FTP server hosting in Azure Kubernetes

8/2/2019

I am hosting an FTP server (basically a vsftpd server) in an Azure Kubernetes pod. I have exposed it using a LoadBalancer type service. I have also forwarded all the exposed ports to the service. I am still unable to connect to the server in passive mode.

I have enabled passive mode. As Azure Kubernetes is behind NAT, I have also explicitly provided pasv_address as the external IP of the exposed load balancer service. I also tried running the FTP server using xinetd instead of standalone, but it didn't work. I got a solution somewhere to add seccomp_sandbox=NO to vsftpd.conf, but it is not working. I have tried connecting using Windows PowerShell, and also with FileZilla and wsftp. I also disabled the firewall on my machine.

I have also tried connecting to the FTP server from the same pod where it is deployed, and I am able to transfer data. It would be using active mode. I also tried connecting to the FTP server from a different pod in the same cluster using passive mode; I was able to do that and even transferred a file. But from outside the cluster, using my local machine or any other FTP client, I am unable to open a data channel on the FTP server.

I have deployed the FTP server with the same configuration locally in a Docker container. It is still unable to open a data channel on the FTP server.

Here is the vsftpd.conf I am using in the FTP server:

listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30009
pasv_promiscuous=YES
dirlist_enable=YES
download_enable=YES
use_sendfile=NO
# Load balancer External IP
pasv_address=x.x.x.x
seccomp_sandbox=NO

Here is the deployment.yaml to deploy that in Kubernetes. Note I am also deploying an MSSQL server in the same pod and I am able to access it.
---
apiVersion: v1
kind: Service
metadata:
  name: ipldb-mssql-deployment
spec:
  selector:
    app: ipldb-mssql
  ports:
    - { port: 1433, targetPort: 1433, name: tcp }
    - { port: 21, targetPort: 21, name: ftp }
    - { port: 30000, targetPort: 30000, name: pasv1 }
    - { port: 30001, targetPort: 30001, name: pasv2 }
    - { port: 30002, targetPort: 30002, name: pasv3 }
    - { port: 30003, targetPort: 30003, name: pasv4 }
    - { port: 30004, targetPort: 30004, name: pasv5 }
    - { port: 30005, targetPort: 30005, name: pasv6 }
    - { port: 30006, targetPort: 30006, name: pasv7 }
    - { port: 30007, targetPort: 30007, name: pasv8 }
    - { port: 30008, targetPort: 30008, name: pasv9 }
    - { port: 30009, targetPort: 30009, name: pasv10 }
  type: LoadBalancer
---
apiVersion: apps/v1beta1
kind: Deployment
metadata: 
  name: ipldb-mssql-deployment
spec: 
  replicas: 1
  template: 
    metadata: 
      labels: 
        app: ipldb-mssql
    spec: 
      containers: 
        - 
          env: 
            - 
              name: MSSQL_PID
              value: Developer
            - 
              name: ACCEPT_EULA
              value: "Y"
            - 
              name: MSSQL_SA_PASSWORD
              value: pass
          image: "image"
          name: ipldb-mssql-filestorage
          ports: 
            - 
              containerPort: 1433
            - 
              containerPort: 21
            - 
              containerPort: 30000
            - 
              containerPort: 30001
            - 
              containerPort: 30002
            - 
              containerPort: 30003
            - 
              containerPort: 30004
            - 
              containerPort: 30005
            - 
              containerPort: 30006
            - 
              containerPort: 30007
            - 
              containerPort: 30008
            - 
              containerPort: 30009
      imagePullSecrets: 
        - 
          name: myPullSeceret

I need to run this FTP server on Kubernetes without the client opening ports unnecessarily. But the client I use gives me this error:

227 Entering Passive Mode (x,x,x,x,x,x).
connecting data channel to x.x.x.x:x,x(x)
Failed to connect data channel to x.x.x.x:x,x(x)
PORT x,x,x,x,x,x
500 Illegal PORT command.
Port failed 500 Illegal PORT command.

-- Akansha
azure-kubernetes
docker
ftp-server
nat
vsftpd
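
An added example, not part of the original post: a small Python check that decodes a `227 Entering Passive Mode` reply like the one in the error above and compares the advertised endpoint with the `pasv_address`, the `pasv_min_port`/`pasv_max_port` range and the Service ports from the question. The address 203.0.113.10, the pod address 10.244.1.7 and the sample replies are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Six comma-separated decimal fields of a PASV reply: h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_FIELDS = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line):
    """Return the (ip, port) a '227 Entering Passive Mode' reply advertises."""
    match = PASV_FIELDS.search(line)
    if not line.startswith("227") or match is None:
        raise ValueError(f"not a usable 227 reply: {line!r}")
    fields = [int(g) for g in match.groups()]
    if max(fields) > 255:
        raise ValueError(f"field above 255 in reply: {line!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def check_pasv_reply(line, external_ip, pasv_min, pasv_max, service_ports):
    """List mismatches between the reply and what the load balancer exposes."""
    ip, port = parse_pasv_reply(line)
    problems = []
    if ip != external_ip:
        scope = "private" if ipaddress.ip_address(ip).is_private else "unexpected"
        problems.append(f"{scope} address {ip} advertised, expected {external_ip}")
    if not pasv_min <= port <= pasv_max:
        problems.append(f"port {port} outside pasv range {pasv_min}-{pasv_max}")
    if port not in service_ports:
        problems.append(f"port {port} is not published by the Service")
    return problems


# Constructed sample values: 203.0.113.10 stands in for the load balancer IP.
EXTERNAL_IP = "203.0.113.10"
SERVICE_PORTS = set(range(30000, 30010))  # pasv1..pasv10 in the Service above
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,117,48).",  # 117*256+48 = 30000
    "227 Entering Passive Mode (10,244,1,7,117,48).",    # pod IP advertised
    "227 Entering Passive Mode (203,0,113,10,117,58).",  # port 30010
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        issues = check_pasv_reply(reply, EXTERNAL_IP, 30000, 30009, SERVICE_PORTS)
        print(reply, "->", issues or "consistent")
```

A reply that passes these checks only shows that the advertised endpoint matches the published configuration; it does not test how the load balancer routes the data connection.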

1 Answer

8/16/2019

I was able to figure out the issue. Responding in case someone needs this answer. I changed externalTrafficPolicy: Cluster to externalTrafficPolicy: Local of the load balancer service.

-- Akansha
Source: StackOverflow