Unable to connect via ftp client #82

Closed
mateodelnorte opened this issue Sep 5, 2018 · 14 comments

@mateodelnorte

mateodelnorte commented Sep 5, 2018

Hi there. Thanks for putting this repo together. I'm having issues using this image in a docker stack, deployed in a docker swarm.

I've got a docker stack file that looks like the following:

version: "3.4"

networks:
  proxy:
    external: true

services:
  ftp:
    image: stilliard/pure-ftpd:hardened-latest
    networks:
      - proxy
    volumes:
      - ftp:/home/ftpusers
      - ftpusers:/etc/pure-ftpd/passwd
    environment:
      - FTP_USER_NAME=${FTP_USER_NAME}
      - FTP_USER_PASS=${FTP_USER_PASS}
      - FTP_USER_HOME=/home/${FTP_USER_NAME}
      - PUBLIC_HOST=ftp.mysite.com
    ports:
      - 30000-30009:30000-30009
      - target: 21
        published: 21
        protocol: tcp
    deploy:
      mode: replicated
      replicas: 1
      resources:
        limits:
          cpus: '2'
          memory: 1G
        reservations:
          cpus: '0.50'
          memory: 128M
      placement:
        constraints:
          - node.role == worker
      restart_policy:
        delay: 30s
      labels:
        - com.df.notify=true
        - com.df.reqMode=tcp
        - com.df.port=21
        - com.df.serviceDomain=${FTP_DOMAIN:-localhost}
        - com.df.alertName=memlimit
        - com.df.alertIf=@service_mem_limit:0.8
        - com.df.alertFor=30s

volumes:
  ftp:
    driver: cloudstor:aws
  ftpusers:
    driver: cloudstor:aws

Our pureftpd service spins up just as expected and seems to run fine. When I attempt to connect to it via an ftp client, though, I run into some trouble:

> ftp
ftp> open
(to) ftp.mysite.com
Trying 18.232.7.225...
Connected to public-docker-swarm-elb-43587394.us-east-1.elb.amazonaws.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 04:03. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (ftp.staging-gridpl.us:matt): admin
331 User admin OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: Can't connect to `172.18.0.2': Connection refused
500 I won't open a connection to 192.168.255.2 (only to 11.255.92.137)

Any ideas as to why I'm not able to open a connection? Should PUBLICHOST be the publicly resolved hostname of my ftp server, or something else?

Note, since my pureftpd container is in a docker swarm, that means it's essentially behind two load balancers - an AWS ELB and a docker-flow-proxy load balancer. Are there any gotchas when deploying pureftpd behind a load balancer?

Thanks.

@mateodelnorte
Author

mateodelnorte commented Sep 5, 2018

I've been able to get past the initial connection issue (We had a PUBLIC_HOST env var instead of a PUBLICHOST env var). But, I'm still having connection issues:

ftp -p ftp.mysite.com
Trying 18.232.7.225...
Connected to public-docker-swarm-elb-43587394.us-east-1.elb.amazonaws.com.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 3 of 5 allowed.
220-Local time is now 05:15. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (ftp.ftp.mysite.com:matt): admin
331 User admin OK. Password required
Password:
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||30005|)

421 Service not available, remote server timed out. Connection closed.
ftp>

Even though I've opened up all the appropriate ports on my load balancers, I'm not able to issue a command. It actually did issue a command once, but I wasn't able to get it to repeat. It only ever seems to work on a single outbound port, 30008.

Using FileZilla, I get the following:

Status:      	Connection established, waiting for welcome message...
Status:      	Insecure server, it does not support FTP over TLS.
Status:      	Logged in
Status:      	Retrieving directory listing...
Status:      	Server sent passive reply with unroutable address. Using server address instead.

Any ideas?

Thanks.

@stilliard
Owner

Hi Matt,
I've not used docker swarm yet but your docker stack file looks awesome to me.
Based on the error, I'd double-check that all the ports 30000 through 30009 are open, as it seems to work until it tries to connect to one of those ports.
Hope that helps

@TemaSM

TemaSM commented Sep 11, 2018

Hi there!
@stilliard I can confirm this issue (ECONNREFUSED). It was my bad.
I started facing the problem after pulling the new Docker image, but before that it was running successfully on the Docker image from commit f704b5c - Added link to full pure-ftpd flags available.
I'm using Rancher 1.6.x and deployed stilliard/pure-ftpd:

version: '2'
services:
  PureFTPD:
    image: stilliard/pure-ftpd:latest
    hostname: <host>
    environment:
      PGID: '1000'
      PUID: '1000'
      PUBLICHOST: <public_ip>
      FTP_PASSIVE_PORTS: 30000:30025
    stdin_open: true
    network_mode: bridge
    volumes:
    - /nfs/pure-ftpd:/etc/pure-ftpd:rw
    - /nfs/pure-ftpd/README.txt:/home/ftpuser/README.txt:ro
    - /srv/test:/home/ftpuser/test:rw
    tty: true
    ports:
    - 21:21/tcp
    - 20:20/tcp
    - 30000:30000/tcp
    - 30001:30001/tcp
    - 30002:30002/tcp
    - 30003:30003/tcp
    - 30004:30004/tcp
    - 30005:30005/tcp
    - 30006:30006/tcp
    - 30007:30007/tcp
    - 30008:30008/tcp
    - 30009:30009/tcp
    - 30010:30010/tcp
    - 30011:30011/tcp
    - 30012:30012/tcp
    - 30013:30013/tcp
    - 30014:30014/tcp
    - 30015:30015/tcp
    - 30016:30016/tcp
    - 30017:30017/tcp
    - 30019:30019/tcp
    - 3020:3020/tcp
    - 3021:3021/tcp
    - 3022:3022/tcp
    - 3023:3023/tcp
    - 3024:3024/tcp
    - 3025:3025/tcp
    command:
    - /run.sh -d -d -u 0 -c 100 -C 100 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P <host> -p 30000:30025

I think there are some problems with the newer commits:
ab35f79 - Fix duplicate passive port declaration
87d073b - [Merge] Fix passive port range default routine

@stilliard
Owner

Hi @TemaSM , would you be able to paste the docker logs output for this?
It should show the command the run.sh file ended up running which should help point to the problem, thank you.

@TemaSM

TemaSM commented Sep 11, 2018

@stilliard here's the log from the Docker container:

Log enabled, see /var/log/messages
Starting Pure-FTPd:
  pure-ftpd -d -d -u 0 -c 100 -C 100 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P <host> -p 30000:30025

Log from /var/log/messages:

Sep 11 12:53:52 ftp liblogging-stdlog:  [origin software="rsyslogd" swVersion="8.24.0" x-pid="8" x-info="https://www.rsyslog.com"] start
Sep 11 12:55:39 ftp pure-ftpd: ([email protected]) [INFO] New connection from 91.227.46.124
Sep 11 12:55:39 ftp pure-ftpd: ([email protected]) [INFO] test is now logged in
Sep 11 12:56:08 ftp pure-ftpd: ([email protected]) [INFO] New connection from 91.227.46.124
Sep 11 12:56:08 ftp pure-ftpd: ([email protected]) [INFO] test  is now logged in
Sep 11 12:56:51 ftp pure-ftpd: (test @91.227.46.124) [INFO] Logout.
Sep 11 12:56:55 ftp pure-ftpd: ([email protected]) [INFO] New connection from 91.227.46.124
Sep 11 12:56:55 ftp pure-ftpd: ([email protected]) [INFO] test  is now logged in

@stilliard
Owner

Thanks @TemaSM

Looks like the pure-ftpd command it runs is all good. Those commits you mentioned are just around the build-up of the command as far as I can see, so as long as that command looks good to you too, I don't think they are to blame.

But I've just noticed that in your example above a few of the ports are incorrect:

    - 3020:3020/tcp
    - 3021:3021/tcp
    - 3022:3022/tcp
    - 3023:3023/tcp
    - 3024:3024/tcp
    - 3025:3025/tcp

I think these should be:

    - 30020:30020/tcp
    - 30021:30021/tcp
    - 30022:30022/tcp
    - 30023:30023/tcp
    - 30024:30024/tcp
    - 30025:30025/tcp

This could be causing the error, hope this helps.

@TemaSM

TemaSM commented Sep 11, 2018

@stilliard thanks, it was my bad 😃
But something strange happens when the environment var FTP_PASSIVE_PORTS has the value 30000:30025 - while transferring files the ECONNREFUSED error occurs randomly from time to time, and when this var is not set, everything works like a charm.
UPD: It was my bad:
I didn't map 30018:30018/tcp, but pure-ftpd was configured to use the port range via -p 30000:30025, where of course port 30018 was disabled.
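As an added example (not part of the image or of anyone's post in this thread), a Python audit of the compose port list against the -p range in the logged command: it reproduces the two mistakes found above, the 3020-3025 typos and the unmapped 30018, as a list of passive ports the server can advertise but the host never publishes. It understands only compose short-syntax port entries and the -p lo:hi flag, and the port list is reconstructed from the file above.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the compose file posted above: 21, 20, 30000-30017, 30019 and the
# mistyped 3020-3025 entries. 30018 is absent, which is what the thread finally tracks down.
COMPOSE_PORTS = (["21:21/tcp", "20:20/tcp"]
                 + [f"{p}:{p}/tcp" for p in range(30000, 30018)]
                 + ["30019:30019/tcp"]
                 + [f"{p}:{p}/tcp" for p in range(3020, 3026)])
COMMAND = ("/run.sh -d -d -u 0 -c 100 -C 100 -l puredb:/etc/pure-ftpd/pureftpd.pdb "
           "-E -j -R -P <host> -p 30000:30025")

# Compose short syntax: host[-hi]:container[-hi][/proto]; IP-prefixed forms are not handled here.
MAP_RE = re.compile(r"^(\d+)(?:-(\d+))?:(\d+)(?:-(\d+))?(?:/(tcp|udp))?$")


def passive_range(command: str) -> Tuple[int, int]:
    """Read the -p lo:hi range that pure-ftpd will hand out in 227/229 replies."""
    m = re.search(r"(?:^|\s)-p\s*(\d+):(\d+)", command)
    if not m:
        raise ValueError("no -p lo:hi range in command")
    return int(m.group(1)), int(m.group(2))


def container_to_host(mappings: List[str]) -> Dict[int, int]:
    """Expand port entries into container-port -> host-port for TCP; ranges map pairwise."""
    table: Dict[int, int] = {}
    for entry in mappings:
        m = MAP_RE.match(entry.strip())
        if not m or m.group(5) == "udp":
            continue
        h_lo, h_hi, c_lo, c_hi = (int(g) if g else None for g in m.groups()[:4])
        h_hi, c_hi = h_hi or h_lo, c_hi or c_lo
        if h_hi - h_lo != c_hi - c_lo:
            raise ValueError(f"unequal range lengths in {entry!r}")
        for i in range(c_hi - c_lo + 1):
            table[c_lo + i] = h_lo + i
    return table


def audit(mappings: List[str], command: str) -> Dict[str, List[int]]:
    """Passive ports the server may advertise that a client cannot reach through the host:
    not published at all, or published under a different host port (the server always
    advertises the container-side port, so identity mappings are required)."""
    lo, hi = passive_range(command)
    c2h = container_to_host(mappings)
    missing = [p for p in range(lo, hi + 1) if p not in c2h]
    renumbered = [p for p in range(lo, hi + 1) if p in c2h and c2h[p] != p]
    return {"missing": missing, "renumbered": renumbered}
```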

@stilliard
Owner

That's excellent, glad it's working for you.

Pretty weird about that variable; from the run.sh file it shouldn't have any effect for you, as in your example file above you're passing "-p 30000:30025" directly, which should override it.

I'll keep an eye out for any reports of this, but if it happens to you again could you check the logs again to see if anything else shows up please?

Thank you.

@stilliard
Owner

@mateodelnorte is this resolved for you now too?

@mateodelnorte
Author

@stilliard I ended up using sftp to suit my purposes. But thanks!

@stilliard
Owner

@mateodelnorte that's cool, glad it's all solved anyway :)

@Neirda24

Hi @stilliard: it seems I am having the same trouble. But I think it is not directly linked to the project. I think it is because of the Docker networking, which is not forwarding the real client IP address. I am still looking for a solution on swarm mode. Any ideas?

@vishal1503

I'm not sure if other users are still experiencing this issue. Here's what I experienced:

I was attempting to get this container set up for our development team so that they could upload a WordPress website. This was on our production server but not yet publicly available. All of my testing was done locally.

After initial deployment, this is the error I was seeing in FileZilla Client.

Status:	Resolving address of ftp.mydomain.org
Status:	Connecting to 10.127.213.60:21...
Status:	Connection established, waiting for welcome message...
Status:	Insecure server, it does not support FTP over TLS.
Status:	Logged in
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (104,24,26,66,117,57)
Command:	MLSD
Error:	Connection timed out after 20 seconds of inactivity
Error:	Failed to retrieve directory listing

Upon further inspection of the last Response item, the IP address is different from the IP address in the second Status item. ftp.mydomain.org doesn't exist yet on Cloudflare. I'm strictly working locally right now (modified my hosts file). We do however have *.mydomain.org pointing to our Azure load balancer, which is the same IP address as the last Response item.

I logged into the container and ran:

apt-get update && apt-get install vim -y

and modified the hosts file to point ftp.mydomain.org to 10.10.127.213.60

FileZilla connected instantly to the container. It seems that Pure-FTPd is looking up the IP address of my PUBLICHOST using standard DNS, along with the list of passive ports to be used.

I remember having this issue with PureFTPd years ago (way before containers were a thing) and remember using vsftp instead because I couldn't figure this out then.

I will also be testing the host IP address and the public IP address for PUBLICHOST and report my findings. I hope this helps with some headaches.

I've experienced similar issues before with other packages where I needed to edit the hosts file in the container for things to work. Moreover, I couldn't pass a modified /etc/hosts file into the container without getting a bunch of startup errors.

Anyone have a workaround for this? Also, is there any way to get Pure-FTPd to use the PUBLICHOST domain name in the response instead of a DNS-returned IP address? I imagine this was by design to ensure that a user isn't redirected to a different server by someone tampering with the client's DNS, but that's a risk I'm willing to take considering all of the other stops we have in place. I'm using the hardened version and this is the out-of-box run.sh command logged upon startup.

pure-ftpd  -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P ftp.gideonspromise.org -s -A -j -Z -H -4 -E -R -G -X -x   -p 30000:30009 -c 5 -C 5
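As an added example, not code from the thread or from the image, a Python check that decodes the 227 and 229 replies quoted above the way an FTP client does and flags the two failure modes in this thread: a private container address leaking into the reply, and PUBLICHOST resolving (a 227 reply can carry only a dotted-quad IPv4 address, never a hostname) to something other than the address the client actually reached. The control-peer address and port range passed in are constructed inputs.

```python
import ipaddress
import re
from typing import List, Tuple

# Replies quoted in this thread: FileZilla's 227 line and the "ftp -p" client's 229 line.
PASV_REPLY = "227 Entering Passive Mode (104,24,26,66,117,57)"
EPSV_REPLY = "229 Extended Passive mode OK (|||30005|)"

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """227 reply (RFC 959): h1,h2,h3,h4 is a dotted-quad IPv4 address, port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """229 reply (RFC 2428): only the port is sent; the client reuses the control peer address."""
    m = EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 229 reply: {reply!r}")
    return int(m.group(1))


def check_passive(reply: str, control_peer: str, port_range: Tuple[int, int]) -> List[str]:
    """Return the reasons a client would fail to open the data connection for this reply.
    control_peer: address the client used for the control channel (constructed input);
    port_range: the -p lo:hi range published on the host or load balancer."""
    problems: List[str] = []
    if reply.startswith("227"):
        ip, port = parse_pasv(reply)
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            # A container/overlay address leaked because PUBLICHOST was unset or unresolvable.
            problems.append(f"unroutable address {ip} (container network leaked)")
        elif ip != control_peer:
            # PUBLICHOST resolves somewhere other than the host the client reached.
            problems.append(f"advertised {ip} but client connected to {control_peer}")
    else:
        port = parse_epsv(reply)  # EPSV never leaks an address, only a port
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"port {port} outside published range {lo}-{hi}")
    return problems
```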

@vishal1503

Reporting back from my previous comment. Using both the host IP address and the public IP address as the PUBLICHOST works. I obviously needed to ensure that my passive range was being forwarded to the host IP address when connecting from outside. Additionally, I also modified the hosts file on my client machine to use my public IP for ftp.mydomain.org, while using my public IP as the PUBLICHOST env variable, and I was able to connect successfully as well.
