On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com>

> On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> > I am trying to set up a docker image with a specific development
> > environment. We use idm 4.2 for authentication, and non-kerberized nfs
> > (including home) for data storage on the hosts.
> Are the hosts IPA-enrolled?
Yes.

> > The goal is to run the
> > docker container such that when the user calls docker run,
> Is any user allowed to run docker run? That seems like a security
> issue.
Well any user that can do sudo should be able to run docker. Is there a
security issue with that?

> > it just drops
> > into a shell with the container's environment, but everything else looks
> > largely the same. i.e. The user gets the same uid:gid and sees the same
> > directories and permissions as the host.
> So you want bash started in the container, with the uid:gid of the
> person invoking the command? If the users are trusted to do docker
> run, they can do
>         docker run -u $UID container bash
> themselves.
Yes, this is similar to the 3rd point I mentioned. The problem though is
that directory listings will not show names inside the container. They'll
only show uids and gids. NIS solves this as a quick hack, but is there
something better? Permissions would still work since NFS is not
kerberized. Another issue I haven't figured out is how the user can get
sudo inside the container. If you start docker with the user's uid, I don't
know if there is a safe way for that user to get sudo inside. If you start
docker in the root shell, you can create the user with the uid:gid, add it
to sudoers, and then change to the user's shell?

> But you likely do not want to give every user a way to run any command,
> why not just use sudo, and
>         docker run -u $SUDO_UID container bash
> in the script invoked with the sudo (untested)?
I didn't follow this. Can you explain a bit more? In the default setup,
you anyway need sudo to run docker. What is the -u string here?

> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red Hat
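An added example, not from this thread, of the sudo-invoked wrapper Jan describes: a hypothetical script `devshell`, allowed in sudoers, that validates the ids sudo exports and starts the container with `-u $SUDO_UID:$SUDO_GID` (docker's `--user` flag takes `uid[:gid]`), refusing to fall back to root. The script path, image name and the `getent` home lookup are assumptions.

```shell
#!/bin/sh
# Hypothetical sudo wrapper (added here, not from the thread): install as
# /usr/local/bin/devshell and allow only it in sudoers, so "sudo devshell" is
# the one docker invocation users get. sudo exports SUDO_UID/SUDO_GID for the
# invoking user; docker's -u/--user flag takes "uid[:gid]".
set -eu

IMAGE="${DEVSHELL_IMAGE:-devenv:latest}"   # placeholder image name

# Accept only a non-empty, all-digit id that is not root (0).
valid_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ne 0 ]
}

# Print the docker argument list, one per line, for the given uid, gid,
# home and image. Refuses bad ids rather than falling back to root.
build_args() {
    uid=$1; gid=$2; home=$3; image=$4
    valid_id "$uid" || { echo "devshell: bad uid '$uid'" >&2; return 1; }
    valid_id "$gid" || { echo "devshell: bad gid '$gid'" >&2; return 1; }
    printf '%s\n' run --rm -it \
        --user "$uid:$gid" \
        --volume "$home:$home" \
        --workdir "$home" \
        "$image" bash
}

# Resolve the caller's home through the host's NSS (SSSD for IPA users),
# then exec docker as that uid:gid with the home bind-mounted.
run_devshell() {
    uid=${SUDO_UID:-}; gid=${SUDO_GID:-}
    valid_id "$uid" || { echo "devshell: run via sudo (SUDO_UID='$uid')" >&2; exit 1; }
    valid_id "$gid" || { echo "devshell: bad SUDO_GID '$gid'" >&2; exit 1; }
    home=$(getent passwd "$uid" | cut -d: -f6)
    [ -n "$home" ] || { echo "devshell: no passwd entry for uid $uid" >&2; exit 1; }
    # Rebuild "$@" from build_args output; paths containing whitespace are not handled.
    set -- $(build_args "$uid" "$gid" "$home" "$IMAGE")
    exec docker "$@"
}

case "${1:-}" in --run) run_devshell ;; esac
```

Users run `sudo devshell --run`; the container still sees only numeric ids for other users, so the name-resolution question in the thread is not addressed by this wrapper.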
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project