Installing an SFTP server
To use Sandbox instances, an SFTP server is required: Sandbox uses it to transfer z/OS® image volumes to the storage for sandbox instances.
- You can install an SFTP server on a Linux® server or on OpenShift®. No SFTP server is provided with or managed by Sandbox; images for SSH/SFTP servers are available on Docker Hub.
For faster transfers, set up the server inside the cluster with fast local storage, but this is not required.
- Sandbox must have a user ID and password with read access to the SFTP server. SSH certificates are not supported currently.
Installing an SSH or SFTP server on a Red Hat Linux server
- Check whether SSH is installed.
rpm -qa | grep ssh
- If SSH is not installed, install it.
yum install openssh-server
- Open port 22. If firewalld manages the firewall on your server, add the ssh service with firewall-cmd instead of editing iptables directly.
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
firewall-cmd --permanent --add-service=ssh && firewall-cmd --reload
- Create the base directory and restrict its permissions. This directory is the top of the chroot path, so it must be owned by root and writable only by root.
mkdir -p /data/sftp
chmod 701 /data
- Add a group and a user for SFTP. The home directory /upload is relative to the chroot directory that is configured below, and /sbin/nologin prevents shell logins. Then, set the new user's password.
groupadd sftpusers
useradd -g sftpusers -d /upload -s /sbin/nologin sftpuser
passwd sftpuser
- Create the directory for file transfer and set its ownership. The chroot directory itself stays owned by root; only the upload subdirectory is writable by the SFTP user.
mkdir -p /data/sftpuser/upload
chown -R root:sftpusers /data/sftpuser
chown -R sftpuser:sftpusers /data/sftpuser/upload
- Add the following lines at the end of /etc/ssh/sshd_config (everything after a Match line belongs to that block, so it must come last). The group name must match the group that you created, sftpusers. ChrootDirectory confines each member of the group to /data/<user>, and ForceCommand internal-sftp allows only SFTP sessions, with no shell or command execution.
Match Group sftpusers
    ChrootDirectory /data/%u
    ForceCommand internal-sftp
- Validate the configuration, then restart the SSH service.
sshd -t
systemctl restart sshd
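The two things that most often break this setup are a chroot path with the wrong ownership or mode (sshd refuses the login and logs "bad ownership or modes for chroot directory") and a Match block whose group name does not match the account. The following shell script is an added example, not part of the original page or of Sandbox: it checks every component of the chroot path the way sshd does and prints the Match block for the sftpusers group. It assumes GNU stat (Linux); the group name sftpusers and the /data/%u layout are the ones used above, and the function names are assumptions.

```shell
#!/bin/sh
# sftp-check.sh: added example, not part of the original page. Pre-flight checks
# for the chroot'ed, SFTP-only user set up in the steps above. sshd rejects a
# ChrootDirectory unless it and every directory above it are owned by root and
# writable only by root, and the user only gets an SFTP session if the Match
# block forces internal-sftp. Assumes GNU stat (Linux); sftpusers and /data/%u
# follow the steps above; the function names are assumptions.

# chroot_component_ok UID MODE: 0 if a directory with numeric owner UID and
# octal MODE (as printed by `stat -c '%u %a'`) is acceptable to sshd as a
# component of a chroot path.
chroot_component_ok() {
    uid=$1; mode=$2
    [ "$uid" = 0 ] || return 1              # must be owned by root
    last2=${mode#"${mode%??}"}              # group and other digits: 755 -> 55
    g=${last2%?}; o=${last2#?}
    case $g in 2|3|6|7) return 1 ;; esac    # group write bit set
    case $o in 2|3|6|7) return 1 ;; esac    # other write bit set
    return 0
}

# check_chroot_path DIR: check DIR and each ancestor up to /, print one line
# per component, return 1 if any component would be rejected.
check_chroot_path() {
    dir=$1; rc=0
    while [ -n "$dir" ]; do
        info=$(stat -c '%u %a' "$dir" 2>/dev/null) || {
            echo "FAIL $dir: cannot stat"; return 1; }
        set -- $info
        if chroot_component_ok "$1" "$2"; then
            echo "ok   $dir (uid=$1 mode=$2)"
        else
            echo "FAIL $dir (uid=$1 mode=$2): must be root-owned, not group/other writable"
            rc=1
        fi
        dir=${dir%/*}                       # /data/sftpuser -> /data -> ""
    done
    return $rc
}

# render_sftp_match GROUP CHROOT: print the sshd_config Match block that confines
# members of GROUP to SFTP inside CHROOT (sshd expands %u to the user name).
# Forwarding and tunnelling are disabled so the account cannot be used as a pivot.
render_sftp_match() {
    printf 'Match Group %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    AllowAgentForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTunnel no\n'
}

# Usage: SFTP_CHECK_DIR=/data/sftpuser sh sftp-check.sh
if [ -n "${SFTP_CHECK_DIR:-}" ]; then
    render_sftp_match sftpusers /data/%u
    check_chroot_path "$SFTP_CHECK_DIR"
fi
```

Run it as root on the SFTP server before `systemctl restart sshd`; a FAIL line names the directory to fix with chown root or chmod g-w,o-w. The rendered block goes at the end of /etc/ssh/sshd_config; the extra "no" directives are a tightening beyond the page's two-line block and are safe for an account that only ever runs SFTP.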
Installing an SSH or SFTP server on OpenShift
Your organization might have its own guidelines for securing SFTP servers and for running privileged containers; merge the following instructions with the guidelines that your business process follows.
The easiest way to deploy an SFTP server within your cluster is usually to use an SFTP container image that your organization has approved. You can also build a custom container that starts an SFTP server. The following example shows a Dockerfile that builds a functional SFTP container.
FROM registry.access.redhat.com/ubi8/ubi:latest
ARG home=/home/sshuser
# Install sshd, generate the host keys, and create the SFTP group and user.
# The chpasswd line stores the password in this image layer (see the note below).
RUN yum -y update && \
    yum -y install openssh-server openssh-clients && \
    /usr/bin/ssh-keygen -A && \
    groupadd sshgroup && \
    useradd -ms /bin/bash -g sshgroup sshuser && \
    echo 'sshuser:PASSWORD' | chpasswd && \
    mkdir $home/.ssh && \
    touch $home/.ssh/authorized_keys && \
    chown sshuser:sshgroup $home/.ssh/authorized_keys && \
    chmod 600 $home/.ssh/authorized_keys
EXPOSE 22
# Run sshd in the foreground as PID 1 and log to stderr, so the pod is restarted
# if sshd exits and its log is visible with `oc logs` (a backgrounded sshd
# followed by `sleep infinity` hides both).
CMD ["/usr/sbin/sshd", "-D", "-e"]
In this example, replace PASSWORD with the password you want before you build the image. The password then becomes part of an image layer, so anyone who can pull the image can recover it: keep the image in a registry with restricted access, or set the password when the container starts instead of at build time. Also, to improve the security of the access, change the sshd configuration, for example so that it refuses interactive login sessions and allows only SFTP access (ForceCommand internal-sftp), as in the Red Hat Linux steps above.
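One way to keep the password out of the image, as an added example that is not part of the original page or of Sandbox: an entrypoint script that reads the password from an environment variable when the container starts and only then calls chpasswd. The intended wiring, which is an assumption, is `COPY entrypoint.sh /` and `CMD ["/entrypoint.sh"]` in place of the chpasswd line and CMD in the Dockerfile above, with SFTP_PASSWORD supplied from a Kubernetes Secret through `env[].valueFrom.secretKeyRef` in the Deployment. The variable and function names are assumptions.

```shell
#!/bin/sh
# entrypoint.sh: added example, not part of the original page or of Sandbox.
# Alternative to `echo 'sshuser:PASSWORD' | chpasswd` in the Dockerfile above:
# the password is read from SFTP_PASSWORD when the container starts, so it never
# lands in an image layer. SFTP_USER, SFTP_PASSWORD and chpasswd_line are
# assumptions.

SFTP_USER=${SFTP_USER:-sshuser}   # the user created in the Dockerfile

# chpasswd_line USER PASSWORD: print the "user:password" line that chpasswd reads
# on stdin, or fail on input that would corrupt it (empty password, an empty
# user name or one containing ':' or a newline, a newline in the password).
# chpasswd splits on the first ':', so a ':' inside the password is fine.
chpasswd_line() {
    user=$1; pass=$2
    nl=$(printf '\nx'); nl=${nl%x}
    [ -n "$pass" ] || { echo "entrypoint: empty password for $user" >&2; return 1; }
    case $user in
        ''|*:*|*"$nl"*) echo "entrypoint: invalid user name" >&2; return 1 ;;
    esac
    case $pass in
        *"$nl"*) echo "entrypoint: newline in password" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$user" "$pass"
}

main() {
    set -eu
    : "${SFTP_PASSWORD:?SFTP_PASSWORD must be set (for example from a Secret)}"
    # Build the line first so a validation failure aborts before chpasswd runs.
    line=$(chpasswd_line "$SFTP_USER" "$SFTP_PASSWORD")
    printf '%s\n' "$line" | chpasswd
    unset SFTP_PASSWORD                 # keep it out of sshd's environment
    exec /usr/sbin/sshd -D -e           # foreground as PID 1, log to stderr
}

# Start sshd only when executed as the container entrypoint, not when the
# functions are sourced for testing.
case $0 in
    */entrypoint.sh|entrypoint.sh) main ;;
esac
```

The Secret holds the same user ID and password that Sandbox is configured with; rotating it is then a Secret update and a pod restart rather than an image rebuild. The host keys generated by `ssh-keygen -A` at build time are still shared by every container started from the image, which is acceptable only if the image is not shared with other tenants.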
To run sshd, the container needs to be started with privileged access: sshd must run as root to bind port 22 and to switch to the SFTP user's UID, which the default restricted SCC does not allow. This might raise security concerns for your organization. privileged: true grants far more than sshd needs; a service account bound to a less permissive SCC that only allows running as root, such as anyuid, is usually enough. Follow your organization's guidelines, and apply best practices where they are applicable. The following Deployment runs the image with a persistent volume for the z/OS volumes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <instance name>
  namespace: <namespace>
spec:
  selector:
    matchLabels:
      app: <instance name>
  template:
    metadata:
      labels:
        app: <instance name>
    spec:
      containers:
        - name: <instance name>
          image: <image>
          ports:
            - containerPort: 22
          securityContext:
            privileged: true
            allowPrivilegeEscalation: true
          volumeMounts:
            - name: <volume name>
              mountPath: /data-stor
      volumes:
        - name: <volume name>
          persistentVolumeClaim:
            claimName: <PVC name>
To use the YAML file, replace the placeholder values in angle brackets as needed. Before you do, manually create the PV and PVC with enough space to hold the z/OS volumes that you need. To allow access by your user ID and by any other user IDs that your environment depends on, you might need to change the permissions on the storage.