Docker context over SSH with different user - docker

Is there any way to set up a docker context such that I can execute docker commands as another user on a remote box? I have a setup such that I ssh to a remote box as my own username, then interact once on that box with docker using a separate user which is in the docker group (with sudo -u userNameHere).
I'm hoping to be able to use docker contexts to deploy stuff on the box without having to SSH in directly, however it seems like this additional user step may make that impossible. Is there a way to do this, or am I stuck SSHing in for now?

You can modify ~/.ssh/config so you always connect to some host(s) as a different user:
Host example.com *.example.com
    # %h is the host name as typed; a fixed "HostName example.com" here would send every matching host to example.com
    HostName %h
    IdentityFile ~/.ssh/id_rsa
    User admin
The above will make your ssh client connect to example.com, or to any server that matches *.example.com (server1.example.com, for instance), as the user admin.
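How the ssh client turns a host name into an effective User and HostName under a config like this, as an added example (not code from the answer above; the config texts and the names admin and deploy are constructed). ssh keeps the first value it obtains for each keyword while reading stanzas top to bottom, which is why a HostName pinned inside a wildcard stanza sends every matching host to the same machine, and why a catch-all "Host *" must come last:

```python
"""How ssh resolves a host against ~/.ssh/config, added here as an example (not code
from the answer above): stanzas are read top to bottom and, for each keyword, the
FIRST value obtained from a matching Host line wins, so a catch-all "Host *" must
come last. The config texts below are constructed for illustration."""
import re

KEYWORDS = ("user", "hostname", "identityfile")   # the keywords this example reports

def _pattern_to_regex(pattern):
    """ssh Host patterns know only the '*' and '?' wildcards."""
    return "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                         for c in pattern) + "$"

def _host_matches(patterns, host):
    """A Host line matches when some pattern matches and no negated (!pattern) one does."""
    matched = False
    for pat in patterns:
        hit = re.match(_pattern_to_regex(pat.lstrip("!")), host) is not None
        if pat.startswith("!") and hit:
            return False
        matched = matched or (hit and not pat.startswith("!"))
    return matched

def resolve(config_text, host):
    """Effective user/hostname/identityfile for `host`. Missing keys fall back to ssh's
    defaults: hostname is the name as typed; user and identityfile are None (the local
    user name and the default key files)."""
    values = {}
    applies = True                    # keywords before any Host line apply to every host
    for raw in config_text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:
            continue                  # blank, comment, or a keyword without a value
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            applies = _host_matches(value.split(), host)
        elif key == "match":
            raise NotImplementedError("Match blocks are not handled in this example")
        elif applies and key in KEYWORDS and key not in values:
            values[key] = value       # first obtained value wins; later stanzas cannot override
    return {"user": values.get("user"),
            "hostname": values.get("hostname", "%h").replace("%h", host),  # %h = name as typed
            "identityfile": values.get("identityfile")}

# A stanza that pins HostName for the whole wildcard pattern, followed by a
# catch-all that must NOT override it (constructed config, not the asker's).
PINNED_CONFIG = """\
Host example.com *.example.com
    HostName example.com
    IdentityFile ~/.ssh/id_rsa
    User admin

Host *
    User deploy
"""

# Same stanza, but HostName keeps each matched name instead of collapsing onto example.com.
FIXED_CONFIG = PINNED_CONFIG.replace("HostName example.com", "HostName %h")

def compare(host):
    """Where ssh would actually connect, and as whom, under both configs."""
    return {"pinned": resolve(PINNED_CONFIG, host), "fixed": resolve(FIXED_CONFIG, host)}
```

compare("server1.example.com") shows the difference: under the pinned stanza the connection goes to example.com, under the fixed one to server1.example.com, as admin in both cases. The same check against the real client is `ssh -G server1.example.com`, which prints the effective user and hostname after config evaluation. A context created with `docker context create prod --docker host=ssh://server1.example.com` rides on that config, and the account User resolves to is the one that runs docker on the remote side, so it is that login account that needs access to the docker socket.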

Related

Get id of user on host, from a docker

From inside a container, I would like to get the id of a user on the host machine (what the command id -u username would output, from the host).
Is there a way to accomplish this?
I thought I could mount /etc/passwd in the container and grep inside, but unfortunately the users are not listed in this file on our server (possibly related to the LDAP authentication mechanism?).
Thanks
I ended up solving this by mounting the host folder /home on my container and getting the id of the owner of the user's home dir /home/<user>.
There's no way to get information about host users from inside a container. A design goal of Docker is that the host and containers are isolated from each other. A container has no concept of a host user; from the Docker daemon's point of view, Docker doesn't even really know which user requested that a container be launched.
(This is doubly true if your host authentication system is something more complicated like an LDAP setup: a container simply may not have the tools or credentials required to query it, and the isolation means there's no way to somehow delegate to the host.)
If a principal goal of your application is to interact with host users, or the host filesystem, or you otherwise actively don't want Docker's isolation features, it's better to run your program outside of Docker.

How to protect server tunneling request in Docker?

Problem statement:
On a standalone on-prem server, using nvidia-docker. Whenever users create a new environment, they can potentially open up any port to all traffic from the outside world (bypassing our client firewall) if they don't specify localhost variables.
So, how do we protect against such server tunneling requests and instead make them open just for localhost? Any thoughts/ideas?
You can't give untrusted users the direct ability to run docker commands. For instance, anyone who can run a Docker command can run
docker run --rm -v /:/host busybox cat /host/etc/shadow
and then run an offline password cracker to get your host's root password. Being able to bypass the firewall is probably the least of your concerns.

How to add credential for `docker exec` command

I have created a docker container from the ubuntu image. Other users can attach to this container with docker exec -it CONTAINER_ID bash. Is there a way to add a username and password for this command? I don't want my container to be accessed by other users. I want that when users execute the docker exec command to attach to my container, it prompts them for a username and password. Users can only attach to it after entering a correct username and password, just like what ssh does.
Access to the docker socket (which is used by the docker command line) should be treated as sysadmin-level access to the host and all containers being run on that host.
You can configure the docker daemon to listen on a port with TLS credentials and validation of client certificates. However, once a user has access to any docker API calls, they would have access to them all, and without any login prompts.
You could try a third-party plugin provided by Twistlock that implements the authz plugin for docker. This will let you limit access to the exec call to specific TLS client certificates. However, it will not limit which containers they can exec into.
Probably the closest to what you want comes with Docker's EE offering, specifically UCP. It's a commercial tool, but they provide a different API entrypoint that performs its own authentication, including the option for a user/password with web based requests, and RBAC security that lets you limit access to calls like exec to specific users and specific collections of containers.
If you wanted to do this from the container side, I'm afraid that won't work. Exec is run as a Linux exec syscall directly inside the container namespace, so there's nothing inside the container you could do to prevent that sort of access. The best option is to remove any commands from your image that you don't want anyone to be able to run in the container.

How to set password to a docker container

I have created a docker container and it's accessible to everyone in the network. So is there any way that I can set up authentication for a particular container? As I am new to this technology, please help me. Thanks in advance.
I checked the man page and it shows login as an option. Will it help me in this situation?
There is already an answer for a similar question which can cover yours. Take a look at Docker: What is the simplest way to secure a private registry?.
In short:
# Run the registry on the server, allow only localhost connection
docker run -p 127.0.0.1:5000:5000 registry
# On the client, setup ssh tunneling
ssh -N -L 5000:localhost:5000 user@server

Docker user authentication against LDAP over SSL

I want to add Authentication and Authorization for the docker daemon for more security.
use case :-
Any command can be issued to the docker daemon only by a valid user, and only if that user has the rights to execute the command. Here I want to use LDAP for user authentication.
Q :- Does docker have integration with LDAP for the above use case? If not, is there any workaround to do this?
I want help on how to proceed on this; some starters will help.
Please advise me. Thanks for answer !
One way to protect the docker daemon is to give access to the socket file only to users who should have access. Docker uses a group called docker, so adding a user to this group gives access to all docker commands: gpasswd -a user docker. This however does not restrict the commands a user can run.
If you'd prefer LDAP authentication and restriction on commands, take a look at Docker remote API which is used internally by docker client as well. You can use it to control docker daemon, add your own authentication, restriction on commands, etc.
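Added example, not code from any answer on this page nor from Twistlock or Docker EE: a minimal Docker authorization (authz) plugin in Python, showing concretely what "add your own restriction on commands" at the API level looks like and how the authz hook mentioned in the docker exec question works. It denies exec to anyone but listed TLS client identities, refuses container creates that bind-mount host paths outside an allowed prefix (the `-v /:/host` shadow-reading trick from the tunneling question), and refuses published ports not bound to 127.0.0.1 (the registry-on-localhost pattern). Endpoint paths and JSON fields follow Docker's authz plugin protocol; the user name alice, the prefix /srv/data/, the plugin name demo-authz and the port 8800 are assumptions, and the sample requests are constructed.

```python
"""Docker authorization (authz) plugin, added as an example; it is not code from the answers
above, from Twistlock or from Docker EE/UCP. dockerd POSTs every API call to
/AuthZPlugin.AuthZReq: User is the TLS client-cert identity (empty over the local socket) and
RequestBody is base64 because the daemon sends a Go []byte. Rules: only listed users may run
docker exec; bind mounts must come from an allowed prefix; published ports must bind to loopback."""
import base64
import json
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

EXEC_ALLOWED_USERS = {"alice"}            # assumed CNs of permitted client certificates
ALLOWED_BIND_PREFIXES = ("/srv/data/",)   # assumed: the only host directory containers may bind
EXEC_CREATE = re.compile(r"^/(v[\d.]+/)?containers/[^/]+/exec$")
CONTAINER_CREATE = re.compile(r"^/(v[\d.]+/)?containers/create$")

def _decode_body(req):
    """JSON body as a dict ({} when absent), or None when it cannot be parsed."""
    try:
        cfg = json.loads(base64.b64decode(req.get("RequestBody") or "") or b"{}")
    except ValueError:              # binascii.Error and JSONDecodeError both subclass it
        return None
    return cfg if isinstance(cfg, dict) else None

def _disallowed_bind(cfg):
    """First bind-mount host path outside ALLOWED_BIND_PREFIXES, else None. normpath folds
    "/.." and "/srv/data/../etc"; the appended "/" keeps "/srv/database" from matching."""
    host = cfg.get("HostConfig") or {}
    sources = [b.split(":", 1)[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in host.get("Mounts") or [] if m.get("Type") == "bind"]
    for src in sources:             # sources without a leading "/" are named volumes
        if src.startswith("/") and not (os.path.normpath(src) + "/").startswith(ALLOWED_BIND_PREFIXES):
            return src
    return None

def _publishes_beyond_loopback(cfg):
    host = cfg.get("HostConfig") or {}
    if host.get("PublishAllPorts"):
        return True                 # -P publishes on every interface
    for bindings in (host.get("PortBindings") or {}).values():
        for b in bindings or []:
            if (b or {}).get("HostIp", "") not in ("127.0.0.1", "::1"):
                return True         # an empty HostIp means 0.0.0.0
    return False

def authorize(req):
    """Decide one AuthZReq payload; returns (allow, message)."""
    method = req.get("RequestMethod", "")
    uri = (req.get("RequestUri") or req.get("RequestURI") or "").split("?", 1)[0]
    user = req.get("User") or ""
    if method == "POST" and EXEC_CREATE.match(uri):
        if user in EXEC_ALLOWED_USERS:
            return True, ""
        return False, "exec not permitted for user %r" % user
    if method == "POST" and CONTAINER_CREATE.match(uri):
        cfg = _decode_body(req)
        if cfg is None:
            return False, "container config could not be parsed"   # fail closed
        bad = _disallowed_bind(cfg)
        if bad is not None:
            return False, "bind mount from %s is not permitted" % bad
        if _publishes_beyond_loopback(cfg):
            return False, "published ports must bind to 127.0.0.1"
    return True, ""                 # everything else passes through to dockerd

def sample_requests():
    """Constructed AuthZReq payloads mirroring the commands discussed on this page."""
    def create(cfg):
        return {"User": "bob", "RequestMethod": "POST", "RequestUri": "/v1.41/containers/create",
                "RequestBody": base64.b64encode(json.dumps(cfg).encode()).decode()}
    def port(ip):
        return {"PortBindings": {"5000/tcp": [{"HostIp": ip, "HostPort": "5000"}]}}
    def exec_(user):
        return {"User": user, "RequestMethod": "POST", "RequestUri": "/v1.41/containers/abc123/exec"}
    return {
        "shadow_trick": create({"Image": "busybox", "Cmd": ["cat", "/host/etc/shadow"],
                                "HostConfig": {"Binds": ["/:/host"]}}),
        "data_volume": create({"Image": "busybox", "HostConfig": {"Binds": ["/srv/data/app:/app:ro"]}}),
        "registry_loopback": create({"Image": "registry", "HostConfig": port("127.0.0.1")}),
        "registry_everywhere": create({"Image": "registry", "HostConfig": port("")}),
        "exec_alice": exec_("alice"), "exec_bob": exec_("bob"),
    }

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):              # the plugin protocol; every decision comes from authorize()
        payload = json.loads(self.rfile.read(int(self.headers.get("Content-Length") or 0)) or b"{}")
        if self.path == "/Plugin.Activate":
            reply = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            allow, msg = authorize(payload)
            reply = {"Allow": allow, "Msg": msg}
        elif self.path == "/AuthZPlugin.AuthZRes":
            reply = {"Allow": True}     # response filtering is not shown here
        else:
            self.send_error(404)
            return
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":          # assumed: /etc/docker/plugins/demo-authz.spec holds tcp://127.0.0.1:8800
    HTTPServer(("127.0.0.1", 8800), Handler).serve_forever()   # dockerd --authorization-plugin=demo-authz
```

Two caveats worth keeping in mind. The User field is only populated when dockerd authenticated the caller by TLS client certificate; over the unix socket it is empty, so the exec rule denies everyone there, and the plugin cannot authenticate anyone itself, which is why an LDAP login still needs something in front of the daemon rather than behind it. And this policy says nothing about --privileged, --pid=host or the many other ways a container create can reach the host, so it is a demonstration of the hook, not a complete boundary; as the answers above say, anyone with unrestricted API access is root on the host.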
