LDAP authentication in Docker container


Problem description

By default, when a Docker container is started, the user inside is sudo.

I want to:

  1. Lock the sudo user inside the container by default.
  2. Use LDAP authentication inside the container instead of the default (whether the user is shipped with the image or created by the sudo user while the container is running).

For that, I ran a container and configured it to communicate with the LDAP server. Next, I created an image from this container.

Now, I can run a container using this image (but only as a sudo user) and perform su LDAP_USER to change the current user to the LDAP user. However, when I try to run the container with -u LDAP_USER, I get an error that the user does not exist.

So the question is: Is it possible to use LDAP authentication to run containers with -u LDAP_USER? Maybe I can somehow use the host machine to do that?

Thanks.

Recommended answer

I would recommend just using the USER directive within the Docker build file and avoiding installing the sshd daemon (I imagine configuring the latter would be the way to enable the feature you're looking for).

In other words, by all means run processes as non-root system users, but never interactively log in to the container. This latter point means you don't need to worry about supporting LDAP-based authentication.

The best control you can have against a particular risk is to remove the risk.
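The build file the answer has in mind, as an added example that is not part of the original answer: a dedicated, locked, non-login system account is created at build time and the USER directive switches to it, so the container's process never runs as root and no interactive login (and hence no LDAP/PAM stack inside the container) is needed. The base image, the /opt/app path, the start.sh entrypoint and the uid/gid 10001 are assumptions chosen for the example.

```dockerfile
# Added example, not the original answer's code. Assumes a Debian-based image,
# an application tree copied to /opt/app and an arbitrary fixed uid/gid of 10001.
FROM debian:bookworm-slim

# Create a locked system account with a fixed numeric id.
# --system: no password set and no password aging, so nothing can log in as it;
# /usr/sbin/nologin: blocks interactive su/ssh use even if a shell were reachable.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app \
            --home-dir /opt/app --shell /usr/sbin/nologin app \
 && mkdir -p /opt/app \
 && chown app:app /opt/app

WORKDIR /opt/app
COPY --chown=app:app . /opt/app

# Every later instruction and the container's main process run unprivileged.
USER app:app

CMD ["./start.sh"]
```

Because the account is baked into the image's /etc/passwd, `docker run -u app` resolves, whereas a name that exists only in LDAP (the question's case) is not in that file and triggers the "user does not exist" error; a numeric `-u 10001` needs no passwd entry at all.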
