Enhance Dockerfile and README to clarify user permissions and capabilities for Kerberos container
This commit is contained in:
+15
-1
@@ -5,13 +5,27 @@ RUN apt-get update && \
|
||||
krb5-kdc \
|
||||
krb5-admin-server \
|
||||
krb5-config \
|
||||
libcap2-bin \
|
||||
tini && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY entrypoint.sh /entrypoint
|
||||
RUN groupadd -r krb5 && useradd -r -g krb5 -s /sbin/nologin krb5
|
||||
|
||||
# Allow binding to privileged ports without root
|
||||
RUN setcap cap_net_bind_service=+ep /usr/sbin/krb5kdc && \
|
||||
setcap cap_net_bind_service=+ep /usr/sbin/kadmind
|
||||
|
||||
# Pre-create files the entrypoint writes to outside the volume
|
||||
RUN mkdir -p /etc/krb5kdc && \
|
||||
touch /etc/krb5.conf && \
|
||||
chown -R krb5:krb5 /etc/krb5kdc /etc/krb5.conf /var/lib/krb5kdc
|
||||
|
||||
COPY --chown=krb5:krb5 entrypoint.sh /entrypoint
|
||||
|
||||
RUN chmod +x /entrypoint
|
||||
|
||||
USER krb5
|
||||
|
||||
EXPOSE 88/tcp 88/udp 464/tcp 464/udp 749/tcp
|
||||
|
||||
ENTRYPOINT ["tini", "--", "/entrypoint"]
|
||||
|
||||
Reference in New Issue
Block a user