An RHEL 7 host filesystem may have the same basic structure as an Ubuntu trusty container filesystem, but may have different users defined, particularly for running services and for owning the files those services must touch. To what extent do you want the same users to be enforced between the container and the host? Is it OK for service accounts to be different, as long as user/login/people accounts are the same?
It almost sounds like you’re using containers to isolate user environments and processes, but you’re accumulating data from/sharing data between containers…Which implies that the processes generating the data run as the user and not as a system service. It may be easier to wrap whatever program you’re running as a web service so the users don’t have to log in and your uid:gid problem goes away. Bryce From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Prasun Gera Sent: Thursday, February 04, 2016 8:19 AM To: firstname.lastname@example.org Subject: [Freeipa-users] client/authentication inside a docker container I am trying to set up a docker image with a specific development environment. We use idm 4.2 for authentication, and non-kerberized nfs (including home) for data storage on the hosts. The goal is to run the docker container such that when the user calls docker run, it just drops into a shell with the container's environment, but everything else looks largely the same. i.e. The user gets the same uid:gid and sees the same directories and permissions as the host. I'm trying to figure out what the best way of mapping user ids is. I've looked at the following options: * ipa-client-install inside the container. This has a few problems. One is hostname and DNS. Container needs an fqdn for this to work, and the dns has to resolve this hostname. We are not using IPA's DNS. So this whole approach looks very kludgy. Besides, I'm not sure what the right way of handling these ephemeral host names is. Ideally, they should be un-enrolled when the container is destroyed, * Use ipa's fake NIS. This works, and is very simple to setup, but I think we want to phase out NIS. If we start using it inside docker, it will never die * Don't do any domain authentication. Just ask the user to create a user with the same uid:gid as the host so that they can r/w to their own directories. The ipa version is 4.2 running on RHEL 7. The container image will be based on ubuntu trusty. Hosts are a mix of different OSes.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project