[Freeipa-users] client/authentication inside a docker container
Jan Pazdziora
jpazdziora at redhat.com
Thu Feb 4 15:56:40 UTC 2016
On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> I am trying to set up a docker image with a specific development
> environment. We use idm 4.2 for authentication, and non-kerberized nfs
> (including home) for data storage on the hosts.
Are the hosts IPA-enrolled?
> The goal is to run the
> docker container such that when the user calls docker run,
Is any user allowed to run docker run? That seems like a security
issue.
> it just drops
> into a shell with the container's environment, but everything else looks
> largely the same. i.e. The user gets the same uid:gid and sees the same
> directories and permissions as the host.
So you want bash started in the container, with the uid:gid of the
person invoking the command? If the users are trusted to do docker
run, they can do

    docker run -u $UID container bash

themselves.
But you likely do not want to give every user a way to run any command,
why not just use sudo, and

    docker run -u $SUDO_UID container bash

in the script invoked with the sudo (untested)?
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
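As an added example (not code from the thread or from the FreeIPA project), here is one way to write the sudo-invoked wrapper Jan sketches: the script is the only thing users may run through sudo, it takes the caller's identity from the SUDO_UID/SUDO_GID variables sudo sets, refuses anything non-numeric or uid 0, and bind-mounts the caller's home directory at the same path so the NFS home looks the same inside the container. The image name `devenv`, the install path `/usr/local/bin/dev-shell` and the sudoers line in the comments are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, not from the mailing-list thread.
# Assumed deployment: installed as /usr/local/bin/dev-shell and allowed
# via a sudoers entry such as
#   %developers ALL=(root) NOPASSWD: /usr/local/bin/dev-shell
# so that only this script, not arbitrary "docker run" commands, is
# reachable as root. The image name "devenv" is a placeholder.

# is_numeric: accept only a plain decimal string. sudo sets SUDO_UID and
# SUDO_GID itself, but nothing else is ever passed through to docker.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_run_cmd UID GID HOME IMAGE
# Prints the docker command line that would be executed, or returns 1 if
# the identity is unacceptable. Kept separate from execution so the
# decision logic can be checked without a docker daemon.
build_run_cmd() {
    uid="$1"; gid="$2"; home="$3"; image="$4"
    is_numeric "$uid" && is_numeric "$gid" || return 1
    # never hand out a root shell inside the container
    [ "$uid" -ne 0 ] || return 1
    printf 'docker run --rm -it -u %s:%s -v %s:%s -w %s -e HOME=%s %s bash\n' \
        "$uid" "$gid" "$home" "$home" "$home" "$home" "$image"
}

# main: resolve the invoking user's home directory from the passwd
# database (works with IPA/SSSD-backed users) and run the container
# with the caller's uid:gid.
main() {
    : "${SUDO_UID:?must be invoked through sudo}"
    : "${SUDO_GID:?must be invoked through sudo}"
    home=$(getent passwd "$SUDO_UID" | cut -d: -f6)
    [ -n "$home" ] || { echo "no home directory for uid $SUDO_UID" >&2; exit 1; }
    build_run_cmd "$SUDO_UID" "$SUDO_GID" "$home" devenv >/dev/null || {
        echo "refusing to start a container for uid $SUDO_UID" >&2; exit 1; }
    exec docker run --rm -it -u "$SUDO_UID:$SUDO_GID" \
        -v "$home:$home" -w "$home" -e "HOME=$home" devenv bash
}

# Only run when installed under the expected name; sourcing the file
# just defines the functions.
case "$0" in
    */dev-shell|dev-shell) main "$@" ;;
esac
```

Because the sudoers rule names the script rather than `/usr/bin/docker`, a user in the `developers` group gets exactly one thing: a shell in the fixed image as their own uid:gid. That addresses the concern raised above about letting every user run `docker run`, which is effectively root on the host.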