LDAP authentication in Docker container


Problem description

By default, when a Docker container is started, the user inside is sudo.

I want to:

  1. Lock the sudo user in the container by default.
  2. Use LDAP authentication in the container instead of the default (where the user is either shipped with the image or created by the sudo user while the container is running).

For that, I ran a container and configured it to communicate with an LDAP server. Next, I created an image from this container.

Now, I can run a container using this image (but only as a sudo user) and perform `su LDAP_USER` to change the current user to the LDAP user. However, when I try to run the container with `-u LDAP_USER`, I get an error that the user does not exist.

So the question is: is it possible to use LDAP authentication to run containers with `-u LDAP_USER`? Maybe I can somehow use the host machine to do that?

Thanks.

Recommended answer

I would recommend just using the `USER` directive within the Docker build file and avoiding installing the sshd daemon (I imagine configuring the latter would be the way to enable the feature you're looking for).

In other words, by all means run processes as non-root system users, but never interactively log in to the container. This latter point means you don't need to worry about supporting LDAP-based authentication.

The best control you can have against a particular risk is to remove the risk.
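The answer's recommendation, as an added example that is not part of the original answer: a Dockerfile that creates a dedicated unprivileged system account at build time and switches to it with `USER`, so the container's main process never runs as root and no interactive login (sshd, LDAP/PAM) is needed. The base image, the `app` account name, UID/GID 10001 and the `run.sh` entrypoint are assumptions chosen for the example.

```dockerfile
# Added example, not code from the original post. Base image, account name,
# UID/GID and entrypoint are assumptions.
FROM debian:bookworm-slim

# Create an unprivileged system account with a fixed UID/GID.
# --system gives it no password; /usr/sbin/nologin as the shell makes the
# "never log in interactively" intent explicit.
RUN groupadd --system --gid 10001 app \
 && useradd --system --uid 10001 --gid app \
            --home-dir /app --shell /usr/sbin/nologin app

WORKDIR /app

# Ship the application owned by the unprivileged account rather than root,
# so it can read its own files without any later chown at runtime.
COPY --chown=app:app . /app

# From here on, the remaining build steps and the container's main process
# run as this account instead of root.
USER app

CMD ["./run.sh"]
```

After `docker build -t app .`, a plain `docker run app` starts the process as UID 10001, and `docker exec <container> id` shows `uid=10001(app)`. This also explains the error in the question: `docker run -u NAME` resolves `NAME` against the image's own `/etc/passwd`, not against an LDAP directory, so `-u app` works here while `-u LDAP_USER` fails; a numeric `-u 10001:10001` is accepted even when no passwd entry exists. Adding a fixed account to the image, as above, is the simplest way to make the name resolvable without wiring directory authentication into the container.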
