adelton

SSSD in container on Fedora

Jan Pazdziora

2015-10-19


Abstract

SSSD can be run in a container and provide services to the programs on the host, without even being installed on the host. Here we describe a proof of concept that is available today.

SSSD overview

System Security Services Daemon (SSSD) is a daemon that provides identity, authentication, and authorization services to the operating system and applications. It provides modules and/or plugins for multiple subsystems of the operating system, including NSS, PAM, or sudo. It can cache multiple types of information to speed up subsequent lookup or authentication operations, and it can use various remote backend types, including FreeIPA, Active Directory, or LDAP.

SSSD can be configured by editing /etc/sssd/sssd.conf directly, but because it overlaps with other subsystems, those subsystems typically need to be configured as well to make use of SSSD: pam_sss.so for PAM, or /etc/krb5.* for Kerberos operations. For two use cases, setups against FreeIPA and Active Directory, setup tools can configure SSSD and the other components of the operating system in an automated fashion: for FreeIPA it is ipa-client-install, or realm, which can also configure the system for a remote Active Directory backend.

IPA-enrolling system

Configuring the operating system and SSSD against FreeIPA is called IPA-enrollment. While running the setup tools, credentials typically need to be passed to ipa-client-install or realm to authenticate the operation on the remote system, together with other options that specify which remote system we are IPA-enrolling the machine to, or which components should be configured.

The typical approach could include pre-creating the host record on the FreeIPA server and generating a one-time password for it:

ipa$ ipa host-add --random host.example.com
[...]
  Random password: 3dW742a5rYTX
That password can then be used to authenticate from the client during IPA-enrollment, instead of using credentials of admin or other power user.

But first, the setup tool together with its dependencies that include SSSD needs to be installed:

host# dnf install -y freeipa-client
[...]
Install  68 Packages
[...]
Complete!
host# ipa-client-install -w 3dW742a5rYTX
[...]
Client configuration complete.

Many other options can be used, see

host# ipa-client-install --help
or the man page.

We can check that things work by, for example, looking up a user that does not exist in the local /etc/passwd but exists on the FreeIPA server:

host# id bob
uid=1712400001(bob) gid=1712400001(bob) groups=1712400001(bob)
And since IPA enrollment gave the host an identity on the FreeIPA server and set up a keytab for the Kerberos host principal in /etc/krb5.keytab, ssh with GSSAPIAuthentication now works:
other-host$ kinit bob
Password for bob@EXAMPLE.COM: 
other-host$ ssh bob@host.example.com
Could not chdir to home directory /home/bob: No such file or directory
-sh-4.3$ id
uid=1712400001(bob) gid=1712400001(bob) groups=1712400001(bob) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$ 
We don't have home directories mounted but we see that authentication works.

IPA-enrolling via SSSD in container

Instead of installing the software on the host with dnf install, we can install and run it in a container. We will use the docker service and the atomic command. The docker daemon manages images and containers, and atomic is a utility which can use the LABELs of docker images to run the containers with the correct parameters.

As of 2015-10-19, we need to install atomic from the Fedora 22 updates-testing repository to get a reasonably new version:

host# dnf install --enablerepo=updates-testing -y atomic
The atomic package will pull docker (among others) as a dependency, so we can start it:
host# systemctl start docker.service

If we've created a host record for our machine on the FreeIPA server and had a one-time password generated, we can then download and configure the SSSD container while giving it options that will be passed directly to ipa-client-install in the container:

host# atomic install fedora/sssd -w OvPJIPluOHNj

The fedora/sssd container will first copy various configuration and data directories into the container, then run ipa-client-install with the parameters that were passed to atomic install, and upon successful IPA-enrollment copy the config and data files back to the host machine.

Unlike ipa-client-install, which configures the services and leaves the SSSD daemon running, the container used by atomic install is removed after it finishes and you need to use

host# atomic run fedora/sssd
to start it.

When we check whether sssd is running, we will see that its processes run as children of the docker daemon:

host# ps xf
[...]
11652 ?        Ssl    0:29 /usr/bin/docker -d --selinux-enabled
12537 ?        Ss     0:00  \_ /bin/bash /bin/run.sh
12545 ?        S      0:00      \_ tail -f /var/log/sssd/systemctl.log
12550 ?        Ss     0:00      \_ /usr/sbin/sssd -D -f
12551 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --debug-to-files
12552 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
12553 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
12554 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
12555 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
12556 ?        S      0:00      |   \_ /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
12832 ?        S      0:00      \_ sleep 1000

Depending on what packages are installed on your Fedora host, running id for a user from FreeIPA might fail in spite of SSSD running:

host# id bob
id: bob: no such user
That is because libnss_sss.so is needed for NSS to be able to talk to the daemon. We can either install those client bits via dnf, or as a quick fix copy them out of the container:
host# mkdir -p /usr/lib64/sssd/modules
host# # copy each client-side file out of the sssd container only if it is missing on the host
host# for i in /usr/lib64/libnss_sss.so.2 \
	/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so \
	/usr/lib64/libsss_sudo.so \
	/usr/lib64/security/pam_sss.so \
	/usr/lib64/security/pam_oddjob_mkhomedir.so \
	/usr/bin/kinit \
	/usr/bin/klist \
	/usr/sbin/ipa-getkeytab ; do
	if ! [ -e "$i" ] ; then docker cp "sssd:$i" "$i" ; fi
done
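As an added example (not part of the original post), a shell check that diagnoses the "no such user" symptom above before relying on id: it verifies that /etc/nsswitch.conf lists sss for the passwd and group databases and that the client-side libraries the loop above copies out of the container are present on the host. The function names and the optional file and prefix arguments are this example's own assumptions.

```shell
#!/bin/bash
# Added example: preflight check for the host-side pieces that let NSS and PAM
# reach the SSSD daemon running in the container.  Paths are the ones the post
# copies out of the container; the file and prefix arguments exist for testing.

# Print the NSS sources configured for a database (e.g. "passwd") in the given
# nsswitch.conf (default /etc/nsswitch.conf); prints nothing if the line is absent.
nss_sources() {
    local db=$1 file=${2:-/etc/nsswitch.conf}
    awk -v db="$db" '{ sub(/#.*/, "") }
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }' "$file"
}

# Succeed when "sss" is among the sources of a database, fail otherwise.
nss_has_sss() {
    local sources
    sources=$(nss_sources "$1" "$2")
    case " $sources " in
        *" sss "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# List the client-side libraries from the post that are missing under PREFIX
# (empty for the host root; e.g. /host when checked from inside the container).
missing_sss_libs() {
    local prefix=${1:-} lib
    for lib in /usr/lib64/libnss_sss.so.2 \
               /usr/lib64/security/pam_sss.so \
               /usr/lib64/libsss_sudo.so \
               /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so ; do
        [ -e "$prefix$lib" ] || echo "$lib"
    done
}

# Overall report: exit 0 when passwd and group use sss and no library is missing.
sss_client_check() {
    local rc=0 db missing
    for db in passwd group; do
        nss_has_sss "$db" || { echo "nsswitch.conf: $db does not list sss"; rc=1; }
    done
    missing=$(missing_sss_libs)
    [ -z "$missing" ] || { printf 'missing: %s\n' $missing; rc=1; }
    return $rc
}
```

Run sss_client_check on the host after atomic run; a non-zero exit names the reason id will fail even though the daemon is up.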

Switching to container and back

Since the configuration and data that the SSSD container uses are stored in the exact locations where the standard sssd service stores them, it's possible to move from sssd running on the host directly to the container, or from the container to the host.

An existing sssd setup can be converted to a containerized one using

host# systemctl stop sssd.service
host# atomic install fedora/sssd --migrate
[... image being downloaded ...]
docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e HOST=/host fedora/sssd /bin/install.sh --migrate
IPA client is already configured on this system.
host# atomic run fedora/sssd
docker run [...]

The containerized service is configured with /etc/systemd/system/sssd.service. Thus, the steps to move back to the service running directly on the host are:

host# atomic uninstall fedora/sssd
host# rm /etc/systemd/system/sssd.service
host# systemctl daemon-reload
host# systemctl start sssd.service

Note about DNS

In the examples above, we assume that the machines can find the FreeIPA server because they are configured with correct DNS settings.

If you are trying the examples in a testing setup, you can use

host# echo nameserver IP-address-of-FreeIPA-server > /etc/resolv.conf
and set the hostname on those machines with a domain matching the domain handled by the FreeIPA server:
host# hostname host.example.com

Versions used

  • Fedora 22 on host with
    • atomic-1.4-1.git9d724aa.fc22
    • docker-1.8.2-7.gitcb216be.fc22.x86_64
  • SSSD container docker.io/fedora/sssd: 7db1201b9c1f (as reported by docker images)