Closed svperfecta closed 7 years ago
we never thought a single-file executable (without dependencies) needed to be put in a docker container :) besides, teleport needs to run as root to impersonate user logins. but I guess this could be used for testing?
Yeah you're right. I'm not sure what I was thinking here.
On Thu, Apr 13, 2017 at 4:53 PM Ev Kontsevoy notifications@github.com wrote:
we never thought a single-file executable needed to be put in a docker container :) besides, teleport needs to run as root to impersonate user logins. but I guess this could be used for testing?
hehe, cool. we'll save ourselves a bit of time by not starting to maintain this for now and instead invest in other areas, like maintaining BSD or/and ARM binaries! :) we may revisit this later!
Counterpoint - it would make it easier to update the binary by having it wrapped in a container and pulling it down from dockerhub. Also, it would make it easier to have a docker-compose.yml to just boot up a stack quickly.
Hey Francis - But when you connected to the daemon, it would grant you access to the container rather than the host. Not exactly expected behavior right?
On Tue, May 9, 2017 at 1:11 AM, Francis Lavoie notifications@github.com wrote:
Counterpoint - it would make it easier to update the binary by having it wrapped in a container and pulling it down from dockerhub. Also, it would make it easier to have a docker-compose.yml to just boot up a stack quickly.
Actually, I would expect that. Unless I misunderstand how Teleport works (I'm just about to set it up in the coming days), I'd rather lock it from having access to the rest of the things running on my host machine. If it wants to run commands like ssh, it should do it from inside the container.
I guess I'll clarify - I'd run Teleport on one of our internal machines, it would connect to the various machines I want SSH access to via OpenSSH. I don't think I'll be running Teleport on my other machines if I don't need to, rather keep things simple.
It also can be useful to deploy Teleport as a pod in k8s, and use it to ssh other pods or k8s nodes
I think this should be revisited for a number of reasons, I'm looking at using teleport inside of containers specifically to limit access and ability within cluster. Also distribution through docker images would be a benefit and should be easy since you're already building with containers. Also, since the teleport binaries are not statically linked, they do have dependencies, as shown when you try to run them inside containers.
@kontsevoy we should update the docs, we now release to docker as well, our images are all here:
https://quay.io/repository/gravitational/teleport?tag=latest&tab=tags
@klizhentas any reason we're not tagging with latest?
Updated the docs & the README
Hey Team - Wondered if you had plans to release an official Docker image? I noticed there are many poorly maintained ones out there.
https://hub.docker.com/