Rootless docker with Windows AD authentication

Recently, I began to use docker for my lab’s server. The server is a Linux server with Ubuntu Server 18.04 installed. Users’ login authentication uses Windows Active Directory (AD). My current solution to run non-root docker is to add users to the docker group.

However, I found a severe security problem. AD user A can run a docker container as any other user B with docker run -u <B's uid>:<B's gid>. In the container, A gets all of B’s permissions.

The proper way to run non-root docker may be the newly introduced ‘Rootless mode’. The problem is that rootless mode needs newuidmap and newgidmap, but AD users are not listed in /etc/passwd, /etc/subuid, etc., which means that neither rootless mode nor userns-remap mode can be used in my situation (i.e. AD auth).

Is there any method to tackle this issue? Thanks so much.
Best.
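A check for the two things the question hinges on, written as an added example (not code from the post or from Docker): which accounts sit in the docker group, and therefore hold root-equivalent access on the host today, and whether each of them has the subordinate uid/gid ranges that newuidmap/newgidmap look up in /etc/subuid and /etc/subgid before rootless mode can work. The group, subuid and subgid contents below are constructed samples; on a real host substitute the contents of /etc/group, /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Constructed sample file contents standing in for /etc/group, /etc/subuid and /etc/subgid.
GROUP_SAMPLE='root:x:0:
docker:x:999:alice,bob'
SUBUID_SAMPLE='alice:100000:65536
bob:165536:65536'
SUBGID_SAMPLE='alice:100000:65536'

# docker_group_members GROUP_CONTENT
# Prints each member of the docker group on its own line. Every one of these accounts can
# start containers as root or as any uid (docker run -u), so the list is the audit surface.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# has_subid_range FILE_CONTENT USER
# Returns 0 when the user has a non-empty subordinate range line (name:start:count).
# An AD-only account that has never been given a range will simply not appear here.
has_subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == u && $3 > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# rootless_ready USER SUBUID_CONTENT SUBGID_CONTENT
# Prints "ready" when both ranges exist, otherwise "missing:" followed by what is absent.
rootless_ready() {
    user=$1; missing=""
    has_subid_range "$2" "$user" || missing="$missing subuid"
    has_subid_range "$3" "$user" || missing="$missing subgid"
    if [ -z "$missing" ]; then echo ready; return 0; fi
    echo "missing:$missing"; return 1
}

# audit_docker_users GROUP_CONTENT SUBUID_CONTENT SUBGID_CONTENT
# One line per docker-group member: who holds root-equivalent access now, and whether that
# account could be moved to rootless mode as the files stand.
audit_docker_users() {
    docker_group_members "$1" | while read -r u; do
        printf '%s: %s\n' "$u" "$(rootless_ready "$u" "$2" "$3")"
    done
}

audit_docker_users "$GROUP_SAMPLE" "$SUBUID_SAMPLE" "$SUBGID_SAMPLE"
```

For the samples above the audit reports alice as ready and bob as missing a subgid range; on a live host, an account listed only in the AD directory and never granted ranges shows up as missing both.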
