How to use VAS4 inside Docker container?

The problem statement here is to recognize and use your AD authenticated host-users inside any Docker container.

Enjoy the graphics! Not really related to VAS but I find it funny!

docker-meme

Problem in action!

$ docker run -it --rm rhel7 id vasuser
id: vasuser: no such user

You see the problem?

Mounting `/etc/nsswitch.conf` & `/opt/quest` inside container was a no-brainer, so that’s our starting point.

docker run --rm --privileged -v /usr/bin/strace:/usr/bin/strace -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro rhel7 strace id vasuser
-- no such user --

Damn!

But we get a very important clue from the strace output. The vas4 client library is missing 🙁

open("/lib64/tls/x86_64/libnss_vas4.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

So mount the host's copy of the library at the path the loader tried:

docker run --rm --privileged -v /usr/bin/strace:/usr/bin/strace -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro -v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro rhel7 strace id vasuser
-- no such user --

Damn again!

But we get another important clue from the strace output. The VAS client library needs to communicate with the vasd daemon through this Unix domain socket (the `connect()` call uses `AF_LOCAL`), which does not exist inside the container.

connect(3, {sa_family=AF_LOCAL, sun_path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"}, 110) = -1 ENOENT (No such file or directory)

So mount the socket as well:

docker run --rm --privileged -v /usr/bin/strace:/usr/bin/strace -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro -v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro -v /var/opt/quest/vas/vasd/.vasd40_ipc_sock:/var/opt/quest/vas/vasd/.vasd40_ipc_sock rhel7 strace id vasuser

— expected result —

Hurray!
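
The strace-reading step used above can be scripted. This is an added example, not part of the original post: it filters strace output for `open`/`openat`/`connect` calls that failed with ENOENT on VAS-related paths. The sample trace is constructed around the two strace lines quoted above, and the function names and the default `vas|quest` filter are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): list the files and sockets a
# traced command looked for and did not find, reading strace output on stdin.

# Constructed sample: the two failing lines quoted in the post, plus one
# successful open and one unrelated ENOENT that must be filtered out.
sample_trace() {
cat <<'EOF'
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/tls/x86_64/libnss_vas4.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/opt/quest/vas/vasd/.vasd40_ipc_sock"}, 110) = -1 ENOENT (No such file or directory)
EOF
}

# missing_paths [REGEX]
# Prints "kind<TAB>path" once per distinct path where open/openat/connect
# returned ENOENT and the path matches REGEX (assumed default: vas|quest).
# kind is "socket" for connect() and "file" for open()/openat().
# Lines carrying a "[pid N]" prefix (strace -f) are not handled.
missing_paths() {
  awk -v filter="${1:-vas|quest}" '
    /^(open|openat|connect)\(/ && /= -1 ENOENT/ {
      kind = ($0 ~ /^connect\(/) ? "socket" : "file"
      # The first double-quoted string on the line is the path argument.
      if (match($0, /"[^"]+"/)) {
        path = substr($0, RSTART + 1, RLENGTH - 2)
        if (path ~ filter && !seen[path]++) print kind "\t" path
      }
    }'
}

# Stand-alone run on the constructed sample.
sample_trace | missing_paths
```

Each reported path is a candidate for a `-v` mount; a `socket` entry means the daemon's IPC endpoint has to be shared from the host, not just a file copied in.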

===

So the final command that works, without `--privileged` and the strace mount that were only needed for debugging, is:

docker run --rm -v /etc/nsswitch.conf:/etc/nsswitch.conf:ro -v /opt/quest:/opt/quest:ro -v /opt/quest/lib64/nss/libnss_vas4.so.2:/lib64/tls/x86_64/libnss_vas4.so.2:ro -v /var/opt/quest/vas/vasd/.vasd40_ipc_sock:/var/opt/quest/vas/vasd/.vasd40_ipc_sock rhel7 id vasuser

— expected result —

Enjoy!
