This is a micro-service image for VSFTPD.
There are a few limitations but it will work if you are using host networking
--net host or have a direct/routed network between the Docker container and
the client.
Virtual Users require libs to manage the user database. Alpine does not have these by default, so I have discarded Virtual Users.
Guest users are almost as good as virtual users. The local users (users in /etc/passwd) are remaped to a single user (ftp by default)
local_enable=YES
guest_enable=YES
guest_username=ftp
The following environment variables are accepted.
Users Option 1:
-
FTP_USER: Sets the default FTP user -
FTP_PASSWORD: Plain text password (not recommended), or -
FTP_PASSWORD_HASH: Sets the password for the user specified byFTP_USER. This requires a hashed password such as the ones created withmkpasswd -m sha-512which is in the whois debian package.
Users Option 2:
-
FTP_USER_*: Adds multiple users. Value must be in the form ofusername:hash. Should not be used in conjunction withFTP_USERandFTP_PASSWORD(_HASH). -
FTP_USERS_ROOT: if set the vsftpdlocal_rootwill be set to/srv/$USERso each user is chrooted to their own directory instead of a shared one. -
FTP_CHOWN_ROOT: if setchownwill be run against/srvsetting the FTP user and group as owner and group of the directory. Note: chown is run non-recursively ie. will only chown the root` -
FTP_PASV_ADDRESS: override the IP address that vsftpd will advertise in response to the PASV command
docker run --rm -it -p 21:21 -p 4559-4564:4559-4564 -e FTP_USER=ftp -e FTP_PASSWORD=ftp docker.io/colmenaeu/vsftpd:latest
SSL can be configured (non-SSL by default). Firstly the SSL certificate and key
need to be added to the image, either using volumes or baking it into an image.
Then specify the vsftpd_ssl.conf config file as the config vsftpd should use.
This example assumes the ssl cert and key are in the same file and are mounted into the container read-only.
docker run --rm -it \
-e FTP_USER=ftpuser -e FTP_PASSWORD_HASH='$6$XWpu...DwK1' \
-v `pwd`/server.pem:/etc/ssl/certs/vsftpd.crt:ro \
-v `pwd`/server.pem:/etc/ssl/private/vsftpd.key:ro \
docker.io/colmenaeu/vsftpd:latest vsftpd /etc/vsftpd_ssl.conf
Currently allow_writeable_chroot is turned ON, however this isn't recommended as a security precaution. We might look at making this configurable in the future. The main consequence of turning this off is that the local_root can not be writable by the FTP user.
See serverfault: vsftp: whu is allow_writable_chroot=YES a bad idea?
To get the FTP logs mount /var/log outside of the container. For example add -v /var/log/ftp:/var/log to your docker run ... command.