[Freeipa-users] client/authentication inside a docker container

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Thu Feb 4 21:23:40 UTC 2016 

An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty container filesystem, but may have different users defined, particularly for running services and for owning the files those services must touch. To what extent do you want the same users to be enforced between the container and the host? Is it OK for service accounts to be different, as long as user/login/people accounts are the same?

It almost sounds like you’re using containers to isolate user environments and processes, but you’re accumulating data from/sharing data between containers…Which implies that the processes generating the data run as the user and not as a system service. It may be easier to wrap whatever program you’re running as a web service so the users don’t have to log in and your uid:gid problem goes away.

Bryce

From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Prasun Gera
Sent: Thursday, February 04, 2016 8:19 AM
To: freeipa-users at redhat.com
Subject: [Freeipa-users] client/authentication inside a docker container

I am trying to set up a docker image with a specific development environment. We use idm 4.2 for authentication, and non-kerberized nfs (including home) for data storage on the hosts. The goal is to run the docker container such that when the user calls docker run, it just drops into a shell with the container's environment, but everything else looks largely the same. i.e. The user gets the same uid:gid and sees the same directories and permissions as the host. I'm trying to figure out what the best way of mapping user ids is. I've looked at the following options:

  *   ipa-client-install inside the container. This has a few problems. One is hostname and DNS. Container needs an fqdn for this to work, and the dns has to resolve this hostname. We are not using IPA's DNS. So this whole approach looks very kludgy. Besides, I'm not sure what the right way of handling these ephemeral host names is. Ideally, they should be un-enrolled when the container is destroyed,
  *   Use ipa's fake NIS. This works, and is very simple to setup, but I think we want to phase out NIS. If we start using it inside docker, it will never die
  *   Don't do any domain authentication. Just ask the user to create a user with the same uid:gid as the host so that they can r/w to their own directories.
The ipa version is 4.2 running on RHEL 7. The container image will be based on ubuntu trusty. Hosts are a mix of different OSes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160204/1e58f0c3/attachment.htm>

More information about the Freeipa-users mailing list