emberstack / docker-sftp

SFTP Server for Docker
MIT License

Support OpenShift #45

Closed Sabik2006 closed 4 years ago

Sabik2006 commented 4 years ago

Docker-sftp doesn't work inside a pod on OpenShift 4

I get the exception below when docker-sftp starts on OpenShift 4 (it works fine on OpenShift 3):

```
2020-09-15 12:17:05.747 [INF] (ES.SFTP.Host.Program) Starting host
2020-09-15 12:17:06.091 [WRN] (Microsoft.AspNetCore.Server.Kestrel) Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
2020-09-15 12:17:06.100 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://0.0.0.0:25080
2020-09-15 12:17:06.101 [DBG] (ES.SFTP.Host.HostedService) Starting
2020-09-15 12:17:06.102 [DBG] (ES.SFTP.Host.Orchestrator) Starting
2020-09-15 12:17:06.153 [FTL] (ES.SFTP.Host.Program) Host terminated unexpectedly
System.UnauthorizedAccessException: Access to the path '/etc/sssd/sssd.conf' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
   at System.IO.FileStream.OpenHandle(FileMode mode, FileShare share, FileOptions options)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
   at System.IO.FileSystem.CopyFile(String sourceFullPath, String destFullPath, Boolean overwrite)
   at System.IO.File.Copy(String sourceFileName, String destFileName, Boolean overwrite)
   at ES.SFTP.Host.Orchestrator.ConfigureAuthentication() in /src/ES.SFTP.Host/Orchestrator.cs:line 93
   at ES.SFTP.Host.Orchestrator.Start() in /src/ES.SFTP.Host/Orchestrator.cs:line 63
   at ES.SFTP.Host.HostedService.StartAsync(CancellationToken cancellationToken) in /src/ES.SFTP.Host/HostedService.cs:line 25
   at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
   at ES.SFTP.Host.Program.Main(String[] args) in /src/ES.SFTP.Host/Program.cs:line 33
```

Can I somehow configure docker-sftp to store all its files inside the "/tmp" directory? It seems that in OpenShift 4 the pod only has rights to create and edit files inside the "/tmp" directory.

VictorCardona commented 4 years ago

I have the same issue in OpenShift 3.11, but on IBM Cloud. Does anyone have any helpful information?

Thanks

```
2020-09-16 20:46:14.489 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://0.0.0.0:25080
2020-09-16 20:46:14.491 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Starting
2020-09-16 20:46:14.494 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Validating and updating configuration
2020-09-16 20:46:14.517 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Configuration contains '1' user(s)
2020-09-16 20:46:14.518 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Started
2020-09-16 20:46:14.523 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Starting
2020-09-16 20:46:14.523 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Stopping SSSD service
2020-09-16 20:46:14.597 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Applying SSSD configuration
2020-09-16 20:46:14.647 [FTL] (ES.SFTP.Host.Program) Host terminated unexpectedly
System.UnauthorizedAccessException: Access to the path '/etc/sssd/sssd.conf' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
```

winromulus commented 4 years ago

@VictorCardona @Sabik2006 - I have no experience with OpenShift but the application needs to be able to write files in the container in /etc/sssd/ and in /app/. Someone will need to investigate and propose a fix for this, someone with experience in OpenShift. I've tagged this as help wanted.

stale[bot] commented 4 years ago

Automatically marked as stale due to no recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Sabik2006 commented 4 years ago

> @VictorCardona @Sabik2006 - I have no experience with OpenShift but the application needs to be able to write files in the container in /etc/sssd/ and in /app/. Someone will need to investigate and propose a fix for this, someone with experience in OpenShift. I've tagged this as help wanted.

As I see it, this issue is not specific to OpenShift. There should just be a way to configure a root path for all docker-sftp paths, something like "rootPath = '/tmp'", so that the file path "/etc/sssd/sssd.conf" becomes "/tmp/etc/sssd/sssd.conf"; that would solve my problem (because all my pods only have rights to write and modify files inside the "/tmp" directory).

stale[bot] commented 4 years ago

Removed stale label.

VictorCardona commented 4 years ago

For this problem in OpenShift, I found that we can run one command to grant the anyuid permission needed to run the pod, "bypassing" the non-root security in OpenShift:

```
oc adm policy add-scc-to-user anyuid -z default
```

Change "default" to the service account created by the helm deployment.

https://dodgydudes.se/allow-containers-to-run-as-root-on-openshift-3-10/

Info for anyone who may need it.

And really thanks for the help

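The maintainer's comment names the paths the container must write (/etc/sssd/ and /app/), and the anyuid workaround above makes the whole namespace's `default` service account eligible to run as any UID, which is a much wider grant than one SFTP pod needs. The script below is an added example (not code from emberstack/docker-sftp): it approximates the conditions of OpenShift's restricted SCC with plain `docker run` (arbitrary non-root UID, root group as supplemental group, all capabilities dropped, no privilege escalation) and probes inside the container which of those paths are writable, so the failure in the stack trace can be reproduced and narrowed down without a cluster. Assumptions: docker is installed, the image has /bin/sh, the image name `emberstack/sftp:latest` and the uid-range annotation value `1000830000/10000` are placeholders you replace with your own, and the `openshift.io/sa.scc.uid-range` annotation format `<start>/<size>` is taken from OpenShift's documented behaviour of assigning the first UID of the namespace range.

```shell
#!/bin/sh
# Added example, not part of emberstack/docker-sftp.
# Reproduce restricted-SCC conditions locally and probe write access to the
# paths the application needs, before deciding whether anyuid is required.

# OpenShift's restricted SCC (MustRunAsRange) runs the container as the first
# UID of the namespace's allocated range, published in the namespace annotation
# openshift.io/sa.scc.uid-range as "<start>/<size>". Return that first UID, or
# fail on a malformed value.
scc_first_uid() {
    range="$1"
    start="${range%%/*}"
    size="${range#*/}"
    case "$range" in
        */*) ;;
        *) printf 'invalid uid-range (expected <start>/<size>): %s\n' "$range" >&2; return 1 ;;
    esac
    case "$start$size" in
        ""|*[!0-9]*) printf 'invalid uid-range (non-numeric): %s\n' "$range" >&2; return 1 ;;
    esac
    printf '%s\n' "$start"
}

# docker run flags approximating the restricted SCC: arbitrary non-root UID with
# GID 0 (OpenShift adds the root group so group-writable files stay usable),
# no Linux capabilities, and no setuid/setcap privilege escalation.
restricted_run_flags() {
    uid="$1"
    printf -- '--user %s:0 --cap-drop ALL --security-opt no-new-privileges' "$uid"
}

# Probe executed inside the container: report the effective identity and try to
# create a file in each path the maintainer named, plus /tmp for comparison.
# Constructed probe; paths come from the maintainer's comment in this issue.
PROBE='id
for d in /etc/sssd /app /tmp; do
  if touch "$d/.scc-probe" 2>/dev/null; then
    echo "writable  $d"; rm -f "$d/.scc-probe"
  else
    echo "denied    $d  (owner: $(stat -c %u:%g "$d" 2>/dev/null || echo unknown))"
  fi
done'

# Run the probe in the image under the approximated SCC. Assumes the image
# ships /bin/sh (the emberstack image is Debian-based, so this should hold).
probe_image() {
    image="$1"
    uid="$2"
    # shellcheck disable=SC2046  # flags are intentionally word-split
    docker run --rm --entrypoint /bin/sh $(restricted_run_flags "$uid") "$image" -c "$PROBE"
}

# Only touch docker when explicitly asked, so the functions can be sourced or
# tested without a container runtime. Example:
#   UID_RANGE=1000830000/10000 IMAGE=emberstack/sftp:latest sh scc-probe.sh --run
if [ "${1:-}" = "--run" ]; then
    uid=$(scc_first_uid "${UID_RANGE:-1000830000/10000}") || exit 1
    probe_image "${IMAGE:-emberstack/sftp:latest}" "$uid"
fi
```

Read the namespace's real range with `oc get namespace <ns> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'`. If the probe shows /etc/sssd and /app denied for the arbitrary UID, that matches the `UnauthorizedAccessException` in the trace and confirms the image, not the cluster, is what needs changing (either the configurable root path requested in this thread or making those directories group-writable for GID 0 in the image). Note that the application also stops and starts the SSSD service, which may need privileges that a writable directory alone does not give. If anyuid really is required, bind it to a dedicated service account referenced by the deployment (`oc adm policy add-scc-to-user anyuid -z <dedicated-sa>`) rather than to `default`, so other pods in the namespace do not inherit the right to run as root.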

Sabik2006 commented 4 years ago

> For this problem in OpenShift, I found that we can run one command to grant the anyuid permission needed to run the pod, "bypassing" the non-root security in OpenShift.
>
> oc adm policy add-scc-to-user anyuid -z default

Yes, this could be a solution, but not in my case: I work with an external OpenShift, and I simply don't have enough rights to run this command:

```
$ oc adm policy add-scc-to-user anyuid -z default
Error from server (Forbidden): securitycontextconstraints.security.openshift.io "anyuid" is forbidden: User "my_user" cannot get resource "securitycontextconstraints" in API group "security.openshift.io" at the cluster scope
```

So I still need some configurable property in docker-sftp, like I described in my previous comment: https://github.com/emberstack/docker-sftp/issues/45#issuecomment-701388023

stale[bot] commented 4 years ago

Automatically marked as stale due to no recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 4 years ago

Automatically closed stale item.