src/sftp.js

'use strict';

exports = module.exports = {
    start,

    DEFAULT_MEMORY_LIMIT: 256 * 1024 * 1024
};

const apps = require('./apps.js'),
    assert = require('node:assert'),
    blobs = require('./blobs.js'),
    BoxError = require('./boxerror.js'),
    debug = require('debug')('box:sftp'),
    docker = require('./docker.js'),
    hat = require('./hat.js'),
    infra = require('./infra_version.js'),
    mounts = require('./mounts.js'),
    path = require('node:path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    services = require('./services.js'),
    shell = require('./shell.js')('sftp'),
    volumes = require('./volumes.js');

async function ensureKeys() {
    for (const keyType of [ 'rsa', 'ed25519' ]) {
        const privateKey = await blobs.get(`sftp_${keyType}_private_key`);
        const publicKey = await blobs.get(`sftp_${keyType}_public_key`);
        const publicKeyFile = path.join(paths.SFTP_KEYS_DIR, `ssh_host_${keyType}_key.pub`);
        const privateKeyFile = path.join(paths.SFTP_KEYS_DIR, `ssh_host_${keyType}_key`);

        if (!privateKey || !publicKey) {
            debug(`ensureSecrets: generating new sftp keys of type ${keyType}`);
            safe.fs.unlinkSync(publicKeyFile);
            safe.fs.unlinkSync(privateKeyFile);
            const [error] = await safe(shell.spawn('ssh-keygen', ['-m', 'PEM', '-t', keyType, '-f', `${paths.SFTP_KEYS_DIR}/ssh_host_${keyType}_key`, '-q', '-N', ''], {}));
            if (error) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ${keyType} keys: ${error.message}`);
            const newPublicKey = safe.fs.readFileSync(publicKeyFile);
            await blobs.set(`sftp_${keyType}_public_key`, newPublicKey);
            const newPrivateKey = safe.fs.readFileSync(privateKeyFile);
            await blobs.set(`sftp_${keyType}_private_key`, newPrivateKey);
        } else {
            if (!safe.fs.writeFileSync(publicKeyFile, publicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public ${keyType} key: ${safe.error.message}`);
            if (!safe.fs.writeFileSync(privateKeyFile, privateKey, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private ${keyType} key: ${safe.error.message}`);
        }
    }
}

async function start(existingInfra) {
    assert.strictEqual(typeof existingInfra, 'object');

    debug('start: re-creating container');

    const serviceConfig = await services.getServiceConfig('sftp');
    const image = infra.images.sftp;
    const memoryLimit = serviceConfig.memoryLimit || exports.DEFAULT_MEMORY_LIMIT;
    const cloudronToken = hat(8 * 128);

    await ensureKeys();

    const resolvedAppDataDir = safe.fs.realpathSync(paths.APPS_DATA_DIR);
    if (!resolvedAppDataDir) throw new BoxError(BoxError.FS_ERROR, `Could not resolve apps data dir: ${safe.error.message}`);

    const dataDirs = [{ hostDir: resolvedAppDataDir, mountDir: '/mnt/appsdata' }];

    // custom app data directories
    const allApps = await apps.list();
    for (const app of allApps) {
        if (!app.manifest.addons?.localstorage || !app.storageVolumeId) continue;

        const hostDir = await apps.getStorageDir(app), mountDir = `/mnt/app-${app.id}`; // see also sftp:userSearchSftp
        if (hostDir === null || !safe.fs.existsSync(hostDir)) { // this can fail if external mount does not have permissions for yellowtent user
            // do not create host path when cloudron is restoring. this will then create dir with root perms making restore logic fail
            debug(`Ignoring app data dir ${hostDir} for ${app.id} since it does not exist`);
            continue;
        }

        dataDirs.push({ hostDir, mountDir });
    }

    // volume directories
    dataDirs.push({ hostDir: '/mnt/volumes', mountDir: '/mnt/volumes' }); // managed volumes
    const allVolumes = await volumes.list();
    for (const volume of allVolumes) {
        if (mounts.isManagedProvider(volume.mountType)) continue; // skip managed volume. these are acessed via /mnt/volumes mount above

        if (!safe.fs.existsSync(volume.hostPath)) {
            debug(`Ignoring volume host path ${volume.hostPath} since it does not exist`);
            continue;
        }

        dataDirs.push({ hostDir: volume.hostPath, mountDir: `/mnt/volume-${volume.id}` });
    }

