SFTP server deployment

The SFTP server uses the secure version of FTP, which is called SFTP. SFTP is done over SSH. Due to the nature of SSH, extra security is added to ensure that only FTP is allowed. The FTP pods have the root file system set to read-only mode. All Linux® capabilities are dropped. It ensures that the process has no capabilities and can also work with security context constraints (SCC) that are set to restricted. In a Red Hat® OpenShift® deployment, the SCC that is used controls the User and UID of the FTP. By default, the pods start with UID 1000 with user FTM, but Red Hat OpenShift forces the pods to come up with some high UID and the username that match the UID.

The SFTP server is built by using the UBI minimal Red Hat Universal Base Image (UBI) container image. The following figure shows the SFTP server on Security-Enhanced Linux (SELinux).
Figure 1. SFTP server overview

FTM deployment architecture

The following figure shows the architecture for the SFTP server.
Figure 2. FTM deployment architecture

Automatic retry

The number of SFTP servers that are deployed must be at least 1 per zone, which enables most FTP clients to automatically retry to the backup server. The Kubernetes service automatically handles the retry. Another benefit of this configuration is the ability to balance the load across many servers.

However, some clients do not support retry. The FTP clients that are shown in the following table were tested. Each client was run by using the same file. The file that was being copied by using secure FTP is around 4 Gb. The file hash was compared to verify that every bit was copied correctly.

The following table shows various FTP clients and whether retry is supported for the client.
Table 1. FTP client and whether retry is supported
FTP client Retry supported
FileZilla Yes
sftp No
lftp Yes, but you must set up the sftp:connect-program variable.
Example of sftp command on IBM Cloud®.
sftp -P 2000 1000670001@543678654-example.cloud
Note: SFTP does not support retry. Therefore, the user must explicitly handle scenarios when SFTP file transfer fails for any reason. You can use lftp to transfer the file when the SFTP file transfer fails.

Configure the SFTP server in your FTM deployment

SFTP servers are enabled by default in a typical FTM deployment. The SFTP server has the following major configurations:
  • It uses a secret that is called <ftm-instance>-sftp-server. This secret contains the ssh_host_key that was generated during the deployment.
  • It uses a configmap that is called <ftm-instance>-sftp-server. This configmap contains the authorized_keys key, which holds all the public keys that can access the system.

Create your own SSH keys and add them to the configmap. After configuring the keys, connect to the SFTP server using any FTP tools. You need to restart the SFTP pod whenever you update the configmap to apply the changes.

The SFTP service exposes a node port that you use to connect to it. You can find the node port value in the <ftm_instance>-sftp-server service. Use this node port value as the port to connect to the FTM SFTP server.

To connect to the SFTP server, use the ID under which the SFTP server runs. To find this ID, execute a command inside the <ftm_instance>-sftp-server pod by running the id command. When you run the command, the result is the ID you need to use to connect to the SFTP server. For example, use 1000940000 as the ID to connect to the SFTP server from your SFTP client.
sh-4.4$ id
uid=1000940000(1000940000) gid=0(root) groups=0(root),1000940000
The persistent volume claims that are shown in the following table are mounted.
Table 2. Persistent volume claim name and the mount path
Persistent volume claim name Mount path
<ftm-instance>-application /opt/ibm/application
<ftm-instance>-debug /opt/ibm/debug-data
<ftm-instance>-image-data /opt/ibm/image-data
<ftm-instance>-gateway /opt/ibm/runtime-processing

Configure access to the FTM SFTP service when you are using HAProxy on an infrastructure node

After the instance for your FTM offering is running successfully, configure the Red Hat OpenShift environment so that FTM users can connect to the SFTP service by using the exposed ports.

Use the following instructions to find the port numbers that you need to use for the HAProxy configuration.
  1. Use the Red Hat OpenShift Container Platform user interface to log in as an administrator to the cluster that you deployed your FTM offering to.
  2. View the networking services on the Red Hat OpenShift Container Platform and select the service for SFTP that belongs to your FTM installation. For example, <ftm-instance>-sftp-server.
  3. Click the name of the service to display the service port mapping. The node port is used to expose a service on a specific port on all nodes in the cluster. An example service port mapping is shown in the following table.
    Table 3. Service port mapping - port to node port
    Port Node port
    2000 30988
To configure HAProxy, you need to add the port mapping to the /etc/haproxy/haproxy.cfg configuration file. Connect to the virtual machine where the HAProxy server is running and edit the file. Append the port mapping for the SFTP service to the end of the file. The following example shows the format of the configuration statements that you need to add to the file. All worker node IP addresses of the Red Hat OpenShift cluster are used.
frontend sftp
    bind *:2000
    mode tcp
    default_backend sftp

backend sftp
    balance source
    mode tcp
    server worker_1 10.x.x.a:30988 check
    server worker_2 10.x.x.b:30988 check
    server worker_3 10.x.x.c:30988 check
    server worker_4 10.x.x.d:30988 check
    server worker_5 10.x.x.e:30988 check
Restart the HAProxy server by using the following command.
systemctl restart haproxy

Configure access to the FTM SFTP service when you are using Red Hat OpenShift in a hosted cloud environment

After the instance for your FTM offering is running successfully, configure the Red Hat OpenShift environment so that FTM users can connect to the SFTP service by using the exposed ports.

For Red Hat OpenShift on IBM Cloud, you can expose the SFTP service by running the following command. In the command, <ftm-instance>-sftp-server is the Red Hat OpenShift service name for the FTM SFTP service.
oc expose service --type LoadBalancer --generator="service/v2" --name=<ftm-instance>-sftp-server-lb <ftm-instance>-sftp-server
After the load balancer service is activated, you can run the following command to find the load balancer Ingress to connect to.
oc describe svc <ftm-instance>-sftp-server-lb

For other cloud providers, follow the instructions from your cloud provider to expose the SFTP service outside the cluster.