On (26/11/20 16:21), Tero Saarni wrote:
> I'm trying to run SSSD inside a docker container without a root user. The
> container is executed in an OpenShift cluster which does not allow running as root.
> SSSD requires root and checks for this specifically.
> Is there any workaround for this?
> I believe the limitation is implemented for security reasons, in order to have
> the most critical parts executed as root and have it drop privileges for other
> parts, but this now completely blocks using SSSD in the above environment.
There is a way to run sssd as non-root, but /usr/sbin/sssd still requires a
bunch of Linux capabilities to achieve that.
Here is the list: audit_write chown dac_override dac_read_search fowner
ipc_lock kill net_admin setgid setuid sys_admin sys_nice sys_resource
# sys_resource is optional and not needed with default configuration
And an OpenShift unprivileged pod has just the following capabilities:
chown, dac_override, fowner, fsetid, setpcap, net_bind_service, net_raw, sys_chroot
The following two are the most problematic: setgid setuid,
but they are removed from the default set in OpenShift.
You would need to run sssd with a different security context than restricted.
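As an added example (not code from the thread or from the SSSD project), the following script turns the two capability lists above into a check a practitioner can run inside a container: it builds the bit mask for the restricted-SCC set, compares it with the set the reply says sssd needs, and also reads the bounding set of the current process from /proc/self/status. Capability bit numbers are taken from linux/capability.h; the "restricted" mask is constructed from the list in the reply, not read from a real cluster.

```shell
#!/usr/bin/env bash
# Added example: compare a container's capability bounding set with the set
# the reply above lists for running sssd as non-root.
set -eu

# Capabilities the reply says /usr/sbin/sssd needs (sys_resource is optional).
SSSD_REQUIRED_CAPS="audit_write chown dac_override dac_read_search fowner ipc_lock kill net_admin setgid setuid sys_admin sys_nice sys_resource"

# Constructed from the reply: what an OpenShift restricted-SCC pod gets.
OPENSHIFT_RESTRICTED_CAPS="chown dac_override fowner fsetid setpcap net_bind_service net_raw sys_chroot"

# Capability name -> bit number in the CapBnd/CapEff masks (linux/capability.h).
cap_bit() {
  case "$1" in
    chown) echo 0 ;; dac_override) echo 1 ;; dac_read_search) echo 2 ;;
    fowner) echo 3 ;; fsetid) echo 4 ;; kill) echo 5 ;; setgid) echo 6 ;;
    setuid) echo 7 ;; setpcap) echo 8 ;; net_bind_service) echo 10 ;;
    net_admin) echo 12 ;; net_raw) echo 13 ;; ipc_lock) echo 14 ;;
    sys_chroot) echo 18 ;; sys_admin) echo 21 ;; sys_nice) echo 23 ;;
    sys_resource) echo 24 ;; audit_write) echo 29 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# Build a hex mask (no 0x prefix, like /proc/<pid>/status) from a list of names.
caps_to_mask() {
  local mask=0 name bit
  for name in $1; do
    bit=$(cap_bit "$name")
    mask=$(( mask | (1 << bit) ))
  done
  printf '%x\n' "$mask"
}

# Print, space-separated, the sssd capabilities absent from a hex mask.
missing_caps() {
  local mask=$(( 0x$1 )) name bit missing=""
  for name in $SSSD_REQUIRED_CAPS; do
    bit=$(cap_bit "$name")
    if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
      missing="$missing $name"
    fi
  done
  printf '%s\n' "${missing# }"
}

# Bounding set of the current process, as the kernel reports it.
current_capbnd() {
  awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

restricted=$(caps_to_mask "$OPENSHIFT_RESTRICTED_CAPS")
echo "restricted SCC mask: 0x$restricted"
echo "missing for sssd:    $(missing_caps "$restricted")"
if [ -r /proc/self/status ]; then
  here=$(current_capbnd)
  echo "this process CapBnd: 0x$here"
  echo "missing here:        $(missing_caps "$here")"
fi
```

Run it inside the pod to see which capabilities the security context actually grants; for the restricted set in the reply it reports everything except chown, dac_override and fowner as missing, which is why a custom SCC (or a different security context) that adds at least setuid and setgid is needed before sssd can drop privileges on its own.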