-
Notifications
You must be signed in to change notification settings - Fork 252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sssd container support #5443
Comments
Hi, @holmanb (I know it's been a long since you reported this, but just in case if you would be available to answer) what was your use case, why SSSD didn't fit and what was the issue with running SSSD in the container? While no 'ready to use' image was provided (mostly due to lack of demand / understanding of use cases), some folks were building such containers for their needs (see for example: https://blog.rook.io/prototyping-an-nfs-connection-to-ldap-using-sssd-7c27f624f1a4) |
I suppose the use case would be 6G. We want to use kubernetes to basically have a situation where there is a load on the network for example a football game or concert we can scale up the number of replicas to meet demand as networks are generally bottlenecked by backend compute rather than the cell phone towers themselves. The cell phone towers use sssd/sshd/vsftpd to synchronize state, handle cell phone calls etc. Unfortunately countries have gotten more strict in what they allow to be running on a network and have pretty much mandated that non-root is mandatory. KR Dave |
Hi @davidmather, thank you.
Could you please provide very high level arch overview (if possible)?
'non-root' - where / what does it actually mean? |
No we have this already they are looking for Openshift restricted-v2. SSSD doesn't require unrestricted capabilites even with the old version (we have a capabilities testing tool). Just chmod u+s sssd sshd vsftpd. We have a timeline for early 2025 for everything to be fixed so we have kind of left this on the long finger as we have 100+ other containers to implement that don't require sssd but now we have approx 30 left so pressure back on to fix this.
**eccd@director-0-ccd-c16c002:~> kubectl exec -it filetransferservice-5f8d497659-j7bkd -- bash |
It's not exactly what I meant. Well, I think it's a matter of time when Openshift gets https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/README.md , so you should be able to restrict (revoke all capabilities) your pod in the host namespace but keep running your container (more or less) using just 'hostUsers = false'
So you have everything packed into a single systemd based container... What 'auth_provider' is used in your sssd.conf? |
Yes this is true the plan is to either replace systemd with catatonit https://github.com/openSUSE/catatonit or remove it entirely and cron with https://github.com/aptible/supercronic vsftpd + sshd have coding issues that I am looking into at the moment. (mostly to do with the use of chroot which could be swapped for kubernetes subpaths.)
filetransferservice-5f8d497659-j7bkd:/ # cat /etc/sssd/sssd.conf [pam] [nss] Allow for offline logins by locally storing password hashes (default: false).cache_credentials = truefiletransferservice-5f8d497659-j7bkd:/ # cat /etc/sssd/conf.d/ldap_remote.conf Allow for offline logins by locally storing password hashes (default: false).cache_credentials = true |
It did (and some bits still do). Depending on build config, sssd-2.9- versions might use CAP_CHOWN, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_SETGID, CAP_SETUID, ... in specific code paths.
This already requires CAP_SETUID for pod. As I understand it, you have two options:
This makes things easier. You don't need Kerberos, so don't need 'krb5_child'/'ldap_child' (and 'selinux_child') -- those are the only helpers that still want some capabilities in sssd-2.10: Line 20 in 0d5e8f1
What base image do you use? |
No u+s doesn't use CAP_SETUID just allowPrivilegeEscalation: true. However to avoid SETUID we are modifying the Kubernetes ingress to route packets based on the UID required. So you would have a container for each user with the correct subpaths specified for that user then avoid calling setuid entirely.
We can run vsftpd/sshd without any capabilities/privileges assuming the above statement is true and setuid is avoided.
These are generally required due to incorrect filesystem permissions. Are they still required with chmod -R 777 / ?? possibly the files being accessed would need to change
We have a local RHEL mirror and generally build from scratch and pull in the RPMs we need. |
Maybe.
Probably... mostly.
SSSD will refuse to start if, for example, sssd.conf is readable by all. There are might be other catches. |
Sure will take a look and get back to you. It will probably be next week as my working day is over. |
I am seeing sss_log.c has the following vsylog calls hardcode /dev/log which cannot be accessed without CAP_DAC_READ_SEARCH, CAP_FOWNER Can the syslog calls be replaced with a port or file based logger?
There is also
in pam_sss_gss.c |
That's a great topic - what to do with logging in the container. Historically SSSD has two log facilities: Line 135 in 0d5e8f1
(2) Line 184 in 0d5e8f1
(1) is used to "log everything" for debugging (for example, a tricky misconfiguration or a bug in SSSD).
-- selected by '--logger' command line option of main 'sssd' process. It's typically set to 'files' (by default). (2) is used to log most important notices to sysadmins, typically requiring immediate action (there are might be cases of misuse though)
-- selected at build time by ./configure option '--with-syslog=syslog|journald' (not configurable at runtime) (2) is a tiny subset of (1) I'm not fluent with containers, but IIUC typical approach is that app logs to stdout and then container runtime takes care of everything else. But this naturally also requires "single container - single app" approach. The question is: what would be equivalent (if needed) for SYSLOG's LOG_CRIT/LOG_ALERT/SSS_LOG_EMERG in container use case? One solution could be to introduce |
There are 3 main ways
syslog.conf
Syslog config
Syslog config
Arguably version 2 is the best because the container can have a readOnlyRootFilesystem and syslog running in a sidecar in all cases logs can be pushed directly to elasticsearch. https://www.elastic.co/blog/openshift-container-logs-red-hat-logging-operator Logging only to stdout/stderr is discouraged while "kubectl logs" will show the most recent logs for anything that could run for a long time there is a risk that the relevant logs will not be maintained if there is a lot of logs and it is difficult to get a coherent picture of a single applications logs since everything is writing to the one place. |
Just a quick update: before touching 'syslog' based logger, I wanted to have a build that doesn't require 'systemd' stuff (ideally "unprivileged" container shouldn't have 'systemd' installed).
and SSSD uses 'libdbus' for implementation of own internal dbus server/clients (https://github.com/SSSD/sssd/tree/master/src/sbus) |
Actually...
Why? |
FWIW, I added |
Why? We have moved the system logger to /tmp/sock because the /dev/log socket requires root to create a socket in that folder on kubernetes but not /tmp. in rsyslog.conf it looks like. Sorry for the late reply I am kept very busy. |
Ah, so that's not about unprivileged SSSD accessing this socket (this shouldn't be an issue), but about socket creation itself. "/dev/log" is hard coded in glibc: But isn't it possible to create socket in advance while creating container image? Anyway, does '--with-syslog=stdout' ./configure option (#7262) work for your use case? |
@davidmather , ping |
Outside of the , it appears that authenticating a containerized service via sssd requires running
sssd
on the host and bind mounting/var/lib/sss/pipes/
into the container. While this works, it limits containerized auth to a single set of domains, which doesn't allow multi-tenancy.It appears that , however that proposal currently sits in the and a quick grep of the codebase and open issues leaves no indication that this issue has been worked on, or is being looked at. Is there some other approach to solving this problem that I haven't found documentation for perhaps?
I assume that the benefits of supporting the broader containerization ecosystem would be twofold - wider adoption and greater community contribution. As it stands, it doesn't appear that
sssd
fits my needs, though I would love to see this as a feature in sssd.The text was updated successfully, but these errors were encountered: