[38408] in Kerberos

Re: Running KDC as non-root and dockerize KDC

daemon@ATHENA.MIT.EDU (Robbie Harwood)
Fri Jan 4 11:14:51 2019

From: Robbie Harwood <rharwood@redhat.com>
To: Yegui Cai <caiyegui@gmail.com>, <kerberos@mit.edu>
In-Reply-To: <CAJYMFR49qbBP9coHm6DQLJMM38xoZFX7Dvm0uGHLK+fLZRyjUg@mail.gmail.com>
Date: Fri, 4 Jan 2019 11:14:37 -0500
Message-ID: <jlg5zv4wgb6.fsf@redhat.com>

Yegui Cai <caiyegui@gmail.com> writes:

> Hi all.
>
> This can be two threads but I have the following two questions at the
> same time.
>
> 1. Can we run KDC as a non-root user? Meaning is it required to run KDC as
> root?

The KDC and kadmin want several low-number ports, including 88, 749, and
possibly 754.  They also need permissions set up correctly in order to
access the datastore.  Modifying these permissions requires some care to
avoid circumventing any additional protections your system may already
have (e.g., SELinux).  I'm not aware of other potential issues.

> 2. Are there any official Docker images for KDC? Or any plan to have
> one?

The FreeIPA project has container images for the server:
https://www.freeipa.org/page/Docker (note that this includes more than
just a KDC, though).

I'm not aware of anyone else distributing images, but there's nothing
that stops you from setting it up in a container.

Thanks,
--Robbie

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
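
A preflight check for the two requirements named in the reply above (low-numbered ports and datastore permissions), as an added example that is not part of the original message or of MIT krb5. It assumes Linux; the port list comes from the message, while the function names and the ownership policy (owned by the service account, no group or other access) are assumptions made for illustration.

```python
import os
import stat
import sys

KDC_PORTS = (88, 749, 754)   # ports named in the message
CAP_NET_BIND_SERVICE = 10    # capability bit number from linux/capability.h

def unprivileged_port_start(path="/proc/sys/net/ipv4/ip_unprivileged_port_start"):
    """Lowest port an unprivileged process may bind; 1024 if the sysctl is absent."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024

def effective_caps(status_path="/proc/self/status"):
    """Effective capability mask of the current process, 0 if it cannot be read."""
    try:
        with open(status_path) as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return int(line.split()[1], 16)
    except OSError:
        pass
    return 0

def blocked_ports(cap_eff, port_start, ports=KDC_PORTS):
    """Ports a process with this capability mask could not bind."""
    if cap_eff & (1 << CAP_NET_BIND_SERVICE):
        return []
    return [p for p in ports if p < port_start]

def datastore_problems(path, service_uid):
    """Findings against the assumed policy: service-owned, no group/other bits."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != service_uid:
        problems.append(f"owner uid {st.st_uid} is not service uid {service_uid}")
    if mode & 0o077:
        problems.append(f"mode {mode:o} grants group/other access")
    return problems

if __name__ == "__main__":
    print("blocked ports:", blocked_ports(effective_caps(), unprivileged_port_start()))
    if len(sys.argv) > 1:  # pass the datastore path; it varies by distribution
        print("datastore:", datastore_problems(sys.argv[1], os.geteuid()))
```

Run it as the account the KDC will use, inside the container if there is one. An empty port list means the bind will succeed without root, either because the process holds CAP_NET_BIND_SERVICE or because the sysctl threshold is at or below 88.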
