On Thu, Mar 21, 2024 at 10:04 PM Tero Saarni <tero.saarni(a)gmail.com> wrote:
> On Thu, Mar 21, 2024 at 10:21 PM Alexey Tikhonov <atikhono(a)redhat.com> wrote:
> > It's been a while but... quite a lot of work has been done: see
> > https://github.com/SSSD/sssd/issues/5443#issuecomment-2013505460 for the list
> > and the TODO list in the description of
> > https://github.com/SSSD/sssd/pull/7193 for the remaining bits.
> >
> > Upcoming sssd-2.10 should be capable of running in an unprivileged
> > container without user-ns support (i.e. still OCP, but Kubernetes already
> > has this feature).
> >
> > I could also build a general purpose SSSD container image, but I would
> > need to understand requirements / typical use cases and see an interest /
> > demand for this.
> >
> Very impressive work!
> Not sure if there could be a use case for a *generic* container. At least in
> my use case we add client applications inside the same container

Is this a "single UID" container (i.e. SSSD and client apps run under the
same UID within the container namespace)?
What do you use as an entry point of the container / how do you manage
(the start of) multiple processes?
What authentication means do you use?
If this is Kerberos, does your app use the TGT acquired during authentication?

> , which makes it non-generic. But surely it would be of great value to
> have an *example* of how to configure and run sssd within a non-root
> container for this kind of purpose.
> --
> Tero