
Comments (8)

caljnj commented on July 24, 2024

Hi Cole. Oops, didn't realize you were an employee until now. Haha.

Great, thanks! If possible, it would be great if you could log some of the discussion publicly here so I can follow along :)
Very interested to see how you approach all of the elements.

Thanks for the direction to the "R Admins". I added a post there to actually see how much interest there is for a reference image for Active Directory setup.

from rstudio-docker-products.

caljnj commented on July 24, 2024

I've got a working config for sssd/ldap/nss/pam with s6 here...
https://github.com/caljnj/rstudiopro_kerberos_mssql

It does:

  • pam kerberos authentication against microsoft AD
  • reuse of kerberos ticket for microsoft sql auth
  • automated home directory creation
  • s6 overlay for service management
  • doesn't need to do a domain join! (when was the last time you wanted a container to join a domain anyway..)

Still missing:

  • kerberos-based drive mapping
  • rstudio launcher keeps logging lots of errors so there must be something broken
  • not sure s6 is really capturing all the logs emitted
  • documentation

The whole PAM thing has sucked beyond belief owing to missing PAM documentation and nonexistent logging, and very superficial rstudio documentation. rstudio support have said they could only offer support with "basic PAM configs". Fair enough.

S6 overlay setup was also terrible. Easy if you want to just run a service with a couple of command line arguments. Nightmare if you want to work out how to manage the logging and startup scripts. Lots of documentation for s6 but no working examples. Great.

Not sure why rstudio doesn't provide a decent starting infra for people to use. For people who want a bit of security in the product, it's a must.

Anyway, in the spirit of open source, basically I'm here to say I'm willing to get involved in an effort to create a proper reference image for rstudio server pro with sssd kerberos-based network-drives/login/sql... if there's a group who wants to start.


caljnj commented on July 24, 2024

I also really need some help in working out the weird connection between rstudio server and rstudio launcher.
rstudio server uses the other/rstudio PAM profile.
rstudio launcher uses the su/auth-pam-sessions-profile PAM profile.

In a workaround to get mapped drives to work, I've been trying to capture the password with a PAM module and configuring rstudio with auth-pam-sessions-use-password=1, but I really cannot get it to work.

Would be nice if anyone has some experience in the codebase to point out exactly how this setting should work. Maybe even some directions on how to set up a test env.


colearendt commented on July 24, 2024

@caljnj I'm so sorry for the trouble you've had with this! Thank you for all of this information and the example to work with! I'm hoping we will get a chance to dig into improving the container setup here soon and address a bunch of your concerns.

We still see this image mostly as a starting point / jumping off point, since the needs of our customers are very diverse and it is unlikely that we would ever be able to hit all needs with a single or even a handful of images. However, the point is well taken that hardening and improving the images, as well as documenting and sharing patterns in use, would be very valuable to our customer base!

Admittedly, this is one of the goals of the "R Admins" section on RStudio Community. The hope is that at some point there will be a community of administrators who feel comfortable sharing the different ways that they have tackled problems https://community.rstudio.com/c/r-admin/5


colearendt commented on July 24, 2024

Worth noting that we have made some progress here on the dev branch (#216). There are docs in the README.

Basically we are:

  • using supervisord to start workbench, launcher, and sssd
  • if any one of the three services exits, then the container will exit
  • The sssd setup should be sufficient for joining to an AD or LDAP domain without changing the image (although I must admit we have not added kerberos client components... perhaps we should?). Our tests have all been LDAP related at present, though.

There is an image available for testing here:

docker run -it --rm rstudio/rstudio-workbench-preview:dev-2021.09.0-351.pro6

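One way to get the "any service exits, container exits" behaviour described in the comment above is a supervisord event listener. This is an added example, not code from the thread or from the rstudio-docker-products repository; the program names `workbench`, `launcher` and `sssd` and the listener path are assumptions.

```python
import os
import signal
import sys

# Assumed supervisord program names for the three services (not from the image).
WATCHED = {"workbench", "launcher", "sssd"}
# Event types supervisord emits when a process stops or cannot be started.
STOP_EVENTS = {"PROCESS_STATE_EXITED", "PROCESS_STATE_FATAL"}

# Wiring in supervisord.conf (listener path is an assumption):
#   [eventlistener:failfast]
#   command=python3 /usr/local/bin/failfast.py
#   events=PROCESS_STATE_EXITED,PROCESS_STATE_FATAL


def parse_tokens(text):
    """Parse supervisord's space-separated 'key:value' header or payload."""
    return dict(tok.split(":", 1) for tok in text.split())


def should_shutdown(headers, payload, watched=WATCHED):
    """True when a watched service has exited or failed to start."""
    return (headers.get("eventname") in STOP_EVENTS
            and payload.get("processname") in watched)


def run(stdin, stdout, on_failure, watched=WATCHED):
    """Speak the event listener protocol; return the failed service name."""
    while True:
        stdout.write("READY\n")            # tell supervisord we can take an event
        stdout.flush()
        header_line = stdin.readline()
        if not header_line:                # supervisord closed our stdin
            return None
        headers = parse_tokens(header_line)
        # Payload is ASCII, so the byte length equals the character count.
        payload = parse_tokens(stdin.read(int(headers["len"])))
        stdout.write("RESULT 2\nOK")       # acknowledge before acting
        stdout.flush()
        if should_shutdown(headers, payload, watched):
            on_failure(payload["processname"])
            return payload["processname"]


if __name__ == "__main__":
    # The listener is a child of supervisord; SIGTERM makes it stop all
    # programs and exit, which ends the container when it runs as PID 1.
    run(sys.stdin, sys.stdout,
        lambda name: os.kill(os.getppid(), signal.SIGTERM))
```

With the three programs set to `autorestart=false`, a crashed sssd or launcher then takes the container down instead of leaving a workbench that cannot authenticate or start sessions.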

alessap commented on July 24, 2024

@colearendt I hope this issue is not too old. I wanted to give my two cents and I would definitely upvote adding the following dependency to rstudio-workbench and r-session-complete Docker images in order to enable kerberos authentication:

apt install krb5-user -y

This would avoid the need for customizing these images.


colearendt commented on July 24, 2024

@alessap Thanks for the note here! That is definitely a reasonable addition IMO 😄


alessap commented on July 24, 2024

@colearendt That is great to hear! I will fork the repo and create a PR then 😊
