Docker for beginners and WEB UI

Nick Coghlan ncoghlan at gmail.com
Sat Mar 7 15:43:01 UTC 2015


On 6 March 2015 at 23:15, Colin Walters <walters at verbum.org> wrote:
> On Fri, Mar 6, 2015, at 05:03 AM, Bohuslav Kabrda wrote:
>>
>> This makes me wonder how DevAssistant should approach this. Up until now, DevAssistant just added the invoking user to the "docker" group and then communicated with docker using docker-py library. Now, if we're not supposed to add the user to "docker" group, we can't use the library, because all the calls will fail - or we'd need to ask user to run DevAssistant as root, which is IMO wrong.
>> AFAIK there's no way to elevate DevAssistant permissions temporarily just to do the docker call. So what is the recommended approach to do this? (This is a general problem, I think, for code that needs to communicate with local Docker server.)
>
> There's no easy answer.  Historically, most *local* daemons have been using DBus and PolicyKit for authorization.  Docker is HTTP-based, which means it's easier to remote, but on the other hand, there's no way to do system-local authorization in HTTP.

What level of granularity of "system-local authorization" are you
referring to there? The reason I ask is because my understanding is
that the FreeIPA folks are aiming to enable at least user level local
authorization for web services through sssd. An Apache-focused
write-up of the overall scheme is at
http://www.freeipa.org/page/Web_App_Authentication

Now, the nature of FreeIPA means that's more focused at *org* level
authentication and authorization than local system auth, but it does
provide some interesting possibilities for tinkering with
authorization at the HTTP level. Since Docker really *wants* to be
treated as a remote web service, perhaps it would be feasible to teach
DevAssistant to talk to a local Docker daemon over HTTP, and use some
of the FreeIPA (and perhaps iptables) tooling to automate setting up
appropriate local permissions for it to do that?

Or am I missing something fundamental that makes this an inherently
unworkable idea? (I know it's an overly *complicated* idea, but I don't
think "simple" is one of the options on the table at this point)

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
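The thread turns on two facts: a process without access to the Docker socket sees every docker-py call fail, and the daemon is plain HTTP behind a Unix socket. The following is an added example, not DevAssistant's, Docker's or any poster's code: a Python pre-flight check that explains, from the socket's owner, group and mode bits, why a call would fail before it is attempted, plus a minimal HTTP `/_ping` over the socket using only the standard library. The `/var/run/docker.sock` default and the `/_ping` endpoint are real; the fake daemon, the gid 999 "docker group" and the uid 1000 identity are constructed for the offline demo.

```python
"""Pre-flight checks for a tool that talks to the local Docker daemon.

Added example, not DevAssistant's or Docker's own code. Assumes the daemon
listens on a Unix socket (the /var/run/docker.sock default). The fake daemon
and the sample uid/gid values are constructed for an offline demonstration.
"""
import http.client
import os
import socket
import stat
import tempfile
import threading


def access_decision(mode, st_uid, st_gid, uid, gids):
    """Unix read+write check, as the kernel applies it to open().

    Exactly one class of bits applies: owner if the caller owns the socket,
    else group if the socket's group is in the caller's group set, else other.
    uid 0 bypasses the bits, which is why "run as root" and "join the docker
    group" are security-equivalent: whoever can write to the socket can ask
    the daemon for a container with the host filesystem mounted.
    """
    if uid == 0:
        return True, "uid 0 bypasses mode bits"
    if st_uid == uid:
        bits, who = stat.S_IRUSR | stat.S_IWUSR, "owner"
    elif st_gid in gids:
        bits, who = stat.S_IRGRP | stat.S_IWGRP, "group"
    else:
        bits, who = stat.S_IROTH | stat.S_IWOTH, "other"
    ok = (mode & bits) == bits
    return ok, "%s bits %s read+write" % (who, "grant" if ok else "deny")


def socket_report(path="/var/run/docker.sock", uid=None, gids=None):
    """Report whether the invoking user could reach the socket, and why not."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False, "allowed": False,
                "reason": "no socket at that path (daemon not running?)"}
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else gids
    mode = stat.S_IMODE(st.st_mode)
    allowed, reason = access_decision(mode, st.st_uid, st.st_gid, uid, gids)
    return {"path": path, "exists": True, "is_socket": stat.S_ISSOCK(st.st_mode),
            "mode": oct(mode), "owner_uid": st.st_uid, "group_gid": st.st_gid,
            "allowed": allowed, "reason": reason}


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over AF_UNIX: the daemon speaks plain HTTP on its socket."""

    def __init__(self, socket_path, timeout=5):
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)


def ping(socket_path):
    """GET /_ping, the daemon's liveness endpoint; returns (status, body)."""
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("GET", "/_ping")
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def serve_fake_daemon(socket_path, body=b"OK"):
    """Constructed stand-in for the daemon: answers one request with `body`."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(socket_path)
    os.chmod(socket_path, 0o660)   # docker.sock default mode: rw-rw---- (root:docker)
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)        # request line and headers; contents not needed
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                         % (len(body), body))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()


def demo():
    """Offline run against the fake daemon; returns what each check found."""
    with tempfile.TemporaryDirectory() as d:
        sock = os.path.join(d, "docker.sock")
        serve_fake_daemon(sock)
        # The temp socket is owned by the current user, so its owner bits decide.
        # Constructed identities: uid 1000 against a root-owned socket whose group
        # is gid 999, standing in for a hypothetical docker group.
        return {"report": socket_report(sock), "ping": ping(sock),
                "outsider": access_decision(0o660, 0, 999, 1000, {1000}),
                "member": access_decision(0o660, 0, 999, 1000, {1000, 999}),
                "missing": socket_report(os.path.join(d, "absent.sock"))}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `socket_report()` first lets a tool like DevAssistant fail with a precise message ("group bits deny read+write", "no socket at that path") instead of an opaque connection error, and makes the trade-off visible: the only ways the plain socket grants access are ownership, docker-group membership, or uid 0, and the last two are equivalent in what they hand the caller.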

