lftp Container

Minimal Docker image that provides lftp as the main container process.

The image is configured to start lftp via ENTRYPOINT:

Platform	Link
	lftp
	nmeyer99/lftp

Why Run lftp as a Non-Root User?

For security reasons, lftp should not run as root inside a container. By default, many container processes run as root, which poses a high risk. If a vulnerability is exploited, an attacker could gain full control over the host server.

By starting the lftp process as a non-root user, you significantly limit the potential damage in case of an attack. The attacker would only have the restricted privileges of that user and couldn't access or manipulate the underlying host system.

Container Security

While containers offer good isolation, they are not immune to attacks. Key security practices include:

• Regularly updating the container image.
• Using a minimalist image with only essential components.
• Running containers as a non-root user.
• Setting restrictive access permissions within the container image.

UID/GID Matching (optional)

To avoid permission issues with bind mounts, you can build the image so that the lftp user inside the container uses the same UID/GID as your host user.

• Build with host IDs:
  • docker build --build-arg LFTP_UID=$(id -u) --build-arg LFTP_GID=$(id -g) -t lftp:latest .
• Defaults (if not provided): LFTP_UID=100, LFTP_GID=101.

Note: The container still runs as lftp (not root).

Optional apk upgrade during build

You can opt-in to upgrading all base packages during build via a build arg:

• Enable upgrade: docker build --build-arg APK_UPGRADE=true -t lftp:latest .
• Default: APK_UPGRADE=false (no upgrade for reproducibility)

The Dockerfile conditionally runs apk update && apk --no-cache upgrade before installing required packages.

Image version label

You can set the image metadata version label via a build arg:

• From git tag/commit: docker build --build-arg IMAGE_VERSION=$(git describe --tags --always --dirty) -t lftp:latest .
• Or short commit: docker build --build-arg IMAGE_VERSION=$(git rev-parse --short HEAD) -t lftp:latest .

This value is written to label org.opencontainers.image.version.

Runtime version file

The image also writes the version into a file inside the container for easy runtime inspection:

• Path: /etc/image-version
• Check inside container: cat /etc/image-version

This mirrors the IMAGE_VERSION build arg and stays immutable at runtime.

ENTRYPOINT ["/usr/bin/lftp"]
CMD []

This means all arguments passed to docker run are forwarded directly to lftp.

Features

• Small Alpine-based runtime
• lftp runs as the container process
• Runs as non-root user lftp (UID/GID configurable via build args)
• Working directory: /app

Build

Build with docker build

docker build -t lftp:local .

Build with optional arguments

docker build \
  --build-arg BASEIMAGE=library/alpine:3.22.1 \
  --build-arg APK_UPGRADE=false \
  --build-arg LFTP_UID=1000 \
  --build-arg LFTP_GID=1001 \
  --build-arg IMAGE_VERSION=dev \
  -t nmeyer99/lftp .

Usage

Important: do not prefix commands with lftp; pass only lftp arguments.

Start interactive session

docker run --rm -it nmeyer99/lftp

Connect directly to an FTP server

docker run --rm -it nmeyer99/lftp \
  -u username,password \
  ftp://your-ftp-server.com

Upload via mirror -R (local folder -> remote)

docker run --rm -it \
  -v /local/path/to/directory:/data \
  nmeyer99/lftp \
  -e "mirror -R /data /remote/directory; bye" \
  -u username,password \
  ftp://your-ftp-server.com

Note: local host paths must be mounted as volumes (-v ...:/data). Use the container path (/data) inside the lftp command.

Container paths

• WORKDIR: /app
• VOLUME: /app

Local build script

A helper script build.sh is included to resolve the latest base image and build the container:

./build.sh

With APK_UPGRADE=true:

./build.sh "--build-arg APK_UPGRADE=true"

License

See LICENSE.