    // mail data dir
    const resolvedMailDataDir = safe.fs.realpathSync(paths.MAIL_DATA_DIR);
    if (!resolvedMailDataDir) throw new BoxError(BoxError.FS_ERROR, `Could not resolve mail data dir: ${safe.error.message}`);
    dataDirs.push({ hostDir: resolvedMailDataDir, mountDir: '/mnt/maildata' });

    const readOnly = !serviceConfig.recoveryMode ? '--read-only' : '';
    const cmd = serviceConfig.recoveryMode ? '/bin/bash -c \'echo "Debug mode. Sleeping" && sleep infinity\'' : '';

    const volumeMounts = dataDirs.map(v => `-v "${v.hostDir}:${v.mountDir}"`).join(' ');
    const runCmd = `docker run --restart=unless-stopped -d --name=sftp \
                --hostname sftp \
                --net cloudron \
                --net-alias sftp \
                --log-driver syslog \
                --log-opt syslog-address=unix://${paths.SYSLOG_SOCKET_FILE} \
                --log-opt syslog-format=rfc5424 \
                --log-opt tag=sftp \
                -m ${memoryLimit} \
                --memory-swap -1 \
                -p 222:22 \
                ${volumeMounts} \
                -e CLOUDRON_SFTP_TOKEN=${cloudronToken} \
                -v ${paths.SFTP_KEYS_DIR}:/etc/ssh:ro \
                --label isCloudronManaged=true \
                ${readOnly} -v /tmp -v /run ${image} ${cmd}`;

    debug('startSftp: stopping and deleting previous sftp container');
    await docker.stopContainer('sftp');
    await docker.deleteContainer('sftp');

    debug('startSftp: starting sftp container');
    await shell.bash(runCmd, { encoding: 'utf8' });

    if (existingInfra.version !== 'none' && existingInfra.images.sftp !== image) await docker.deleteImage(existingInfra.images.sftp);
}
containerize sftp 2019-04-04 20:46:01 -07:00			`'use strict';`

			`exports = module.exports = {`
Fixes to service configuration restart service does not rebuild automatically, we should add a route for that. we need to figure where to scale services etc if we randomly create containers like that. 2021-01-21 12:53:38 -08:00			`start,`

			`DEFAULT_MEMORY_LIMIT: 256 * 1024 * 1024`
containerize sftp 2019-04-04 20:46:01 -07:00			`};`

volumes: async'ify 2021-05-11 17:50:48 -07:00			`const apps = require('./apps.js'),`
use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`assert = require('node:assert'),`
sftp: move key generation to sftp code 2021-11-16 21:50:09 -08:00			`blobs = require('./blobs.js'),`
sftp: rework appdata and volume mounting logic this tries to solve two issues: * the current approach mounts the data directories of apps/volumes individually. this causes a problem with volume mounts that mount after the container is started i.e not network time/delay but systemd ordering. With CIFS, the mount is a hostname. This requires unbound to be running but unbound can only start after docker because it wants to bind to the docker network. one way to fix is to not start sftp automatically and only start sftp container in the box code. This results in the sftp container attaching itself of the directory before mounting and it appears empty. (on the host, the directory will appear to have mount data!) * every time apptask runs we keep rebuilding this sftp container. this results in much race. the fix is: mount the parent directory of apps and volumes. in addition, then any specialized appdata paths and volume paths are mounted individually. this greatly minimized rebuilding and also since we don't rely on binding to the mount point itself. the child directories can mount in leisure. this limits the race issue to only no-op volume mounts. part of #789 2021-06-24 16:19:30 -07:00			`BoxError = require('./boxerror.js'),`
Mount data custom app data location specifically into sftp addon Fixes #722 2020-07-24 14:44:41 +02:00			`debug = require('debug')('box:sftp'),`
services: better status for sftp and turn 2021-10-19 15:51:22 -07:00			`docker = require('./docker.js'),`
sftp: init and access API with a token 2020-10-19 17:26:20 -07:00			`hat = require('./hat.js'),`
containerize sftp 2019-04-04 20:46:01 -07:00			`infra = require('./infra_version.js'),`
volumes: check provider instead of hostPath 2024-08-08 14:12:06 +02:00			`mounts = require('./mounts.js'),`
use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`path = require('node:path'),`
sftp: ubuntu 20 requires keys in legacy format 2020-11-26 11:45:43 -08:00			`paths = require('./paths.js'),`
sftp: only mount data dirs that exist when restoring, the platform starts first and the sftp container goes and creates app data dirs with root permission. this prevents the app restore logic from downloading the backup since it expects yellowtent perm 2020-08-09 12:10:20 -07:00			`safe = require('safetydance'),`
services: better status for sftp and turn 2021-10-19 15:51:22 -07:00			`services = require('./services.js'),`
shell: make require take a tag 2024-10-14 19:10:31 +02:00			`shell = require('./shell.js')('sftp'),`
sftp: rework appdata and volume mounting logic this tries to solve two issues: * the current approach mounts the data directories of apps/volumes individually. this causes a problem with volume mounts that mount after the container is started i.e not network time/delay but systemd ordering. With CIFS, the mount is a hostname. This requires unbound to be running but unbound can only start after docker because it wants to bind to the docker network. one way to fix is to not start sftp automatically and only start sftp container in the box code. This results in the sftp container attaching itself of the directory before mounting and it appears empty. (on the host, the directory will appear to have mount data!) * every time apptask runs we keep rebuilding this sftp container. this results in much race. the fix is: mount the parent directory of apps and volumes. in addition, then any specialized appdata paths and volume paths are mounted individually. this greatly minimized rebuilding and also since we don't rely on binding to the mount point itself. the child directories can mount in leisure. this limits the race issue to only no-op volume mounts. part of #789 2021-06-24 16:19:30 -07:00			`volumes = require('./volumes.js');`
containerize sftp 2019-04-04 20:46:01 -07:00
sftp: move key generation to sftp code 2021-11-16 21:50:09 -08:00			`async function ensureKeys() {`
sftp: ed25519 keys 2023-03-09 10:55:14 +01:00			`for (const keyType of [ 'rsa', 'ed25519' ]) {`
			const privateKey = await blobs.get(`sftp_${keyType}_private_key`);
			const publicKey = await blobs.get(`sftp_${keyType}_public_key`);
			const publicKeyFile = path.join(paths.SFTP_KEYS_DIR, `ssh_host_${keyType}_key.pub`);
			const privateKeyFile = path.join(paths.SFTP_KEYS_DIR, `ssh_host_${keyType}_key`);

			`if (!privateKey \|\| !publicKey) {`
			debug(`ensureSecrets: generating new sftp keys of type ${keyType}`);
sftp: delete any existing keys since we are committed to regenerating at this point in code 2023-04-27 20:03:41 +02:00			`safe.fs.unlinkSync(publicKeyFile);`
			`safe.fs.unlinkSync(privateKeyFile);`
shell: add explicit bash() function 2024-10-16 10:25:07 +02:00			const [error] = await safe(shell.spawn('ssh-keygen', ['-m', 'PEM', '-t', keyType, '-f', `${paths.SFTP_KEYS_DIR}/ssh_host_${keyType}_key`, '-q', '-N', ''], {}));
Use the async shell exec 2024-02-20 22:57:36 +01:00			if (error) throw new BoxError(BoxError.OPENSSL_ERROR, `Could not generate sftp ${keyType} keys: ${error.message}`);
sftp: ed25519 keys 2023-03-09 10:55:14 +01:00			`const newPublicKey = safe.fs.readFileSync(publicKeyFile);`
			await blobs.set(`sftp_${keyType}_public_key`, newPublicKey);
			`const newPrivateKey = safe.fs.readFileSync(privateKeyFile);`
			await blobs.set(`sftp_${keyType}_private_key`, newPrivateKey);
			`} else {`
			if (!safe.fs.writeFileSync(publicKeyFile, publicKey)) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp public ${keyType} key: ${safe.error.message}`);
			if (!safe.fs.writeFileSync(privateKeyFile, privateKey, { mode: 0o600 })) throw new BoxError(BoxError.FS_ERROR, `Could not save sftp private ${keyType} key: ${safe.error.message}`);
			`}`
sftp: move key generation to sftp code 2021-11-16 21:50:09 -08:00			`}`
			`}`

