Applies to: Centrify Direct Control 5.3.1 on all supported platforms
How does one set up and integrate Centrify DirectControl with a Docker container?
Centrify is planning to write a formal white paper on this subject in the future.
There are 3 possible scenarios:
(1) Docker runs using the adclient running on the hosting host
(2) Docker runs with DirectControl (adclient) running inside the container
(3) Docker runs with adclient running in another Docker container. (uncommon)
Please note that the configuration will be different in each scenario and we will only cover how to configure the first scenario.
1. Install CentrifyDC on the hosting host, and adjoin to the domain.
2. Install CentrifyDC inside the container so it has all the binaries (PAM, NSS library and utilities).
3. At host level, tar up all the "adjoin" configuration/data files:
tar -cvf join-data.tar /etc/centrifydc/ /etc/centrifyda/ /etc/pam.d/ /etc/nsswitch.conf
Optionally, also include /etc/krb5.conf and /etc/krb5.keytab for kerberized applications.
4. Copy and expand the tar inside the docker container.
5. The run time data (/var/centrifydc) has to be shared between the host and the Docker container. The command used to run Docker:
docker run -t -i -v /var/centrifydc:/var/centrifydc mycentos:working /bin/bash
Additional shared directories (optional):
- If you wish to audit sessions inside the container you will also need to share /var/centrifyda.
- Share /var/centrify, as this is where adinfo will put its output and where adclient puts the certs and CA chain for auto-enrollment.
- Share /tmp, as this is where the Kerberos ticket cache (krb5cc_<uid>) will be stored for kerberized applications, for example SSO.
(1) Optionally, you may consider sharing the following 2 directories through the "docker run -v" option as read-only, instead of packing them in the tar file:
/etc/centrifydc ... read only, directory
/etc/centrifyda ... read only, directory
(2) The following files are needed read-only inside the container:
/etc/pam.d ... read only, directory
/etc/nsswitch.conf ... read only
/etc/krb5.keytab ... read only
/etc/krb5.conf ... read only
There is no option to share files, only directories. Given that the containers will need their own /etc and have their own unique configurations, we prefer to pack them and replace them inside the container.
(3) /var/centrifydc (this cannot be read only).
It contains 2 Unix sockets used by all the client processes to talk to adclient.
(4) /var/centrifyda cannot be shared as read-only either.
This is where the Unix socket resides for cdash to talk to the dad daemon.
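The steps above for the first scenario, collected into a small set of shell helpers. This is an added example, not a script shipped by Centrify: it packs the join data from the host (step 3), builds the "docker run" line with the shared runtime directories (step 5 and the optional shares), and rejects any attempt to mount the socket directories /var/centrifydc or /var/centrifyda read-only (notes 3 and 4). The optional root argument of pack_join_data is an assumption added so the packing can be exercised against a staging tree; the image name mycentos:working is the one used on this page.

```shell
#!/bin/sh
# Helpers for scenario (1): adclient runs on the host, the container gets
# copies of the join configuration and shares the host's runtime directories.
# Added example, not Centrify's own tooling.
set -eu

# Configuration/data files written by adjoin on the host (step 3).
JOIN_PATHS="/etc/centrifydc /etc/centrifyda /etc/pam.d /etc/nsswitch.conf"
# Only needed by kerberized applications inside the container.
KRB_PATHS="/etc/krb5.conf /etc/krb5.keytab"

# pack_join_data <tarfile> <with_kerberos yes|no> [root]
# Creates the join-data tar relative to "root" (defaults to /). The root
# argument is an assumption for testing against a staging directory; on a real
# host it is simply omitted. Paths that do not exist are skipped.
pack_join_data() {
  tarfile=$1; with_krb=${2:-no}; root=${3:-/}
  paths=$JOIN_PATHS
  if [ "$with_krb" = yes ]; then paths="$paths $KRB_PATHS"; fi
  rel=""
  for p in $paths; do
    if [ -e "$root/$p" ]; then rel="$rel ${p#/}"; fi   # store without leading /
  done
  # shellcheck disable=SC2086   # word splitting of $rel is intended
  tar -cf "$tarfile" -C "$root" $rel
}

# check_volume_flag "<host>:<container>[:ro]"
# Returns 1 when a directory that carries adclient/dad Unix sockets would be
# mounted read-only (notes 3 and 4), 0 otherwise.
check_volume_flag() {
  case $1 in
    /var/centrifydc:*:ro|/var/centrifyda:*:ro) return 1 ;;
  esac
  return 0
}

# docker_run_cmd <image> <audit yes|no> <kerberos yes|no>
# Prints the "docker run" line for step 5: /var/centrifydc is always shared
# read-write; /var/centrify is shared for adinfo output and auto-enrollment
# certs; /var/centrifyda is added for session auditing; /tmp for the
# Kerberos ticket cache (krb5cc_<uid>). /etc/* is not mounted here because it
# was packed into the tar and expanded inside the container (step 4).
docker_run_cmd() {
  image=$1; audit=${2:-no}; krb=${3:-no}
  vols="-v /var/centrifydc:/var/centrifydc -v /var/centrify:/var/centrify"
  if [ "$audit" = yes ]; then vols="$vols -v /var/centrifyda:/var/centrifyda"; fi
  if [ "$krb" = yes ]; then vols="$vols -v /tmp:/tmp"; fi
  for v in $vols; do
    case $v in
      -v) ;;
      *) check_volume_flag "$v" || { echo "refusing read-only socket dir: $v" >&2; return 1; } ;;
    esac
  done
  printf 'docker run -t -i %s %s /bin/bash\n' "$vols" "$image"
}

# Print the command for review (nothing is started here). On the host you would
# first run:  pack_join_data /root/join-data.tar yes
# then copy join-data.tar into the container and expand it at / (step 4).
docker_run_cmd mycentos:working no no
```

Inside the container, expanding the tar at / replaces /etc/centrifydc, /etc/centrifyda, /etc/pam.d and /etc/nsswitch.conf with the host's joined copies, while the Unix sockets under /var/centrifydc stay on the host side of the bind mount, which is why that directory must never be mounted with :ro.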