Reputation: 555
Persist users added within a Docker container
I have a Docker container running SSHD which accepts connections from multiple devices. Each connection is supposed to use port forwarding to connect a socket file on the container to a TCP port on the device. Every connecting device has a unique ID and is supposed to use that ID in the name of its socket file so they can be identified.
Iteration 1
Initially, I simply created a single non-root user in the SSHD container and allowed all the devices to log in as that user.
However, I discovered a problem with this setup: there was no way to limit what socket files could be opened based on which device was connecting, meaning a compromised or simply misconfigured device could potentially forward a socket with another device's ID in the name, causing all manor of havoc.
Iteration 2
My solution to this was to instead create a different user account for each device, with the username being the device ID, and only permit that device to log in to that account. Then each user could be given a separate directory in which to create its socket files, and ordinary unix file permissions could be used to prevent any device's account from interfering with another device's socket.
The problem with this was that I could no longer do all my user management during the image build step; I now needed to create new user accounts inside the container every time a new device was registered. This worked, but if the SSHD container ever had to be recreated, all the user accounts created within it would cease to exist.
Iteration 3
To fix this, the next thing I tried was this:
- Identify all the files involved in creating a new user and adding them the the SSH group, which turned out to be the following files:
/etc/group/etc/group-/etc/gshadow/etc/gshadow-/etc/passwd/etc/passwd-/etc/shadow/etc/shadow-/etc/subgid/etc/subgid-/etc/subuid/etc/subuid-
- As part of the Docker build, move all those files into a different directory, and create symlinks from their old locations to their new ones
- When creating the SSHD container, mount this new directory as a Docker volume. When the volume is first created, it will be initialized with the files from the image. Any changes to those files thereafter will happen to the copies in the volume, and thus persist even if the container is destroyed and recreated
On testing, however, I found that the standard user management tools, such as adduser and usermod, cannot handle those files being moved like that. (I suspect the problem is that those tools, rather than opening the files and editing them in place (which the symlinks would redirect just fine) are trying to write the files under other names and then move them into the expected place.)
Where to go from here
I have a few ideas which I think might work, but they're all unpalatable for one reason or another:
- Leave the files in place and make all of
/etc/a Docker volume- Problem: Most of
/etc/I don't want to persist
- Problem: Most of
- Leave the files in place and make each one a Docker volume individually
- Problem: I don't want to have 12 different volumes each holding one single file, not 12 seperate mounts
- Move the files and then edit them manually instead of using the standard tools
- Problem: The standard tools exist for a reason; each of those files uses a different esoteric format I'm not familiar with and which I'm likely to screw up if I start fiddling with them
Does anyone have any suggestions?
Upvotes: 0
Views: 75
Answers (0)
Related Questions
- Copying files from Docker container to host
- How do I get into a Docker container's shell?
- How to copy files from host to Docker container?
- How to copy Docker images from one host to another without using a repository
- How is Docker different from a virtual machine?
- How to include files outside of Docker's build context?
- How to get a Docker container's IP address from the host
- How can I add a volume to an existing Docker container?
- docker-compose up for only certain containers