Update ownership of .ssh folder and authorized_keys files. They weren't owned correctly so ssh wouldn't be able to read them. Both now owned by the sftp user - Updated supervisor config to allow stderr logging for ssh process --- s3-backed-ftp/supervisord.conf | 2 +- s3-backed-ftp/users.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/s3-backed-ftp/supervisord.conf b/s3-backed-ftp/supervisord.conf index fdae6be..89db361 100644 --- a/s3-backed-ftp/supervisord.conf +++ b/s3-backed-ftp/supervisord.conf @@ -10,7 +10,7 @@ stdout_logfile=/var/log/s3-fuse-startup.log stderr_logfile=/var/log/s3-fuse-startup.log [program:sshd] -command=/usr/sbin/sshd -D +command=/usr/sbin/sshd -D -e autorestart=true stdout_logfile=/var/log/sshd.log stderr_logfile=/var/log/sshd.log diff --git a/s3-backed-ftp/users.sh b/s3-backed-ftp/users.sh index daae69f..4023553 100755 --- a/s3-backed-ftp/users.sh +++ b/s3-backed-ftp/users.sh @@ -38,8 +38,10 @@ for u in $USERS; do # Create .ssh folder and authorized_keys file, for ssh-key sftp access mkdir -p "$FTP_DIRECTORY/$username/.ssh" chmod 700 "$FTP_DIRECTORY/$username/.ssh" + chown $username "$FTP_DIRECTORY/$username/.ssh" touch "$FTP_DIRECTORY/$username/.ssh/authorized_keys" chmod 600 "$FTP_DIRECTORY/$username/.ssh/authorized_keys" + chown $username "$FTP_DIRECTORY/$username/.ssh/authorized_keys" else echo "Creating '$username' directory..." From 6daa8c547813afdba1a9fcfe93441377357b2bd5 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 19 Apr 2016 17:04:32 -0700 Subject: [PATCH 13/18] Readded periodic check for incorrect owner/permissions for .ssh and authorized_keys --- s3-backed-ftp/add_users_in_container.sh | 76 +++++++++++++------------ 1 file changed, 41 insertions(+), 35 deletions(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index b6f3e8e..b75edf2 100755 
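Review bot: The two new chown lines leave `$username` unquoted while the path on the same line is quoted; quote it for consistency and to keep word-splitting and globbing away from a value taken from the USERS setting: `chown "$username" "$FTP_DIRECTORY/$username/.ssh"` and `chown "$username" "$FTP_DIRECTORY/$username/.ssh/authorized_keys"`. Making the sftp user the owner also lets them edit authorized_keys over their own SFTP session; if users are not meant to manage their keys, a root-owned .ssh and authorized_keys that are readable but not writable by the user (e.g. 755/644) still pass sshd's StrictModes check, so decide which is wanted and record it in the comment above the mkdir.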
--- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh 
@@ -10,50 +10,56 @@ FILE_PERMISSIONS=644 DIRECTORY_PERMISSIONS=750 add_users() { - aws s3 cp s3://$CONFIG_BUCKET/$CONFIG_FILE ~/$CONFIG_FILE - USERS=$(cat ~/"$CONFIG_FILE" | grep USERS | cut -d '=' -f2) + aws s3 cp s3://$CONFIG_BUCKET/$CONFIG_FILE ~/$CONFIG_FILE + USERS=$(cat ~/"$CONFIG_FILE" | grep USERS | cut -d '=' -f2) - for u in $USERS; do - read username passwd <<< $(echo $u | sed 's/:/ /g') + for u in $USERS; do + read username passwd <<< $(echo $u | sed 's/:/ /g') - # If account exists set password again - # In cases where password changes in env file - if getent passwd "$username" >/dev/null 2>&1; then - echo $u | chpasswd -e + # If account exists set password again + # In cases where password changes in env file + if getent passwd "$username" >/dev/null 2>&1; then + echo $u | chpasswd -e - # Fix for issue when pulling files that were uploaded directly to S3 (through aws web console) - # Permissions when uploaded directly through S3 Web client were set as: - # 000 root:root - # This would not allow ftp users to read the files + # Fix for issue when pulling files that were uploaded directly to S3 (through aws web console) + # Permissions when uploaded directly through S3 Web client were set as: + # 000 root:root + # This would not allow ftp users to read the files - # Search for files and directories not owned correctly - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 -r chown "$username:$username" + # Search for files and directories not owned correctly + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 -r chown "$username:$username" - # Search for files with incorrect permissions - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! 
-perm "$FILE_PERMISSIONS" -print0 | xargs -0 -r chmod "$FILE_PERMISSIONS" + # Search for files with incorrect permissions + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 -r chmod "$FILE_PERMISSIONS" - # Search for directories with incorrect permissions - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" + # Search for directories with incorrect permissions + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" - fi + # Search for .ssh folders and authorized_keys files with incorrect permissions/ownership + find "$FTP_DIRECTORY/$username/.ssh" -mindepth 1 -type d \! -perm 700 -print0 | xargs -0 -r chmod 700 + find "$FTP_DIRECTORY/$username/.ssh" -mindepth 1 -type d \! -user "$username" -print0 | xargs -0 -r chown "$username" - # If user account doesn't exist create it - if ! getent passwd "$username" >/dev/null 2>&1; then - useradd -d "$FTP_DIRECTORY/$username" -s /usr/sbin/nologin $username - usermod -G ftpaccess $username + find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -mindepth 1 -type f \! -perm 600 -print0 | xargs -0 -r chmod 600 + find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -mindepth 1 -type f \! -user "$username" -print0 | xargs -0 -r chown "$username" + fi - mkdir -p "$FTP_DIRECTORY/$username" - chown root:ftpaccess "$FTP_DIRECTORY/$username" - chmod 750 "$FTP_DIRECTORY/$username" + # If user account doesn't exist create it + if ! 
getent passwd "$username" >/dev/null 2>&1; then + useradd -d "$FTP_DIRECTORY/$username" -s /usr/sbin/nologin $username + usermod -G ftpaccess $username - mkdir -p "$FTP_DIRECTORY/$username/files" - chown $username:ftpaccess "$FTP_DIRECTORY/$username/files" - chmod 750 "$FTP_DIRECTORY/$username/files" - fi - done + mkdir -p "$FTP_DIRECTORY/$username" + chown root:ftpaccess "$FTP_DIRECTORY/$username" + chmod 750 "$FTP_DIRECTORY/$username" + + mkdir -p "$FTP_DIRECTORY/$username/files" + chown $username:ftpaccess "$FTP_DIRECTORY/$username/files" + chmod 750 "$FTP_DIRECTORY/$username/files" + fi + done } - while true; do - add_users - sleep $SLEEP_DURATION - done +while true; do + add_users + sleep $SLEEP_DURATION +done From b1008974baa932707c9b5838b6e91df8d9f32624 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Tue, 19 Apr 2016 17:06:24 -0700 Subject: [PATCH 14/18] Fixed indentation --- s3-backed-ftp/add_users_in_container.sh | 68 ++++++++++++------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/s3-backed-ftp/add_users_in_container.sh b/s3-backed-ftp/add_users_in_container.sh index b75edf2..e542f2b 100755 --- a/s3-backed-ftp/add_users_in_container.sh +++ b/s3-backed-ftp/add_users_in_container.sh 
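Review bot: `USERS=$(cat ~/"$CONFIG_FILE" | grep USERS | cut -d '=' -f2)` at the top of this hunk matches any line whose text contains USERS and keeps only what lies between the first and second `=`, so a comment mentioning USERS, a differently named variable such as `ADMIN_USERS`, or a value containing `=` produces a wrong user list; anchor the match and keep the rest of the line: `USERS=$(grep '^USERS=' ~/"$CONFIG_FILE" | cut -d= -f2-)`. The re-added .ssh finds keep `-mindepth 1`, which makes them no-ops for the .ssh directory and the authorized_keys file, as raised on patch 09; the chown variants need the same change. `read username passwd <<< $(echo $u | sed 's/:/ /g')` can be `IFS=: read -r username passwd <<<"$u"`, which avoids the sed subprocess and the unquoted expansion. The hunk begins at the DIRECTORY_PERMISSIONS line and covers the whole function plus the trailing loop.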
@@ -10,56 +10,56 @@ FILE_PERMISSIONS=644 DIRECTORY_PERMISSIONS=750 add_users() { - aws s3 cp s3://$CONFIG_BUCKET/$CONFIG_FILE ~/$CONFIG_FILE - USERS=$(cat ~/"$CONFIG_FILE" | grep USERS | cut -d '=' -f2) + aws s3 cp s3://$CONFIG_BUCKET/$CONFIG_FILE ~/$CONFIG_FILE + USERS=$(cat ~/"$CONFIG_FILE" | grep USERS | cut -d '=' -f2) - for u in $USERS; do - read username passwd <<< $(echo $u | sed 's/:/ /g') + for u in $USERS; do + read username passwd <<< $(echo $u | sed 's/:/ /g') - # If account exists set password again - # In cases where password changes in env file - if getent passwd "$username" >/dev/null 2>&1; then - echo $u | chpasswd -e + # If account exists set password again + # In cases where password changes in env file + if getent passwd "$username" >/dev/null 2>&1; then + echo $u | chpasswd -e - # Fix for issue when pulling files that were uploaded directly to S3 (through aws web console) - # Permissions when uploaded directly through S3 Web client were set as: - # 000 root:root - # This would not allow ftp users to read the files + # Fix for issue when pulling files that were uploaded directly to S3 (through aws web console) + # Permissions when uploaded directly through S3 Web client were set as: + # 000 root:root + # This would not allow ftp users to read the files - # Search for files and directories not owned correctly - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 -r chown "$username:$username" + # Search for files and directories not owned correctly + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 \( \! -user "$username" \! -group "$username" \) -print0 | xargs -0 -r chown "$username:$username" - # Search for files with incorrect permissions - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! 
-perm "$FILE_PERMISSIONS" -print0 | xargs -0 -r chmod "$FILE_PERMISSIONS" + # Search for files with incorrect permissions + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type f \! -perm "$FILE_PERMISSIONS" -print0 | xargs -0 -r chmod "$FILE_PERMISSIONS" - # Search for directories with incorrect permissions - find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" + # Search for directories with incorrect permissions + find "$FTP_DIRECTORY/$username/files/" -mindepth 1 -type d \! -perm "$DIRECTORY_PERMISSIONS" -print0 | xargs -0 -r chmod "$DIRECTORY_PERMISSIONS" - # Search for .ssh folders and authorized_keys files with incorrect permissions/ownership + # Search for .ssh folders and authorized_keys files with incorrect permissions/ownership find "$FTP_DIRECTORY/$username/.ssh" -mindepth 1 -type d \! -perm 700 -print0 | xargs -0 -r chmod 700 find "$FTP_DIRECTORY/$username/.ssh" -mindepth 1 -type d \! -user "$username" -print0 | xargs -0 -r chown "$username" find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -mindepth 1 -type f \! -perm 600 -print0 | xargs -0 -r chmod 600 find "$FTP_DIRECTORY/$username/.ssh/authorized_keys" -mindepth 1 -type f \! -user "$username" -print0 | xargs -0 -r chown "$username" - fi + fi - # If user account doesn't exist create it - if ! getent passwd "$username" >/dev/null 2>&1; then - useradd -d "$FTP_DIRECTORY/$username" -s /usr/sbin/nologin $username - usermod -G ftpaccess $username + # If user account doesn't exist create it + if ! 
getent passwd "$username" >/dev/null 2>&1; then + useradd -d "$FTP_DIRECTORY/$username" -s /usr/sbin/nologin $username + usermod -G ftpaccess $username - mkdir -p "$FTP_DIRECTORY/$username" - chown root:ftpaccess "$FTP_DIRECTORY/$username" - chmod 750 "$FTP_DIRECTORY/$username" + mkdir -p "$FTP_DIRECTORY/$username" + chown root:ftpaccess "$FTP_DIRECTORY/$username" + chmod 750 "$FTP_DIRECTORY/$username" - mkdir -p "$FTP_DIRECTORY/$username/files" - chown $username:ftpaccess "$FTP_DIRECTORY/$username/files" - chmod 750 "$FTP_DIRECTORY/$username/files" - fi - done + mkdir -p "$FTP_DIRECTORY/$username/files" + chown $username:ftpaccess "$FTP_DIRECTORY/$username/files" + chmod 750 "$FTP_DIRECTORY/$username/files" + fi + done } while true; do - add_users - sleep $SLEEP_DURATION + add_users + sleep $SLEEP_DURATION done From ca5b622296845a7285865e237cd9361e102961c8 Mon Sep 17 00:00:00 2001 From: Nicholas Digati Date: Fri, 6 May 2016 16:44:35 -0700 Subject: [PATCH 15/18] Updated Dockerfile --- s3-backed-ftp/Dockerfile | 50 +++++++++++++++------------------------- 1 file changed, 19 insertions(+), 31 deletions(-) diff --git a/s3-backed-ftp/Dockerfile b/s3-backed-ftp/Dockerfile index b129db8..220faa8 100644 --- a/s3-backed-ftp/Dockerfile +++ b/s3-backed-ftp/Dockerfile 
@@ -1,36 +1,23 @@
-FROM factual/docker-base
+FROM debian:jessie
 
-# Install needed packages and cleanup after
-RUN apt-get -y update && apt-get -y install --no-install-recommends \
- automake \
- autotools-dev \
- g++ \
- git \
- libcurl4-gnutls-dev \
- libfuse-dev \
- libssl-dev \
- libxml2-dev \
- make \
- pkg-config \
- python3-pip \
- vsftpd \
- openssh-server \
- supervisor \
- && rm -rf /var/lib/apt/lists/*
-
-# Run commands to set-up everything
-RUN pip3 install awscli && \
- git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \
- cd s3fs-fuse && \
- ./autogen.sh && \
- ./configure && \
- make && \
- sudo make install && \
- mkdir -p /home/aws/s3bucket/ && \
- echo "/usr/sbin/nologin" >> /etc/shells
+# Install needed build packages and cleanup after
+RUN buildDeps='automake autotools-dev g++ git libcurl4-gnutls-dev libfuse-dev libssl-dev libxml2-dev make pkg-config' \
+ && runDeps='python3-pip vsftpd openssh-server supervisor' \
+ && apt-get -y update && apt-get -y install $buildDeps $runDeps --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/* \
+ && git clone https://github.com/s3fs-fuse/s3fs-fuse.git \
+ && cd s3fs-fuse \
+ && ./autogen.sh \
+ && ./configure \
+ && make \
+ && make install \
+ && apt-get purge -y --auto-remove $buildDeps \
+ && pip3 install awscli \
+ && mkdir -p /home/aws/s3bucket/ \
+ && echo "/usr/sbin/nologin" >> /etc/shells
 
 # Copy scripts to /usr/local
-COPY ["s3-fuse.sh", "users.sh", "add_users_in_container.sh", "/usr/local/"]
+COPY [ "s3-fuse.sh", "users.sh", "add_users_in_container.sh", "/usr/local/" ]
 
 # Copy needed config files to their destinations
 COPY vsftpd.conf /etc/vsftpd.conf
@@ -41,4 +28,5 @@ COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 EXPOSE 21 22
 
 # Run supervisord at container start
-CMD ["/usr/bin/supervisord"]
+CMD [ "/usr/bin/supervisord" ]
+

From 4d59bafb947e77901ddb85606b496b9301adce3a Mon Sep 17 00:00:00 2001
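Review bot: `apt-get purge -y --auto-remove $buildDeps` in the new RUN instruction is likely to strip the shared libraries the freshly built s3fs binary needs, because on jessie the `-dev` packages in `buildDeps` pull in their runtime counterparts (libfuse2, libcurl3-gnutls, libxml2, libssl1.0.0) as automatically installed and nothing in `runDeps` keeps them. The image would still build cleanly and only fail when supervisord starts s3-fuse.sh, so `ldd /usr/local/bin/s3fs` run after the purge step is the check to add before trusting the smaller image. Naming the runtime packages explicitly, e.g. `runDeps='python3-pip vsftpd openssh-server supervisor fuse libfuse2 libcurl3-gnutls libxml2 libssl1.0.0'`, addresses that; pinning the clone with `git clone --branch <s3fs-fuse tag> --depth 1 https://github.com/s3fs-fuse/s3fs-fuse.git` would additionally stop each build from compiling whatever the upstream default branch holds on the day it runs.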
From: Nicholas Digati
Date: Wed, 22 Jun 2016 16:41:23 -0700
Subject: [PATCH 16/18] Added option to s3fs to expire stat cache to hopefully fix memory leak on EC2 instance.

---
 s3-backed-ftp/s3-fuse.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/s3-backed-ftp/s3-fuse.sh b/s3-backed-ftp/s3-fuse.sh
index 43c0c51..e39073f 100755
--- a/s3-backed-ftp/s3-fuse.sh
+++ b/s3-backed-ftp/s3-fuse.sh
@@ -51,5 +51,5 @@ fi
 # start s3 fuse
 # Code above is not needed if the IAM role is attaced to EC2 instance
 # s3fs provides the iam_role option to grab those credentials automatically
-/usr/local/bin/s3fs $FTP_BUCKET /home/aws/s3bucket -o allow_other -o mp_umask="0022" -o iam_role="$IAM_ROLE" #-d -d -f -o f2 -o curldbg
+/usr/local/bin/s3fs $FTP_BUCKET /home/aws/s3bucket -o allow_other -o mp_umask="0022" -o iam_role="$IAM_ROLE" -o stat_cache_expire=600 #-d -d -f -o f2 -o curldbg
 /usr/local/users.sh

From 45e571d8a488d59c3015bb920b049e29f1941a91 Mon Sep 17 00:00:00 2001
From: Nicholas Digati
Date: Wed, 22 Jun 2016 16:54:50 -0700
Subject: [PATCH 17/18] Changed back to old Dockerfile

---
 s3-backed-ftp/Dockerfile | 50 +++++++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/s3-backed-ftp/Dockerfile b/s3-backed-ftp/Dockerfile
index 220faa8..b129db8 100644
--- a/s3-backed-ftp/Dockerfile
+++ b/s3-backed-ftp/Dockerfile
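Review bot: `$FTP_BUCKET` on the new s3fs line is still unquoted and unchecked, so an empty or unset value leaves s3fs with a single positional argument and no mount, after which the script goes straight on to `/usr/local/users.sh` against an unmounted directory unless `set -e` is enabled above the hunk; `: "${FTP_BUCKET:?FTP_BUCKET must be set}"` before the call and `"$FTP_BUCKET"` in it would fail fast with a clear message instead. The trailing `#-d -d -f -o f2 -o curldbg` remnant is one edit away from enabling libcurl verbose output, which includes request headers in the log; if debugging needs to stay reachable it belongs behind an explicit environment toggle rather than at the end of the production command line. The credential handling the comment refers to is outside the hunk.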
@@ -1,23 +1,36 @@
-FROM debian:jessie
+FROM factual/docker-base
 
-# Install needed build packages and cleanup after
-RUN buildDeps='automake autotools-dev g++ git libcurl4-gnutls-dev libfuse-dev libssl-dev libxml2-dev make pkg-config' \
- && runDeps='python3-pip vsftpd openssh-server supervisor' \
- && apt-get -y update && apt-get -y install $buildDeps $runDeps --no-install-recommends \
- && rm -rf /var/lib/apt/lists/* \
- && git clone https://github.com/s3fs-fuse/s3fs-fuse.git \
- && cd s3fs-fuse \
- && ./autogen.sh \
- && ./configure \
- && make \
- && make install \
- && apt-get purge -y --auto-remove $buildDeps \
- && pip3 install awscli \
- && mkdir -p /home/aws/s3bucket/ \
- && echo "/usr/sbin/nologin" >> /etc/shells
+# Install needed packages and cleanup after
+RUN apt-get -y update && apt-get -y install --no-install-recommends \
+ automake \
+ autotools-dev \
+ g++ \
+ git \
+ libcurl4-gnutls-dev \
+ libfuse-dev \
+ libssl-dev \
+ libxml2-dev \
+ make \
+ pkg-config \
+ python3-pip \
+ vsftpd \
+ openssh-server \
+ supervisor \
+ && rm -rf /var/lib/apt/lists/*
+
+# Run commands to set-up everything
+RUN pip3 install awscli && \
+ git clone https://github.com/s3fs-fuse/s3fs-fuse.git && \
+ cd s3fs-fuse && \
+ ./autogen.sh && \
+ ./configure && \
+ make && \
+ sudo make install && \
+ mkdir -p /home/aws/s3bucket/ && \
+ echo "/usr/sbin/nologin" >> /etc/shells
 
 # Copy scripts to /usr/local
-COPY [ "s3-fuse.sh", "users.sh", "add_users_in_container.sh", "/usr/local/" ]
+COPY ["s3-fuse.sh", "users.sh", "add_users_in_container.sh", "/usr/local/"]
 
 # Copy needed config files to their destinations
 COPY vsftpd.conf /etc/vsftpd.conf
@@ -28,5 +41,4 @@ COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 EXPOSE 21 22
 
 # Run supervisord at container start
-CMD [ "/usr/bin/supervisord" ]
-
+CMD ["/usr/bin/supervisord"]

From af53e1c3688a9bb39f12ea3560fe1fd61d456a22 Mon Sep 17 00:00:00 2001
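Review bot: The restored `RUN` steps leave `g++`, `git`, `make`, the `-dev` headers and the `s3fs-fuse` checkout in the runtime image, and `sudo make install` relies on sudo being shipped by `factual/docker-base`, which carries neither a tag nor a digest, so what ends up in the image depends on whatever that base and the upstream s3fs-fuse default branch contain at build time. If this revert is a reaction to the previous version's `--auto-remove` removing s3fs's runtime libraries, the narrower fix is to keep that version and list the runtime packages as run dependencies rather than reinstating the whole toolchain. At minimum `FROM factual/docker-base:<tag>` and `git clone --branch <s3fs-fuse tag> --depth 1 https://github.com/s3fs-fuse/s3fs-fuse.git` make the build reproducible, and `sudo` can be dropped from `make install` because `RUN` executes as root unless a `USER` instruction precedes it, and none appears in the hunk.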
From: Nicholas Digati
Date: Thu, 23 Jun 2016 16:16:17 -0700
Subject: [PATCH 18/18] Updated data connection timeout for vsftp

- One user was regularly experiencing timeouts when transferring data and was fixed by setting the timeout (manually before) to 15 minutes. This should probably just be set for everyone just so it's consistent and doesn't hurt to have it either.
---
 s3-backed-ftp/vsftpd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/s3-backed-ftp/vsftpd.conf b/s3-backed-ftp/vsftpd.conf
index d48960d..529911c 100644
--- a/s3-backed-ftp/vsftpd.conf
+++ b/s3-backed-ftp/vsftpd.conf
@@ -58,7 +58,7 @@ connect_from_port_20=YES
 #idle_session_timeout=600
 # You may change the default value for timing out a data connection.
-#data_connection_timeout=120
+data_connection_timeout=900
 # It is recommended that you define on your system a unique user which the
 # ftp server can use as a totally isolated and unprivileged user.
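Review bot: `data_connection_timeout=900` grants the 15-minute allowance to every client, so a stalled or idle data connection now holds a vsftpd child process and its open handle on the S3-backed mount for up to 15 minutes instead of 2. That is acceptable when connection counts are bounded; if `max_clients` and `max_per_ip` are not set elsewhere in this file (the rest of the file is outside the hunk), adding them alongside this change keeps a handful of slow clients from occupying every available session. A one-line comment such as `# Raised from the 120s default: large transfers over the s3fs mount were timing out` would keep the reason next to the setting rather than only in the commit message.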