
I'm a beginner in Docker. I have vsftpd on Debian, and for passive mode I configured in vsftpd:

pasv_enable=YES
pasv_min_port=65000
pasv_max_port=65000
pasv_address=192.168.1.31

and I see with Wireshark that the server responds with passive port 65000 but with passive IP 0.0.0.0, and I don't understand why, since I configured the passive IP. When I run Docker I bind ports 21 and 65000 (and in the Dockerfile I expose 21 and 65000), and the connection on port 21 and active mode are good, but I also need to use passive mode. In Wireshark I see this:

227 Entering Passive Mode (0,0,0,0,253,232).
Passive IP address: 0.0.0.0 (0.0.0.0)
Passive port: 65000
Passive IP NAT: True

Dockerfile:

FROM debian:jessie

RUN apt-get update
RUN apt-get dist-upgrade -y
RUN apt-get install -y -q --no-install-recommends vsftpd
RUN apt-get clean

RUN echo "local_enable=YES" >> /etc/vsftpd.conf
RUN echo "chroot_local_user=YES" >> /etc/vsftpd.conf
RUN echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf
RUN echo "write_enable=YES" >> /etc/vsftpd.conf
RUN echo "pasv_enable=YES" >> /etc/vsftpd.conf
RUN echo "pasv_min_port=65000" >> /etc/vsftpd.conf
RUN echo "pasv_max_port=65000" >> /etc/vsftpd.conf
RUN echo "pasv_address=192.168.1.31" >> /etc/vsftpd.conf

RUN mkdir -p /var/run/vsftpd/empty

EXPOSE 21/tcp
EXPOSE 65000/tcp

CMD vsftpd

And I build and run with commands:

docker build -t vsftpd .
docker run -d -p 21:21 -p 65000:65000 -v /etc/passwd:/etc/passwd:ro -v /etc/shadow:/etc/shadow:ro -v /etc/group:/etc/group:ro -v /home:/home vsftpd

I also tried running Docker with more parameters:

docker run -d -p 192.168.1.31:21:21 -p 192.168.1.31:65000:65000 -v /etc/passwd:/etc/passwd:ro -v /etc/shadow:/etc/shadow:ro -v /etc/group:/etc/group:ro -v /home:/home vsftpd

In active mode everything works well; only passive mode fails, and I don't understand why the server tells the client to connect to 0.0.0.0 with pasv_address configured. I mount passwd, shadow and group into the container read-only to use local users in vsftpd, and home for chrooting local users; this works well in active mode. I'm trying all this in a virtual machine in bridge mode, and in the virtual machine I have an Ubuntu server with docker.io 1.2.0.

  • Each data transfer (directory listing, file transfers) will need a new port because it cannot immediately reuse the same port as the previous connection. Thus just having a single port for data connections is not enough; you have to allow a range of ports. And if you have more problems, please detail "does not work", i.e. show error messages and describe the behavior more clearly. – Steffen Ullrich Jan 18 '15 at 18:48
  • I tried with the range 65000-65005 and it doesn't work. I looked with Wireshark again and the problem is the same: the server tells the client to connect to IP 0.0.0.0, and the connection is refused because it tries to connect to 0.0.0.0, so it can't connect in passive mode on the first command after the USER and PASS commands. That's the behavior (and I described it before): the server responds to the PASS command with a good port but a bad IP (and pasv_address=192.168.1.31 in vsftpd.conf). –  Jan 18 '15 at 19:00
  • Now I see what you mean. It looks like the pasv_address option has no effect. I suggest you check the vsftp log file and maybe you can see from there why it does not apply this option. – Steffen Ullrich Jan 18 '15 at 19:44
  • pasv_address needs to be your external address not the address of the docker container? – 2Fast2BCn Feb 03 '15 at 14:17
  • Yes, I read it in the man page. And it's set to the IP of the machine. –  Feb 04 '15 at 22:21

1 Answer


I have now fixed it. By default, vsftpd was listening on IPv4 and IPv6 with the default configuration, etc.; I commented out the IPv6 config and configured only IPv4, and then everything worked.
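
The following Python check is an added example, not part of the original post or of vsftpd: it decodes the 227 reply captured in the question and compares it with the pasv_* settings, which is a quick way to confirm after a configuration change that the server advertises the intended address and port. The function names are hypothetical, and it assumes a numeric pasv_address and that a later duplicate key in vsftpd.conf overrides an earlier one.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

# Constructed sample input: settings and reply as quoted in the question.
CONF = """pasv_enable=YES
pasv_min_port=65000
pasv_max_port=65000
pasv_address=192.168.1.31
"""
REPLY = "227 Entering Passive Mode (0,0,0,0,253,232)."

def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2

def parse_conf(text):
    """key=value lines, '#' comments skipped; later duplicates win (assumed)."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k: v for k, v in pairs}

def check_pasv(reply, conf):
    """List mismatches between a PASV reply and the pasv_* settings."""
    ip, port = parse_pasv(reply)
    findings = []
    if ip.is_unspecified:
        findings.append("advertised address is unspecified (0.0.0.0)")
    want = conf.get("pasv_address")  # assumed numeric, not a hostname
    if want and ip != ipaddress.IPv4Address(want):
        findings.append("advertised %s, pasv_address=%s" % (ip, want))
    lo = int(conf.get("pasv_min_port", 0))  # 0 means no limit in vsftpd
    hi = int(conf.get("pasv_max_port", 0))
    if (lo and port < lo) or (hi and port > hi):
        findings.append("port %d outside %d-%d" % (port, lo, hi))
    return findings

if __name__ == "__main__":
    print(parse_pasv(REPLY), check_pasv(REPLY, parse_conf(CONF)))
```

For the reply in the question this reports the unspecified address and the mismatch with pasv_address, while the port (253*256 + 232 = 65000) is within the configured range.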