lucee / lucee-dockerfiles

Official Lucee Dockerfiles for Docker Hub build images
https://hub.docker.com/u/lucee/
MIT License

CFFTP fails inside docker container #31

Closed mrerichoffman closed 8 years ago

mrerichoffman commented 8 years ago

EDIT - I did an apt-get install ftp directly on my lucee container and found out a directory listing will only work in passive mode via command line. So this leads me to believe passive = "true" option does not work for CFFTP? Can anyone else reproduce this issue?

I have not been able to complete simple ftp operations within lucee-nginx 4.5 docker container tag - 4.5.3-t8.0.36. I even tried rolling back to the first docker image 4.5.1.024 with no luck. After troubleshooting multiple external and internal ftp connections, I believe the core issue to be at the docker container both from a docker virtual machine and running docker on linux. I have been able to get cfftp to work as expected running on my windows box using the express installer for 4.5. The error messages make me think it has something to do with networking from docker. I receive an ftp security deny response from the remote ftp server when doing file transfers or directory list actions (connection open/close and create directory work fine). Here are some of the error messages I get for a directory list action:

FTP server running locally: 425 Can't open data connection for transfer of "/"
FTP server running remotely: 500 I won't open a connection to 172.19.0.2 (only to 24.252.XX.XXX)

I partially masked my external IP 24.252.XX.XXX - so that last error looks as if Lucee sent my local IP instead of my external IP address when running inside Docker. I would not be surprised if all versions of the Docker images for Lucee are affected by this CFFTP issue. Please let me know if there is any config change I can make to solve this or if this is a bigger issue. For me this is a show-stopping bug that would make me avoid using the Lucee Docker images; FTP is a must-have. Thanks for looking into this.

Here is sample code to reproduce the issue:

<cfoutput>
<!--- Open the connection. ---> 

<cfftp action = "open" 
    username = "myuser" 
    connection = "myConn" 
    password = "mypass" 
    server = "ftp.example.com" 
    port = "21"
    passive = "true">

<p>Did it succeed? <cfoutput>#cfftp.succeeded#</cfoutput> 
<cfdump var="#cfftp#" label="connection"> 

<cfset dirExists = false>
<cfftp
    action="existsDir"
    connection="myConn"
    directory="/" stoponerror="no">
<cfif cfftp.ReturnValue eq true>
    <cfset dirExists = true>
</cfif>
<p>Did it succeed? <cfoutput>#cfftp.succeeded#</cfoutput>
<cfdump var="#dirExists#">

<cfftp action = "listdir" 
    connection="myConn" 
    stopOnError="yes" 
    name="ListFiles" 
    directory="/"> 

<p>Did it succeed? <cfoutput>#cfftp.succeeded#</cfoutput> 
<cfdump var="#ListFiles#">

<!--- Close the connection. ---> 
<cfftp action="close" connection="myConn">
</cfoutput>

mrerichoffman commented 8 years ago

I found a similar issue here - http://stackoverflow.com/questions/28580178/getting-i-wont-open-a-connection-to-when-connecting-to-ftp-server-from-google

Changing the ftp connection to passive did not work for my example.

mrerichoffman commented 8 years ago

I did an apt-get install ftp directly on my lucee container and found out a directory listing will only work in passive mode via command line. So this leads me to believe passive = "true" option does not work for CFFTP? Can anyone else reproduce this issue?

modius commented 8 years ago

This is likely to be a networking issue rather than a Lucee issue. Docker by design restricts all of a container's network interfaces. Off the top of my head, I'd suggest that you are able to talk from the Lucee container to your external FTP server but it's unable to communicate back. I'm not an FTP expert but you may be able to publish the ports on which your FTP client needs to communicate and solve the problem. What ports have you currently got published in your Docker container?

UPDATE: Scrap that. Looks like you do need passive mode: http://mozartanalytics.com/500-illegal-port-command-in-docker-container/

containers using any kind of Debian or Ubuntu distribution as base image, will reserve port 21 and will not let custom clients use it

Lucee docker image is based on Debian.

Definitely need to make sure CFFTP is properly activating passive mode.

boomfish commented 8 years ago

The documentation for using passive mode in CFFTP is scant. The behaviour reported suggests that it is still using active mode for directory operations even though the connection is in passive mode. Try adding passive="true" to all the CFFTP operations to force them into passive mode. If that works, then there is either an implementation bug or documentation bug for CFFTP passive mode in Lucee.

mrerichoffman commented 8 years ago

Thanks boomfish! I added passive="true" to all CFFTP operations and that fixed it. I was under the assumption that the passive setting was only valid on the connection open operation. I can see others running into the same issue as me who run in docker containers. Hopefully this gets addressed with the Lucee team.

Thanks again for the workaround!

modius commented 8 years ago

Might want to raise an issue within the lucee issue database: https://luceeserver.atlassian.net/projects/LDEV
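
The 500 response quoted in the first post can be reproduced offline. The following is an added example, not code from the thread or from Lucee: it models an FTP server that only opens active-mode data connections back to the address it sees on the control connection (the usual defence against FTP bounce), and shows why a client behind Docker NAT trips that check while passive mode does not. `172.19.0.2` is the container address from the error message; `203.0.113.10` and `198.51.100.7` are constructed stand-ins (the public address is masked on the page), and all function names are hypothetical.

```python
import ipaddress
import re

CONTAINER_IP = "172.19.0.2"     # container address from the error message on the page
NAT_PUBLIC_IP = "203.0.113.10"  # constructed stand-in for the masked public address

def parse_port_arg(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument used by PORT and the 227 reply."""
    parts = arg.strip().split(",")
    ok = all(p.isascii() and p.isdigit() and int(p) <= 255 for p in parts)
    if len(parts) != 6 or not ok:
        raise ValueError(f"malformed host-port argument: {arg!r}")
    nums = [int(p) for p in parts]
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return str(host), nums[4] * 256 + nums[5]

def encode_port_arg(host, port):
    """Build the PORT argument an active-mode client sends."""
    return f"{host.replace('.', ',')},{port >> 8},{port & 0xFF}"

def server_reply_to_port(arg, control_peer):
    """Simulated server check: connect back only to the control-connection peer."""
    try:
        host, _port = parse_port_arg(arg)
    except ValueError:
        return "501 Syntax error in parameters"
    if host != control_peer:
        return f"500 I won't open a connection to {host} (only to {control_peer})"
    return "200 PORT command successful"

def active_mode_through_nat(local_ip, public_ip, data_port):
    """The client advertises its own interface; the server sees the NAT address."""
    return server_reply_to_port(encode_port_arg(local_ip, data_port), public_ip)

def parse_pasv_reply(line):
    """Passive mode: the server names the endpoint and the client dials out."""
    m = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", line)
    if not line.startswith("227") or m is None:
        raise ValueError(f"not a 227 reply: {line!r}")
    return parse_port_arg(m.group(1))

if __name__ == "__main__":
    # Active mode from inside the container: refused by the server.
    print(active_mode_through_nat(CONTAINER_IP, NAT_PUBLIC_IP, 50000))
    # Passive mode: outbound connection, so NAT rewriting is not a problem.
    print(parse_pasv_reply("227 Entering Passive Mode (198,51,100,7,234,96)"))
```

Because each data transfer negotiates its own data connection, the mode has to be in effect for every listing or transfer, which matches the workaround of setting passive="true" on each CFFTP operation.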