On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <[email protected]> wrote:
> On Thu, Feb 04, 2016 at 10:19:16AM -0500, Prasun Gera wrote:
> > I am trying to set up a docker image with a specific development
> > environment. We use idm 4.2 for authentication, and non-kerberized nfs
> > (including home) for data storage on the hosts.
>
> Are the hosts IPA-enrolled?

Yes.

> > The goal is to run the
> > docker container such that when the user calls docker run,
>
> Is any user allowed to run docker run? That seems like a security
> issue.

Well, any user that can do sudo should be able to run docker. Is there a security issue with that?

> > it just drops
> > into a shell with the container's environment, but everything else looks
> > largely the same. i.e. The user gets the same uid:gid and sees the same
> > directories and permissions as the host.
>
> So you want bash started in the container, with the uid:gid of the
> person invoking the command? If the users are trusted to do docker
> run, they can do
>
> docker run -u $UID container bash
>
> themselves.

Yes, this is similar to the 3rd point I mentioned. The problem though is that directory listings will not show names inside the container. They'll only show uids and gids. NIS solves this as a quick hack, but is there something better? Permissions would still work since NFS is not kerberized.

Another issue I haven't figured out is how the user can get sudo inside the container. If you start docker with the user's uid, I don't know if there is a safe way for that user to get sudo inside. If you start docker in the root shell, you can create the user with the uid:gid, add it to sudoers, and then change to the user's shell?

> But you likely do not want to give every user a way to run any command,
> why not just use sudo, and
>
> docker run -u $SUDO_UID container bash
>
> in the script invoked with the sudo (untested)?

I didn't follow this. Can you explain a bit more? In the default setup, you anyway need sudo to run docker. What is the -u string here?
> --
> Jan Pazdziora
> Senior Principal Software Engineer, Identity Management Engineering, Red
> Hat
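The sudo-invoked wrapper Jan sketches above, written out as an added example that is not from the thread or from the FreeIPA project. It assumes an image named `dev-env:latest`, an install path of `/usr/local/bin/devshell`, and the sudoers rule shown in the comments; `SUDO_UID` and `SUDO_GID` are the variables sudo itself exports for the invoking user.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper meant to be the only
# command a user may run through sudo. sudo exports SUDO_UID/SUDO_GID
# (the invoking user's ids), so the wrapper, not the user, picks the
# -u value. The image name and install path are assumptions; a matching
# sudoers rule would be, for example:
#   %devs ALL=(root) /usr/local/bin/devshell
IMAGE="dev-env:latest"   # assumed image name

# A valid id is a non-empty string of decimal digits only.
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Compose the "uid:gid" value for docker run -u; fails (status 1) on
# anything but two plain numbers, so a forged or missing variable
# cannot smuggle extra docker options into the command line.
user_arg() {
    is_numeric_id "$1" && is_numeric_id "$2" || return 1
    printf '%s:%s\n' "$1" "$2"
}

# Home directory of a numeric uid via NSS, so SSSD/IPA users resolve
# even though they are not in the local /etc/passwd.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

main() {
    [ -n "${SUDO_UID:-}" ] && [ -n "${SUDO_GID:-}" ] ||
        { echo "devshell: must be run via sudo" >&2; exit 1; }
    uarg=$(user_arg "$SUDO_UID" "$SUDO_GID") ||
        { echo "devshell: invalid SUDO_UID/SUDO_GID" >&2; exit 1; }
    home=$(home_of "$SUDO_UID")
    [ -d "$home" ] || { echo "devshell: no home for uid $SUDO_UID" >&2; exit 1; }
    # -u runs the shell as the caller, so the non-kerberized NFS home is
    # accessed with the same numeric uid:gid as on the host; the user
    # gets neither root in the container nor the docker CLI itself.
    # Extra arguments are ignored on purpose.
    exec docker run --rm -it -u "$uarg" -v "$home:$home" -w "$home" "$IMAGE" bash
}

# Act as the wrapper only when installed under the expected name (devshell).
if [ "$(basename "$0")" = "devshell" ]; then
    main "$@"
fi
```

Because the user is granted only this one command in sudoers, the numeric ids still come from sudo and the shell in the container runs as that user, while the docker CLI itself stays out of reach.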
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
