Introduction
I have a fresh installation of VMware Cloud Foundation (VCF) 5.2 and want to configure the SFTP server used for backups. This server is used by both SDDC Manager and NSX Manager. Luckily, in this version, SDDC Manager should be able to communicate with modern SFTP servers that use ECDSA SSH host keys. I have a separate post covering how to configure the security settings when using an older version of VCF.
The SFTP Server
The first thing we need to check (or configure) is the SFTP server itself. It is best practice to separate users and roles. This includes creating separate accounts known as service accounts. These accounts are user accounts but are not intended for human interaction, therefore we will create both the group and the user with the --system switch.
First, create a group that will contain the SFTP users.
sudo groupadd --system sftp-users
Next, create the user account: add it to the sftp-users group, do not create a home directory, set /bin/false as its shell, and mark it as a system account. This does not allow an interactive login and there will not be a home directory.
sudo useradd --groups sftp-users --no-create-home --shell /bin/false --system sddc-manager-sftp-sa
Now set a password on the user account. Even though the user cannot log in interactively, the password is still required for SDDC Manager to make the SFTP connection.
sudo passwd sddc-manager-sftp-sa
We need a place to store the backup files, so we will create an sftp directory as well as an sddc-manager sub-directory.
sudo mkdir /var/sftp
sudo mkdir /var/sftp/sddc-manager
Change the group ownership to sftp-users.
sudo chown --recursive root:sftp-users /var/sftp/
Change the directory permissions to allow the group and everyone else read and execute only. When we configure the SFTP server's Match Group block, we will specify a ChrootDirectory. With this configuration, all components of the path name must be owned by root and not writable by any other user or group.
sudo chmod 0755 /var/sftp/
The /var/sftp/sddc-manager directory, where the backups are written, does need to be writable by the group.
sudo chmod 0775 /var/sftp/sddc-manager
To use a ChrootDirectory, we need to change the Subsystem in the main /etc/ssh/sshd_config file. Comment out the original Subsystem line and add a new one that uses the in-process SFTP server.
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Now we need to configure the SFTP server to accept logins from users in the sftp-users group. We will also only allow them to interact with the /var/sftp directory.
sudo vi /etc/ssh/sshd_config.d/10-sftp-server.conf
Match Group sftp-users
    ChrootDirectory /var/sftp
    AllowTcpForwarding no
    X11Forwarding no
Restart the SSH daemon (sshd.service; on Debian-based systems the unit is named ssh.service).
sudo systemctl restart ssh.service
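Before pointing SDDC Manager at the server, it is worth confirming that the ChrootDirectory requirement above actually holds and that sshd accepts the new Match block. The following script is an added example (not part of the original post): it walks every component of /var/sftp checking root ownership and the absence of group/other write bits, then runs sshd's own syntax check and prints the effective settings for the sddc-manager-sftp-sa account. It assumes GNU stat and OpenSSH's sshd -t / -T test modes.

```shell
#!/bin/sh
# Added example: verify the ChrootDirectory path and the sshd Match block
# for the SFTP backup target described in this post.

# component_ok UID MODE -> 0 if one path component is acceptable for
# ChrootDirectory. MODE is the octal mode printed by `stat -c %a` (755, 1777).
component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1          # must be owned by root
    # 022 (octal) = group-write | other-write; neither bit may be set.
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# check_chroot_path PATH -> 0 if PATH and all of its parents are acceptable.
# Walks from PATH up to / and reports the first offending component.
check_chroot_path() {
    p=$1
    while :; do
        info=$(stat -c '%u %a' "$p") || return 1
        set -- $info
        if ! component_ok "$1" "$2"; then
            echo "chroot component $p is uid=$1 mode=$2 (needs root-owned, no g/o write)" >&2
            return 1
        fi
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# validate_sshd_config USER -> sshd syntax check, then the effective settings
# that apply to USER so the Match Group block can be reviewed. host/addr are
# placeholder connection parameters required by -C for Match evaluation.
validate_sshd_config() {
    sudo sshd -t || return 1
    sudo sshd -T -C "user=$1,host=localhost,addr=127.0.0.1" \
        | grep -Ei '^(chrootdirectory|subsystem|allowtcpforwarding|x11forwarding) '
}

# Run the checks only when invoked as: sh check-sftp.sh --run
if [ "${1:-}" = "--run" ]; then
    check_chroot_path /var/sftp && validate_sshd_config sddc-manager-sftp-sa
fi
```

A non-zero exit from check_chroot_path names the offending directory, which is the usual reason sshd rejects a chrooted login with "bad ownership or modes for chroot directory".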
SDDC Manager
Now that the SFTP server is configured (or its configuration verified), we can configure SDDC Manager.
After logging in to the SDDC Manager, select Backup from the Administration menu. If this is the first time configuring, select Site Settings. Complete the form with site specific settings.
One thing to note on the Backup Directory: on the SFTP server, the ChrootDirectory is /var/sftp/. This means that when the service account logs into the SFTP server, that is where it lands in the file system. Since we created a sub-directory for SDDC Manager, set the Backup Directory parameter to /sddc-manager.
After the Site Settings are verified or configured (is there a difference, really?) go back to the SDDC Manager Configurations page.
Select Backup Now and verify the backup completes. There will be tasks in the Tasks pane that will present a status.
When the status shows Successful, you can check that the files were written on the SFTP server for an extra level of confidence.
You can configure a Backup Schedule to include Automatic Backups and Backup Frequency. Select the Edit text next to Backup Schedule.