[Freeipa-users] client/authentication inside a docker container
Prasun Gera
prasun.gera at gmail.com
Thu Feb 4 15:19:16 UTC 2016
I am trying to set up a docker image with a specific development
environment. We use idm 4.2 for authentication, and non-kerberized nfs
(including home) for data storage on the hosts. The goal is to run the
docker container such that when the user calls docker run, it just drops
into a shell with the container's environment, but everything else looks
largely the same, i.e. the user gets the same uid:gid and sees the same
directories and permissions as the host. I'm trying to figure out what the
best way of mapping user ids is. I've looked at the following options:
- ipa-client-install inside the container. This has a few problems. One
is hostname and DNS. Container needs an fqdn for this to work, and the dns
has to resolve this hostname. We are not using IPA's DNS. So this whole
approach looks very kludgy. Besides, I'm not sure what the right way of
handling these ephemeral host names is. Ideally, they should be un-enrolled
when the container is destroyed.
- Use ipa's fake NIS. This works, and is very simple to set up, but I
think we want to phase out NIS. If we start using it inside docker, it will
never die.
- Don't do any domain authentication. Just ask the user to create a user
with the same uid:gid as the host so that they can r/w to their own
directories.
The ipa version is 4.2 running on RHEL 7. The container image will be based
on ubuntu trusty. Hosts are a mix of different OSes.
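
For the third option in the message above (a container user with the same uid:gid as on the host), one way to do the mapping at container start, as an added example that is not part of the original post. The function names and the HOST_* variables are assumptions; the checks reject uid 0, uid collisions and values that would inject extra passwd fields.

```shell
#!/bin/sh
# Added example (hypothetical helper names): register the host user's
# uid:gid in the container's passwd/group files so that files on the
# NFS mounts show the same owner inside and outside the container.

# ensure_group ETC_DIR NAME GID
# Appends "NAME:x:GID:" unless some group already has that GID.
ensure_group() {
    etc=$1; name=$2; gid=$3
    if awk -F: -v g="$gid" '$3 == g { f = 1 } END { exit !f }' "$etc/group"; then
        return 0    # gid already defined (maybe under another name): reuse it
    fi
    printf '%s:x:%s:\n' "$name" "$gid" >> "$etc/group"
}

# ensure_user ETC_DIR NAME UID GID HOME
# Returns 0 on success (idempotent), 2 on invalid input, 3 on a uid collision.
ensure_user() {
    etc=$1; name=$2; uid=$3; gid=$4; home=$5
    # Values come from the caller's environment: validate before writing
    # them into a colon-separated file.
    case $name in ''|*[!a-z0-9_-]*) echo "bad user name" >&2; return 2 ;; esac
    for n in "$uid" "$gid"; do
        case $n in ''|*[!0-9]*) echo "ids must be numeric" >&2; return 2 ;; esac
    done
    case $home in *:*) echo "bad home directory" >&2; return 2 ;; esac
    case $home in /*) ;; *) echo "bad home directory" >&2; return 2 ;; esac
    # Never let a caller map itself onto root.
    [ "$uid" -ne 0 ] || { echo "refusing to map uid 0" >&2; return 2; }

    owner=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$etc/passwd")
    if [ -n "$owner" ]; then
        [ "$owner" = "$name" ] && return 0      # already registered
        echo "uid $uid already belongs to $owner" >&2
        return 3
    fi
    ensure_group "$etc" "$name" "$gid" || return
    printf '%s:x:%s:%s::%s:/bin/sh\n' "$name" "$uid" "$gid" "$home" \
        >> "$etc/passwd"
}

# In an entrypoint running as root (HOST_* are assumed to be passed in
# with `docker run -e`):
#   ensure_user /etc "$HOST_USER" "$HOST_UID" "$HOST_GID" "$HOST_HOME"
```

The first argument is the directory holding `passwd` and `group`, so the functions can be exercised against a scratch copy before being pointed at `/etc` in the image.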