On 10 Jan 2022, at 17:52, Steve F <steve.falzon(a)outlook.com>
wrote:
Hello!
Currently dscontainer will start, configure and run ds-389 as a root user. I am wondering
if there is support to run as a non-root user?
It is as simple as chown'ing the files to a non privileged user, updating
nsslapd-localuser to the correct user, then running dscontainer -r as the unprivileged
user?
There is support for it! It appears that recently it broke though so I'm currently
looking into it.
The main issue is passing through the usernames from the host to the container. For
example, if you do "docker -u dirsrv:dirsrv ..." then the "dirsrv"
user in the container needs to exist and have matching uid/gid. But that's not
something we can fix or influence sadly, that's something that the operator needs to
resolve.
The currently broken functionality is using bare uid/gid, which is how systems like k8s do
it, and it appears we have a regression there. I'm looking at it in the next few days
and we'll go from there.
If you have any other container questions or issues, please let us know so we can resolve
them!
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia