[Freeipa-users] client/authentication inside a docker container

Jan Pazdziora jpazdziora at redhat.com
Thu Feb 4 15:56:40 UTC 2016


On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> I am trying to set up a docker image with a specific development
> environment. We use idm 4.2 for authentication, and non-kerberized nfs
> (including home) for data storage on the hosts.

Are the hosts IPA-enrolled?

> The goal is to run the
> docker container such that when the user calls docker run,

Is any user allowed to run docker run? That seems like a security
issue.

> it just drops
> into a shell with the container's environment, but everything else looks
> largely the same. i.e. The user gets the same uid:gid and sees the same
> directories and permissions as the host.

So you want bash started in the container, with the uid:gid of the
person invoking the command? If the users are trusted to do docker
run, they can do

	docker run -u $UID container bash

themselves.

But you likely do not want to give every user a way to run any command,
so why not just use sudo, and

	docker run -u $SUDO_UID container bash

in the script invoked with the sudo (untested)?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
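
A worked version of the sudo wrapper suggested above, added here as an
example and not code from the list post, from FreeIPA, or from Docker. It
assumes a fixed image name (example/devenv:latest), the docker CLI on an
IPA-enrolled host whose NSS (SSSD) can resolve the uid to a home
directory, and the NFS home directories mounted on the host at the path
getent reports. The sudoers line shown in the header is an assumption as
well. Note that "-u" accepts "uid:gid", so the container gets the user's
primary group too, which is what the original question asked for;
numeric values are used on purpose, because the image has no SSSD and no
passwd entry for the user.

```sh
#!/bin/sh
# devshell: hypothetical sudo wrapper that starts the dev container as the
# invoking user. Added example for this thread; not code from the list post,
# FreeIPA or Docker. Assumed: a fixed image name, docker CLI on the host, and
# home directories (NFS) mounted on the host under the path getent reports.
# Install root-owned and non-writable, and allow only this path in sudoers;
# the trailing "" (assumed sudoers line) forbids any arguments:
#   %developers ALL=(root) NOPASSWD: /usr/local/sbin/devshell ""
# Membership in the docker group is equivalent to root, so users get this
# wrapper instead of direct access to the docker socket.

IMAGE="example/devenv:latest"   # assumed image; fixed so users cannot pick one

# True if $1 is a plain non-negative decimal integer.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# Validate the identity taken from sudo's environment. Refuses anything that
# is not a normal non-root user with a sane name and an absolute home path.
check_identity() {
    uid="$1" gid="$2" user="$3" home="$4"
    is_uint "$uid" || { echo "devshell: bad uid '$uid'" >&2; return 1; }
    is_uint "$gid" || { echo "devshell: bad gid '$gid'" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "devshell: refusing uid 0" >&2; return 1; }
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) echo "devshell: bad user '$user'" >&2; return 1 ;;
    esac
    case "$home" in
        /*) ;;
        *) echo "devshell: bad home '$home'" >&2; return 1 ;;
    esac
    return 0
}

# The value for "docker run --user": numeric uid:gid, so no name lookup is
# needed inside the image (it has no SSSD and no passwd entry for the user).
user_spec() {
    printf '%s:%s' "$1" "$2"
}

# Home directory for a uid from the host's NSS (SSSD/IPA on enrolled hosts).
home_of_uid() {
    getent passwd "$1" | cut -d: -f6
}

main() {
    # sudo exports these; if they are absent we were not started through sudo.
    uid="${SUDO_UID:-}" gid="${SUDO_GID:-}" user="${SUDO_USER:-}"
    [ -n "$uid" ] || { echo "devshell: run this via sudo" >&2; exit 1; }
    home="$(home_of_uid "$uid")"
    check_identity "$uid" "$gid" "$user" "$home" || exit 1
    # Same uid:gid as on the host, home bind-mounted at the same path so NFS
    # permissions line up; add further --volume lines for shared data dirs.
    # no-new-privileges stops setuid binaries in the image from regaining root.
    exec docker run --rm -it \
        --user "$(user_spec "$uid" "$gid")" \
        --security-opt no-new-privileges \
        --volume "$home:$home" \
        --env "HOME=$home" --env "USER=$user" \
        --workdir "$home" \
        "$IMAGE" bash
}

# Run main only when executed as the installed wrapper, not when sourced.
case "$0" in */devshell|devshell) main "$@" ;; esac
```

The checks matter because everything sudo hands over is still input: a
user cannot change SUDO_UID, but a misconfigured sudoers rule (one that
allows arguments, or runas for another target) or a missing SUDO_* variable
would otherwise end with "docker run" and no "--user", which is root in the
container with the host's NFS paths mounted. Inside the container, "id"
prints the numeric ids only unless the image carries a matching passwd
entry; for uid-based NFS that is enough.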
