SFTP server deployment
The SFTP server provides file transfer over SFTP, the SSH File Transfer Protocol. SFTP is not FTP with encryption added; it is a separate protocol that runs as a subsystem of SSH. Because an SSH server can also provide shells and port forwarding, the server is restricted so that only SFTP is allowed. The SFTP pods run with the root file system set to read-only and with all Linux® capabilities dropped, so the process holds no capabilities and can run under a security context constraint (SCC) that is set to restricted. In a Red Hat® OpenShift® deployment, the SCC controls the user and UID of the SFTP process. By default, the pods start with UID 1000 as user FTM, but Red Hat OpenShift forces the pods to run with a high UID from the project's assigned UID range, with a user name that matches the UID.
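The properties described above can be verified on a running instance. The following script is an added example and is not part of the FTM documentation or product; the namespace, the instance name and the acceptance of the restricted-v2 SCC name are assumptions. Besides reading the pod spec, it checks from inside the pod that PID 1 holds no effective capabilities and that the root file system rejects writes, which is the evidence a reviewer would want rather than the manifest alone:

```shell
#!/bin/sh
# Added example, not from the FTM documentation: verify from outside and inside
# the pod that it runs as described (restricted SCC, all capabilities dropped,
# read-only root file system, high non-root UID). Assumes the oc CLI is logged
# in to the project; NAMESPACE and FTM_INSTANCE are placeholders.
set -eu

NAMESPACE=${NAMESPACE:-ftm}
FTM_INSTANCE=${FTM_INSTANCE:-myftm}

# Pure checks on the strings that the commands in main return, so that they
# can be exercised without a cluster.
caps_are_empty() {        # argument: the CapEff line from /proc/1/status
    case "$1" in CapEff:*0000000000000000) return 0;; *) return 1;; esac
}
uid_is_high_nonroot() {   # argument: output of `id -u`
    [ "$1" -ge 1000 ] 2>/dev/null
}
scc_is_restricted() {     # argument: value of the openshift.io/scc pod annotation
    case "$1" in restricted|restricted-v2) return 0;; *) return 1;; esac
}
drops_all_caps() {        # argument: jsonpath output of capabilities.drop, e.g. ["ALL"]
    case "$1" in *ALL*) return 0;; *) return 1;; esac
}

sftp_pod() { oc -n "$NAMESPACE" get pod -o name | grep -- "/${FTM_INSTANCE}-sftp-server" | head -n 1; }

main() {
    pod=$(sftp_pod)
    scc=$(oc -n "$NAMESPACE" get "$pod" -o jsonpath='{.metadata.annotations.openshift\.io/scc}')
    drop=$(oc -n "$NAMESPACE" get "$pod" -o jsonpath='{.spec.containers[*].securityContext.capabilities.drop}')
    rofs=$(oc -n "$NAMESPACE" get "$pod" -o jsonpath='{.spec.containers[*].securityContext.readOnlyRootFilesystem}')
    capeff=$(oc -n "$NAMESPACE" exec "$pod" -- grep CapEff /proc/1/status)
    uid=$(oc -n "$NAMESPACE" exec "$pod" -- id -u)

    scc_is_restricted "$scc"   || { echo "SCC is '$scc', not restricted"; exit 1; }
    drops_all_caps "$drop"     || { echo "capabilities not dropped: '$drop'"; exit 1; }
    [ "$rofs" = true ]         || { echo "readOnlyRootFilesystem is not set"; exit 1; }
    caps_are_empty "$capeff"   || { echo "PID 1 still holds capabilities: $capeff"; exit 1; }
    uid_is_high_nonroot "$uid" || { echo "unexpected uid $uid"; exit 1; }
    # A write to the root file system must fail; only mounted volumes are writable.
    if oc -n "$NAMESPACE" exec "$pod" -- sh -c 'touch /probe' 2>/dev/null; then
        echo "root file system accepted a write"; exit 1
    fi
    echo "pod $pod: scc=$scc uid=$uid caps=none rootfs=read-only"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it with `run` as the first argument; without arguments it only defines the checks. The CapEff test is the decisive one: a pod spec can claim `drop: [ALL]` while an init process still re-acquires capabilities through file capabilities, and the effective set in /proc is what the kernel actually enforces.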

Figure: FTM deployment architecture

Automatic retry
Deploy at least one SFTP server per zone. With more than one server behind the Kubernetes service, a client that retries a failed connection is routed to a healthy server, and the load is balanced across the servers. The Kubernetes service handles only the routing of each new connection; the retry itself must come from the client.
Not all clients retry. The clients in the following table were tested by copying the same file, of around 4 GB, over SFTP and comparing the hash of the copy with the hash of the original to verify that every byte was copied correctly.
| SFTP client | Retry supported |
|---|---|
| FileZilla | Yes |
| sftp | No |
| lftp | Yes, but you must set up the sftp:connect-program variable. |

For example, connect with the sftp client as follows:

```
sftp -P 2000 1000670001@543678654-example.cloud
```

Use lftp to transfer the file when the sftp transfer fails.

Configure the SFTP server in your FTM deployment
- It uses a secret that is called <ftm-instance>-sftp-server. This secret contains the ssh_host_key that was generated during the deployment. Because this is the private host key, restrict access to the secret; anyone who can read it can impersonate the SFTP server.
- It uses a configmap that is called <ftm-instance>-sftp-server. This configmap contains the authorized_keys key, which holds all the public keys that can access the system.
Create your own SSH keys and add the public keys to the configmap. After you configure the keys, connect to the SFTP server by using any SFTP client. Restart the SFTP pod whenever you update the configmap; the change is not applied until the pod restarts.
The SFTP service exposes a node port that you use to connect to it. You can find the node port value in the <ftm_instance>-sftp-server service. Use this node port value as the port to connect to the FTM SFTP server.
To find the user ID to connect with, open a shell in the <ftm_instance>-sftp-server pod and run the id command. The UID in the output is the ID that you use to connect to the SFTP server. For example, use 1000940000 as the ID to connect from your SFTP client:

```
sh-4.4$ id
uid=1000940000(1000940000) gid=0(root) groups=0(root),1000940000
```
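The following script is an added example, not code from the FTM documentation or product. It carries out the procedure above end to end (generate a key, add it to the authorized_keys configmap without dropping the keys already there, restart the pod, read the node port and the UID, and upload a file), and it uses lftp with sftp:connect-program as described under Automatic retry, so that the transfer resumes instead of failing as plain sftp does. The instance name, namespace, node host name, key paths, and an OpenSSH-style authorized_keys format are assumptions; oc, ssh-keygen, ssh-keyscan and lftp are the real tools:

```shell
#!/bin/sh
# Added example, not from the FTM documentation. Assumes: the oc CLI is logged
# in to the FTM project, the server reads an OpenSSH-style authorized_keys file
# from the configmap, and the instance, namespace, host and key paths below
# are placeholders to replace.
set -eu

FTM_INSTANCE=${FTM_INSTANCE:-myftm}
NAMESPACE=${NAMESPACE:-ftm}
NODE_HOST=${NODE_HOST:-543678654-example.cloud}
KEY=${KEY:-${HOME:-.}/.ssh/ftm_sftp_ed25519}
KNOWN_HOSTS=${KNOWN_HOSTS:-${HOME:-.}/.ssh/ftm_known_hosts}
CM="${FTM_INSTANCE}-sftp-server"

# Prefix a public key with standard OpenSSH options so that the key is good
# for file transfer only, even if the server ever allowed a shell.
restricted_key_line() {
    printf 'no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1"
}

# Append a key line to the existing authorized_keys body without duplicating
# it, so that keys other users added to the configmap are kept.
append_key() {
    printf '%s\n%s\n' "$1" "$2" | sed '/^$/d' | awk '!seen[$0]++'
}

# OpenShift names the user after its UID, so the user name to log in with is
# the number in "uid=1000940000(1000940000) gid=0(root) ...".
uid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# lftp script for a resumable upload that reconnects on failure. The port and
# identity go into sftp:connect-program, because lftp does not take them from
# the sftp:// URL, and the pinned known_hosts file rejects an unknown host key.
lftp_upload_script() {
    port=$1 user=$2 host=$3 src=$4
    cat <<EOF
set sftp:connect-program "ssh -a -x -oBatchMode=yes -oStrictHostKeyChecking=yes -oUserKnownHostsFile=${KNOWN_HOSTS} -p ${port} -i ${KEY}"
set net:max-retries 10
set net:reconnect-interval-base 5
set net:reconnect-interval-max 60
open sftp://${user}@${host}
put -c "${src}"
bye
EOF
}

# SHA-256 of a local file; compare the original with the copy to verify it.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
verify_copy() { [ "$(file_hash "$1")" = "$(file_hash "$2")" ]; }

sftp_pod() { oc -n "$NAMESPACE" get pod -o name | grep -- "/${CM}" | head -n 1; }

main() {
    src=${1:?file to upload}
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -N '' -f "$KEY" -C ftm-sftp-client

    # 1. Add the public key to the configmap, then restart the pod to apply it.
    current=$(oc -n "$NAMESPACE" get configmap "$CM" -o jsonpath='{.data.authorized_keys}')
    append_key "$current" "$(restricted_key_line "$(cat "$KEY.pub")")" > authorized_keys
    oc -n "$NAMESPACE" create configmap "$CM" --from-file=authorized_keys=authorized_keys \
        --dry-run=client -o yaml | oc -n "$NAMESPACE" apply -f -
    oc -n "$NAMESPACE" delete "$(sftp_pod)" --wait=true
    until pod=$(sftp_pod) && [ -n "$pod" ]; do sleep 2; done
    oc -n "$NAMESPACE" wait --for=condition=Ready "$pod" --timeout=180s

    # 2. The port comes from the service and the user name from the pod.
    port=$(oc -n "$NAMESPACE" get svc "$CM" -o jsonpath='{.spec.ports[0].nodePort}')
    user=$(uid_from_id_output "$(oc -n "$NAMESPACE" exec "$pod" -- id)")

    # 3. Record the host key once; check its fingerprint against the key in the
    #    <ftm-instance>-sftp-server secret before trusting it. Then upload.
    [ -s "$KNOWN_HOSTS" ] || ssh-keyscan -p "$port" "$NODE_HOST" > "$KNOWN_HOSTS"
    lftp_upload_script "$port" "$user" "$NODE_HOST" "$src" | lftp
    echo "uploaded $src, sha256 $(file_hash "$src")"
}

if [ "${1:-}" = run ]; then shift; main "$@"; fi
```

Run it as `./ftm-sftp.sh run big.bin`. The first run seeds the known_hosts file from ssh-keyscan, which is trust on first use; compare that fingerprint with the host key in the secret (or have the administrator hand it to you) before relying on it, after which any server presenting a different key is rejected instead of silently accepted. To check a 4 GB transfer the way the table above was produced, hash the copy where it landed and compare with `verify_copy`, or with the printed sha256.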
| Persistent volume claim name | Mount path |
|---|---|
| <ftm-instance>-application | /opt/ibm/application |
| <ftm-instance>-debug | /opt/ibm/debug-data |
| <ftm-instance>-image-data | /opt/ibm/image-data |
| <ftm-instance>-gateway | /opt/ibm/runtime-processing |
Configure access to the FTM SFTP service when you are using HAProxy on an infrastructure node
After the instance for your FTM offering is running successfully, configure the Red Hat OpenShift environment so that FTM users can connect to the SFTP service by using the exposed ports.
- Use the Red Hat OpenShift Container Platform user interface to log in as an administrator to the cluster that you deployed your FTM offering to.
- View the networking services on the Red Hat OpenShift Container Platform and select the service for SFTP that belongs to your FTM installation. For example, <ftm-instance>-sftp-server.
- Click the name of the service to display the service port mapping. The node port is used to expose a service on a specific port on all nodes in the cluster. An example service port mapping is shown in the following table.

Table 3. Service port mapping - port to node port
| Port | Node port |
|---|---|
| 2000 | 30988 |

- On the infrastructure node, add a frontend and backend like the following to the HAProxy configuration, with the node port from the table and the addresses of the worker nodes. The mode must be tcp because HAProxy passes the SSH stream through without inspecting it, and balance source keeps each client's connections on the same server.

```
frontend sftp
    bind *:2000
    mode tcp
    default_backend sftp
backend sftp
    balance source
    mode tcp
    server worker_1 10.x.x.a:30988 check
    server worker_2 10.x.x.b:30988 check
    server worker_3 10.x.x.c:30988 check
    server worker_4 10.x.x.d:30988 check
    server worker_5 10.x.x.e:30988 check
```

Note that bind *:2000 listens on every interface of the infrastructure node; bind to the address that clients are meant to reach if the node has more than one.
- Restart HAProxy to apply the change:

```
systemctl restart haproxy
```

Configure access to the FTM SFTP service when you are using Red Hat OpenShift in a hosted cloud environment
After the instance for your FTM offering is running successfully, configure the Red Hat OpenShift environment so that FTM users can connect to the SFTP service by using the exposed ports.
- Expose the SFTP service through a load balancer, where <ftm-instance>-sftp-server is the Red Hat OpenShift service name for the FTM SFTP service:

```
oc expose service --type LoadBalancer --generator="service/v2" --name=<ftm-instance>-sftp-server-lb <ftm-instance>-sftp-server
```

The --generator flag is deprecated in newer oc and kubectl releases; if your client rejects it, omit it.
- Describe the new service to find the LoadBalancer Ingress address that clients connect to:

```
oc describe svc <ftm-instance>-sftp-server-lb
```

A load balancer address is reachable from outside your network unless the provider restricts it, so the keys in the authorized_keys configmap become the only access control; limit the allowed source ranges where your provider supports it.
For other cloud providers, follow the instructions from your cloud provider to expose the SFTP service outside the cluster.