Rsync to virtual host?

NethServer Version: 8.current
Module: webserver

I started writing a post asking about SSH public key authentication to SFTP files to virtual hosts on NS8, but then I found that you can configure public keys per-user in the SFTPGo web admin pages. Well and good.

But as I look over the options for scp, I’m thinking it can’t quite do what I’m wanting to do and I’d need rsync instead. So let me back up a bit.

I’m (slowly) moving services from my NS7 server to my NS8 server, and two of those services are my own repo of NS7 modules, and my mirror of @stephdl’s repo. Moving the data from the old system to the new is simple enough with scp -r, but keeping it up to date is the problem, especially for my own repo. So I’m thinking the way to go is to update the data on a separate system, and periodically push it out to the NS8 system. Particularly with my own repo, this moves private key material off of the public system, which is a definite security win.

But I still need to push the data out to the NS8 system. scp -r -P 3092 * 9005@ns8:/ will do it, but will copy everything every time–seems wasteful. rsync seems like the way around this, but I’m not sure it can be made to work this way–any input?

Hi @danb35

rsync is traditionally “push”. That makes it difficult to get everything right, especially permissions.

But with what you know now about containers (Sorry, I had an unexpected visitor then, but MrMarkuz was able to help you then!), you can also think about “pull”…

A cron job inside the container triggers the defined rsync pull, eliminating all permission issues.
→ your rsync job runs from the container, with the right permissions from the start.

My 2 cents
Andy

1 Like

Cron is installed in the sftpgo container but needs to be started.
If pull is not an option, it’s possible to use rsync to connect after enabling rsync as ssh command.

Enter environment:

runagent -m webserver1

To be able to write to the root directory of the sftpgo user 9003, owner and permissions need to be set:

podman exec -ti sftpgo sh
chown root:9003 /srv/sftpgo/data/9003
chmod 775 /srv/sftpgo/data/9003
exit

Edit the sftpgo service using systemctl to override the config so it survives updates:

systemctl --user edit sftpgo

and add the following content between the already existing comments:
We’re overriding the ExecStart in the Service section.

### Editing /home/webserver1/.config/systemd/user/sftpgo.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Service]
ExecStart=
ExecStart=/usr/bin/podman run --conmon-pidfile %t/sftpgo.pid \
    --cidfile %t/sftpgo.ctr-id --cgroups=no-conmon \
    --pod-id-file %t/webserver.pod-id --replace -d --name  sftpgo \
    --volume websites:/srv/sftpgo/data:z \
    --volume sftpgo_backups:/srv/sftpgo/backups:Z \
    --volume sftpgo_config:/var/lib/sftpgo:Z \
    --volume %S/state/sftpgo.conf.d/admin.json:/etc/sftpgo/admin.json:Z \
    --env SFTPGO_LOADDATA_FROM=/etc/sftpgo/admin.json \
    --env SFTPGO_HTTPD__WEB_ROOT=${TRAEFIK_PATH} \
    --env SFTPGO_SFTPD__ENABLED_SSH_COMMANDS=rsync \
    --user 0:0 \
    ${SFTPGO_IMAGE}

### Lines below this comment will be discarded

Restart sftpgo:

systemctl --user restart sftpgo

Now it should be possible to use rsync to connect to sftpgo like

rsync -av -e "ssh -p 3092" dump.tar.gz 9003@192.168.3.144:

Maybe we should implement this in the ns8-webserver app and enable cron by default? BTW, I found that cron is missing in ns8-lamp. @stephdl should I open PRs?

Sources:

2 Likes

systemctl --user edit sftpgo.service

you can overwrite the systemd user

for ns8-lamp we should install cronie IIRC

2 Likes

cron added to ns8-lamp

1 Like

Thanks, this way the config should be kept after updates. I adapted my previous post to use systemctl --user edit sftpgo

2 Likes

We should think about what to do for webserver. If cron is already added to sftpgo it should be easy for us, but I do not like to modify the permission… is it mandatory?

I found no other way to upload a file to the root directory without changing owner and permissions of the sftpgo user dir (e.g. 9001)
IIRC it’s also the same issue when web installers want to create files in that directory.

EDIT:

But it’s just needed to create the file. If it already exists, it works with the default owner/perms.

Possibly a bug but if I use sftp I do not need to chmod the permission, at least this is how it should work…else we should open a bug

2 Likes

I did not need to chmod the from inside

/var/lib/sftpgo # ls -la  /srv/sftpgo/data/
total 8
drwxr-xr-x    3 root     root            52 Jan 15 20:29 .
drwxr-xr-x    1 sftpgo   sftpgo          33 Nov 28 06:10 ..
-rw-r--r--    1 root     root           497 Nov 26 17:22 50x.html
drwxrwsr-x    4 root     992            128 Dec  3  2020 9001
-rw-r--r--    1 root     root           615 Nov 26 17:22 index.html
/var/lib/sftpgo # ls -la  /srv/sftpgo/data/9001/
total 1104
drwxrwsr-x    4 root     992            128 Dec  3  2020 .
drwxr-xr-x    3 root     root            52 Jan 15 20:29 ..
lrwxrwxrwx    1 995      992              4 Jul 23  2018 6 -> 6.10
lrwxrwxrwx    1 root     992              8 Nov 26  2020 7 -> 7.9.2009
drwxrwsr-x    6 root     992             68 Nov 13  2020 7.9.2009
drwx--S---    2 root     992              6 Jan 15 20:37 iso
-rw-r--r--    1 995      992             36 Jan 14 21:32 last-update.txt
-rw-r--r--    1 bin      9001       1119387 Jan 15 20:31 testssl.sh
-rw-rw-r--    1 995      992             11 Jan 15 20:40 timestamp.txt
lrwxrwxrwx    1 995      992              3 Oct 18  2016 torrent -> iso

I used

rsync -av rsync://mirror.nethserver.org/nethserver /srv/sftpgo/data/9001/

However, I failed to use it over ssh

hum the cron of sftpgo does not work ;/

You need to start it. Just execute crond.

1 Like

ok so everything is lost at each reboot

We could start cron via the service file ExecStartPost and add a volume?

It works using scp but

using rsync over ssh and allowing webserver to create a file in the root dir we need at least

chown bin:root 9003

I tested with Joomla.

Without the changed owner:

With changed owner the installation is possible:

So from this point of view I’d say it’s a bug as webapps can’t create files but maybe it’s enough to document it.

fun with my rsync test it works, I can display the files in the vhost by nginx and I can delete and browse from sftpgo client itself

only for joomla or this could be reproducible with wordpress or any other webapp ?

I think wordpress puts its files in a config dir but joomla uses the root dir for configuration.php.
I didn’t test other apps yet…

EDIT:

I tested using following PHP snippet:

<?php
$myfile = fopen("testfile.txt", "w") or die("Unable to create file!");
fwrite($myfile, "Test");
fclose($myfile);
?>

Without chown bin:root it’s not possible to create a file.

1 Like

yes I can reproduce

1 Like

the culprit is here

1 Like

What about using install instead of mkdir so we can set owner in one line?

podman exec sftpgo install -d -m 0755 -o bin -g root /srv/sftpgo/data/9010

Source: linux - Using mkdir -m -p and chown together correctly - Stack Overflow

1 Like
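
The create-versus-overwrite behaviour reported in this thread follows from the POSIX rule that creating a file needs write and search permission on the directory, while overwriting an existing file needs write permission only on the file itself. The sketch below is an added example, not code from any poster or from ns8-webserver; it compares the three ownership layouts mentioned above. The numeric ids (bin as uid/gid 1, a vhost group 9003) and the root:root 0755 starting layout are assumptions, and ACLs, capabilities and user-namespace id mapping are ignored.

```python
from collections import namedtuple

# Owner uid, group gid and permission bits of a directory or file.
Entry = namedtuple("Entry", "uid gid mode")

def perm_bits(entry, uid, gids):
    """rwx bits applied to a process: the first matching class wins."""
    if uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid in gids:
        return (entry.mode >> 3) & 7
    return entry.mode & 7

def can_create_in(directory, uid, gids):
    """A new file needs write (2) and search (1) on the directory."""
    if uid == 0:
        return True  # root bypasses the mode check
    return (perm_bits(directory, uid, gids) & 3) == 3

def can_overwrite(directory, file, uid, gids):
    """An existing file needs search on the directory and write on the file."""
    if uid == 0:
        return True
    return bool(perm_bits(directory, uid, gids) & 1
                and perm_bits(file, uid, gids) & 2)

# Constructed ids (assumptions): bin = uid/gid 1, vhost group = 9003.
BIN, VHOST = 1, 9003
LAYOUTS = {
    "root:root 0755 (assumed default)": Entry(0, 0, 0o755),
    "chown root:9003; chmod 775": Entry(0, VHOST, 0o775),
    "install -d -m 0755 -o bin -g root": Entry(BIN, 0, 0o755),
}
EXISTING = Entry(BIN, VHOST, 0o644)  # constructed: a file already uploaded as bin

def report(uid, gids):
    """Map each layout to (can create a new file, can overwrite EXISTING)."""
    return {name: (can_create_in(d, uid, gids),
                   can_overwrite(d, EXISTING, uid, gids))
            for name, d in LAYOUTS.items()}

if __name__ == "__main__":
    for name, (create, overwrite) in report(BIN, {BIN}).items():
        print(f"{name:36} create={create!s:5} overwrite={overwrite}")
```

The 775 layout only helps a writer that is actually a member of the directory's group, whereas the `-o bin` layout grants create rights through ownership without making the directory group-writable.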