LDAP authentication in Docker container

北城以北 submitted on 2019-12-13 12:31:25

Question


By default, when a Docker container is started, the user inside is sudo.

I want:

  1. Lock sudo user in container by default.
  2. Use LDAP authentication in container instead of the default (when the users are provided along with the image, or created by sudo user when container is running).

For that, I ran a container and configured it to communicate with LDAP server. Next, I created an image from this container.

Now, I can run a container using this image (but only as a sudo user) and perform su LDAP_USER to change the current user to the LDAP user. However, when I try to run the container with -u LDAP_USER, I get an error that the user does not exist.

So the question is: Is it possible to use LDAP authentication to run containers with -u LDAP_USER? Maybe I can somehow use host machine to do that?

Thanks.


Answer 1:


I would recommend just using the USER directive within the Docker build file and avoid installing the sshd daemon (I imagine configuring the latter would be the way to enable the feature you're looking for).

In other words, by all means run processes as non-root system users, but never interactively log in to the container. This latter point means you don't need to worry about supporting LDAP-based authentication.

The best control you can have against a particular risk is to remove the risk.
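A Dockerfile that applies this answer, added here as an example rather than taken from the answer or the linked question. The base image, the user name `app` and the UID/GID 10001 are assumptions; the point is that the image creates an unprivileged account at build time and switches to it with USER, so the container's default identity is not root and no login service or LDAP lookup is needed inside the container.

```dockerfile
# Added example (not from the original answer): create an unprivileged
# user at build time and make it the container's default identity.
# Base image, user name and UID/GID are illustrative assumptions.
FROM debian:bookworm-slim

# A fixed UID/GID keeps the account predictable for bind-mounted volumes
# and lets the host refer to it numerically (docker run -u 10001:10001)
# without the name having to resolve inside the container.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 --create-home --shell /usr/sbin/nologin app

WORKDIR /home/app
# Copy application files owned by the unprivileged user, not root.
COPY --chown=app:app . /home/app

# Everything from here on, including CMD, runs as "app". The base image
# ships no sudo, so there is no privileged account to lock.
USER app

CMD ["sh", "-c", "id && echo running as $(whoami)"]
```

Build and run it with `docker build -t app-nonroot . && docker run --rm app-nonroot`; the output from `id` should show uid 10001, and `docker run --rm -u 10001:10001 app-nonroot` works the same way because Docker accepts a numeric UID that does not appear in the container's /etc/passwd. The nologin shell is deliberate: it reinforces the answer's advice that nobody logs in to the container interactively, while non-interactive commands under `CMD` or `docker exec` are unaffected.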




Answer 2:


Check out this potential workaround and my own further description of the caveats of this workaround:

https://serverfault.com/questions/789321/openldap-client-inside-a-docker-container/841202#841202

I'm happy to share my Dockerfile to modify the container to support LDAP lookup if you ask...



Source: https://stackoverflow.com/questions/33825105/ldap-authentication-in-docker-container
