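In traditional IT architectures, core data is usually kept on dedicated storage servers. Such storage is highly reliable but also expensive, so in scenarios where security and reliability requirements are modest, or in small companies, FTP servers are used to store data as well; FTP also allows data to be shared for collaboration. Migrating FTP-based storage to the cloud is a scenario that comes up often, and OBS in the cloud can satisfy or replace the FTP storage requirement well. This lab migrates FTP data to the Huawei Cloud OBS service.
About this lab
This lab builds an FTP server on a Huawei Cloud ECS to simulate an on-premises environment, then uses the Huawei Cloud data migration service CDM to migrate the data to Huawei Cloud OBS, achieving fast, secure and efficient migration of the stored data. A periodic migration configuration then migrates incremental data to the OBS bucket.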
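Installing FTP
Install vsftpd with the following command:
    yum install -y vsftpd
Set the FTP service to start at boot:
    systemctl enable vsftpd.service
Start the FTP service on the ECS:
    systemctl start vsftpd.service
Check the port the FTP service is listening on:
    netstat -nltp | grep vsftpd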
On the ECS-FTP host, create a local user that can log in to the FTP server and set its password:
    useradd ftpadmin
    passwd ftpadmin
Set the password when prompted; it can be set to Huawei@1234.
Create the file directory for FTP to use:
    mkdir /var/ftp/work01
    chown -R ftpadmin:ftpadmin /var/ftp/work01
Edit the "vsftpd.conf" configuration file:
    vi /etc/vsftpd/vsftpd.conf
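    # Set the following parameters to forbid anonymous login to the FTP server,
    # allow local users to log in, and specify the directory used by local FTP users.
    # Anonymous login to the FTP server is not allowed.
    anonymous_enable=NO
    # Local users may log in to the FTP server.
    local_enable=YES
    # Directory used by local FTP users.
    local_root=/var/ftp/work01
    # Set the following parameters to restrict users to their own home directory.
    # All users are confined to their home directory.
    chroot_local_user=YES
    # Enable the list of exception users.
    chroot_list_enable=YES
    # File holding the list of exception users.
    chroot_list_file=/etc/vsftpd/chroot_list
    allow_writeable_chroot=YES
    # Set the following parameters to enable passive mode, and specify the public IP
    # address of the FTP server and the port range that can be reached. Choose the
    # port range to suit the actual environment.
    listen=YES
    listen_ipv6=NO
    # Public IP address of the FTP server.
    pasv_address=xx.xx.xx.xx
    # Lowest port used in passive mode.
    pasv_min_port=3000
    # Highest port used in passive mode.
    pasv_max_port=3100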
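FTP can be configured in active mode or passive mode as required. If a server on Huawei Cloud needs to reach, through a public IP address, an FTP server built on a Huawei Cloud instance, the FTP server must be configured in passive mode. (This lab uses passive mode.)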
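Configure the file according to the parameters above. Pay attention to the existing content of vsftpd.conf: some of these parameters are already set there, so check before adding them. Before editing, you can back up the configuration file with the command cp vsftpd.conf vsftpd.conf.bak.
When the changes are complete, press Esc to leave edit mode, then type :wq to save and exit.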
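The complete configuration file after these changes is shown below (for reference):
PS: the option lines must not contain spaces (none between the option name, the = and the value), otherwise the restart fails.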
    # Example config file /etc/vsftpd/vsftpd.conf
    #
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    # Set the following parameters to forbid anonymous login to the FTP server,
    # allow local users to log in, and specify the directory used by local FTP users.
    # Anonymous login to the FTP server is not allowed.
    anonymous_enable=NO
    #
    # Uncomment this to allow local users to log in.
    # When SELinux is enforcing check for SE bool ftp_home_dir
    # Local users may log in to the FTP server.
    local_enable=YES
    # Directory used by local FTP users.
    local_root=/var/ftp/work01
    # Set the following parameters to restrict users to their own home directory.
    # All users are confined to their home directory.
    chroot_local_user=YES
    # Enable the list of exception users.
    chroot_list_enable=YES
    # File holding the list of exception users.
    chroot_list_file=/etc/vsftpd/chroot_list
    allow_writeable_chroot=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    # When SELinux is enforcing check for SE bool allow_ftpd_anon_write, allow_ftpd_full_access
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    #xferlog_file=/var/log/xferlog
    #
    # If you want, you can have your log file in standard ftpd xferlog format.
    # Note that the default log file location is /var/log/xferlog in this case.
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    #idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    #data_connection_timeout=120
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode. The vsftpd.conf(5) man page explains
    # the behaviour when these options are disabled.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    #ftpd_banner=Welcome to blah FTP service.
    #
    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd/banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
    # the user does not have write access to the top level directory within the
    # chroot)
    #chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd/chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    # Set the following parameters to enable passive mode, and specify the public IP
    # address of the FTP server and the port range that can be reached. Choose the
    # port range to suit the actual environment.
    listen=YES
    #
    # This directive enables listening on IPv6 sockets. By default, listening
    # on the IPv6 "any" address (::) will accept connections from both IPv6
    # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
    # sockets. If you want that (perhaps because you want to listen on specific
    # addresses) then you must run two copies of vsftpd with two configuration
    # files.
    # Make sure, that one of the listen options is commented !!
    listen_ipv6=NO
    # Public IP address of the FTP server.
    pasv_address=124.71.217.4
    # Lowest port used in passive mode.
    pasv_min_port=3000
    # Highest port used in passive mode.
    pasv_max_port=3100
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
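In the "/etc/vsftpd/" directory, create the "chroot_list" file:
    touch chroot_list
Note: the "chroot_list" file is the list of users exempt from being confined to their home directory. To exempt a user from the restriction of only being able to access their home directory, write that user name into this file. Even if there are no exceptions, the "chroot_list" file must exist; its content may be empty.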
Restart the vsftpd service for the configuration to take effect:
    systemctl restart vsftpd.service
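A check to run before the restart, covering the "no spaces" rule and the settings this lab depends on; it is an added example, not part of the original lab guide. The function name lint_vsftpd_conf, the sample input and the policy checks in the END block are assumptions made here, and the inline-comment test is a heuristic (a comment written after a value on the same line is read by vsftpd as part of the value).

```shell
#!/usr/bin/env bash
# Added example (not from the lab guide): lint vsftpd.conf before restarting.
# Reads the file in $1 (or stdin), prints findings, returns 1 if there are any.
lint_vsftpd_conf() {
  awk '
    function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; n++ }
    /^[ \t]*$/ || /^#/ { next }            # blank lines and full-line comments
    /^[ \t]/ { bad("leading whitespace"); next }
    !/=/     { bad("not option=value"); next }
    {
      key = $0; sub(/=.*$/, "", key)       # text before the first "="
      val = $0; sub(/^[^=]*=/, "", val)    # text after it
      if (key ~ /[ \t]/)  { bad("whitespace in option name or before ="); next }
      if (val ~ /^[ \t]/) { bad("whitespace after ="); next }
      if (val ~ /[ \t]#/) { bad("inline comment is read as part of the value"); next }
      if (val ~ /[ \t]$/) { bad("trailing whitespace"); next }
      opt[key] = val
    }
    END {
      # Settings this lab relies on (assumption: treated here as required policy).
      if (toupper(opt["anonymous_enable"]) != "NO") {
        print "policy: anonymous_enable=NO is missing (anonymous login is on by default)"; n++ }
      if (toupper(opt["chroot_local_user"]) != "YES") {
        print "policy: chroot_local_user=YES is missing"; n++ }
      if (opt["pasv_min_port"] == "" || opt["pasv_max_port"] == "" ||
          opt["pasv_min_port"] + 0 > opt["pasv_max_port"] + 0) {
        print "policy: pasv_min_port and pasv_max_port must both be set, min <= max"; n++ }
      f = opt["chroot_list_file"]          # must exist even when it is empty
      if (toupper(opt["chroot_list_enable"]) == "YES" && f != "" && (getline tmp < f) < 0) {
        print "policy: chroot_list_file does not exist: " f; n++ }
      exit (n > 0)
    }
  ' "$@"
}

# Constructed sample: three lines with the kind of defect the PS note is about.
sample_bad() {
  printf '%s\n' 'anonvmous enable=No' 'local_enable=YES #allow local users' \
    'chroot_local user=yes' 'pasv_min_port=3000' 'pasv_max_port=3100'
}

sample_bad | lint_vsftpd_conf || echo "fix the findings before restarting vsftpd"
```

On the real host, call it as lint_vsftpd_conf /etc/vsftpd/vsftpd.conf and restart only when it returns 0.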