An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty 
container filesystem, but may have different users defined, particularly for 
running services and for owning the files those services must touch. To what 
extent do you want the same users to be enforced between the container and the 
host? Is it OK for service accounts to be different, as long as 
user/login/people accounts are the same?

It almost sounds like you’re using containers to isolate user environments and 
processes, but you’re accumulating data from/sharing data between 
containers, which implies that the processes generating the data run as the user 
and not as a system service. It may be easier to wrap whatever program you’re 
running as a web service so the users don’t have to log in and your uid:gid 
problem goes away.


On Behalf Of Prasun Gera
Sent: Thursday, February 04, 2016 8:19 AM
Subject: [Freeipa-users] client/authentication inside a docker container

I am trying to set up a docker image with a specific development environment. 
We use idm 4.2 for authentication, and non-kerberized nfs (including home) for 
data storage on the hosts. The goal is to run the docker container such that 
when the user calls docker run, it just drops into a shell with the container's 
environment, but everything else looks largely the same, i.e. the user gets the 
same uid:gid and sees the same directories and permissions as the host. I'm 
trying to figure out what the best way of mapping user ids is. I've looked at 
the following options:

  *   ipa-client-install inside the container. This has a few problems. One is 
hostname and DNS. The container needs an fqdn for this to work, and the dns has to 
resolve this hostname. We are not using IPA's DNS. So this whole approach looks 
very kludgy. Besides, I'm not sure what the right way of handling these 
ephemeral host names is. Ideally, they should be un-enrolled when the container 
is destroyed.
  *   Use ipa's fake NIS. This works, and is very simple to set up, but I think 
we want to phase out NIS. If we start using it inside docker, it will never die.
  *   Don't do any domain authentication. Just ask the user to create a user 
with the same uid:gid as the host so that they can r/w to their own directories.

The ipa version is 4.2 running on RHEL 7. The container image will be based on 
ubuntu trusty. Hosts are a mix of different OSes.
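One way to do the third option from the post (no domain authentication, just the same uid:gid as the host), as an added example that is not from the thread: a container entrypoint that recreates the calling host user from ids passed in via the environment, refuses uid/gid 0, and drops to that user before handing over the shell. The HOST_USER/HOST_UID/HOST_GID variables, the image name and the helper names are assumptions.

```shell
#!/bin/sh
# Assumed invocation from the host, passing the caller's own identity in:
#   docker run --rm -it -e HOST_USER="$(id -un)" -e HOST_UID="$(id -u)" \
#     -e HOST_GID="$(id -g)" -v "$HOME:$HOME" devimage
set -eu

# Accept only plain numeric ids and refuse 0: mapping the caller to root in the
# container would also make them root on the bind-mounted NFS home directory.
valid_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ne 0 ]
}

# Accept only conservative user names (no shell or path metacharacters), since
# the name ends up in commands run as root and in a home directory path.
valid_name() {
    case "$1" in ''|-*|*[!a-z0-9_-]*) return 1 ;; esac
    [ ${#1} -le 32 ]
}

# Print the account name already owning a uid in passwd-format text on stdin,
# so an image that ships a user with the same uid is reused rather than broken.
name_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Emit the commands that would create the account (one per line) without
# running them, so they can be inspected or tested before touching the image.
plan_user() {
    name="$1"; uid="$2"; gid="$3"
    valid_name "$name" && valid_id "$uid" && valid_id "$gid" || return 1
    printf 'getent group %s >/dev/null || groupadd -g %s %s\n' "$gid" "$gid" "$name"
    printf 'useradd -M -u %s -g %s -d /home/%s -s /bin/bash %s\n' \
        "$uid" "$gid" "$name" "$name"
}

# Entrypoint proper: only act as root with host ids supplied, then drop
# privileges to the recreated user before handing over the shell.
if [ "$(id -u)" = 0 ] && [ -n "${HOST_UID:-}" ]; then
    user=$(name_for_uid "$HOST_UID" < /etc/passwd)
    if [ -z "$user" ]; then
        plan=$(plan_user "$HOST_USER" "$HOST_UID" "$HOST_GID")
        printf '%s\n' "$plan" | sh -e
        user=$HOST_USER
    fi
    exec su -s /bin/bash - "$user"
fi
```

Because the home directory is bind-mounted from the host, `useradd -M` deliberately does not create one, and the uid/gid checks mean a caller cannot arrange to become root on that mount by passing 0.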