[Freeipa-users] client/authentication inside a docker container

Prasun Gera prasun.gera at gmail.com
Fri Feb 5 01:39:05 UTC 2016


On Thu, Feb 4, 2016 at 4:23 PM, Nordgren, Bryce L -FS <bnordgren at fs.fed.us>
wrote:

> An RHEL 7 host filesystem may have the same basic structure as an Ubuntu
> trusty container filesystem, but may have different users defined,
> particularly for running services and for owning the files those services
> must touch. To what extent do you want the same users to be enforced
> between the container and the host? Is it OK for service accounts to be
> different, as long as user/login/people accounts are the same?
>
Yes, that would be OK. I think all I need is that the files touched inside
the container look consistent permissions-wise to files that you see on the
host, and vice-versa. As such, I don't need authentication inside the
container since we don't need to host any services in the container. I just
need 1:1 mapping for uid:gid for regular users.


> It almost sounds like you’re using containers to isolate user environments
> and processes, but you’re accumulating data from/sharing data between
> containers…Which implies that the processes generating the data run as the
> user and not as a system service. It may be easier to wrap whatever program
> you’re running as a web service so the users don’t have to log in and your
> uid:gid problem goes away.
>
Yes, I've just got started with Docker, and am trying to use it as a way to
isolate the development environment. We have a tool which has some weird
toolchain dependencies (old versions of gcc, boost, bison, and possibly a
few others), which would make it very hacky to compile/run it natively on
all systems. I think docker solves that problem such that whenever the user
wants to use that tool, they can just drop into the docker container and
work there.


> Bryce
>
> *From:* freeipa-users-bounces at redhat.com [mailto:
> freeipa-users-bounces at redhat.com] *On Behalf Of *Prasun Gera
> *Sent:* Thursday, February 04, 2016 8:19 AM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] client/authentication inside a docker container
>
> I am trying to set up a docker image with a specific development
> environment. We use idm 4.2 for authentication, and non-kerberized nfs
> (including home) for data storage on the hosts. The goal is to run the
> docker container such that when the user calls docker run, it just drops
> into a shell with the container's environment, but everything else looks
> largely the same, i.e. the user gets the same uid:gid and sees the same
> directories and permissions as the host. I'm trying to figure out what the
> best way of mapping user ids is. I've looked at the following options:
>
>    - ipa-client-install inside the container. This has a few problems.
>    One is hostname and DNS. Container needs an fqdn for this to work, and the
>    dns has to resolve this hostname. We are not using IPA's DNS. So this whole
>    approach looks very kludgy. Besides, I'm not sure what the right way of
>    handling these ephemeral host names is. Ideally, they should be un-enrolled
>    when the container is destroyed,
>    - Use ipa's fake NIS. This works, and is very simple to setup, but I
>    think we want to phase out NIS. If we start using it inside docker, it will
>    never die
>    - Don't do any domain authentication. Just ask the user to create a
>    user with the same uid:gid as the host so that they can r/w to their own
>    directories.
>
> The ipa version is 4.2 running on RHEL 7. The container image will be
> based on ubuntu trusty. Hosts are a mix of different OSes.
>
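The thread settles on a narrower requirement than a full IPA client in the image: only people accounts need a 1:1 uid:gid mapping between host and container, service accounts may differ, and the container hosts no services of its own. The script below is an added example (not code from this thread, FreeIPA, or Docker) of the third option done without hand-creating users in the image: it takes the host's passwd/group data, keeps only regular accounts, writes read-only passwd/group files for the container, and builds a `docker run` argument list that drops into the image as the invoking user with the same primary and supplementary gids. The uid range, the image name `devenv:trusty`, the `/srv/ipa/...` paths and the sample passwd/group contents are constructed for the example.

```python
"""Added example: container passwd/group view that maps only regular (people)
accounts 1:1 by uid:gid, plus a `docker run` argument list for one user.
The sample host files below are constructed; real input would come from
`getent passwd` / `getent group` on an IPA-enrolled host."""
import shlex

UID_MIN = 1000   # first regular-user id on most distributions (assumption)
UID_MAX = 60000  # ids above this (nobody, nfsnobody) are treated as system accounts

HOST_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
svc:x:990:990:Build service:/var/lib/svc:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/zsh
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""
HOST_GROUP = """\
root:x:0:
wheel:x:10:alice
svc:x:990:
alice:x:1001:
bob:x:1002:
devs:x:1500:alice,bob,svc
"""


def parse_colon_file(text, nfields):
    """Split passwd/group style lines; malformed lines are skipped, not guessed at."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == nfields:
            rows.append(fields)
    return rows


def is_regular(idnum):
    return UID_MIN <= idnum <= UID_MAX


def regular_users(passwd_text):
    """name -> (uid, gid, gecos, home) for people accounts only."""
    users = {}
    for name, _pw, uid, gid, gecos, home, _shell in parse_colon_file(passwd_text, 7):
        if is_regular(int(uid)):
            users[name] = (int(uid), int(gid), gecos, home)
    return users


def container_passwd(passwd_text, shell="/bin/bash"):
    """Host uid/gid/home are preserved so NFS homes line up; the shell is forced to
    one that exists in the image, and no password hashes are ever copied in."""
    lines = [f"{name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"
             for name, (uid, gid, gecos, home) in regular_users(passwd_text).items()]
    return "\n".join(lines) + "\n"


def container_group(passwd_text, group_text):
    """Keep only groups in the regular range, with membership trimmed to regular users.
    Host admin groups (wheel, docker, ...) are dropped on purpose: host privileges
    should not follow a user into the container."""
    names = set(regular_users(passwd_text))
    lines = []
    for gname, _pw, gid, members in parse_colon_file(group_text, 4):
        if not is_regular(int(gid)):
            continue
        kept = [m for m in members.split(",") if m in names]
        lines.append(f"{gname}:x:{gid}:{','.join(kept)}")
    return "\n".join(lines) + "\n"


def docker_run_argv(user, passwd_text, group_text, image, passwd_path, group_path):
    """Argument list for dropping into `image` as `user`, never as root.
    `passwd_path`/`group_path` are where container_passwd/container_group output
    was written on the host; they are bind-mounted read-only."""
    users = regular_users(passwd_text)
    if user not in users:
        raise ValueError(f"{user!r} is not a regular host user")  # system accounts are never mapped
    uid, gid, _gecos, home = users[user]
    argv = ["docker", "run", "--rm", "-it", "--user", f"{uid}:{gid}"]
    # --user sets only the primary group; supplementary groups that own shared
    # data must be added explicitly or NFS permissions will not match the host
    for _gname, _pw, g, members in parse_colon_file(container_group(passwd_text, group_text), 4):
        if user in members.split(",") and int(g) != gid:
            argv += ["--group-add", g]
    argv += ["-v", f"{passwd_path}:/etc/passwd:ro",
             "-v", f"{group_path}:/etc/group:ro",
             "-v", f"{home}:{home}", "-w", home, image]
    return argv


if __name__ == "__main__":
    print(container_passwd(HOST_PASSWD), end="")
    print(container_group(HOST_PASSWD, HOST_GROUP), end="")
    print(shlex.join(docker_run_argv("alice", HOST_PASSWD, HOST_GROUP, "devenv:trusty",
                                     "/srv/ipa/passwd", "/srv/ipa/group")))
```

The generated files can be regenerated from `getent` on an enrolled host before each `docker run`, so a user renamed or removed in IPA stops matching in the container without anything being enrolled or un-enrolled per container. Because the files are mounted read-only and the process starts as the user's own uid, a stray `useradd` inside the container cannot mint an id that collides with someone else's files on the shared NFS volume.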