
Multiple users? #7

Closed
tpmeredith opened this issue Nov 11, 2019 · 51 comments

Comments

@tpmeredith

Would it be difficult to add support for more than 1 sftp user? Otherwise this is great for us, thank you.

@bhummerstone
Collaborator

You can either specify multiple users in the SFTP_USERS environment variable, or you can create a config file with the users in: https://github.com/atmoz/sftp#store-users-in-config

@bhummerstone
Collaborator

You'd also want to mount multiple different Azure File shares: one for each user :)

@tpmeredith
Author

tpmeredith commented Nov 14, 2019 via email

@bhummerstone
Collaborator

It isn't something I've actually tried, but I think it should just work: give it a try with just the single file share and see what happens!

@bhummerstone
Collaborator

I've been trying this out, and this currently isn't possible without modifying the base container image. The main reason is the chroot to %HOME%, so a user can only see what's in their own home directory, so that is where the Azure File shares are mounted

@bhummerstone
Collaborator

Here's a sample with multiple users/multiple shares: https://github.com/bhummerstone/azure-templates/blob/master/compute/sftp/sftp-existing-stg-multi-user.json

@SI-BenHodges

Hey,

I was wondering what the full steps would be to set up the following:

So when you deploy this code, it deploys one container and one user which can access the container.

What are the steps/code to add more containers?
and
What are the steps/code to add additional users to existing containers?

thanks
Ben

@bhummerstone
Collaborator

Do you need more than one container in the container group? Is this for performance or isolation purposes? It might be easier to just deploy the whole container group multiple times.

@bhummerstone
Collaborator

As for multiple users, it may be possible to modify the base container image to:

  • Mount the Azure Files share to a different directory
  • Allow this directory to be accessed from the SSH session

(see here for a semi-related example: #4)

@SI-BenHodges

I need to be able to create users which only have access to one folder which relates to the client and not see any others. Would this be possible without needing to create multiple containers?

@bhummerstone
Collaborator

Yes, that would work. I'd recommend having a container/file share per client to provide the easiest separation, and you would also need to modify the original container image to allow access somewhere other than %HOME%, as this is unique to each user

@bhummerstone
Collaborator

I've got some high-level steps for editing the image here: #3 (comment)

@bhummerstone
Collaborator

You'd want to edit the sftp/files/sshd_config file and change the ChrootDirectory to a folder of your choice, and then mount the Azure Files share in that folder. You may also need to edit the Dockerfile to pre-create this folder

@SI-BenHodges

Is there any reason why everything I create gets wiped each time I reboot? I thought maybe I was doing something wrong, but I've tested creating a directory, user and group on a Linux test VM and it didn't wipe when I rebooted.

@bhummerstone
Collaborator

This sample runs as a container which is deployed fresh each time, so the only thing that is persisted is what is stored in the /upload directory, as this is backed by the Azure Files share

@SI-BenHodges

Thanks Ben, I have figured it out now.
I scrapped the idea of multiple containers and went with your link from earlier, creating multiple users each with their own file share.

What's useful to know for anyone using this is that if you want to add more users or file shares post-deployment, just re-deploy the code with them in. It just replaces the config of the container and doesn't touch anything else.

The only thing missing to make this perfect now is for the public IP to be static and a GUI would be cool.

@bhummerstone
Collaborator

There's a pull request in to update the sample to include a public DNS record, which would remain static between deployments; you could also alias this with your own custom DNS record.

In terms of a GUI, is there anything in particular you would like to see? UI for configuring users/shares etc.?

@SI-BenHodges

Yes, I did see that and updated the config to have a custom domain, which should do.

Yes, exactly: just a UI which prompts you for a username and password, and then for a standard user displays the folders they have access to, but for an administrator a view which can see all users and folders.

@bhummerstone
Collaborator

Gotcha. I've been thinking about this as a personal project: there's an Azure Container Instance connector in Logic Apps, so you could have a website that allows you to configure them, and then pass off to a Logic App to deploy/reconfigure the ACI.

@SI-BenHodges

Just one other minor thing: how can you set up users without referencing parameters?

So for example here I have 10 users:

```json
"sftpEnvVariable": "[concat(parameters('sftpUser1'), ':', parameters('sftpPassword1'), ':::upload ', parameters('sftpUser4'), ':', parameters('sftpPassword4'), ':::upload ', parameters('sftpUser2'), ':', parameters('sftpPassword2'), ':::upload ', parameters('sftpUser3'), ':', parameters('sftpPassword3'), ':::upload ', parameters('sftpUser5'), ':', parameters('sftpPassword5'), ':::upload ', parameters('sftpUser6'), ':', parameters('sftpPassword6'), ':::upload ', parameters('sftpUser7'), ':', parameters('sftpPassword7'), ':::upload ', parameters('sftpUser8'), ':', parameters('sftpPassword8'), ':::upload ', parameters('sftpUser9'), ':', parameters('sftpPassword9'), ':::upload ', parameters('sftpUser10'), ':', parameters('sftpPassword10'), ':::upload ')]",
```

It's very long-winded adding all of this and then adding the parameters and then also having to type the value. I'd rather just type the value, but I'm not 100% sure what I can change the above to?

@bhummerstone
Collaborator

Yes, you can specify the users in a config file and then mount that using an Azure Files share: https://github.com/atmoz/sftp#store-users-in-config

You may need to have a custom script to copy your custom users.conf file into /etc/sftp, as you can't mount a share directly into /etc/sftp as it requires special permissions that Azure Files doesn't support. You should be fine to mount scripts into /etc/sftp.d as per: https://github.com/atmoz/sftp#execute-custom-scripts-or-applications

@SI-BenHodges

Hey,

Still a little stuck on this. I have changed what I would like to set up as I've understood more about this, so all I want is one file share in Azure with multiple directories within the share. Each directory should talk to the user's home folder, e.g. /home is the file share and /home/user1 is a directory.

If the volume mount is set to "[concat('/home/')]" and the user's home folder to /home/user1, it successfully creates a directory in the file share called user1, which is great, but then user1 can't log in to SFTP?

Also, just to add that there is no file path '/etc/sftp'; I found the users.conf file within /run/sftp/users.conf.

I've edited this file to add more users and then edited the /etc/passwd file with the user too, but it doesn't allow the user to sign in to SFTP either.

I've logged into the console with these profiles and they've been able to see the folders and have confirmed they have full access, so it just seems to be when you try to log in with an FTP client?

I would prefer to set this up from within the Linux console and Azure template if possible, so any instructions on how to overcome this issue would be greatly appreciated.

thanks

@SI-BenHodges

Also worth noting that if I try to change the user's home folder, e.g. /home/user1 to /sftp/user1, the user cannot log in, and if I try redirecting the folder using ln it doesn't let the user log in either!
I'm new to this and I've done a lot of research but seem to be hitting lots of walls here.

@bhummerstone
Collaborator

Gotcha. I believe the /etc/sftp folder is one that you can create and mount yourself, and the container image will append any users there to the final resting place in /run/sftp/users.conf; have a look in the Entrypoint file for this bit of scripting. As such, you could mount your own users file there.

@bhummerstone
Collaborator

W.r.t. the additional directories, are you trying to mount a shared directory that everyone can use, or just have sub-folders in the same Azure Files share for each user?

@VinsonY

VinsonY commented May 7, 2020

I'm trying to create a SFTP site hosted by Azure with multiple logins for different clients/customers. Each client/customer should have a separate default root folder. From what I can gather through the posts, I know it is possible but I am at a loss on how to proceed. I am not familiar with setting up SFTP sites and new to Azure as well. Am I correct in assuming there is no GUI built for this and all settings need to be written and done through text/json?

Are these settings set through the Parameters of the Container Instances? Would anyone be able to provide me an example of the required syntax?

@bhummerstone
Collaborator

@VinsonY the best we can do in terms of GUI for this is to import the template into the Azure Portal and deploy it from there: https://portal.azure.com/?feature.customportal=false#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Gallery%2Fmyareas%2Fgalleryitems

@bhummerstone
Collaborator

Here's an example template that supports multiple users with different root folders: https://github.com/bhummerstone/azure-templates/blob/master/compute/sftp/sftp-existing-stg-multi-user.json

Key parameters:

  • existingFileShareName1/2: different Azure Files shares for the different users
  • sftpUser1/2: different usernames
  • sftpPassword1/2: different passwords

@bhummerstone
Collaborator

An alternative would be to just deploy the sample template multiple times: one for each user :)

@VinsonY

VinsonY commented May 11, 2020

@bhummerstone Thanks, I'll give that a try. I realized I was overwriting existing accounts I created when I tried to deploy the same template a number of times. I think the template I used was not detailed enough and was overwriting items since I couldn't define the container instance.

@VinsonY

VinsonY commented May 11, 2020

@bhummerstone I can only create one account when using the template you suggested. Examining the template post deployment shows multiple sftp volumes and the folder names but the associated logins don't seem to work. Would you recommend creating multiple Container Instances, one per user, and deploying it that way instead?

@VinsonY

VinsonY commented May 12, 2020

I've moved to trying to create multiple container instances that access different points/sub folders of the same file share but have not been able to get that to work either.

I assumed that by changing the mounted folder points I could set where a specific user's home directory would start from, e.g.:

User1
"mountPath": "/home/p1/upload"

User2
"mountPath": "/home/p1/upload/clientname"

Is changing the mount paths the setting I should be changing, or is there another method?

@bhummerstone
Collaborator

I'm surprised that template doesn't work: I'll double check it myself to see what might be happening.

Depending on your usage pattern, having a Container Instance per user might be the simplest way, as you can just start/stop the ACI as required.

Unfortunately to change the mount path, you need to edit the container image: check this thread for an example: #4

@diogofdsilva

@bhummerstone I want to create an Azure SFTP server using this solution but with 2 conditions: the access must be made using SSH key auth, and the solution must have IPSec VPN access.

For the SSH auth, do you recommend using https://github.com/bhummerstone/azure-templates/blob/master/compute/sftp/sftp-custom-image.json, or do I really need to create a new Docker image?

@bhummerstone
Collaborator

You can do SSH auth without creating a custom image as you can just mount the SSH keys as a separate file share as per: https://github.com/bhummerstone/azure-templates/blob/master/compute/sftp/sftp-config-file.json

However, this still does give the host key prompt each time you deploy the image, so if you want to set this to be static then you'll need to create a new Docker image and remove the steps that generate the host key.

@bhummerstone
Collaborator

For VPN support, you'll want to modify the ACI resource in the template to deploy with vNet integration, which would assign it a private IP: this should then allow you to set up a VPN gateway, and thus enable connectivity.

There's a sample template for ACI w/ vNet Integration here: https://github.com/Azure/azure-quickstart-templates/tree/master/101-aci-vnet

@pragadeeshraju

Hi,

Is there any solution for creating multiple users for one Azure file share?

@bhummerstone
Collaborator

This is unfortunately quite a complex task, as the default behaviour for the container is to force a separate folder for each user.

To get around this, you would need to create a new container image based on the existing one, and modify a few things:

  • sshd_config to change the ChrootDirectory to one of your choice rather than %h (i.e. each user's home)
  • create-sftp-user script to create the directory of your choice and then ensure the correct permissions are set
  • Change the ARM template to mount the Azure File share to this new directory
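To make the "ensure the correct permissions are set" step concrete: sshd only accepts a ChrootDirectory if it and every directory above it are owned by root and not writable by group or others, which is why a share mounted with dir_mode=0777 must sit in a subdirectory below the chroot (as the stock image does with %h/upload) rather than be the chroot itself. The Python below is an added illustration, not code from this repository or the atmoz/sftp image; it checks a candidate path the way sshd does and shows that a writable subdirectory beneath the chroot is fine.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

def chroot_problems(chroot: str, require_root_owner: bool = True) -> List[str]:
    """List the reasons sshd would reject `chroot` as a ChrootDirectory.

    sshd requires the chroot directory and every directory above it to be
    owned by root and not writable by group or others; otherwise the login
    fails with "bad ownership or modes for chroot directory component" in the
    sshd log. Directories *below* the chroot are not checked, which is where
    a writable share belongs. require_root_owner=False skips the ownership
    rule so the layout can be dry-run as a normal user. Empty list = accepted.
    """
    problems: List[str] = []
    path = Path(chroot).resolve()
    for component in (path, *path.parents):
        st = component.stat()
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
            continue
        if require_root_owner and st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{component}: writable by group/others "
                            f"(mode {stat.filemode(st.st_mode)})")
    return problems

def build_demo_layout(root: Optional[str] = None) -> dict:
    """Construct a throwaway layout (constructed sample, not a real deployment):
    'bad' mounts a 0777 share directly at the chroot; 'good' keeps the chroot
    at 0755 and puts the 0777 share in an 'upload' subdirectory beneath it."""
    root = root or tempfile.mkdtemp()
    bad = os.path.join(root, "bad_chroot")
    good = os.path.join(root, "good_chroot")
    os.makedirs(bad)
    os.chmod(bad, 0o777)                               # like dir_mode=0777 on the mount
    os.makedirs(os.path.join(good, "upload"))
    os.chmod(good, 0o755)                              # chroot itself stays non-writable
    os.chmod(os.path.join(good, "upload"), 0o777)      # writable share one level down
    return {"bad": bad, "good": good}

def own_problems(chroot: str) -> List[str]:
    """Problems reported for the chroot directory itself (ignoring /tmp etc. above it)."""
    prefix = str(Path(chroot).resolve()) + ":"
    return [p for p in chroot_problems(chroot, require_root_owner=False)
            if p.startswith(prefix)]

if __name__ == "__main__":
    layout = build_demo_layout()
    print("bad: ", own_problems(layout["bad"]))    # flags the 0777 chroot
    print("good:", own_problems(layout["good"]))   # [] - writable subdir is fine
```

In a real image you would run chroot_problems with the default require_root_owner=True against the directory named in ChrootDirectory after the share is mounted.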

@claudiunicola

Hi,

Any thoughts on how to restart sftp service after changing the sshd_config file? I have tried service ssh restart, but this seems to also stop the container instance (without starting it back)... After I manually start the container instance, all changes to sshd_config file are lost, because it deploys a fresh instance... So I'm stuck in a loop :)

Thanks!

@bhummerstone
Collaborator

Generally speaking, with a container you want to make the changes to the original image and then redeploy rather than modify anything at runtime, so I recommend you build a new container image with the changes you would like, then modify the sample here to deploy that instead.

@ltkvien

ltkvien commented Jan 19, 2021

> sftpPassword1/2: different passwords

Hi Ben, thanks so much for the template to create multiple users and map different file shares for different users. Could you please have a look at the solution to restrict the permissions of some users who only need to read files (download only)? FYR: #19

@mdlindsey

@bhummerstone Thank you for your help, I had been struggling with this for a while. I used the multi-user template with success, but when trying to setup a new user I am having an issue authenticating via FTP client. The first two fileshares and users worked as expected, and I'm able to change their password by deploying the ARM template with a new password and restarting the container group. However, no new fileshares or users are able to be authenticated despite being able to modify the credentials of existing users. I'm sure I'm overlooking something silly but would appreciate any guidance.

Here is the template I'm using

@bhummerstone
Collaborator

@mdlindsey interesting: is there anything in the logs? I believe the container image creates the users via a script in the entrypoint, so it should be picking up the details here.

An alternative to doing the environment variable is to store the user details in a separate file, as per: https://github.com/atmoz/sftp#store-users-in-config. You would need to create a new container image that copies the file into the correct place rather than mounting an Azure File share as the permissions are not currently set correctly

@mdlindsey

> @mdlindsey interesting: is there anything in the logs?

How would I check detailed logs? I'd be happy to take a look at that. The deployment logs say all operations are successful and show me the created resources. Everything seems fine but the new user credentials simply do not work. I will take a look at the other solution you presented but am still scratching my head over this one, as this template worked just fine for the first two users/fileshares that were created.

@bhummerstone
Collaborator

If you look at the ACI in the Portal, you should be able to select the Container and then select Logs.

Or use the Azure CLI: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-get-logs

@mdlindsey

Turned out the template I was using was missing a space after the directory specification in the env vars for the 2nd user.

On line 104 of the gist:

"sftpEnvVariable": "[concat(parameters('sftpUser1'), ':', parameters('sftpPassword1'), ':::upload ', 

The space after :::upload was missing on the 2nd user causing the 3rd user to break. Silly mistake that I didn't catch but just wanted to bring light to that in case anyone else ever has the same issue. Again, thank you @bhummerstone for your time!

@Developper28

Developper28 commented Feb 19, 2021

> This sample runs as a container which is deployed fresh each time, so the only thing that is persisted is what is stored in the /upload directory, as this is backed by the Azure Files share

@bhummerstone can you please tell me where am I supposed to put the script that mounts the users.conf file from the file share to the container? Since everything is deleted when I restart the container.

This is the script that is supposed to mount my users.conf from the file share to /etc/sftp in the container; did I miss something:

```bash
#!/bin/bash
# Mount the Azure Files share holding users.conf onto /etc/sftp.
# xxxxxx = storage account name, yyyyyy = storage account key (placeholders).

# Bind-mount an existing local directory $1 onto $2, creating $2 if needed.
# (Only for local directories; a CIFS share is mounted with the fstab entry below,
# not with "mount --bind".)
function bindmount() {
    if [ ! -d "$1" ]; then
        echo "bindmount: $1 is not a directory" >&2
        return 1
    fi
    mkdir -p "$2"
    mount --bind "$1" "$2"
}

sudo mkdir -p /etc/sftp
if [ ! -d "/etc/smbcredentials" ]; then
    sudo mkdir /etc/smbcredentials
fi
if [ ! -f "/etc/smbcredentials/xxxxxx.cred" ]; then
    sudo bash -c 'echo "username=xxxxxx" >> /etc/smbcredentials/xxxxxx.cred'
    sudo bash -c 'echo "password=yyyyyy" >> /etc/smbcredentials/xxxxxx.cred'
fi
sudo chmod 600 /etc/smbcredentials/xxxxxx.cred

# Record the CIFS mount in fstab once (so it is re-applied on reboot), then mount it now.
if ! grep -q "/etc/sftp cifs" /etc/fstab; then
    sudo bash -c 'echo "//xxxxxx.file.core.windows.net/admin /etc/sftp cifs nofail,vers=3.0,credentials=/etc/smbcredentials/xxxxxx.cred,dir_mode=0777,file_mode=0777,serverino" >> /etc/fstab'
fi
sudo mount /etc/sftp
```

Thank you.

@Developper28

> @mdlindsey interesting: is there anything in the logs? I believe the container image creates the users via a script in the entrypoint, so it should be picking up the details here.
>
> An alternative to doing the environment variable is to store the user details in a separate file, as per: https://github.com/atmoz/sftp#store-users-in-config. You would need to create a new container image that copies the file into the correct place rather than mounting an Azure File share as the permissions are not currently set correctly

@bhummerstone also, creating a new container image that copies the file into the correct place rather than mounting the Azure File share seems very interesting. Can you please provide the steps to do so: and especially where to put the file containing the users.

Thank you so much.

@bhummerstone
Collaborator

@Developper28 have a look here for some guidance about how to create a new container image based on the existing one: #3 (comment)

@bhummerstone
Collaborator

Closing this issue as it has been idle for a while

@artisticcheese

Here is an end-to-end solution for SFTP on Azure Files based on Windows containers, without the issues mentioned above about the ability to use a single Azure file share for multiple users:
https://wordpress.com/post/artisticcheese.wordpress.com/1655
