initial commit

.gitignore

@@ -0,0 +1 @@
+.DS_Store

CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [Unreleased]
+
+## [0.3.1] - 2022-02-08
+
+### Added
+- Added a changelog
+
+[unreleased]: https://github.com/ibm/repo-template/compare/v0.0.1...HEAD
+[0.3.1]: https://github.com/ibm/repo-template/releases/tag/v0.0.1

CONTRIBUTING.md

@@ -0,0 +1,84 @@
+## Contributing In General
+Our project welcomes external contributions. If you have an itch, please feel
+free to scratch it.
+
+To contribute code or documentation, please submit a [pull request](https://github.com/ibm/sftp-only-container/pulls).
+
+A good way to familiarize yourself with the codebase and contribution process is
+to look for and tackle low-hanging fruit in the [issue tracker](https://github.com/ibm/sftp-only-container/issues).
+Before embarking on a more ambitious contribution, please quickly [get in touch](#communication) with us.
+
+**Note: We appreciate your effort, and want to avoid a situation where a contribution
+requires extensive rework (by you or by us), sits in backlog for a long time, or
+cannot be accepted at all!**
+
+### Proposing new features
+
+If you would like to implement a new feature, please [raise an issue](https://github.com/ibm/sftp-only-container/issues)
+before sending a pull request so the feature can be discussed. This is to avoid
+you wasting your valuable time working on a feature that the project developers
+are not interested in accepting into the code base.
+
+### Fixing bugs
+
+If you would like to fix a bug, please [raise an issue](https://github.com/ibm/sftp-only-container/issues) before sending a
+pull request so it can be tracked.
+
+### Merge approval
+
+The project maintainers use LGTM (Looks Good To Me) in comments on the code
+review to indicate acceptance. A change requires LGTMs from two of the
+maintainers of each component affected.
+
+For a list of the maintainers, see the [MAINTAINERS.md](MAINTAINERS.md) page.
+
+## Legal
+
+Each source file must include a license header for the Apache
+Software License 2.0. Using the SPDX format is the simplest approach.
+e.g.
+
+```
+/*
+Copyright <holder> All Rights Reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/
+```
+
+We have tried to make it as easy as possible to make contributions. This
+applies to how we handle the legal aspects of contribution. We use the
+same approach - the [Developer's Certificate of Origin 1.1 (DCO)](https://github.com/hyperledger/fabric/blob/master/docs/source/DCO1.1.txt) - that the Linux® Kernel [community](https://elinux.org/Developer_Certificate_Of_Origin)
+uses to manage code contributions.
+
+We simply ask that when submitting a patch for review, the developer
+must include a sign-off statement in the commit message.
+
+Here is an example Signed-off-by line, which indicates that the
+submitter accepts the DCO:
+
+```
+Signed-off-by: John Doe <[email protected]>
+```
+
+You can include this automatically when you commit a change to your
+local git repository using the following command:
+
+```
+git commit -s
+```
+
+## Communication
+**FIXME** Please feel free to connect with us on our [Slack channel](link).
+
+## Setup
+**FIXME** Please add any special setup instructions for your project to help the developer
+become productive quickly.
+
+## Testing
+**FIXME** Please provide information that helps the developer test any changes they make
+before submitting.
+
+## Coding style guidelines
+**FIXME** Optional, but recommended: please share any specific style guidelines you might
+have for your project.

Dockerfile

@@ -0,0 +1,55 @@
+#
+# SFTP only Container - thomasw64/sshd
+#
+# Under Apache 2.0 License see LICENSE file.
+#
+# Copyright IBM 2021,2022
+# SPDX-License-Identifier: Apache2.0
+#
+# Authors:
+#  - Thomas Weinzettl <[email protected]>
+#
+#===============================================================================
+
+# Choose from one of the two:
+#  ubi8-minimal:latest ..... if you have RH licenses
+#  fedora-minimal:latest ... if you prefer complete open source
+# FROM registry.access.redhat.com/ubi8-minimal:latest
+FROM registry.fedoraproject.org/fedora-minimal:latest
+
+LABEL org.opencontainers.image.title="SFTP only Container"
+LABEL org.opencontainers.image.description="A container that allows to share docker/podman volumes via a secure SFTP only connection."
+LABEL org.opencontainers.image.authors="[email protected]"
+LABEL org.opencontainers.image.source="https://github.com/IBM/sftp-only-container.git"
+LABEL org.opencontainers.image.vendor="IBM"
+LABEL org.opencontainers.image.licenses="Apache-2.0"
+#LABEL description="A ssh container with an simple method to import public keys"
+LABEL org.opencontainers.image.version="0.3.1"
+
+RUN microdnf --nodocs -y install openssh-server sudo && \
+    microdnf clean all
+
+RUN mkdir -p /home/.sshd/ && \
+    chmod 700 /home/.sshd
+
+RUN sed -i "s/#PubkeyAuthentication yes/PubkeyAuthentication yes/g" /etc/ssh/sshd_config && \
+    sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config && \
+    sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config && \
+    sed -i "s/GSSAPIAuthentication yes/GSSAPIAuthentication no/g" /etc/ssh/sshd_config && \
+    sed -i "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
+
+COPY entrypoint.sh /entrypoint.sh
+COPY ssh-key.sh /bin/ssh-key.sh
+COPY ssh-functions.sh /bin/ssh-functions.sh
+COPY containeradm /bin/containeradm
+
+ENV SFTP_ONLY=no
+ENV DEBUG=0
+
+VOLUME ["/Volume","/home/"]
+
+EXPOSE 22
+
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/sbin/sshd","-D","-e"]

