On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote:
> On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com>
> wrote:
>
> > > The goal is to run the
> > > docker container such that when the user calls docker run,
> >
> > Is any user allowed to run docker run? That seems like a security
> > issue.
>
> Well any user that can do sudo should be able to run docker. Is there a
> security issue with that?
You need to limit those sudo calls to a very specific list of parameters
that can be passed to the docker client, otherwise it has the potential
of running any command.

> > > it just drops
> > > into a shell with the container's environment, but everything else looks
> > > largely the same, i.e. the user gets the same uid:gid and sees the same
> > > directories and permissions as the host.
> >
> > So you want bash started in the container, with the uid:gid of the
> > person invoking the command? If the users are trusted to do docker
> > run, they can do
> >
> >     docker run -u $UID container bash
> >
> > themselves.
>
> Yes, this is similar to the 3rd point I mentioned. The problem though is
> that directory listings will not show names inside the container. They'll
> only show uids and gids.

In that case, having the sssd-client package installed in the container
and /var/lib/sss mounted to the container could help.

> NIS solves this as a quick hack, but is there
> something better? Permissions would still work since NFS is not
> kerberized. Another issue I haven't figured out is how the user can get
> sudo inside the container. If you start docker with the user's uid, I don't
> know if there is a safe way for that user to get sudo inside. If you start
> docker in the root shell, you can create the user with the uid:gid, add it
> to sudoers, and then change to the user's shell?

Yes. If you have /var/lib/sss mounted and sssd-common (or libsss_sudo
in new versions) installed in the container, you can even use the sudo
rules from IPA.

> > But you likely do not want to give every user a way to run any command,
> > why not just use sudo, and
> >
> >     docker run -u $SUDO_UID container bash
> >
> > in the script invoked with the sudo (untested)?
>
> I didn't follow this. Can you explain a bit more? In the default setup,
> you anyway need sudo to run docker.

Not really -- access to docker's Unix socket is all that the docker
client needs.

> What is the -u string here?
Setting the uid under which the container processes are run back to
the invoking user.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
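What the sudo-wrapped script Jan sketches above could look like, put together as an added example for this thread (it is not code from the thread, from FreeIPA or from Docker). It ties the three points of the reply together: the sudoers rule allows exactly one command, that command validates everything it passes to the docker client (an allow-list of images, numeric non-zero uid/gid, a sane home directory), it runs the container as the invoking user via `-u $SUDO_UID:$SUDO_GID`, and it bind-mounts /var/lib/sss so an image with sssd-client installed resolves names from IPA. Assumptions not in the thread: the script is installed as /usr/local/bin/docker-shell, the sudoers group is %devs, the allow-listed images are fedora:23 and centos:7 and already contain sssd-client, and the user's home directory comes from getent on the host (where sssd answers for IPA users).

```shell
#!/bin/sh
# docker-shell: the only docker invocation users are allowed through sudo.
# Added example for this thread, not code from the thread, FreeIPA or Docker.
# Assumed sudoers rule (/etc/sudoers.d/docker-shell):
#   %devs ALL=(root) NOPASSWD: /usr/local/bin/docker-shell
# sudo itself sets SUDO_UID, SUDO_GID and SUDO_USER; nothing else from the
# caller's environment is trusted.

# Assumed allow-list: images known to contain sssd-client, so that the host's
# /var/lib/sss mounted into the container resolves uid:gid to IPA user names.
ALLOWED_IMAGES="fedora:23 centos:7"
DEFAULT_IMAGE=fedora:23

# Return 0 if image $1 is on the allow-list, 1 otherwise.
image_allowed() {
    for img in $ALLOWED_IMAGES; do
        [ "$img" = "$1" ] && return 0
    done
    return 1
}

# Validate a request and print the docker command line that would run, one
# argument per line. Arguments: image, uid, gid, home directory.
# Prints nothing and returns 1 if anything is rejected.
build_docker_cmd() {
    image=$1
    uid=$2
    gid=$3
    home=$4
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac           # numeric uid only
    case "$gid" in ''|*[!0-9]*) return 1 ;; esac           # numeric gid only
    [ "$uid" -ne 0 ] || return 1                            # never hand out uid 0
    image_allowed "$image" || return 1                      # no arbitrary images
    case "$home" in /*) ;; *) return 1 ;; esac              # absolute path only
    case "$home" in *:*|*[[:space:]]*) return 1 ;; esac    # ':' splits -v, blanks split argv
    printf '%s\n' docker run --rm -it \
        -u "$uid:$gid" \
        -v /var/lib/sss:/var/lib/sss:ro \
        -v "$home:$home" \
        -w "$home" \
        "$image" bash
}

main() {
    if [ -z "${SUDO_UID:-}" ] || [ -z "${SUDO_GID:-}" ]; then
        echo "docker-shell: run this through sudo" >&2
        exit 1
    fi
    # Home directory from the host's NSS; sssd answers for IPA users here.
    home=$(getent passwd "$SUDO_UID" | cut -d: -f6)
    cmd=$(build_docker_cmd "${1:-$DEFAULT_IMAGE}" "$SUDO_UID" "$SUDO_GID" "$home") || {
        echo "docker-shell: request refused" >&2
        exit 1
    }
    # Every argument was validated above, so splitting on newlines is safe;
    # globbing is switched off so no argument can expand into something else.
    IFS='
'
    set -f
    # shellcheck disable=SC2086
    exec $cmd
}

# Act as a command only when invoked as docker-shell; sourcing the file
# just defines the functions.
case "$0" in *docker-shell) main "$@" ;; esac
```

The only thing the user chooses is the image name, and even that has to match the allow-list, so the sudo rule cannot be turned into `docker run -v /:/host --privileged`. The `:ro` on /var/lib/sss keeps the container from tampering with sssd's cache files; it does not stop the container from talking to sssd over the pipes in that directory, which is exactly what the name lookups need. The container still has no `sudo` for the user; that is where the libsss_sudo setup from the reply above comes in, and it is outside what this wrapper does.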