On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote:
> On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com>
> > > The goal is to run the
> > > docker container such that when the user calls docker run,
> > Is any user allowed to run docker run? That seems like a security
> > issue.
> Well any user that can do sudo should be able to run docker. Is there a
> security issue with that ?
You need to limit those sudo calls to a very specific list of
parameters that can be passed to the docker client, otherwise it has
the potential of running any command.
> > > it just drops
> > > into a shell with the container's environment, but everything else looks
> > > largely the same. i.e. The user gets the same uid:gid and sees the same
> > > directories and permissions as the host.
> > So you want bash started in the container, with the uid:gid of the
> > person invoking the command? If the users are trusted to do docker
> > run, they can do
> > docker run -u $UID container bash
> > themselves.
> Yes, this is similar to the 3rd point I mentioned. The problem though is
> that directory listings will not show names inside the container. They'll
In that case, having the sssd-client package installed in the container and
/var/lib/sss mounted into the container could help.
> only show uids and gids. NIS solves this as a quick hack, but is there
> something better ? Permissions would still work since NFS is not
> kerberized. Another issue I haven't figured out is how the user can get
> sudo inside the container. If you start docker with the user's uid, I don't
> know if there is a safe way for that user to get sudo inside. If you start
> docker in the root shell, you can create the user with the uid:gid, add it
> to sudoers, and then change to the user's shell ?
If you have /var/lib/sss mounted and sssd-common (or libsss_sudo
in new versions) installed in the container, you can even use the
sudo rules from IPA.
> > But you likely do not want to give every user a way to run any command,
> > why not just use sudo, and
> > docker run -u $SUDO_UID container bash
> > in the script invoked with the sudo (untested)?
> I didn't follow this. Can you explain a bit more ? In the default setup,
> you anyway need sudo to run docker.
Not really -- access to docker's Unix socket is all that the docker
> What is the -u string here ?
Setting the uid under which the container processes are run back to
the invoking user.
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
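The restricted-sudo approach discussed above (a fixed docker command line, -u set back to the invoking user, /var/lib/sss mounted so the container resolves names), as an added example that is not code from the thread; the script path, the sudoers group, the image name and the /home mount are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: a wrapper that is the ONLY
# command users are allowed to run through sudo, so the docker client
# never sees user-chosen options. Assumed sudoers entry (the trailing ""
# forbids passing any arguments):
#   %dockerusers ALL=(root) NOPASSWD: /usr/local/bin/docker-shell.sh ""
# Assumed image name "example-shell", built with sssd-client installed so
# that the host's /var/lib/sss gives it real user and group names.
set -eu

IMAGE="example-shell"          # assumption
DOCKER="${DOCKER:-docker}"     # overridable for a dry run

# sudo exports SUDO_UID/SUDO_GID/SUDO_USER; verify they look sane before
# they are spliced into a command line that runs as root.
check_sudo_ids() {
    case "${SUDO_UID:-}" in ''|*[!0-9]*) return 1 ;; esac
    case "${SUDO_GID:-}" in ''|*[!0-9]*) return 1 ;; esac
    case "${SUDO_USER:-}" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "$SUDO_UID" -ne 0 ]      # refuse to hand out a root shell
}

# The only variable parts are the uid:gid and home directory of the
# invoking user; no volume, capability or image flags can be injected.
run_shell() {
    check_sudo_ids || return 1
    exec "$DOCKER" run --rm -it \
        -u "${SUDO_UID}:${SUDO_GID}" \
        -v /var/lib/sss:/var/lib/sss:ro \
        -v /home:/home \
        -w "/home/${SUDO_USER}" \
        "$IMAGE" bash
}

# Only act when installed under the expected name; sourcing the file
# (for example to test it) defines the functions without starting docker.
case "${0##*/}" in
    docker-shell.sh) run_shell ;;
esac
```

Setting DOCKER=echo before calling run_shell prints the exact command line that would be executed, which is a convenient way to review what the wrapper grants before enabling the sudoers entry.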