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2021, 2022 IBM
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

MAINTAINERS.md

@@ -0,0 +1,3 @@
+# MAINTAINERS
+
+Thomas Weinzettl - [email protected]

README.md

@@ -1,2 +1,97 @@
+<!-- This should be the location of the title of the repository, normally the short name -->
 # sftp-only-container
-container files and shell scripts for the IBM Developer tutorial sftp-only container for IBM zCX (or any other appliance-like container runtime).
+
+<!-- Build Status, is a great thing to have at the top of your repository, it shows that you take your CI/CD as first class citizens -->
+<!-- [![Build Status](https://travis-ci.org/jjasghar/ibm-cloud-cli.svg?branch=master)](https://travis-ci.org/jjasghar/ibm-cloud-cli) -->
+
+<!-- Not always needed, but a scope helps the user understand in a short sentance like below, why this repo exists -->
+## Scope
+
+container files and shell scripts for the IBM Developer tutorial sftp-only
+container for IBM zCX (or any other appliance-like container runtime).
+
+*TODO* add link to public site, once published.
+
+## Usage - Start the container
+
+### Requirements
+
+- IBM Z Container Extension (zCX) or other remote container runtime (docker or podman) e.g. podman machines on MacOS
+- volume for `/home` to contain _authorized_keys_ for ssh public key
+authentication
+- volume for `/Volume` to host the hub of container volumes to mount onto
+
+### Start the container
+
+Here is an example to start the container. The `dummy_volume` is an example of
+how to add another container volume to the sftp_only container.
+
+```
+$ docker run --name sftp-only --hostname sftp-only --rm -d -p 2022:22 \
+-v sftp-home:/home -v sftp-volume:/Volume -v dummy_volume:/Volume/dummy \
+-e SFTP_ONLY=yes thomasw/sftp-only:latest
+```
+
+| Environment Variable | Values | description |
+| --- | --- | --- |
+| SFTP_ONLY | yes / **no** | **Default:** no <br/>Set to _yes_ if the container should restrict the access to sftp, and change the root to `/Volume` |
+| DEBUG | **0** numeric | **Default:** 0 (for no output) <br/> 1 or higher is more verbose |
+
+## Usage User Administration
+
+This can be done on the running container with `docker exec` or on the `/home`
+volume while stopped.
+
+```
+$ docker exec sftp-only containeradm
+...
+```
+
+or
+
+```
+$ docker run --rm -v sftp-home:/home thomasw/sftp-only:latest containeradm
+...
+```
+
+To get started you need to add a user and add his ssh public key like this:
+
+```
+$ docker exec sftp-only containeradm user add username
+User username was added.
+$ docker exec sftp-only containeradm key add \
+"username:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFHe4Aqe5RbyC1d7Zco+EI9Q4VUvtwcLEHHURK02pe+B test-key"
+added key to user username
+$
+```
+
+Here is a list of the most important commands:
+
+| Task | Command |
+| --- | --- |
+| Add a user | `... containeradm user add username` or <br />`... containeradm user add username:1000:1000` |
+| Delete a user | `... containeradm user del username` |
+| List users | `... containeradm user list` |
+| Add user to a group | `... containeradm user addgrp username groupname` |
+| Remove user from a group | `... containeradm user rmgrp username groupname` |
+| Add ssh public key | `... containeradm key "username:ssh-ed25119 AAAA...."` |
+| List keys | `... containeradm key list username` |
+| Dump the ssh config | `... containeradm showconfig` |
+| Regenerate the hostkeys | `... containeradm hostkey refresh`
+
+## License
+
+The Dockerfiles and associated shell scripts are licensed under the [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html)
+
+All source files must include a Copyright and License header. The SPDX license header is  preferred because it can be easily scanned.
+
+If you would like to see the detailed LICENSE click [here](LICENSE).
+
+```text
+#
+# Copyright 2020- IBM Inc. All rights reserved
+# SPDX-License-Identifier: Apache2.0
+#
+```
+
+[issues]: https://github.com/IBM/sftp-only-container/issues/new