---
title: "rclone serve sftp"
description: "Serve the remote over SFTP."
slug: rclone_serve_sftp
url: /commands/rclone_serve_sftp/
# autogenerated - DO NOT EDIT, instead edit the source code in cmd/serve/sftp/ and as part of making a release run "make commanddocs"
---
# rclone serve sftp

Serve the remote over SFTP.

## Synopsis

rclone serve sftp implements an SFTP server to serve the remote
over SFTP. This can be used with an SFTP client or you can make a
remote of type sftp to use with it.

You can use the filter flags (eg --include, --exclude) to control what
is served.

The server will log errors. Use -v to see access logs.

--bwlimit will be respected for file transfers. Use --stats to
control the stats printing.

You must provide some means of authentication, either with --user/--pass,
an authorized keys file (specify location with --authorized-keys - the
default is the same as ssh), an --auth-proxy, or set the --no-auth flag for no
authentication when logging in.

Note that this also implements a small number of shell commands so
that it can provide md5sum/sha1sum/df information for the rclone sftp
backend. This means that it can support SHA1SUMs, MD5SUMs and the
about command when paired with the rclone sftp backend.

If you don't supply a --key then rclone will generate one and cache it
for later use.

By default the server binds to localhost:2022 - if you want it to be
reachable externally then supply "--addr :2022" for example.

Note that the default of "--vfs-cache-mode off" is fine for the rclone
sftp backend, but it may not be with other SFTP clients.

## VFS - Virtual File System

This command uses the VFS layer. This adapts the cloud storage objects
that rclone uses into something which looks much more like a disk
filing system.

Cloud storage objects have lots of properties which aren't like disk
files - you can't extend them or write to the middle of them, so the
VFS layer has to deal with that. Because there is no one right way of
doing this there are various options explained below.

The VFS layer also implements a directory cache - this caches info
about files and directories (but not the data) in memory.

## VFS Directory Cache

Using the `--dir-cache-time` flag, you can control how long a
directory should be considered up to date and not refreshed from the
backend. Changes made through the mount will appear immediately or
invalidate the cache.

    --dir-cache-time duration   Time to cache directory entries for. (default 5m0s)
    --poll-interval duration    Time to wait between polling for changes.

However, changes made directly on the cloud storage by the web
interface or a different copy of rclone will only be picked up once
the directory cache expires if the backend configured does not support
polling for changes. If the backend supports polling, changes will be
picked up within the polling interval.

You can send a `SIGHUP` signal to rclone for it to flush all
directory caches, regardless of how old they are. Assuming only one
rclone instance is running, you can reset the cache like this:

    kill -SIGHUP $(pidof rclone)

If you configure rclone with a [remote control](/rc) then you can use
rclone rc to flush the whole directory cache:

    rclone rc vfs/forget

Or individual files or directories:

    rclone rc vfs/forget file=path/to/file dir=path/to/dir

## VFS File Buffering

The `--buffer-size` flag determines the amount of memory
that will be used to buffer data in advance.

Each open file will try to keep the specified amount of data in memory
at all times. The buffered data is bound to one open file and won't be
shared.

This flag is an upper limit for the used memory per open file. The
buffer will only use memory for data that is downloaded but not
yet read. If the buffer is empty, only a small amount of memory will
be used.

The maximum memory used by rclone for buffering can be up to
`--buffer-size * open files`.

## VFS File Caching

These flags control the VFS file caching options. File caching is
necessary to make the VFS layer appear compatible with a normal file
system. It can be disabled at the cost of some compatibility.

For example you'll need to enable VFS caching if you want to read and
write simultaneously to a file. See below for more details.

Note that the VFS cache is separate from the cache backend and you may
find that you need one or the other or both.

    --cache-dir string                   Directory rclone will use for caching.
    --vfs-cache-mode CacheMode           Cache mode off|minimal|writes|full (default off)
    --vfs-cache-max-age duration         Max age of objects in the cache. (default 1h0m0s)
    --vfs-cache-max-size SizeSuffix      Max total size of objects in the cache. (default off)
    --vfs-cache-poll-interval duration   Interval to poll the cache for stale objects. (default 1m0s)
    --vfs-write-back duration            Time to writeback files after last use when using cache. (default 5s)

If run with `-vv` rclone will print the location of the file cache. The
files are stored in the user cache file area which is OS dependent but
can be controlled with `--cache-dir` or setting the appropriate
environment variable.

The cache has 4 different modes selected by `--vfs-cache-mode`.
The higher the cache mode the more compatible rclone becomes at the
cost of using disk space.

Note that files are written back to the remote only when they are
closed and if they haven't been accessed for --vfs-write-back
seconds. If rclone is quit or dies with files that haven't been
uploaded, these will be uploaded next time rclone is run with the same
flags.

If using --vfs-cache-max-size note that the cache may exceed this size
for two reasons. Firstly because it is only checked every
--vfs-cache-poll-interval. Secondly because open files cannot be
evicted from the cache.

### --vfs-cache-mode off

In this mode (the default) the cache will read directly from the remote and write
directly to the remote without caching anything on disk.

This will mean some operations are not possible

* Files can't be opened for both read AND write
* Files opened for write can't be seeked
* Existing files opened for write must have O_TRUNC set
* Files open for read with O_TRUNC will be opened write only
* Files open for write only will behave as if O_TRUNC was supplied
* Open modes O_APPEND, O_TRUNC are ignored
* If an upload fails it can't be retried

### --vfs-cache-mode minimal

This is very similar to "off" except that files opened for read AND
write will be buffered to disk. This means that files opened for
write will be a lot more compatible, but uses the minimal disk space.

These operations are not possible

* Files opened for write only can't be seeked
* Existing files opened for write must have O_TRUNC set
* Files opened for write only will ignore O_APPEND, O_TRUNC
* If an upload fails it can't be retried

### --vfs-cache-mode writes

In this mode files opened for read only are still read directly from
the remote, write only and read/write files are buffered to disk
first.

This mode should support all normal file system operations.

If an upload fails it will be retried at exponentially increasing
intervals up to 1 minute.

### --vfs-cache-mode full

In this mode all reads and writes are buffered to and from disk. When
data is read from the remote this is buffered to disk as well.

In this mode the files in the cache will be sparse files and rclone
will keep track of which bits of the files it has downloaded.

So if an application only reads the starts of each file, then rclone
will only buffer the start of the file. These files will appear to be
their full size in the cache, but they will be sparse files with only
the data that has been downloaded present in them.

This mode should support all normal file system operations and is
otherwise identical to --vfs-cache-mode writes.

When reading a file rclone will read --buffer-size plus
--vfs-read-ahead bytes ahead. The --buffer-size is buffered in memory
whereas the --vfs-read-ahead is buffered on disk.

When using this mode it is recommended that --buffer-size is not set
too big and --vfs-read-ahead is set large if required.

## VFS Performance

These flags may be used to enable/disable features of the VFS for
performance or other reasons.

In particular S3 and Swift benefit hugely from the --no-modtime flag
(or use --use-server-modtime for a slightly different effect) as each
read of the modification time takes a transaction.

    --no-checksum     Don't compare checksums on up/download.
    --no-modtime      Don't read/write the modification time (can speed things up).
    --no-seek         Don't allow seeking in files.
    --read-only       Mount read-only.

When rclone reads files from a remote it reads them in chunks. This
means that rather than requesting the whole file rclone reads the
chunk specified. This is advantageous because some cloud providers
account for reads being all the data requested, not all the data
delivered.

Rclone will keep doubling the chunk size requested starting at
--vfs-read-chunk-size with a maximum of --vfs-read-chunk-size-limit
unless it is set to "off" in which case there will be no limit.

    --vfs-read-chunk-size SizeSuffix        Read the source objects in chunks. (default 128M)
    --vfs-read-chunk-size-limit SizeSuffix  Max chunk doubling size (default "off")

Sometimes rclone is delivered reads or writes out of order. Rather
than seeking rclone will wait a short time for the in sequence read or
write to come in. These flags only come into effect when not using an
on disk cache file.

    --vfs-read-wait duration   Time to wait for in-sequence read before seeking. (default 20ms)
    --vfs-write-wait duration  Time to wait for in-sequence write before giving error. (default 1s)

## VFS Case Sensitivity

Linux file systems are case-sensitive: two files can differ only
by case, and the exact case must be used when opening a file.

File systems in modern Windows are case-insensitive but case-preserving:
although existing files can be opened using any case, the exact case used
to create the file is preserved and available for programs to query.
It is not allowed for two files in the same directory to differ only by case.

Usually file systems on macOS are case-insensitive. It is possible to make macOS
file systems case-sensitive but that is not the default.

The "--vfs-case-insensitive" mount flag controls how rclone handles these
two cases. If its value is "false", rclone passes file names to the mounted
file system as-is. If the flag is "true" (or appears without a value on
command line), rclone may perform a "fixup" as explained below.

The user may specify a file name to open/delete/rename/etc with a case
different than what is stored on mounted file system. If an argument refers
to an existing file with exactly the same name, then the case of the existing
file on the disk will be used. However, if a file name with exactly the same
name is not found but a name differing only by case exists, rclone will
transparently fixup the name. This fixup happens only when an existing file
is requested. Case sensitivity of file names created anew by rclone is
controlled by an underlying mounted file system.

Note that case sensitivity of the operating system running rclone (the target)
may differ from case sensitivity of a file system mounted by rclone (the source).
The flag controls whether "fixup" is performed to satisfy the target.

If the flag is not provided on the command line, then its default value depends
on the operating system where rclone runs: "true" on Windows and macOS, "false"
otherwise. If the flag is provided without a value, then it is "true".

## Auth Proxy

If you supply the parameter `--auth-proxy /path/to/program` then
rclone will use that program to generate backends on the fly which
then are used to authenticate incoming requests. This uses a simple
JSON based protocol with input on STDIN and output on STDOUT.

**PLEASE NOTE:** `--auth-proxy` and `--authorized-keys` cannot be used
together, if `--auth-proxy` is set the authorized keys option will be
ignored.

There is an example program
[bin/test_proxy.py](https://github.com/rclone/rclone/blob/master/bin/test_proxy.py)
in the rclone source code.

The program's job is to take a `user` and `pass` on the input and turn
those into the config for a backend on STDOUT in JSON format. This
config will have any default parameters for the backend added, but it
won't use configuration from environment variables or command line
options - it is the job of the proxy program to make a complete
config.

This config generated must have this extra parameter
- `_root` - root to use for the backend

And it may have this parameter
- `_obscure` - comma separated strings for parameters to obscure

If password authentication was used by the client, input to the proxy
process (on STDIN) would look similar to this:

```
{
    "user": "me",
    "pass": "mypassword"
}
```

If public-key authentication was used by the client, input to the
proxy process (on STDIN) would look similar to this:

```
{
    "user": "me",
    "public_key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDuwESFdAe14hVS6omeyX7edc...JQdf"
}
```

And as an example return this on STDOUT

```
{
    "type": "sftp",
    "_root": "",
    "_obscure": "pass",
    "user": "me",
    "pass": "mypassword",
    "host": "sftp.example.com"
}
```

This would mean that an SFTP backend would be created on the fly for
the `user` and `pass`/`public_key` returned in the output to the host given. Note
that since `_obscure` is set to `pass`, rclone will obscure the `pass`
parameter before creating the backend (which is required for sftp
backends).

The program can manipulate the supplied `user` in any way, for example
to proxy to many different sftp backends, you could make the
`user` be `user@example.com` and then set the `host` to `example.com`
in the output and the user to `user`. For security you'd probably want
to restrict the `host` to a limited list.

Note that an internal cache is keyed on `user` so only use that for
configuration, don't use `pass` or `public_key`. This also means that if a user's
password or public-key is changed the cache will need to expire (which takes 5 mins)
before it takes effect.

This can be used to build general purpose proxies to any kind of
backend that rclone supports.
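
The `user@host` scheme and host allowlist described above, written as a small proxy program (an added example, not rclone's `bin/test_proxy.py`). `ALLOWED_HOSTS`, `build_backend` and `AuthError` are names chosen here; the example assumes rclone rejects the login when the proxy exits non-zero, and it proxies password logins only.

```python
#!/usr/bin/env python3
"""Added example auth proxy for `rclone serve sftp --auth-proxy`."""
import json
import sys

# Assumption: the only upstream SFTP hosts this proxy may hand out (constructed).
ALLOWED_HOSTS = {"example.com", "sftp.example.com"}


class AuthError(Exception):
    """The login request must be refused."""


def build_backend(request):
    """Map the JSON rclone writes to STDIN onto a complete sftp backend config."""
    if not isinstance(request, dict):
        raise AuthError("request is not a JSON object")
    login = request.get("user")
    if not isinstance(login, str):
        raise AuthError("missing user")
    # Client logs in as user@host; split on the last '@' so the host is unambiguous.
    user, sep, host = login.rpartition("@")
    host = host.lower()
    if not sep or not user or host not in ALLOWED_HOSTS:
        raise AuthError("user must be user@host with an allowlisted host")
    password = request.get("pass")
    if not isinstance(password, str) or not password:
        # Public-key logins carry "public_key" instead of "pass"; this proxy
        # holds no upstream key material, so it refuses them.
        raise AuthError("only password logins are proxied")
    return {
        "type": "sftp",
        "_root": "",          # required extra parameter
        "_obscure": "pass",   # rclone obscures "pass" before creating the backend
        "user": user,
        "pass": password,
        "host": host,
    }


def main():
    try:
        config = build_backend(json.load(sys.stdin))
    except (AuthError, ValueError) as err:
        # Assumption: a non-zero exit with no config makes rclone reject the login.
        print(f"auth proxy refused login: {err}", file=sys.stderr)
        return 1
    json.dump(config, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The backend choice depends only on `user`, in line with the note that the internal cache is keyed on `user`.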

```
rclone serve sftp remote:path [flags]
```

## Options

```
      --addr string                            IPaddress:Port or :Port to bind server to. (default "localhost:2022")
      --auth-proxy string                      A program to use to create the backend from the auth.
      --authorized-keys string                 Authorized keys file (default "~/.ssh/authorized_keys")
      --dir-cache-time duration                Time to cache directory entries for. (default 5m0s)
      --dir-perms FileMode                     Directory permissions (default 0777)
      --file-perms FileMode                    File permissions (default 0666)
      --gid uint32                             Override the gid field set by the filesystem. (default 1000)
  -h, --help                                   help for sftp
      --key stringArray                        SSH private host key file (Can be multi-valued, leave blank to auto generate)
      --no-auth                                Allow connections with no authentication if set.
      --no-checksum                            Don't compare checksums on up/download.
      --no-modtime                             Don't read/write the modification time (can speed things up).
      --no-seek                                Don't allow seeking in files.
      --pass string                            Password for authentication.
      --poll-interval duration                 Time to wait between polling for changes. Must be smaller than dir-cache-time. Only on supported remotes. Set to 0 to disable. (default 1m0s)
      --read-only                              Mount read-only.
      --uid uint32                             Override the uid field set by the filesystem. (default 1000)
      --umask int                              Override the permission bits set by the filesystem. (default 2)
      --user string                            User name for authentication.
      --vfs-cache-max-age duration             Max age of objects in the cache. (default 1h0m0s)
      --vfs-cache-max-size SizeSuffix          Max total size of objects in the cache. (default off)
      --vfs-cache-mode CacheMode               Cache mode off|minimal|writes|full (default off)
      --vfs-cache-poll-interval duration       Interval to poll the cache for stale objects. (default 1m0s)
      --vfs-case-insensitive                   If a file name not found, find a case insensitive match.
      --vfs-read-ahead SizeSuffix              Extra read ahead over --buffer-size when using cache-mode full.
      --vfs-read-chunk-size SizeSuffix         Read the source objects in chunks. (default 128M)
      --vfs-read-chunk-size-limit SizeSuffix   If greater than --vfs-read-chunk-size, double the chunk size after each chunk read, until the limit is reached. 'off' is unlimited. (default off)
      --vfs-read-wait duration                 Time to wait for in-sequence read before seeking. (default 20ms)
      --vfs-write-back duration                Time to writeback files after last use when using cache. (default 5s)
      --vfs-write-wait duration                Time to wait for in-sequence write before giving error. (default 1s)
```

See the [global flags page](/flags/) for global options not listed here.

## SEE ALSO

* [rclone serve](/commands/rclone_serve/) - Serve a remote over a protocol.