On Fri, Mar 22, 2024 at 5:03 PM Tero Saarni <[email protected]> wrote:
> On Fri, Mar 22, 2024 at 3:46 PM Alexey Tikhonov <[email protected]> wrote:
>> Is this a "single UID" container (i.e. SSSD and client apps run under the same UID within container namespace)?
>> What do you use as an entry point of the container / how do you manage (start of) multiple processes?
>>
>> What authentication means do you use?
>> If this is Kerberos, does your app use TGT acquired during authentication?
>
> Yes, single UID container with simple init (no systemd). Both SSSD and client applications run within the same container. In our use case we use only LDAP domains for now, no Kerberos.

What platform is this? Is it still

```
The container is executed in OpenShift cluster which does not allow running as root inside container.
```

as in your original email in this thread?

JFTR: OpenShift should eventually get https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/README.md (i.e. 'user namespaces' support) so that a pod fully restricted in the host namespace can be run fully unrestricted in the container user-ns (including running with uid=0 in the container namespace while uid!=0 in the host namespace).

Having said that, and taking into account that 'user-ns' support isn't available yet, you might want to try builds from https://copr.fedorainfracloud.org/coprs/g/sssd/nightly/ : currently the Fedora rawhide, CentOS Stream 9 and RHEL 9 packages there are built with '--with-sssd-user=sssd' and the main SSSD process can be run directly under the 'sssd' user. Since you don't need Kerberos / handle keytabs and user TGTs, it should work out of the box.

Your feedback and observations are welcome.
--
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
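As an added example (not code from this thread or from the SSSD project), the following POSIX shell pre-flight script is for a single-UID container like the one described above. It reads /proc/self/uid_map to tell whether uid 0 inside the container is real host root, root remapped by a user namespace (the KEP-127 case Alexey mentions), or not mapped at all, and it checks that the directories the sssd processes write to exist and are writable by the container's uid. The directory list is an assumption about the Fedora/RHEL packaging layout; adjust it for other builds.

```shell
#!/bin/sh
# Added pre-flight checks for running SSSD unprivileged in a single-UID
# container (example code, not from the thread or the SSSD project).

# Classify the container's user namespace from the text of /proc/self/uid_map,
# whose lines are "<uid inside ns> <uid outside ns> <length>":
#   host-root      uid 0 inside is uid 0 on the host (initial namespace; this is
#                  the case where OpenShift's restricted SCC refuses root)
#   userns-root    uid 0 inside maps to a non-zero host uid (KEP-127 case:
#                  root in the container, unprivileged on the host)
#   unmapped-root  uid 0 is not mapped at all, so nothing in the container
#                  can become root
describe_uid_map() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 { if ($2 == 0) host = 1; else remap = 1 }
        END {
            if (host) print "host-root"
            else if (remap) print "userns-root"
            else print "unmapped-root"
        }'
}

# State directories SSSD writes to; paths as packaged on Fedora/RHEL (assumed).
# When the main process runs as the 'sssd' user these must be writable by it.
SSSD_STATE_DIRS="var/lib/sss/db var/lib/sss/pipes var/lib/sss/pipes/private var/lib/sss/mc var/log/sssd"

# Check that each directory under PREFIX (default "/") exists and is writable
# by the current uid. Prints one line per directory; returns the problem count.
check_sssd_dirs() {
    prefix="${1:-/}"
    problems=0
    for d in $SSSD_STATE_DIRS; do
        p="${prefix%/}/$d"
        if [ ! -d "$p" ]; then
            printf 'MISSING  %s\n' "$p"
            problems=$((problems + 1))
        elif [ ! -w "$p" ]; then
            printf 'READONLY %s (not writable by uid %s)\n' "$p" "$(id -u)"
            problems=$((problems + 1))
        else
            printf 'ok       %s\n' "$p"
        fi
    done
    return "$problems"
}

# Run both checks against the live container.
main() {
    printf 'effective uid: %s\n' "$(id -u)"
    printf 'user namespace: %s\n' "$(describe_uid_map "$(cat /proc/self/uid_map)")"
    check_sssd_dirs /
}

# Only run when invoked with --run, so the file can also be sourced for its functions.
case "${1:-}" in
    --run) main ;;
esac
```

Run it inside the container as `sh sssd-preflight.sh --run`. A non-zero effective uid together with "host-root" is the restricted-OpenShift situation the thread is about; any MISSING or READONLY line names a directory to pre-create or chown in the image before an SSSD built with '--with-sssd-user=sssd' will be able to start as that uid.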
