diff --git a/src/mvp/configs/dev.yaml b/src/mvp/configs/dev.yaml index 7d0f98e..4f79fe6 100644 --- a/src/mvp/configs/dev.yaml +++ b/src/mvp/configs/dev.yaml @@ -41,10 +41,14 @@ data: # SFTPGo is optional in dev; when enabled, admin endpoints will call SFTPGo admin API. # Admin password is provided by env var `data.sftpgo.admin_password_env`. sftpgo: - enabled: false + enabled: true host: "" # shown to users via GET /api/v2/me sftp_port: 2022 - admin_api_base: "" # e.g. http://argus-sftpgo:8080 + # NOTE: the Ray head container image sometimes fails to resolve docker-internal DNS names + # (e.g. sftpgo/argus-sftpgo). Use the docker bridge gateway + published port for stability. + # - host port 8081 -> sftpgo container 8080 + # - 172.22.0.1 is the gateway of `mvp_argus-ray-net` in the dev compose + admin_api_base: "http://172.22.0.1:8081/api/v2" # head 容器内访问 SFTPGo admin API admin_user: "admin" admin_password_env: "SFTPGO_ADMIN_PASSWORD" diff --git a/src/mvp/docker-compose.yaml b/src/mvp/docker-compose.yaml index 6ed9194..f7d1991 100644 --- a/src/mvp/docker-compose.yaml +++ b/src/mvp/docker-compose.yaml @@ -32,6 +32,9 @@ services: ARGUS_SHARED_ROOT: "/private" ARGUS_CLUSTER_NAME: "argus-ray" ARGUS_LOG_DIR: "/private/common/logs" + # Make SFTPGo admin password available to API server started via `docker exec`. + # Keep it consistent with the sftpgo container default below. + SFTPGO_ADMIN_PASSWORD: "${SFTPGO_ADMIN_PASSWORD:-my-dev-sftpgo-admin}" HF_HOME: "/private/hf" HUGGINGFACE_HUB_CACHE: "/private/hf/hub" TRANSFORMERS_CACHE: "/private/hf/transformers" @@ -54,7 +57,10 @@ services: - ../../shared:/private - ../../shared/common/sftpgo:/var/lib/sftpgo networks: - - argus-ray-net + argus-ray-net: + aliases: + - sftpgo + - argus-sftpgo environment: # Create a default admin on first start (used by API server to manage users). # Override on host as needed: diff --git a/src/mvp/py/argus/service/sftpgo.py b/src/mvp/py/argus/service/sftpgo.py index 09b2681..28031f8 100644 
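Review bot: The new `admin_api_base` reaches the SFTPGo admin API over plain `http://` through a host-published port (8081 -> 8080), so the admin credential travels in cleartext and the API is reachable from wherever that host port is bound. The port mapping is not part of this hunk; if it binds all interfaces, consider restricting it to the bridge address or firewalling it, since this hunk also flips `enabled` to `true` by default. The literal `172.22.0.1` stays correct only if the compose file pins the subnet of `mvp_argus-ray-net`, which is not visible here. I would say so in the comment, e.g. `# requires a fixed subnet for mvp_argus-ray-net; dev only, admin API is plain HTTP`. The trailing comment on the value is in Chinese while the rest of the file is in English; `# SFTPGo admin API as seen from inside the head container` would match.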
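Review bot: The fallback `my-dev-sftpgo-admin` puts a known admin password into the head container whenever the host variable is unset. Per the added comment, the same literal must be kept in sync with the sftpgo service default, and the `60_start_api.sh` hunk repeats it again. Because the dev config now enables SFTPGo and reaches its admin API via a published host port, a forgotten override leaves that API guarded by a credential that is in the repository. A fail-closed form would be `SFTPGO_ADMIN_PASSWORD: "${SFTPGO_ADMIN_PASSWORD:?set SFTPGO_ADMIN_PASSWORD}"`. If the convenience default has to stay, define it once (for instance in an untracked `.env` with a checked-in example) rather than in three places.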
--- a/src/mvp/py/argus/service/sftpgo.py +++ b/src/mvp/py/argus/service/sftpgo.py @@ -125,8 +125,13 @@ class SFTPGoAdminClient: perms = dict(user_payload.get("permissions") or {"/": ["*"]}) # Ensure /common is visible as a directory and can be traversed. perms["/common"] = ["list"] - perms["/common/datasets"] = ["list", "download"] - perms["/common/hf"] = ["list", "download"] + # SFTPGo permissions are path-scoped. In practice, granting on the directory itself may + # not always cover nested paths depending on client/API behavior, so include common + # wildcard forms to ensure users can read files under these virtual folders. + perms["/common/datasets"] = ["list"] + perms["/common/datasets/*"] = ["list", "download"] + perms["/common/hf"] = ["list"] + perms["/common/hf/*"] = ["list", "download"] user_payload["permissions"] = perms desired_vf = [ @@ -157,8 +162,10 @@ class SFTPGoAdminClient: "permissions": { "/": ["*"], "/common": ["list"], - "/common/datasets": ["list", "download"], - "/common/hf": ["list", "download"], + "/common/datasets": ["list"], + "/common/datasets/*": ["list", "download"], + "/common/hf": ["list"], + "/common/hf/*": ["list", "download"], }, "virtual_folders": [ {"name": "common_datasets", "virtual_path": "/common/datasets"}, diff --git a/src/mvp/scripts/60_start_api.sh b/src/mvp/scripts/60_start_api.sh index ed2cbd1..3c18ae6 100755 --- a/src/mvp/scripts/60_start_api.sh +++ b/src/mvp/scripts/60_start_api.sh 
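Review bot: Nothing in this hunk establishes that the running SFTPGo version matches a `"/common/datasets/*"` permission key as a glob, yet `download` is moved off the directory keys and onto those wildcard keys. The added comment's "may not always cover" wording suggests the behaviour was observed rather than confirmed. If the key is treated as a literal path, or the pattern matches only one level, reads under `/common/datasets` and `/common/hf` fail closed for users. I would either keep `["list", "download"]` on the directory keys alongside the wildcard entries, or add a test that downloads a nested file and confirms upload/delete are still refused there. The same four-entry map is duplicated in the second hunk (the create payload near line 162), so a single module-level constant merged into both payloads would keep this access policy from drifting; both enclosing methods continue outside the hunks.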
@@ -23,9 +23,8 @@ if [[ -z "${MVP_INTERNAL_TOKEN:-}" ]]; then fi env_args=(-e "MVP_INTERNAL_TOKEN=${MVP_INTERNAL_TOKEN}") -if [[ -n "${SFTPGO_ADMIN_PASSWORD:-}" ]]; then - env_args+=(-e "SFTPGO_ADMIN_PASSWORD=${SFTPGO_ADMIN_PASSWORD}") -fi +# If host does not provide it, fall back to the dev default used by docker-compose (kept in sync). +env_args+=(-e "SFTPGO_ADMIN_PASSWORD=${SFTPGO_ADMIN_PASSWORD:-my-dev-sftpgo-admin}") docker exec -d "${env_args[@]}" "${HEAD_CONTAINER}" bash -lc "nohup python3 /workspace/mvp/py/server.py --config '${CONFIG_IN_CONTAINER}' >>'${LOG_PATH}' 2>&1 & echo \$! >'${PID_PATH}'"
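Review bot: Passing `-e SFTPGO_ADMIN_PASSWORD=...` unconditionally means this script's value now overrides whatever the container was started with. If the real password reached compose by a route this shell does not see (a compose `.env` file, for example; not visible here), the API server is handed `my-dev-sftpgo-admin` while SFTPGo expects something else. The compose hunk in this commit already sets the variable in the head container's environment, which `docker exec` processes inherit. The previous conditional form would therefore be enough and avoids a third copy of the literal: `if [[ -n "${SFTPGO_ADMIN_PASSWORD:-}" ]]; then env_args+=(-e "SFTPGO_ADMIN_PASSWORD=${SFTPGO_ADMIN_PASSWORD}"); fi`. Containers created before the compose change would need to be recreated for that to take effect.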