#2151 [RFE] Integrate SSSD with containers
Closed: Fixed None Opened 5 years ago by dpal.

Containers are becoming really hot last several months. It becomes apparent that we need to react sooner rather than later. I have been having different discussions with groups working on containers.
Here are the to main use cases we need to address:

- Serving different identity data to the processes running in two different containers
- When user SSH into a machine and into a container SSSD should be able to enforce HBAC rules.

We can probably fork this into several tickets in future.

Based on the recent discussion with container engineers the recommendation was to leverage environment variables with something like the following

a. When container is started we assume that there is an env var CONTAINER_NAMESPACE (for example)
b. When a process connects to SSSD it will look at the peer process on the other side of the socket.
c. Then it will check that the process is running inside a container. There is no call to do this yet. There are couple options: to traverse /proc/pid/cgroup and determine when container the process belongs to or to ask systemd to implement a call. This needs to be sorted out as traversing /proc seems like a hack (though several people independently suggested this). Assume we got a container ID as a result of this lookup.
d. Using this ID we will ask docker about the CONTAINER_NAMESPACE
variable and use its value to determine SSSD source/domain (or sources) to use. See "inspect" call in the docker API:
http://docs.docker.io/en/latest/api/docker_remote_api_v1.6/
e. If variable not set or the process is not inside a container SSSD
will use reasonable defaults.

This effort is somewhat related to #1021 and to have ability to serve different source/domains to different applications running on the system.

For the SSH case it seems that every container needs to be exposed as a virtual host. The we would be able to apply all the HBAC rules. It is unclear how this will be accomplished so we need to continue a discussion.

This ticket absolutely requires a design. The ideas above are triaged with container guys but still need to be more formally recorded and reviewed.


Docker containers are mostly used as lightweight VMs. Wouldn't this be more targeted at other containerized environments like OpenShift?

Adding Jan P. as well.

Fields changed

cc: => jpazdziora@redhat.com

On 11/14/2013 10:15 AM, Daniel P. Berrange wrote:

On Thu, Nov 14, 2013 at 09:07:37AM -0600, Josh Poimboeuf wrote:

On Thu, Nov 14, 2013 at 09:58:33AM -0500, Aristeu Rozanski wrote:

On Wed, Nov 13, 2013 at 06:13:06PM -0500, Dmitri Pal wrote:

  • Is there an easy call to see if a process on the other side of the
    socket is running in a container and in which one?
    High level you could use libvirt for that.
    Which libvirt interface would give this? I looked but didn't see one.
    There isn't one to report this, but conceivably one could be designed.

If it'll be implemented manually, checking process' cgroup in proc and
/proc/<pid>/ns/* files to determine which namespaces it's attached on.
True, though how would you convert the namespace id to a docker or
libvirt container name?
I don't think you'd want to try such a conversion - if we wanted this,
you'd want a formal API for it whose semantics could be guaranteed
long term.

Daniel
Yes this is seems like what I am really looking for.

The framework might be not ready for us to use by 1.12.

milestone: NEEDS_TRIAGE => SSSD 1.12 beta

Fields changed

rhbz: => todo

Fields changed

priority: major => blocker

Lukas is working on this effort.

owner: somebody => lslebodn

Moving forward as an ongoing tracker.

milestone: SSSD 1.12 beta => SSSD 1.12.1

Fields changed

milestone: SSSD 1.12.1 => SSSD 1.13 beta

Related ticket - #2438

blockedby: => 2438

Fields changed

mark: => 1

Fields changed

blockedby: 2438 => 2438, 2476

We decided to de-prioritize this effort for the 1.13 upstream release during our face-to-face plannings in Brno. Moving to 1.13 backlog.

milestone: SSSD 1.13 beta => SSSD 1.13 backlog
priority: blocker => major

Mass-moving tickets not planned for the 1.13 release to 1.14

milestone: SSSD 1.13 backlog => SSSD 1.14 beta

Fields changed

cc: jpazdziora@redhat.com => jpazdziora@redhat.com, jheiss@aput.net
sensitive: => 0

There is a separate sssd-docker container in RHEL these days, so this work is done. Additional work should be tracked with separate tickets, but I'm going to close this one.

milestone: SSSD 1.14 beta => SSSD 1.14 alpha
resolution: => fixed
status: new => closed

And fedora version of sssd container is already in docker hub for some time
https://hub.docker.com/r/fedora/sssd/

Metadata Update from @dpal:
- Issue assigned to lslebodn
- Issue marked as depending on: #2261
- Issue marked as depending on: #2438
- Issue marked as depending on: #2476
- Issue set to the milestone: SSSD 1.14 alpha

2 years ago

Login to comment on this ticket.

Metadata