From a0c63423892f78f73938b91312a53c27023e2b0b Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Sat, 16 May 2026 14:35:41 +0200
Subject: [PATCH] Enhance Dockerfile and README to clarify user permissions and capabilities for Kerberos container

---
 Dockerfile | 16 +++++++++++++++-
 README.md  |  3 +++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 356436d..29f672b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,13 +5,27 @@ RUN apt-get update && \
     krb5-kdc \
     krb5-admin-server \
     krb5-config \
+    libcap2-bin \
     tini && \
     rm -rf /var/lib/apt/lists/*
 
-COPY entrypoint.sh /entrypoint
+RUN groupadd -r krb5 && useradd -r -g krb5 -s /sbin/nologin krb5
+
+# Allow binding to privileged ports without root
+RUN setcap cap_net_bind_service=+ep /usr/sbin/krb5kdc && \
+    setcap cap_net_bind_service=+ep /usr/sbin/kadmind
+
+# Pre-create files the entrypoint writes to outside the volume
+RUN mkdir -p /etc/krb5kdc && \
+    touch /etc/krb5.conf && \
+    chown -R krb5:krb5 /etc/krb5kdc /etc/krb5.conf /var/lib/krb5kdc
+
+COPY --chown=krb5:krb5 entrypoint.sh /entrypoint
 RUN chmod +x /entrypoint
 
+USER krb5
+
 EXPOSE 88/tcp 88/udp 464/tcp 464/udp 749/tcp
 ENTRYPOINT ["tini", "--", "/entrypoint"]
diff --git a/README.md b/README.md
index 5c63648..b9cf6b8 100644
--- a/README.md
+++ b/README.md
@@ -67,6 +67,9 @@ This creates `slawek/admin@REALM` and grants it full kadmin rights via the ACL.
 ./scripts/run-container.sh
 ```
 
+Runs as user `krb5`; `CAP_NET_BIND_SERVICE` is granted to the daemon binaries at build time via `setcap`.
+
+
 The `kerberos_data` volume (`/var/lib/krb5kdc`) holds the realm database, configuration, and keytab. All files are written once on first start. On subsequent starts the container requires no environment variables — the persisted configuration is used as-is. Sensitive variables (`KRB5_MASTER_PASSWORD`, `KRB5_ADMIN_PASSWORD`) can be removed from the env file after the realm is initialised.
 
 ## Ports
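Review bot: The file capabilities set by the two `setcap` lines only take effect at exec time if the runtime keeps CAP_NET_BIND_SERVICE in the bounding set and does not set no_new_privs; under `--cap-drop=ALL` or a Kubernetes pod with `allowPrivilegeEscalation: false` the daemons start without the capability and the binds to 88/464/749 fail, so the comment above them should say so, e.g. `# Allow binding to privileged ports without root (ignored under no-new-privileges; needs CAP_NET_BIND_SERVICE in the bounding set)`, and the README sentence added in this commit should carry the same caveat. `useradd -r` leaves the UID floating and `USER krb5` is by name, which `runAsNonRoot` cannot verify; `RUN groupadd -r -g 10001 krb5 && useradd -r -u 10001 -g krb5 -s /sbin/nologin krb5` with `USER 10001:10001` (constructed UID) makes it checkable. The build-time `chown -R krb5:krb5 … /var/lib/krb5kdc` is copied into an empty named volume on first use, but a bind mount or a volume that already exists keeps its own ownership and the entrypoint, now running as krb5, will then fail to write the realm database; a comment on that line noting the volume assumption would help. The `RUN apt-get` instruction these package lines belong to begins before the hunk.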