Recently, I began to use docker for my lab’s server. The server is a Linux server with Ubuntu server 18.04 installed. Users’ login authentication is using Windows Active Directory (AD). My current solution to run non-root docker is by adding users to the docker group.
However, I found a severe security problem. AD user A can run a docker container as any other user B by docker run -u B's uid:B's gid. In the container, A can get all of B’s permissions.
The proper way to run non-root docker may be the newly introduced ‘Rootless mode’. The problem is that rootless mode needs newuidmap and newgidmap, but AD users are not listed in /etc/passwd, /etc/subuid, etc., which means neither rootless mode nor userns-remap mode can be used in my situation (i.e. AD auth).
Is there any method to tackle this issue? Thanks so much.
Best.
StackOverflow post: link
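The post's second obstacle is that rootless mode requires a subordinate uid/gid range for the invoking user plus the setuid newuidmap/newgidmap helpers. The following script is an added example (not from the original post or from Docker) that audits exactly those prerequisites for a given account, so an administrator can see at a glance which users could be moved off the docker group and onto rootless mode. The subuid/subgid contents are constructed sample data written to a temporary directory; the file paths, the user names localuser and aduser, and the function names are assumptions for the example. On a real host point SUBUID_FILE and SUBGID_FILE at /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example: check rootless-docker prerequisites for a user.
# Not part of the original post; assumptions are noted inline.

# Constructed sample data (assumption): one local user has a range,
# the AD-backed user does not, mirroring the situation in the post.
SAMPLE_DIR="${TMPDIR:-/tmp}/rootless-check.$$"
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SUBUID_FILE="$SAMPLE_DIR/subuid"   # real host: /etc/subuid
SUBGID_FILE="$SAMPLE_DIR/subgid"   # real host: /etc/subgid
printf 'localuser:100000:65536\n' > "$SUBUID_FILE"
printf 'localuser:100000:65536\n' > "$SUBGID_FILE"

# has_subid_range FILE USER
# Returns 0 if USER owns a "user:start:count" line in FILE, 1 otherwise.
# The user name is anchored at line start; plain account names only.
has_subid_range() {
    grep -q "^$2:" "$1"
}

# rootless_ready USER
# Returns 0 only when USER has both a subuid and a subgid range, which is
# what newuidmap/newgidmap consult when rootless dockerd sets up its userns.
rootless_ready() {
    has_subid_range "$SUBUID_FILE" "$1" && has_subid_range "$SUBGID_FILE" "$1"
}

# newidmap_present
# Returns 0 if the setuid helper binaries are installed (the uidmap package
# on Ubuntu); their absence alone blocks rootless mode for every user.
newidmap_present() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# report USER: human-readable summary for an administrator.
report() {
    if rootless_ready "$1"; then
        echo "$1: subuid/subgid ranges present, rootless mode possible"
    else
        echo "$1: no subuid/subgid range, rootless mode not possible"
    fi
}

report localuser
report aduser
if newidmap_present; then
    echo "newuidmap/newgidmap found"
else
    echo "newuidmap/newgidmap missing (install the uidmap package)"
fi
```

Because directory-backed accounts never appear in the subordinate-id files, the script reports the AD user as not rootless-ready, which is the gap the post describes; the same check can be run over every member of the docker group to size the exposure before deciding on a remediation.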