services: simplify startup logic 2021-09-26 22:48:14 -07:00			`async function start(existingInfra) {`
			`assert.strictEqual(typeof existingInfra, 'object');`
Mount data custom app data location specifically into sftp addon Fixes #722 2020-07-24 14:44:41 +02:00
services: simplify startup logic 2021-09-26 22:48:14 -07:00			`debug('start: re-creating container');`
Mount data custom app data location specifically into sftp addon Fixes #722 2020-07-24 14:44:41 +02:00
refactor into getServiceConfig 2023-08-03 12:52:47 +05:30			`const serviceConfig = await services.getServiceConfig('sftp');`
docker: fix image prune it seems docker images --digests cloudron/sftp --format "{{.ID}} {{.Repository}}:{{.Tag}}@{{.Digest}} broke at some point 2023-08-08 10:42:16 +05:30			`const image = infra.images.sftp;`
Fixes to service configuration restart service does not rebuild automatically, we should add a route for that. we need to figure where to scale services etc if we randomly create containers like that. 2021-01-21 12:53:38 -08:00			`const memoryLimit = serviceConfig.memoryLimit \|\| exports.DEFAULT_MEMORY_LIMIT;`
sftp: init and access API with a token 2020-10-19 17:26:20 -07:00			`const cloudronToken = hat(8 * 128);`
containerize sftp 2019-04-04 20:46:01 -07:00
sftp: move key generation to sftp code 2021-11-16 21:50:09 -08:00			`await ensureKeys();`

use realpath to resolve links 2021-09-26 18:36:33 -07:00			`const resolvedAppDataDir = safe.fs.realpathSync(paths.APPS_DATA_DIR);`
			if (!resolvedAppDataDir) throw new BoxError(BoxError.FS_ERROR, `Could not resolve apps data dir: ${safe.error.message}`);
sftp: rework appdata and volume mounting logic this tries to solve two issues: * the current approach mounts the data directories of apps/volumes individually. this causes a problem with volume mounts that mount after the container is started i.e not network time/delay but systemd ordering. With CIFS, the mount is a hostname. This requires unbound to be running but unbound can only start after docker because it wants to bind to the docker network. one way to fix is to not start sftp automatically and only start sftp container in the box code. This results in the sftp container attaching itself of the directory before mounting and it appears empty. (on the host, the directory will appear to have mount data!) * every time apptask runs we keep rebuilding this sftp container. this results in much race. the fix is: mount the parent directory of apps and volumes. in addition, then any specialized appdata paths and volume paths are mounted individually. this greatly minimized rebuilding and also since we don't rely on binding to the mount point itself. the child directories can mount in leisure. this limits the race issue to only no-op volume mounts. part of #789 2021-06-24 16:19:30 -07:00
sftp: refactor 2021-09-25 17:07:07 -07:00			`const dataDirs = [{ hostDir: resolvedAppDataDir, mountDir: '/mnt/appsdata' }];`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00
sftp: refactor 2021-09-25 17:07:07 -07:00			`// custom app data directories`
			`const allApps = await apps.list();`
			`for (const app of allApps) {`
sftp: fix crash when app has no addons 2023-11-13 21:58:44 +01:00			`if (!app.manifest.addons?.localstorage \|\| !app.storageVolumeId) continue;`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00
migrate app dataDir to volumes 2022-06-01 22:44:52 -07:00			const hostDir = await apps.getStorageDir(app), mountDir = `/mnt/app-${app.id}`; // see also sftp:userSearchSftp
apptask: only move app uses localstorage addon 2024-06-06 15:22:33 +02:00			`if (hostDir === null \|\| !safe.fs.existsSync(hostDir)) { // this can fail if external mount does not have permissions for yellowtent user`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`// do not create host path when cloudron is restoring. this will then create dir with root perms making restore logic fail`
			debug(`Ignoring app data dir ${hostDir} for ${app.id} since it does not exist`);
sftp: refactor 2021-09-25 17:07:07 -07:00			`continue;`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`}`

			`dataDirs.push({ hostDir, mountDir });`
sftp: refactor 2021-09-25 17:07:07 -07:00			`}`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00
sftp: refactor 2021-09-25 17:07:07 -07:00			`// volume directories`
sftp: add note 2021-12-23 22:35:20 -08:00			`dataDirs.push({ hostDir: '/mnt/volumes', mountDir: '/mnt/volumes' }); // managed volumes`
sftp: refactor 2021-09-25 17:07:07 -07:00			`const allVolumes = await volumes.list();`
			`for (const volume of allVolumes) {`
volumes: check provider instead of hostPath 2024-08-08 14:12:06 +02:00			`if (mounts.isManagedProvider(volume.mountType)) continue; // skip managed volume. these are acessed via /mnt/volumes mount above`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00
			`if (!safe.fs.existsSync(volume.hostPath)) {`
			debug(`Ignoring volume host path ${volume.hostPath} since it does not exist`);
sftp: refactor 2021-09-25 17:07:07 -07:00			`continue;`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`}`

