On Fri, Mar 22, 2024 at 5:03 PM Tero Saarni <tero.saarni(a)gmail.com> wrote:
> On Fri, Mar 22, 2024 at 3:46 PM Alexey Tikhonov <atikhono(a)redhat.com> wrote:
> > Is this a "single UID" container (i.e. SSSD and client apps run under the
> > same UID within container namespace)?
> > What do you use as an entry point of the container / how do you manage
> > (start of) multiple processes?
> >
> > What authentication means do you use?
> > If this is Kerberos, does your app use TGT acquired during authentication?
> >
> Yes, single UID container with simple init (no systemd). Both SSSD and
> client applications run within the same container. In our use case we use
> only LDAP domains for now, no Kerberos.
What platform is this? Is it still
```
The container is executed in OpenShift cluster which does not allow running
as root inside container.
```
as in your original email in this thread?
JFTR: OpenShift should eventually get
https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-...
(i.e. 'user namespaces' support) so that a pod fully restricted in the host
namespace can be run fully unrestricted in the container user-ns (including
running with uid=0 in the container namespace while uid!=0 in the host namespace).
Having said that, and taking into account that 'user-ns' support isn't available
yet, you might want to try builds from
https://copr.fedorainfracloud.org/coprs/g/sssd/nightly/ : currently the Fedora
rawhide, CentOS Stream 9 and RHEL 9 packages there are built
'--with-sssd-user=sssd' and the main SSSD process can be run directly under
the 'sssd' user.
Since you don't need Kerberos / handle keytabs and user TGTs, it should
work out of the box.
Your feedback and observations are welcome.
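The user-namespace situation described above (uid=0 inside the container while the host sees a non-root uid) is visible from the kernel's `/proc/<pid>/uid_map`, whose lines read `<inside-start> <outside-start> <count>`. The following POSIX sh snippet is an added example, not code from this thread or from the SSSD project: it translates a container uid to the host uid a given map would assign and classifies the map as identity (no remapping, uid 0 really is host root), remapped, or unmapped. The two sample maps are constructed for illustration; pass `--self` to inspect the running process's own mapping.

```shell
#!/bin/sh
# Added example: interpret /proc/<pid>/uid_map entries.
# Each line is "<inside-start> <outside-start> <count>"; a uid that falls in
# [inside-start, inside-start + count) maps to outside-start + (uid - inside-start).

# map_host_uid MAP_TEXT INSIDE_UID
# Prints the host uid for INSIDE_UID, or "unmapped" when no range covers it.
map_host_uid() {
    uid=$2
    result=$(printf '%s\n' "$1" | while read -r inside outside count; do
        # skip blank or malformed lines (fewer than three fields)
        [ -n "$count" ] || continue
        if [ "$uid" -ge "$inside" ] && [ "$uid" -lt $((inside + count)) ]; then
            echo $((outside + uid - inside))
            break
        fi
    done)
    echo "${result:-unmapped}"
}

# userns_state MAP_TEXT
# "identity": uid 0 maps to host uid 0 (no user namespace remapping)
# "remapped": uid 0 maps to a non-root host uid (the user-ns case from the thread)
# "unmapped": uid 0 has no mapping at all
userns_state() {
    host=$(map_host_uid "$1" 0)
    case "$host" in
        unmapped) echo unmapped ;;
        0)        echo identity ;;
        *)        echo remapped ;;
    esac
}

# Constructed sample maps (not captured from a real cluster):
# the initial namespace's identity map, and a 65536-uid remap starting at 100000.
IDENTITY_MAP="         0          0 4294967295"
REMAPPED_MAP="         0     100000      65536"

if [ "${1:-}" = "--self" ]; then
    # Inspect the mapping of this very process.
    userns_state "$(cat /proc/self/uid_map)"
fi
```

Running `sh script.sh --self` inside a pod prints `identity` when the container's uid 0 would be host root (the situation OpenShift's restricted SCC refuses) and `remapped` once user-namespace support is in place; `map_host_uid` is the piece to use when you need to know which host uid an in-container `sssd` user actually corresponds to.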