Error 550 Could not list: file does not exist (MLSD not working - ECONNREFUSED on passive mode)

[XPOL555]

i have installed sftpgo in my kubernetes' cluster via https://artifacthub.io/packages/helm/sagikazarmark/sftpgo

Services are up and running

my values.yaml used during install

sftpd:
  enabled: true
ftpd:
  enabled: true
httpd:
  enabled: true
config:
  ftpd:
    bindings:
      port: 30021
      passive_connections_security: 1
    passive_port_range:
      start: 30000
      end: 30100
serviceAccount:
  create: true
service:
  ports:
    sftp:
      port: 22
      nodePort:
    ftp:
      port: 21
      nodePort:
    webdav:
      port: 81
      nodePort:
    http:
      port: 80
      nodePort:
services:
  ftp-public:
    type: LoadBalancer
    ports:
      ftp:
        port: 21
        nodePort: 30021
ui:
  ingress:
    enabled: true
    hosts:
      - host: MYDOMAIN
        paths:
          - path: /
            pathType: ImplementationSpecific

note: MYDOMAIN is not the real value i used

web application is reachable and i created users.

When i try to connect with the user i created it says that the directory cannot be listed

Response:	550 Could not list: file does not exist
Error:	Failed to retrieve directory listing

[XPOL555]

in according to the support policies i did a donation! https://github.com/drakkan/sftpgo#support-policy i really like the project and to have it installed in my cluster in a matter of seconds is amazing!

and i love golang ❤️

[drakkan]

Hi,

thanks for your small donation.

The chart you used is a bit out of date and installs an SFTPGo version with known security issues.

FTP may be unexpectedly hard to set up. For example you haven't set the passive IP and FileZilla is guessing it

sftpgo/sftpgo.json

Line 117 in 7b00fe3

"force_passive_ip": "",

is the configured passive ports range (30000-30100) forwarded to your pod/s? Things get even more complicated with a load balancer.
I'm not sure if the chart has been tested with FTP, I suggest to start with a simple container and a single pod and once that works, try switching to multiple pods or the chart.

[XPOL555]

Thank you @drakkan for the quick reply!

Sad to see the helm chart is so outdated.

I tryied adding the force_passive_ip option but nothing changed (clean install),

is the configured passive ports range (30000-30100) forwarded to your pod/s? Things get even more complicated with a load balancer.

Yes, it is.

I'm not sure if the chart has been tested with FTP, I suggest to start with a simple container and a single pod and once that works, try switching to multiple pods or the chart.

I am going to try build it as a single service and expose everything.

[peterge-misoft]

Thx! I needed ~4h to solve the port forwarding problem for my docker installation. Sadly, there I cant find a method to forward port ranges to my container in docker compose. So I might just use the apt installation.

[XPOL555]

So this is my yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sftpgo-ftpren-home
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sftpgo-ftpren-data
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sftpgo-ftpren
spec:
  selector:
    matchLabels:
      app: sftpgo-ftpren
  template:
    metadata:
      labels:
        app: sftpgo-ftpren
    spec:
      containers:
        - name: sftpgo
          image: drakkan/sftpgo:v2
          env:
            - name: SFTPGO_FTPD__BINDINGS__0__PORT
              value: "30021"
            - name: SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP
              value: "MYNODEIP"
            - name: SFTPGO_FTPD__PASSIVE_PORT_RANGE__START
              value: "30000"
            - name: SFTPGO_FTPD__PASSIVE_PORT_RANGE__END
              value: "30100"
          resources:
            limits:
              memory: "512Mi"
              cpu: "1"
            requests:
              memory: "256Mi"
              cpu: "100m"
          ports:
            - containerPort: 8080
            - containerPort: 2022
            - containerPort: 30021
          volumeMounts:
            - mountPath: /var/lib/sftpgo
              name: home
            - mountPath: /srv/sftpgo
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: sftpgo-ftpren-data
        - name: home
          persistentVolumeClaim:
            claimName: sftpgo-ftpren-home
---
apiVersion: v1
kind: Service
metadata:
  name: sftpgo-ftpren
spec:
  selector:
    app: sftpgo-ftpren
  ports:
    - port: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: sftpgo-ftpren-ftp
spec:
  type: LoadBalancer
  selector:
    app: sftpgo-ftpren
  ports:
    - port: 30021
      nodePort: 30021

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-sftpgo-ftpren-traefik
spec:
  rules:
    - host: sub.mydomain.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name:  sftpgo-ftpren
                port:
                  number: 8080

Services:

Pod up and running

WEB UI working

Now passive move seems to be working

Still can't get the directory listing

p.s.
i guess the helm was really old, now i also added the 2 persistent volume claims to have the configs and data saved:

[XPOL555]

fun fact:

if i log in with the web client i see the files (i created an empty file via cli just for test)

[drakkan]

You have a connection refused error now. You client tries to connect to your public IP on one of the configured passive ports. Please be sure that these ports are forwarded to the SFTPGo pod. This is similar to the error reported in #1065

[XPOL555]

can't make it work, so frustrating

[drakkan]

So this is my yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sftpgo-ftpren-home
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sftpgo-ftpren-data
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sftpgo-ftpren
spec:
  selector:
    matchLabels:
      app: sftpgo-ftpren
  template:
    metadata:
      labels:
        app: sftpgo-ftpren
    spec:
      containers:
        - name: sftpgo
          image: drakkan/sftpgo:v2
          env:
            - name: SFTPGO_FTPD__BINDINGS__0__PORT
              value: "30021"
            - name: SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP
              value: "MYNODEIP"

this is the IP to which FTP clients connect for passive connections.
The FTP client issues a PASV command on the control connection, the server responds with the passive IP and a free port from the configured passive range. Client connects to this IP:port for data connections (lists directory contents, uploads, downloads, etc. You get connection refused at this step. Try to check the force_passive_ip configuration and the firewall and forwarding rules

        - name: SFTPGO_FTPD__PASSIVE_PORT_RANGE__START
          value: "30000"
        - name: SFTPGO_FTPD__PASSIVE_PORT_RANGE__END
          value: "30100"
      resources:
        limits:
          memory: "512Mi"
          cpu: "1"
        requests:
          memory: "256Mi"
          cpu: "100m"
      ports:
        - containerPort: 8080
        - containerPort: 2022
        - containerPort: 30021
      volumeMounts:
        - mountPath: /var/lib/sftpgo
          name: home
        - mountPath: /srv/sftpgo
          name: data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: sftpgo-ftpren-data
    - name: home
      persistentVolumeClaim:
        claimName: sftpgo-ftpren-home

---

apiVersion: v1
kind: Service
metadata:
name: sftpgo-ftpren
spec:
selector:
app: sftpgo-ftpren
ports:
- port: 8080

---

apiVersion: v1
kind: Service
metadata:
name: sftpgo-ftpren-ftp
spec:
type: LoadBalancer
selector:
app: sftpgo-ftpren
ports:
- port: 30021
nodePort: 30021

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-sftpgo-ftpren-traefik
spec:
rules:
- host: sub.mydomain.example
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sftpgo-ftpren
port:
number: 8080

Services: ![image](https://user-images.githubusercontent.com/4218220/203154768-3657a3ff-4d68-466f-ab62-d38cd6464c23.png)

Pod up and running ![image](https://user-images.githubusercontent.com/4218220/203155286-12cb2491-549f-4122-b897-b10a7c12146f.png)

WEB UI working

![image](https://user-images.githubusercontent.com/4218220/203155471-72adcea8-565d-4ad8-a8e1-8b8dd80cc77d.png)

Now passive move seems to be working ![image](https://user-images.githubusercontent.com/4218220/203155824-7191ed81-50c3-4514-aba0-c932edeb8f1a.png)

Still can't get the directory listing

p.s. i guess the helm was really old, now i also added the 2 persistent volume claims to have the configs and data saved: ![image](https://user-images.githubusercontent.com/4218220/203155049-22d30e68-82f3-42d1-86bd-6c6b35330e71.png)

[XPOL555]

I get it to work... but in a 🤮 way!

Ok since it's not yet possible to expose a port range in kuberntes services i reduced the port range into just 11 ports (from 30010 to 30020) and manually added to both the deployment and the service

This is the Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: sftpgo-ftpren
spec:
  selector:
    matchLabels:
      app: sftpgo-ftpren
  template:
    metadata:
      labels:
        app: sftpgo-ftpren
    spec:
      containers:
        - name: sftpgo
          image: drakkan/sftpgo:v2
          env:
            - name: SFTPGO_FTPD__BINDINGS__0__PORT
              value: "2121"
            - name: SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP
              value: "YOURIP"
            - name: SFTPGO_FTPD__BINDINGS__0__DEBUG
              value: "true"
            - name: SFTPGO_FTPD__PASSIVE_PORT_RANGE__START
              value: "30010"
            - name: SFTPGO_FTPD__PASSIVE_PORT_RANGE__END
              value: "30020"
          resources:
            limits:
              memory: "512Mi"
              cpu: "0.2"
            requests:
              memory: "256Mi"
              cpu: "100m"
          ports:
            - containerPort: 8080
            - containerPort: 2022
            - containerPort: 30010
            - containerPort: 30011
            - containerPort: 30012
            - containerPort: 30013
            - containerPort: 30014
            - containerPort: 30015
            - containerPort: 30016
            - containerPort: 30017
            - containerPort: 30018
            - containerPort: 30019
            - containerPort: 30020
            - name: ftp
              containerPort: 2121
          volumeMounts:
            - mountPath: /var/lib/sftpgo
              name: home
            - mountPath: /srv/sftpgo
              name: data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: sftpgo-ftpren-data
        - name: home
          persistentVolumeClaim:
            claimName: sftpgo-ftpren-home

And this is the Service that exposes just the ftp port and all the passive range.

apiVersion: v1
kind: Service
metadata:
  name: sftpgo-ftpren-ftp
spec:
  type: LoadBalancer
  selector:
    app: sftpgo-ftpren
  ports:
    - name: ftp
      port: 2121
      nodePort: 30021
    - name: ftp-base-0
      port: 30010
      nodePort: 30010
    - name: ftp-base-1
      port: 30011
      nodePort: 30011
    - name: ftp-base-2
      port: 30012
      nodePort: 30012
    - name: ftp-base-3
      port: 30013
      nodePort: 30013
    - name: ftp-base-4
      port: 30014
      nodePort: 30014
    - name: ftp-base-5
      port: 30015
      nodePort: 30015
    - name: ftp-base-6
      port: 30016
      nodePort: 30016
    - name: ftp-base-7
      port: 30017
      nodePort: 30017
    - name: ftp-base-8
      port: 30018
      nodePort: 30018
    - name: ftp-base-9
      port: 30019
      nodePort: 30019
    - name: ftp-base-10
      port: 30020
      nodePort: 30020
  sessionAffinity: None
  externalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  allocateLoadBalancerNodePorts: true
  internalTrafficPolicy: Cluster

Note: if you need to expose a wide range of ports a template engine that makes the work for you can be used

TL; DR;

All the ports of the range must be exposed from the pod and the service must expose all of them

[XPOL555]

Thank you @drakkan for your support, this could have been just a discussion. I think i am gonna change the issue's title to be more "referencial" to this case

[drakkan]

Thanks for reporting back, converted to discussion