The problem here is getting the host's AD-authenticated users (resolved through VAS) recognized and usable inside any Docker container.
Enjoy the graphics! Not really related to VAS but I find it funny!
Problem in action!
$ docker run -it --rm rhel7 id vasuser
id: vasuser: no such user
You see the problem?
Mounting `/etc/nsswitch.conf` and `/opt/quest` inside the container was a no-brainer, so that's our starting point.
$ docker run --rm --privileged -v /usr/bin/strace:/usr/bin/strace -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro rhel7 strace id vasuser
-- no such user --
Damn!
But the strace output gives us a very important clue: the vas4 NSS client library is missing from the container 🙁
open("/lib64/tls/x86_64/libnss_vas4.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
$ docker run --rm --privileged -v /usr/bin/strace:/usr/bin/strace -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro -v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro rhel7 strace id vasuser
-- no such user --
Damn again!
But the strace output gives us another important clue: the VAS client library needs to communicate with the vasd daemon on the host through this Unix domain socket, which does not exist inside the container.
connect(3, {sa_family=AF_LOCAL, sun_path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"}, 110) = -1 ENOENT (No such file or directory)
$ docker run --rm --privileged -v /usr/bin/strace:/usr/bin/strace -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro -v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro -v /var/opt/quest/vas/vasd/.vasd40_ipc_sock:/var/opt/quest/vas/vasd/.vasd40_ipc_sock rhel7 strace id vasuser
— expected result —
Hurray!
===
So the final command that works, without --privileged or the strace mount, is:
$ docker run --rm -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro -v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro -v /var/opt/quest/vas/vasd/.vasd40_ipc_sock:/var/opt/quest/vas/vasd/.vasd40_ipc_sock rhel7 id vasuser
— expected result —
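As an added example (not from the original post), here is a small POSIX shell helper that checks the three host-side pieces the final command depends on (vas4 listed in nsswitch.conf, the NSS module, and the vasd socket, which only exists while vasd is running) and then prints the matching bind-mount flags. The optional ROOT prefix and the distinct exit codes are assumptions introduced so the checks can be exercised against a staged directory.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the host pieces the
# working command relies on, then print the matching bind-mount flags.
# The optional ROOT prefix (an assumption, for testing against a staged tree)
# is applied only to the checks; the printed flags always use the real paths.
vas_docker_mounts() {
  root="${1:-}"
  nss="$root/etc/nsswitch.conf"
  lib="$root/opt/quest/lib64/nss/libnss_vas4.so.2"
  sock="$root/var/opt/quest/vas/vasd/.vasd40_ipc_sock"

  # 1. glibc only loads libnss_vas4 if nsswitch.conf names "vas4" for passwd/group.
  if ! grep -Eq '^(passwd|group):.*[[:space:]]vas4([[:space:]]|$)' "$nss" 2>/dev/null; then
    echo "error: $nss does not list vas4 for passwd/group" >&2; return 2
  fi
  # 2. The NSS module must exist and be readable; it is mounted at a path the
  #    strace output showed glibc probing, so no ldconfig is needed in the container.
  if [ ! -r "$lib" ]; then
    echo "error: NSS module $lib missing or unreadable" >&2; return 3
  fi
  # 3. The module talks to vasd over this Unix domain socket; it only exists
  #    while vasd runs, so a missing socket usually means vasd is down on the host.
  if [ ! -S "$sock" ]; then
    echo "error: vasd socket $sock absent (is vasd running on the host?)" >&2; return 4
  fi

  # Files are mounted read-only. The socket is not (and :ro would not restrict
  # connect() anyway): every process in the container can query vasd exactly
  # like a host process, which is the access this setup deliberately grants.
  printf '%s ' \
    "-v /etc/nsswitch.conf:/etc/nsswitch.conf:ro" \
    "-v /opt/quest:/opt/quest:ro" \
    "-v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro" \
    "-v /var/opt/quest/vas/vasd/.vasd40_ipc_sock:/var/opt/quest/vas/vasd/.vasd40_ipc_sock"
  echo
}

# Typical use on a real host:  docker run --rm $(vas_docker_mounts) rhel7 id vasuser
```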
Enjoy!