filemanager: fix mounting of filesystem and mountpoint backends 2021-12-24 10:43:39 -08:00			dataDirs.push({ hostDir: volume.hostPath, mountDir: `/mnt/volume-${volume.id}` });
sftp: refactor 2021-09-25 17:07:07 -07:00			`}`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00
mail: mount mail data directory into sftp container fixes #794 2021-09-25 17:19:58 -07:00			`// mail data dir`
use realpath to resolve links 2021-09-26 18:36:33 -07:00			`const resolvedMailDataDir = safe.fs.realpathSync(paths.MAIL_DATA_DIR);`
			if (!resolvedMailDataDir) throw new BoxError(BoxError.FS_ERROR, `Could not resolve mail data dir: ${safe.error.message}`);
			`dataDirs.push({ hostDir: resolvedMailDataDir, mountDir: '/mnt/maildata' });`
mail: mount mail data directory into sftp container fixes #794 2021-09-25 17:19:58 -07:00
services: add recoveryMode 2021-10-01 12:09:13 -07:00			`const readOnly = !serviceConfig.recoveryMode ? '--read-only' : '';`
			`const cmd = serviceConfig.recoveryMode ? '/bin/bash -c \'echo "Debug mode. Sleeping" && sleep infinity\'' : '';`

volumes: check provider instead of hostPath 2024-08-08 14:12:06 +02:00			const volumeMounts = dataDirs.map(v => `-v "${v.hostDir}:${v.mountDir}"`).join(' ');
services: change restart policy to unless-stopped when we stop an app, the service containers are stopped. they start running again on reboot. correct restart policy is "unless-stopped" for all the containers. 2025-06-14 17:51:35 +02:00			const runCmd = `docker run --restart=unless-stopped -d --name=sftp \
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`--hostname sftp \`
			`--net cloudron \`
			`--net-alias sftp \`
			`--log-driver syslog \`
syslog: change it to unix domain socket docker is using a extra udp port for every container. when there is a lot of containers, a lot of random udp ports get used up. this causes problems when installing apps that require contiguous port ranges 2024-03-21 17:30:50 +01:00			`--log-opt syslog-address=unix://${paths.SYSLOG_SOCKET_FILE} \`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`--log-opt syslog-format=rfc5424 \`
			`--log-opt tag=sftp \`
memoryLimit: redefine to not include swap Currently, we allocate 50% as RAM and 50% as swap. The manifest is usually quite conservative on memory values. This means that we set up a system where the app is applying memory pressure almost immediately. This then swaps things randomly and increases cpu usage (kswapd shows up in the profile). To rethink the whole situation: we should not cap apps with a swap limit at all. The memory hard limit is what is important. By redefining memoryLimit , we are doubling every container's memory and it's good that we over allocate this. 2024-04-09 18:59:40 +02:00			`-m ${memoryLimit} \`
			`--memory-swap -1 \`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`-p 222:22 \`
volumes: check provider instead of hostPath 2024-08-08 14:12:06 +02:00			`${volumeMounts} \`
shell: docker run needs shell don't want to get into parsing quotes! 2024-02-22 10:34:56 +01:00			`-e CLOUDRON_SFTP_TOKEN=${cloudronToken} \`
			`-v ${paths.SFTP_KEYS_DIR}:/etc/ssh:ro \`
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00			`--label isCloudronManaged=true \`
shell: docker run needs shell don't want to get into parsing quotes! 2024-02-22 10:34:56 +01:00			${readOnly} -v /tmp -v /run ${image} ${cmd}`;
docker.js and services.js: async'ify 2021-08-25 19:41:46 -07:00
fixup various shell usage 2024-02-28 18:47:53 +01:00			`debug('startSftp: stopping and deleting previous sftp container');`
			`await docker.stopContainer('sftp');`
			`await docker.deleteContainer('sftp');`

			`debug('startSftp: starting sftp container');`
platform: get shell output as utf8 2024-12-19 16:59:28 +01:00			`await shell.bash(runCmd, { encoding: 'utf8' });`
docker: rework image pruning with our new retagging approach, the Digest ID remains <null> because this is only set by docker if truly fetched from the registry. this means that redis container always gets removed... 2024-12-14 20:47:35 +01:00
			`if (existingInfra.version !== 'none' && existingInfra.images.sftp !== image) await docker.deleteImage(existingInfra.images.sftp);`
containerize sftp 2019-04-04 20:46:01 -07:00			`}`