On Fri, Mar 22, 2024 at 5:03 PM Tero Saarni <tero.saarni@gmail.com> wrote:
On Fri, Mar 22, 2024 at 3:46 PM Alexey Tikhonov <atikhono@redhat.com> wrote:
Is this a "single UID" container (i.e. SSSD and client apps run under the same UID within container namespace)?
What do you use as an entry point of the container / how do you manage (start of) multiple processes?

What authentication means do you use?
If this is Kerberos, does your app use TGT acquired during authentication?

Yes, single UID container with simple init (no systemd). Both SSSD and client applications run within the same container. In our use case we use only LDAP domains for now, no Kerberos.


What platform is this? Is it still
```
The container is executed in OpenShift cluster which does not allow running as root inside container.
```
as in your original email in this thread?

JFTR: OpenShift should eventually get https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/README.md (i.e. 'user namespaces' support) so that a pod fully restricted in the host namespace can be run fully unrestricted in the container user-ns (including running with uid=0 in the container namespace while uid!=0 in the host namespace).

Having said that, and taking into account that 'user-ns' support isn't available yet, you might want to try builds from https://copr.fedorainfracloud.org/coprs/g/sssd/nightly/: currently the Fedora rawhide, CentOS Stream 9 and RHEL 9 packages there are built with '--with-sssd-user=sssd', and the main SSSD process can be run directly under the 'sssd' user.

Since you don't need Kerberos / handle keytabs and user TGTs, it should work out of the box.

Your feedback and observations are welcome.