Hello,
We noticed that after version 4.4.10 of fusex client, the way we were authenticating user via kerberos inside containers do not work any more.
We currently successfully run unprivileged docker containers mounting shared eosd and authentication using kerberos ticket loaded with eosfusebind -g
. As long as the userid inside the docker matches the userid on the host, this works, like this :
# su testproc -c "cat /eos/jeodpp/proc/whoami"
Virtual Identity: uid=35575 (35575,99) gid=41068 (99,41068,50008) [authz:krb5] host=... geo-location=JRC
# docker run -v /eos/:/eos/ debian bash -c "useradd -u 35575 testproc; su testproc -c 'cat /eos/jeodpp/proc/whoami'"
Virtual Identity: uid=35575 (35575,99) gid=41068 (99,41068,50008) [authz:krb5] host=... geo-location=JRC
We successfully tried the same with eosxd until v 4.4.10 volumes, but when upgrading to fusex v4.4.18, 4.4.23 or even latest testing one 4.4.45, it doesn’t work any more, even when setting correctly the KRB5CCNAME variable. The client just acts as if no ticket were available : eos content is accessible, but with a nobody (99,99) authentication :
# su testproc -c "cat /eos/jeodpp/proc/whoami"
Virtual Identity: uid=35575 (35575,99) gid=41068 (99,41068,50008) [authz:krb5] host=... geo-location=JRC
# docker run -v /eos/:/eos/ debian bash -c "useradd -u 35575 testproc; su testproc -c 'cat /eos/jeodpp/proc/whoami'"
Virtual Identity: uid=99 (99) gid=99 (99) [authz:unix] host=... geo-location=JRC
Was there some regression ? Or was it a bug, not a feature, that we were taking advantage of, and that was corrected ? If yes, what could be the correct way to restore the kerberos authentication inside docker container with the last versions of fusex client ?