
freeipa-container's Introduction

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage the identity, authentication and access-control aspects of Linux and UNIX systems by providing command-line and web-based management tools that are simple to install and use.

FreeIPA is built on top of well-known open source components and standard protocols, with a very strong focus on ease of management and on automating installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/.

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation.

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts

freeipa-container's People

Contributors

adelton, aolle, frasertweedale, jasonbrooks, martinbasti, muayyad-alsadi, pkamenickova, stlaz, thinkl33t, tiboris, tiran, tobereplaced, tobias-hammerschmidt, tylerauerbeck, zultron


freeipa-container's Issues

Can a client be enrolled to a server on the same host?

I have a machine with two ip addresses, 12.34.56.1 and 12.34.56.2

I created a replica with the centos-7 image and ran it with -p 12.34.56.2:80:80 ....

If I ipa-client-install on the machine outside of docker, the first line is:

Skip replica.i.just.configured: cannot verify if this is an IPA server

Then on ntp:

Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.

If I stop the replica container, the ntp issue disappears. My guess is that it has something to do with binding 0.0.0.0 instead of 12.34.56.1.

Is there a way to get the setup I am looking for? Perhaps shorter step is, is there a way to inform ipa to bind to a specific ip instead of 0.0.0.0?

cannot connect to the freeipa web ui using the host IP

Hello,

Could you please give me an example of how to run freeipa so that the freeipa web ui is available on the local host and on external hosts?

Is it possible to map the 80 and 443 freeipa ports to different ports on the host?

Thanks a lot
Karl Forner

Error unpacking rpm package

I'm getting an error installing this package:

Installing : httpd-2.4.6-31.el7.centos.x86_64 73/83
Error unpacking rpm package httpd-2.4.6-31.el7.centos.x86_64

Production questions

I'm evaluating FreeIPA for a new project (micro-installation, 10 users, 15 machines) and am looking at running it from inside of a docker instance in production.

I'm willing to work through bugs and dragons, but is there anything you know of that is currently a show-stopper for doing this?

I'm new to FreeIPA, so I might be entirely off -- Here's what I'm worried about on first inspection:

  1. It looks like we need to expose 7389, 9443, 9444, 9445 for replication and server-server communication.
  2. Passwords need to be passed in over the command-line. We could do a little better by reading them from files that we mount to the container so that they only show in the command that's internal to the container as opposed to on the host.
  3. We don't expose a meaningful process to the docker host for sending signals to via docker kill.
  4. We run an ssh server (maybe remove?)
  5. We have to workaround systemctl
  6. ntpd in the container

Any insights into what are or will be problems would be helpful. I'd also be happy to help out if there's anything on the roadmap that is open to outside contributors.

Cheers,
ToBeReplaced

cannot docker exec inside freeipa-server

I do not know if it is related to the freeipa-server container or a problem with my docker installation, but I cannot connect inside the running server:

docker exec -ti freeipa bash
Cannot run exec command e67d75c75f8b082b104267d3bbb0fb2d95e341ecdc33e7faf612807b9fa32077 in container 926ef3ee2b0b6bbdc27f1875b006c4dcabf040558fb8d8063d723c297643e110: write parent: broken pipe
                                   Error starting exec command in container e67d75c75f8b082b104267d3bbb0fb2d95e341ecdc33e7faf612807b9fa32077: Cannot run exec command e67d75c75f8b082b104267d3bbb0fb2d95e341ecdc33e7faf612807b9fa32077 in container 926ef3ee2b0b6bbdc27f1875b006c4dcabf040558fb8d8063d723c297643e110: write parent: broken pipe

One of my use cases is to reload the name service (rndc reload).

P.S
I hope I'm not creating too many issues...

Docker build cannot remove directory

I tried to build the docker image for fedora 23 (master branch), but it fails with the error:

Step 23 : COPY volume-data-list volume-data-mv-list volume-data-autoupdate /etc/
 ---> 92b06fe6b010
Removing intermediate container b669e7a14aca
Step 24 : RUN set -e ; cd / ; mkdir /data-template ; cat /etc/volume-data-list | while read i ; do echo $i ; if [ -e $i ] ; then tar cf - .$i | ( cd /data-template && tar xf - ) ; fi ; mkdir -p $( dirname $i ) ; if [ "$i" == /var/log/ ] ; then mv /var/log /var/log-removed ; else rm -rf $i ; fi ; ln -sf /data${i%/} ${i%/} ; done
 ---> Running in a6d312129375
/etc/certmonger/
rm: cannot remove '/etc/certmonger/': Directory not empty
The command '/bin/sh -c set -e ; cd / ; mkdir /data-template ; cat /etc/volume-data-list | while read i ; do echo $i ; if [ -e $i ] ; then tar cf - .$i | ( cd /data-template && tar xf - ) ; fi ; mkdir -p $( dirname $i ) ; if [ "$i" == /var/log/ ] ; then mv /var/log /var/log-removed ; else rm -rf $i ; fi ; ln -sf /data${i%/} ${i%/} ; done' returned a non-zero code: 1

My host is:

# docker -v
Docker version 1.9.1, build 7206621
# cat /etc/redhat-release
Fedora release 23 (Twenty Three)

must disable DNS client to create the freeIPA container instance.

In my setup, the DNS server running in the docker container is bound to the docker host through port forwarding (-p).
So the docker host "is" the DNS server, and as such is a client of itself (i.e. it is in /etc/resolv.conf).
So far so good, but in this setup, before creating the freeipa container instance, it seems that I must first disable the (local) DNS nameserver in /etc/resolv.conf, run the freeipa container, then re-enable the DNS in /etc/resolv.conf, otherwise I get errors:

Warning: skipping DNS resolution of host ipa.quartzbio.com
The domain name has been determined based on the host name.

Checking forwarders, please wait ...
ipa         : ERROR    Forwarder 10.9.70.3 does not work
Forwarder 10.9.70.3 does not respond
FreeIPA server configuration failed.

where 10.9.70.3 is the IP address of the docker host

My question: is there a way to be able to start freeipa without having to mess with the host setup?

Regards, and many thanks for the docker !!

P.S
current docker run command (I tried many variants):

eval "PASSWORD_VALUE=\${IPA_PASSWORD}" && \
    docker run --name freeipa -t -d \
    -e IPA_SERVER_IP=10.9.70.3 \
    -e IPA_SERVER_INSTALL_OPTS="--no-host-dns --forwarder=8.8.8.8 -N" \
    -h ipa.quartzbio.com \
    -e PASSWORD=$PASSWORD_VALUE \
    -v /secure/freeipa_server/freeipa/data:/data \
    -v /etc/localtime:/etc/localtime:ro \
    -p 53:53  -p 53:53/udp \
    -p 9980:80 -p 9943:443 \
    -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
    -p 88:88/udp -p 464:464/udp -p 7389:7389 \
    -p 9443:9443 -p 9444:9444 -p 9445:9445  adelton/freeipa-server

services fail on restart of container

After creating the initial container named "ipa-server", I stopped and started it with

docker start -ia ipa-server

Everything started up without errors, and I was able to add users and authenticate over LDAP.

Unfortunately, when I stopped and started it again, some services failed to start:

FreeIPA server is already configured, starting the services.
Starting [ntpd.service]
Starting [certmonger.service]
Starting [ipa.service]
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Failed to data from service file: Failed to get list of services to probe status:
Directory Server is stopped
Shutting down
Starting [sssd.service]
^C[admin@airbuildserver openldap]$ docker start -ai ipa-server 
FreeIPA server is already configured, starting the services.
Starting [ntpd.service]
Starting [certmonger.service]
Starting [ipa.service]
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Failed to data from service file: Failed to get list of services to probe status:
Directory Server is stopped
Shutting down
Starting [sssd.service]

Also, if I commit the container, and then run it again to make changes, e.g. change port mapping, it starts certmonger and ntp, and then crashes.

ipa-replica-install / Feature Request: Replicas

I have an existing IPA installation (all 3.3.3, CentOS 7).

I'd be interested in trying out a container for the next cell.

So, feature/container request: Ability to run an IPA server in a container that is a replica of an existing server.

Some DNS entries not changed in `update_server_ip_address`

Perhaps I'm not understanding the way update_server_ip_address is supposed to be used, but it seems like there are two things that aren't updated when the IP address is set: ipa-ca.$(hostname -d) and the reverse zone. It's fairly easy to update those using ipa like this:

OLD_IP_ADDRESS=$(ip addr show | awk '/inet .*global/ { split($2,a,"/"); print a[1]; }' | head -1)

kdestroy -A
echo "${ADMIN_PASSWORD}" | kinit admin
ipa dnszone-del $(echo ${IP_ADDRESS} | awk -F. '{ print $3"."$2"."$1 }').in-addr.arpa
ipa dnszone-add $(echo ${NEW_IP_ADDRESS} | awk -F. '{ print $3"."$2"."$1 }').in-addr.arpa --name-server=$(hostname -f). --admin-email=hostmaster.$(hostname -d). --allow-sync-ptr=1 --dynamic-update=1
ipa dnsrecord-mod $(hostname -d) $(hostname -a) --a-rec=${OLD_IP_ADDRESS} --a-ip-address=${IP_ADDRESS}
ipa dnsrecord-mod $(hostname -d) ipa-ca --a-rec=${OLD_IP_ADDRESS} --a-ip-address=${IP_ADDRESS}
kdestroy -A

The issue I'm having is being reliably able to determine the admin password on startup. I'd prefer not to have to store it in a file (actually, why is the ds master stored in a file?), but the system keytab isn't enough to update those records. Would it be useful to alter the ACLs so it can? Is there a reason nsupdate is used currently rather than ipa besides the above issue? Is there a reason those aren't updated?
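The reverse-zone derivation and record updates from the post above, as an added shell example that is not the project's code or the poster's script. It only prints the ipa commands so they can be reviewed before being applied after a kinit, and it assumes the forward zone, short hostname and the reverse zone's prefix length (8, 16 or 24) are passed as arguments instead of being read from hostname.

```sh
#!/bin/sh
# Added example (not from the freeipa-container project or the issue poster).
# Derives the in-addr.arpa reverse zone for an IPv4 address and prints the
# ipa commands that would move the host and ipa-ca A records, and the reverse
# zone, from OLD_IP to NEW_IP. Nothing is executed: review the output, kinit
# as admin, then pipe it to sh.
# Assumed usage: plan_ip_change ZONE HOST OLD_IP NEW_IP PREFIXLEN

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
# Leaves o1..o4 set for callers that need the octets.
is_ipv4() {
    o1=${1%%.*}; r=${1#*.}
    o2=${r%%.*};  r=${r#*.}
    o3=${r%%.*};  o4=${r#*.}
    # Exactly four parts: reassembly must reproduce the input verbatim
    [ "$1" = "$o1.$o2.$o3.$o4" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# reverse_zone ADDR PREFIXLEN: e.g. 10.9.70.3 24 -> 70.9.10.in-addr.arpa
# The poster's awk one-liner hard-codes /24; this makes the prefix explicit.
reverse_zone() {
    is_ipv4 "$1" || return 1
    case $2 in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  return 1 ;;
    esac
}

# plan_ip_change ZONE HOST OLD_IP NEW_IP PREFIXLEN
# Prints the ipa command sequence. The reverse zone is only deleted and
# recreated when the old and new addresses fall in different reverse zones.
plan_ip_change() {
    zone=$1; host=$2; old=$3; new=$4; plen=$5
    old_rev=$(reverse_zone "$old" "$plen") || return 1
    new_rev=$(reverse_zone "$new" "$plen") || return 1
    if [ "$old_rev" != "$new_rev" ]; then
        echo "ipa dnszone-del $old_rev"
        echo "ipa dnszone-add $new_rev --name-server=$host.$zone. --admin-email=hostmaster.$zone. --allow-sync-ptr=1 --dynamic-update=1"
    fi
    echo "ipa dnsrecord-mod $zone $host --a-rec=$old --a-ip-address=$new"
    echo "ipa dnsrecord-mod $zone ipa-ca --a-rec=$old --a-ip-address=$new"
}

# Stand-alone use: sh plan.sh example.test ipa 10.9.70.3 10.9.71.3 24
if [ "$#" -eq 5 ]; then
    plan_ip_change "$@"
fi
```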

Docker run fails with FreeIPA server configuration failed

I have prepared a freeipa data directory with an ipa-server-install-options file with the password properties as documented here: https://registry.hub.docker.com/u/adelton/freeipa-server/

But if I try to run the following Docker command:

sudo docker run --name freeipa-server-container -h ipa.example.test -v /home/my/programs/freeipa/data/:/data -ti adelton/freeipa-server:centos-7

I receive the following error output:

Usage: ipa-server-install [options]
ipa-server-install: error: In unattended mode you need to provide at least -r, -p and -a options
FreeIPA server configuration failed.

Do I miss something?

Thanks for help

Read-only file system errors running current docker image tags centos-7, latest

Tested on CoreOS, OSX-boot2docker, and nkinder tested on centos-7 on fedora (#freeipa chat)

Here is the command and output: http://www.codeshare.io/34wmc

Top snippet:
core-01 ~ # docker run --name freeipa-server-container -ti -h ipa.example.test -v /var/lib/ipa-data:/data:Z adelton/freeipa-server:centos-7
tar: ./var/log/samba/old: Cannot utime: Read-only file system
tar: ./var/log/samba/old: Cannot change ownership to uid 0, gid 0: Read-only file system
tar: ./var/log/samba: Cannot utime: Read-only file system
....

How to: upgrade

Say you have a working freeipa, using your docker, with a given freeipa version, e.g. 4.1, and a local mount using -v to /data.
Now say I want to upgrade to the latest docker version, e.g. 4.2.3 or 4.3.
Is it enough to pull the newer docker and re-run it with the same docker command line used to run the old one, with a mount to the same /data?

centos-7 replica container entrypoint fails:

Command:
$ docker run -ti --name freeipa-replica-container -h ipareplica1.developnet.io -v /var/lib/ipa-data:/data -e IPA_SERVER_IP=ip-here -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 7389:7389 -p 9443:9443 -p 9444:9444 -p 9445:9445 adelton/freeipa-server:centos-7
Usage: ipa-replica-install [options] REPLICA_FILE

ipa-replica-install: error: you must provide a file generated by ipa-replica-prepare
FreeIPA server configuration failed.

Then if I run the command that I think throws the error:
[root@ip-172-31-27-104 /]# /usr/sbin/ipa-replica-install /data/*.gpg
Directory Manager (existing master) password:

Run connection check to master
...
it works - but it does prompt me for the passwords, even though they are in ipa-replica-install-options
[root@ip-172-31-27-104 /]# cat /data/ipa-replica-install-options

This file was written by cloud-config.

--password=password1
--admin-password=password1

IPA services fail to start after building image

First of all, I should note that I'm pretty new to Docker.

I was able to build the image per the README, with one change. I tried to run it with all my settings:

docker run --env=[IPA_SERVER=172.17.0.1,PASSWORD="mypasswd"] --name ipa-server -ti -h ipa.docker.lan -p 11080:80 -p 11081:443 freeipa-server

but I received the message:

Start as docker run -h $FQDN_HOSTNAME -e PASSWORD=$THE_ADMIN_PASSWORD image

So I did that, and the IPA server installed with no problems. I committed the image, and then tried to run the new image to commit my other settings:

docker stop <id>
docker commit <id> freeipa-server
docker run --name ipa-server -ti  -p 11080:80 -p 11081:443 freeipa-server

However, I got the following output, and the container crashed:

FreeIPA server is already configured, starting the services.
Starting [ntpd.service]
Starting [certmonger.service]
No pidof for [/usr/sbin/ntpd] found in [ntpd.service.name]

Running the image again, with the entry point set to /bin/bash, I tried running "systemct start-enabled" manually, and received the same message minus the last line. "systemctl status ntpd" returned "active".

However, when I tried to open the webui, it couldn't find the page. I can manually run "systemctl start httpd", and ncat can connect to the external ports 11080 and 11081, but the browser can't find the host. Perhaps because IPA isn't running.

I tried creating a container from the image on dockerhub, with the instructions posted there. It seemed to build and run without problems. However, I still get "Server not found" for the webui. I am prompted to add an exception for the certificate, but that's it. I can't see how it's getting a certificate from a website that it can't find.

Also, although I can connect to port 389 of the container using ncat, an ldapsearch query fails.

Error running systemd freeipa-server

I did a docker build of master-systemd:
commit 77d5cb8
Author: Jan Pazdziora [email protected]
Date: Wed Dec 16 09:20:16 2015 +0100

build ok, but when I run it:

docker run  --name freeipa -ti -p 8081:80 -p 8043:443 -h ipa.example.test -e PASSWORD=Secret123  -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v `pwd`/data:/data:Z freeipa-server

I get:

systemd 222 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.

Welcome to Fedora 23 (Twenty Three)!

Set hostname to <ipa.example.test>.
Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
systemd-logind.service: Cannot add dependency job, ignoring: Unit systemd-logind.service is masked.
getty.target: Cannot add dependency job, ignoring: Unit getty.target is masked.
systemd-user-sessions.service: Cannot add dependency job, ignoring: Unit systemd-user-sessions.service is masked.
nfs-client.target: Cannot add dependency job, ignoring: Unit nfs-client.target is masked.
nfs-client.target: Cannot add dependency job, ignoring: Unit nfs-client.target is masked.
[  OK  ] Reached target Encrypted Volumes.
[  OK  ] Reached target Remote File Systems.
[  OK  ] Created slice Root Slice.
[  OK  ] Listening on /dev/initctl Compatibility Named Pipe.
[  OK  ] Listening on Journal Socket.
[  OK  ] Created slice System Slice.
         Starting Create System Users...
         Starting Load/Save Random Seed...
         Starting Rebuild Journal Catalog...
[  OK  ] Reached target Paths.
[  OK  ] Listening on Journal Socket (/dev/log).
         Starting Journal Service...
[  OK  ] Started Create System Users.
[  OK  ] Started Load/Save Random Seed.
[  OK  ] Started Rebuild Journal Catalog.
[  OK  ] Started Journal Service.
         Starting Flush Journal to Persistent Storage...
[  OK  ] Started Flush Journal to Persistent Storage.
         Starting Create Volatile Files and Directories...
[  OK  ] Started Create Volatile Files and Directories.
         Starting Security Auditing Service...
[FAILED] Failed to start Security Auditing Service.
See 'systemctl status auditd.service' for details.
         Starting Update UTMP about System Boot/Shutdown...
[  OK  ] Started Update UTMP about System Boot/Shutdown.
[  OK  ] Reached target System Initialization.
[  OK  ] Reached target Timers.
[  OK  ] Listening on D-Bus System Message Bus Socket.
[  OK  ] Reached target Sockets.
[  OK  ] Reached target Basic System.
[  OK  ] Started D-Bus System Message Bus.
         Starting D-Bus System Message Bus...
         Starting Configure IPA server upon the first start...
         Starting Cleanup of Temporary Directories...
[  OK  ] Started Cleanup of Temporary Directories.
[  OK  ] Stopped Network Time Service.
         Starting Network Time Service...
[  OK  ] Started Network Time Service.
[  OK  ] Created slice system-dirsrv.slice.
         Starting 389 Directory Server EXAMPLE-TEST....
[  OK  ] Started 389 Directory Server EXAMPLE-TEST..
         Stopping 389 Directory Server EXAMPLE-TEST....
[  OK  ] Stopped 389 Directory Server EXAMPLE-TEST..
         Starting 389 Directory Server EXAMPLE-TEST....
[  OK  ] Started 389 Directory Server EXAMPLE-TEST..
         Stopping 389 Directory Server EXAMPLE-TEST....
[  OK  ] Stopped 389 Directory Server EXAMPLE-TEST..
         Starting 389 Directory Server EXAMPLE-TEST....
[  OK  ] Started 389 Directory Server EXAMPLE-TEST..
         Stopping 389 Directory Server EXAMPLE-TEST....
[  OK  ] Stopped 389 Directory Server EXAMPLE-TEST..
         Starting 389 Directory Server EXAMPLE-TEST....
[  OK  ] Started 389 Directory Server EXAMPLE-TEST..
[  OK  ] Created slice system-pki\x2dtomcatd.slice.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
[  *** ] A start job is running for Configure IPA server upon the first start (1min 25s / no limit)
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
[  OK  ] Started D-Bus System Message Bus.
         Starting Certificate monitoring and PKI enrollment...
[  OK  ] Started Certificate monitoring and PKI enrollment.
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
         Stopping 389 Directory Server EXAMPLE-TEST....
[  OK  ] Stopped 389 Directory Server EXAMPLE-TEST..
         Starting 389 Directory Server EXAMPLE-TEST....
[  OK  ] Started 389 Directory Server EXAMPLE-TEST..
         Stopping PKI Tomcat Server pki-tomcat...
[  OK  ] Stopped PKI Tomcat Server pki-tomcat.
         Starting PKI Tomcat Server pki-tomcat...
[  OK  ] Started PKI Tomcat Server pki-tomcat.
[*     ] A start job is running for Configure IPA server upon the first start (2min 24s / no limit)
[  OK  ] Stopped Kerberos 5 KDC.

         Starting Kerberos 5 KDC...
[  OK  ] Started Kerberos 5 KDC.
[  OK  ] Stopped Kerberos 5 Password-changing and Administration.
         Starting Kerberos 5 Password-changing and Administration...
[  OK  ] Started Kerberos 5 Password-changing and Administration.
[  OK  ] Stopped IPA memcached daemon, increases IPA server performance.
         Starting IPA memcached daemon, increases IPA server performance...
[  OK  ] Started IPA memcached daemon, increases IPA server performance.
[  OK  ] Closed ipa-otpd socket.
[  OK  ] Listening on ipa-otpd socket.
[  OK  ] Stopped The Apache HTTP Server.
         Starting The Apache HTTP Server...
[FAILED] Failed to start The Apache HTTP Server.
See 'systemctl status httpd.service' for details.

FreeIPA server configuration failed.
[FAILED] Failed to start Configure IPA server upon the first start.
See 'systemctl status ipa-server-configure-first.service' for details.
[ !!  ] Powering off as result of failure.

disable forced HTTPS

I was pushing this into an instance of octohost (http://octohost.io/). But FreeIPA demands traffic from port 443, which is broken once octohost does all of its routing. I've modified octohost in the past so I could force the routing of certain ports to a specific host:
https://github.com/octohost/octohost/pull/78/files
and I'm also the one who put the force SSL in place:
octohost/octohost#113
and I've got a pull request that hasn't been merged yet to force alternate nginx configurations so I can give a container special configuration options

However, given all this, I don't want to give port 443 and port 80 to my FreeIPA container; I want to dedicate those ports to the nginx reverse proxy so all the name-based routing continues to work. But, as you guys probably well understand, the SSL connection needs to be terminated at the nginx reverse proxy. So what I need is to be able to specify a cert and key for the container upon starting up (and have those on the host for the proxy to use), and also to be able to disable the forced SSL on the FreeIPA container (as SSL is being handled upstream by the nginx proxy). There wouldn't happen to be some ENV vars already you can specify for this? If not, does anyone have any pointers on where all I might run into issues trying to get FreeIPA to do such a thing (i.e. accept that SSL is handled upstream by the proxy and relax the rules a bit)?

Or perhaps I'm going about this entirely wrong and someone has alternate suggestions; in any case, I'd like to hear opinions.

ENTRYPOINT script fails on first start

Script /usr/sbin/ipa-server-configure-first

fails with:

[root@ipa data]# systemd-tmpfiles --remove --create
[/usr/lib/tmpfiles.d/journal-nocow.conf:26] Failed to replace specifiers: /var/log/journal/%m
[/usr/lib/tmpfiles.d/systemd.conf:26] Failed to replace specifiers: /run/log/journal/%m
[/usr/lib/tmpfiles.d/systemd.conf:28] Failed to replace specifiers: /run/log/journal/%m
[/usr/lib/tmpfiles.d/systemd.conf:29] Failed to replace specifiers: /run/log/journal/%m
[/usr/lib/tmpfiles.d/systemd.conf:32] Failed to replace specifiers: /var/log/journal/%m
[/usr/lib/tmpfiles.d/systemd.conf:34] Failed to replace specifiers: /var/log/journal/%m
[/usr/lib/tmpfiles.d/systemd.conf:35] Failed to replace specifiers: /var/log/journal/%m
"/var/log" already exists and is not a directory.

host image: "docker.io/fedora 23"

DNS and network configuration in production

What is the recommended way to structure the docker network and IP addresses to use FreeIPA with DNS enabled?

When all relevant ports are forwarded from the host, the container answers DNS queries with its internal docker-assigned address (172.17.0.39, for instance). The SRV records for Kerberos and LDAP point clients to an address they cannot reach instead of the host's address where the services are exposed. FreeIPA is unaware that docker exposes its services to a different network as a different address.

When the container is instead run with --net=host to take on the host's network stack and address, the container's installation script has a conflict with the host's systemctl d-bus:

CalledProcessError: Command '/bin/systemctl start messagebus.service' returned non-zero exit status 10

Is there a better way to approach this that better supports a containerized FreeIPA with DNS? Thanks!

ipa-server-install: error: option --forwarder: invalid IP address 127.0.0.11

I cannot kick off the FreeIPA container on docker within a user-defined network (docker 1.10). I get the following error message during initialization of a new container:

$ cat var/log/ipa-server-configure-first.log 
Sat Mar 12 22:46:49 UTC 2016 /usr/sbin/init-data 
Sat Mar 12 22:46:50 UTC 2016 /usr/sbin/ipa-server-configure-first 
Usage: ipa-server-install [options]

ipa-server-install: error: option --forwarder: invalid IP address 127.0.0.11: cannot use loopback IP address
FreeIPA server configuration failed.
Sun Mar 13 10:49:50 UTC 2016 /usr/sbin/init-data 
Sun Mar 13 10:49:51 UTC 2016 /usr/sbin/ipa-server-configure-first 
Usage: ipa-server-install [options]

ipa-server-install: error: option --forwarder: invalid IP address 127.0.0.11: cannot use loopback IP address
FreeIPA server configuration failed.
Sun Mar 13 10:50:01 UTC 2016 /usr/sbin/init-data 
Sun Mar 13 10:50:01 UTC 2016 /usr/sbin/ipa-server-configure-first

I use docker-compose to manage my docker containers. This error happens when using version 2 of docker-compose configuration file which might be related to new networking (DNS) behavior introduced in docker. I'm using master-systemd branch of FreeIPA.

I tried to set IPA_SERVER_INSTALL_OPTS='--forwarder=8.8.8.8' or IPA_SERVER_INSTALL_OPTS='--forwarder=127.0.0.1' and also directly adding these lines to the ipa-server-install-options file, but neither seems to work (ipa-server-install just ignores them).

My system is Arch Linux:

docker version
Client:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   20f81dd
 Built:        Sat Mar 12 19:18:57 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.10.3
 API version:  1.22
 Go version:   go1.5.3
 Git commit:   20f81dd
 Built:        Sat Mar 12 19:18:57 2016
 OS/Arch:      linux/amd64

Issue with working with OTP

There seem to be major issues when implementing OTP. The first problem is the systemd file /usr/lib/systemd/system/[email protected] -- the environment file it is pointing at is /etc/ipa/default.conf. This breaks when systemd attempts to add the [global] tag.

I attempted to patch that and point it to the same file without the [global] tag; however, all OTP still fails with no real indication as to why.

Errors encountered while building freeipa docker container from source

I just tried cloning the docker-freeipa repo and building an image based on it. That part seemed to go fine. However when I then proceeded to run the container I got the following error:

  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
ipa         : CRITICAL Failed to load ds-nfiles.ldif: Command ''/usr/bin/ldapmodify' '-v' '-f' '/tmp/tmpP2lB19' '-H' 'ldap://ipa.bubba.net:389' '-x' '-D' 'cn=Directory Manager' '-y' '/tmp/tmpUxhUy6'' returned non-zero exit status 53
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).

The docker run then proceeded until this error:

  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
ipa         : CRITICAL Failed to restart the directory server. See the installation log for details.
  [error] SystemExit: 1
FreeIPA server configuration failed.
Java virtual machine used: /usr/lib/jvm/jre/bin/java
classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
main class used: org.apache.catalina.startup.Bootstrap
flags used:  
options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
arguments used: stop

For reference I'm attempting to run the container initially like so:

$ export IP=192.168.1.111; docker run -e IPA_SERVER_IP=$IP -e FORWARDER=8.8.8.8 \
-p $IP:53:53/udp -p $IP:53:53 -p $IP:80:80 -p $IP:443:443 -p $IP:389:389 -p $IP:636:636 \
-p $IP:88:88 -p $IP:464:464 -p $IP:88:88/udp -p $IP:464:464/udp -p $IP:7389:7389 \
--name ipa -ti -h ipa.bubba.net -e PASSWORD=secretpass lamolabs/freeipa

Changelog would be super helpful

A changelog, or at the very least a notice in the README about backwards-incompatible changes, would be super helpful! I have spent 4 hours trying to upgrade my FreeIPA installation when I decided to check the commit logs and found out that /sys/fs/cgroup must be mounted due to systemd changes.

For the purpose of search engine indexing, my container was just hanging with only one line in the logs:

FreeIPA server is already configured but with different version, volume update.

How to get the IPA web app certificate and key?

I'd like to get the certificate and private key used by the freeipa web app.

I had to reverse-proxy this web app because it is bound on a non-standard port, 9943.
So I set up a virtual host that reverse-proxies the FreeIPA web app, both on http and https.
For https, apparently there is no way to only forward the https queries to port 9943 without setting up an SSL engine.
So when a client requests https://ipa.example.test, it gets a response encrypted by the vhost certificate.

I think that causes a problem with ipa-client-install (because my proxy certificate is self-signed).

* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* Server certificate:
*   subject: xxxxxxxxxxxxxxxxxx
*   start date: Jul 09 09:45:31 2015 GMT
*   expire date: Jul 06 09:45:31 2025 GMT
*   common name: ipa.example.test
*   issuer: xxxxxxxxxxxxxxxxxxxxxxxx
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining:  Peer's certificate issuer has been marked as not trusted by the user.

So I was thinking of reusing for my Apache proxy the same certificate and private key as the ones used by the FreeIPA web UI, but I can't find them.

Does it make sense?

Regards,
Karl

systemctl should log to stdout/stderr

Hi,

Around line 600 I see the code below:

    if ($pid == 0) {
        open(STDOUT, '>>', '/var/log/systemctl.log');
        open(STDERR, '>>', '/var/log/systemctl.log');
        open(STDIN, '<', '/dev/null');
        POSIX::setsid();
        exec "$ENV@paths";
    }

But it's good for containers to log to /dev/stderr and /dev/stdout instead of files,
to avoid writing to container files (overlayfs / device mapper)
and to allow logs to be collected later by host logging like docker logs -f and the host's journald.

I can send a pull request, but I believe the fix is obvious.

exec starting with -

I was looking in my logs and found this

Can't exec "-/usr/bin/kdestroy": No such file or directory at /bin/systemctl line 341.

ipa server cannot be restarted

Overview: When I create the container using docker run, it works well the first time (when there is no prior data volume). Then I get to a bash terminal, then I exit.

At this point I cannot restart the freeipa container, either by running docker start or by running the exact same docker run command used to create the container.
The reason seems to be that it cannot resolve the freeipa hostname (ipa.quartzbio.com), which is expected because it is only defined in the Docker host's /etc/hosts, and is the reason why I used
-h ipa.quartzbio.com and -e IPA_SERVER_IP=10.9.70.3.

I don't know what to do, since I intend to use the DNS service provided by the freeipa container to resolve the hostname.

N.B.: If I delete the data volume, I can run the docker without error.

docker run --name freeipa -ti \
    -e IPA_SERVER_IP=10.9.70.3 \
    -e IPA_SERVER_INSTALL_OPTS="--no-host-dns -d" \
    -h ipa.quartzbio.com \
    -e PASSWORD=$IPA_PASSWORD \
    -v /secure/freeipa_server/freeipa/data:/data \
    -v /etc/localtime:/etc/localtime:ro \
    -p 53:53  -p 53:53/udp \
    -p 9980:80 -p 9943:443 \
    -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
    -p 88:88/udp -p 464:464/udp -p 7389:7389 \
    -p 9443:9443 -p 9444:9444 -p 9445:9445  adelton/freeipa-server
FreeIPA server is already configured, starting the services.
Starting [ntpd.service]
Starting [certmonger.service]
Starting [ipa-dnskeysyncd.service]
Starting [fedora-domainname.service]
domainname: you must be root to change the domain name
Starting [ipa.service]
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Starting ipa-otpd Service
Starting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
Starting [sssd.service]
Host ipa.quartzbio.com not found: 3(NXDOMAIN)
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service

cannot enroll freeipa-client

On my host, running the freeipa master in an adelton/freeipa-server container, I have trouble testing it using a freeipa-client.

If I type:

docker run --privileged -h ipahtest.example.com --link freeipa:ipa \
    -e PASSWORD=$PASSWORD_VALUE \
    -ti adelton/freeipa-client

I get:

Skip ipamidgard.example.com: cannot verify if this is an IPA server

Skip ipa2.example.com: cannot verify if this is an IPA server
Discovery was successful!
Hostname: ipahtest.example.com
Realm: example.COM
DNS Domain: example.com
IPA Server: ipah.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Attempting to sync time using ntpd.  Will timeout after 15 seconds
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
Kerberos authentication failed
kinit: Password incorrect while getting initial credentials

Installation failed. Rolling back changes.
IPA client is not configured on this system.

For file list fails if no file matches glob.

If the glob expression does not match any file, the for loop will do a single
iteration with the glob expression as the value:

# for i in /usr/lib/systemd/system/*-dummy.service ; do echo $i ; done
/usr/lib/systemd/system/*-dummy.service

This behaviour will lead to errors like:

sed: can't read /usr/lib/systemd/system/*-domainname.service: No such file or directory
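The guarded form of that loop, as an added example (not code from the freeipa-container project): an unmatched glob is left unexpanded, so checking that each candidate exists skips the bogus iteration. The scratch directory and unit names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the project: iterate over a glob that may match
# nothing. Without the guard the loop runs once with the literal pattern in
# $unit, and tools such as sed then fail with "can't read .../*-foo.service".

# list_units <dir> <suffix>
# Print the unit files matching "<dir>/*-<suffix>.service"; print nothing when
# there is no match instead of echoing the unexpanded pattern.
list_units() {
    dir="$1"
    suffix="$2"
    for unit in "$dir"/*-"$suffix".service; do
        # An unmatched glob stays unexpanded, so the path does not exist.
        [ -e "$unit" ] || continue
        printf '%s\n' "$unit"
    done
}

# count_units <dir> <suffix>
# Number of matching unit files (0 when the glob matches nothing).
count_units() {
    list_units "$1" "$2" | wc -l | tr -d ' '
}

# Demo with a constructed scratch directory standing in for
# /usr/lib/systemd/system: one real unit, one pattern that matches nothing.
demo_dir=$(mktemp -d)
: > "$demo_dir/fedora-domainname.service"
count_units "$demo_dir" domainname   # 1
count_units "$demo_dir" dummy        # 0
rm -rf "$demo_dir"
```

Under bash, `shopt -s nullglob` makes an unmatched glob expand to nothing and removes the need for the existence check, but the guard above also works in plain POSIX sh.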

stopped services reported by ipactl status

Sorry, yet another issue.

In my freeipa server docker, if I run ipactl status, I get:

# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful

Is this normal?

Thanks

Warning when starting

Failed to create file /var/log/wtmp: No such file or directory
Failed to create file /var/log/btmp: No such file or directory

httpd package error on unpacking

I'm getting problems with httpd in multiple branches (fedora21 as well as the centos-7 shown here); is anyone else running into this? Looking into the install log, it was here that it failed:

Installing : httpd-2.4.6-31.el7.centos.x86_64 200/373
Error unpacking rpm package httpd-2.4.6-31.el7.centos.x86_64

force IPv4

I'm running into the issue where none of the IPv4 addresses are being listened to by the majority of processes. So I added these two lines:

RUN echo 'net.ipv6.conf.all.disable_ipv6 = 1' >> /etc/sysctl.d/ipv6.conf
RUN echo 'net.ipv6.conf.eth0.disable_ipv6 = 1' >> /etc/sysctl.d/ipv6.conf

as this page seemed to indicate it might work:
https://www.freeipa.org/page/Deployment_Recommendations#Active_Directory_Integration

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.17.0.2:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::88                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:953                 :::*                    LISTEN      -                   
tcp6       0      0 :::443                  :::*                    LISTEN      -                   
tcp6       0      0 :::8443                 :::*                    LISTEN      -                   
tcp6       0      0 :::636                  :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      -                   
tcp6       0      0 :::389                  :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      -                   
tcp6       0      0 :::749                  :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::8080                 :::*                    LISTEN      -                   
tcp6       0      0 :::464                  :::*                    LISTEN      -                   
tcp6       0      0 :::53                   :::*                    LISTEN      - 

but sysctl is probably not running, in that fashion at least, inside the container. Any ideas on how I can get it to listen on IPv4 as well?
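A check that pins down the symptom in the listing above, as an added example (not code from the freeipa-container project): it parses netstat-style output and reports the TCP ports that have an IPv6 listener but no IPv4 listener. The sample input is the listing from the issue, embedded as a constructed constant.

```shell
#!/bin/sh
# Added example, not from the project: find TCP ports that are only bound on
# IPv6. Those are the ports IPv4 clients cannot reach once the container's
# IPv6 stack is disabled, which is the situation described above.

# Constructed sample: the listening sockets pasted in the issue above.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      -
tcp        0      0 172.17.0.2:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::88                   :::*                    LISTEN      -
tcp6       0      0 ::1:953                 :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::8443                 :::*                    LISTEN      -
tcp6       0      0 :::636                  :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      -
tcp6       0      0 :::389                  :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      -
tcp6       0      0 :::749                  :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
tcp6       0      0 :::464                  :::*                    LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -'

# ipv6_only_ports
# Read "netstat -lnt" output on stdin; print one IPv6-only port per line in
# ascending order. The local address is column 4 and the port is whatever
# follows the last colon, which handles "0.0.0.0:88", ":::88", "::1:953"
# and "127.0.0.1:8005" alike. Header lines never start with tcp/tcp6.
ipv6_only_ports() {
    awk '
        $1 == "tcp"  { n = split($4, a, ":"); v4[a[n]] = 1 }
        $1 == "tcp6" { n = split($4, a, ":"); v6[a[n]] = 1 }
        END { for (p in v6) if (!(p in v4)) print p }
    ' | sort -n
}

# ipv6_only_ports_line
# Same result as one space-separated line, convenient for a single comparison.
ipv6_only_ports_line() {
    ipv6_only_ports | tr '\n' ' ' | sed 's/ $//'
}

# Demo on the constructed sample: prints 80 389 443 636 8005 8009 8080 8443
printf '%s\n' "$SAMPLE_NETSTAT" | ipv6_only_ports_line
echo
```

Note that a sysctl.d file written at image build time is not applied when the container starts; the namespaced key can instead be set per container at start with docker run --sysctl net.ipv6.conf.all.disable_ipv6=1.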

cannot delete replica

Hello,

I have a freeipa master running in an adelton/freeipa-server container.
I managed to create a replica, using another adelton/freeipa-server.

I stopped the replica docker. When I tried to re-run it, I got this message:

A replication agreement for this host already exists. It needs to be removed.
Run this on the master that generated the info file:
% ipa-replica-manage del ipa2.quartzbio.com --force

So I entered into the master server docker using docker exec, and typed:

% kinit admin
% ipa-replica-manage del ipa2.quartzbio.com --force  -v

but it hangs forever.
I also tried

% ipa-replica-manage list
ipa2.quartzbio.com: master
ipa.quartzbio.com: master

% ipa-replica-manage list-ruv
ipa.quartzbio.com:389: 4
ipa2.quartzbio.com:389: 3

% ipa-replica-manage disconnect ipa2.quartzbio.com ipa.quartzbio.com --force
this one hangs too.

In the meantime I set up the replica using another name. But why isn't it working?

Best,

restarting container results in not being able to contact KDC realm

When I restart Docker and the container, I'll eventually run into an issue where I'm unable to connect to the KDC realm. When I enter the restarted container and attempt to run kinit admin, I encounter this:

kinit: Cannot contact any KDC for realm 'BUBBA.NET' while getting initial credentials

I suspect that when I restart docker I'm getting a new IP address for the container and this is causing an issue with configuration files such as /etc/resolv.conf, perhaps. I'll look into it further but was wondering if your script /usr/sbin/ipa-server-configure-first took this into account?

NOTE: looking through my container that resulted from the restart I noticed that it now has IP 172.17.0.5 but previously had 172.17.0.9 when looking through the log file /var/log/krb5kdc.log, for example.

IPA_SERVER_IP does not appear to be sticking?

docker run --name=demofreeipa \
        -d \
        -e IPA_SERVER_IP=$(IPA_SERVER_IP) \
        -p 53:53/udp -p 53:53 \
        -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
        -p 88:88/udp -p 464:464/udp -p 123:123/udp -p 7389:7389 \
        -p 9443:9443 -p 9444:9444 -p 9445:9445 \
        -h demo.freeipa.example.com \
        -e PASSWORD=$(FREEIPA_MASTER_PASS) \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        -t adelton/freeipa-server:fedora-23
The IPA Master Server will be configured with:
Hostname:       demo.freeipa.example.com
IP address(es): 172.17.0.2

which is the Docker IP address, not the one I fed it previously with -e IPA_SERVER_IP=$(IPA_SERVER_IP).

For consistency's sake I made a Makefile that prompts for anything specific to the installation (and gitignores all the responses so I don't commit my master password etc. to git):

https://github.com/joshuacox/mkFreeIPA

Its intended use would be make temp, which would quickly make you a temporary FreeIPA server; you could make it persistent after you got it running with make grab, then make rmtemp, and finally make prod to run the container with the persistent directories. But alas, it fails on make temp with:

  [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(Server): ERROR    Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 1
FreeIPA server configuration failed.

which may or may not be related to the IP address not being passed correctly.

Can you spot what I'm doing wrong? I know I had this working a few months ago, and now something seems off; it's most likely me, and I'd appreciate any extra eyes.

Incorrect permissions :: /etc/ipa/dnssec/ipa-dnskeysyncd.keytab

The following error exists:

[start ipa-dnskeysyncd.service]
Running [export SOFTHSM2_CONF=/etc/ipa/dnssec/softhsm2.conf; /usr/sbin/runuser -g named -u ods -- /usr/libexec/ipa/ipa-dnskeysyncd]
Marked pid [2444] for [ipa-dnskeysyncd.service]
[is-active ipa-dnskeysyncd.service]
[is-active ipa.service]
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-dnskeysyncd", line 68, in <module>
    ipautil.kinit_hostprincipal(KEYTAB_FB, WORKDIR, PRINCIPAL)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 1208, in kinit_hostprincipal
    raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
StandardError: Error initializing principal ipa-dnskeysyncd/fax.puglord.com in /etc/ipa/dnssec/ipa-dnskeysyncd.keytab: (13, 'Permission denied')

Originally the file was listed:
-r--r----- 1 root ods 354 Jul 16 00:48 ipa-dnskeysyncd.keytab

Meaning the process could not access the file.

ntp server ?

Hi,

Is there an NTP server supposed to run inside the freeipa server container?
I bound the port using "-p 123:123/udp" but it does not seem to work:

  • from the docker host:
ntpdate localhost
 2 Jul 15:45:28 ntpdate[1461]: bind() fails: Permission denied

ntpdate $container_ip
 2 Jul 15:45:37 ntpdate[1472]: bind() fails: Permission denied
  • from inside the container:
ps -fA | grep ntp
=> nothing

ntpdate localhost
 2 Jul 09:47:22 ntpdate[623]: no server suitable for synchronization found

Is there something wrong?

Best,
Karl

Error running freeipa-server

The same error as "Error running systemd freeipa-server" (#46),
but on adelton/freeipa-server:latest.

Configuring the web interface (httpd). Estimated time: 1 minute
  [1/19]: setting mod_nss port to 443
  [2/19]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [3/19]: setting mod_nss password file
  [4/19]: enabling mod_nss renegotiate
  [5/19]: adding URL rewriting rules
  [6/19]: configuring httpd
  [7/19]: configure certmonger for renewals
  [8/19]: setting up ssl
  [9/19]: importing CA certificates from LDAP
  [10/19]: setting up browser autoconfig
  [11/19]: publish CA cert
  [12/19]: creating a keytab for httpd
  [13/19]: clean up any existing httpd ccache
  [14/19]: configuring SELinux for httpd
  [15/19]: create KDC proxy user
  [16/19]: create KDC proxy config
  [17/19]: enable KDC proxy
  [18/19]: restarting httpd
  [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 10
ipa.ipapython.install.cli.install_tool(Server): ERROR    Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 10
FreeIPA server configuration failed.
No service definition found for [ipa-otpd.service].
Java virtual machine used: /usr/lib/jvm/jre/bin/java
classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
main class used: org.apache.catalina.startup.Bootstrap
flags used:
options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat/temp -Djava.util.logging.config.file=/usr/share/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
arguments used: stop
2016-02-20T13:27:34Z DEBUG stderr=
2016-02-20T13:27:34Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2016-02-20T13:27:34Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2016-02-20T13:27:34Z DEBUG Starting external process
2016-02-20T13:27:34Z DEBUG args='/bin/systemctl' 'restart' 'httpd.service'
2016-02-20T13:28:25Z DEBUG Process finished, return code=10
2016-02-20T13:28:25Z DEBUG stdout=
2016-02-20T13:28:25Z DEBUG stderr=ipa         : INFO     KDC proxy enabled

2016-02-20T13:28:25Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 416, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 406, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 167, in __start
    self.restart()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 316, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 314, in restart
    capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)
CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 10

2016-02-20T13:28:25Z DEBUG   [error] CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 10
2016-02-20T13:28:25Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 307, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 294, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 316, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 356, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 378, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 346, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 557, in _configure
    executor.next()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 356, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 435, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 378, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 432, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 378, in _handle_exception
    util.raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 346, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 87, in run_generator_with_yield_from
    raise_exc_info(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 65, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1285, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 257, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 822, in install
    ca_is_configured=setup_ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 163, in create_instance
    self.start_creation(runtime=60)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 416, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 406, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 167, in __start
    self.restart()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 316, in restart
    self.service.restart(instance_name, capture_output=capture_output, wait=wait)
  File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 314, in restart
    capture_output=capture_output)
  File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 373, in run
    raise CalledProcessError(p.returncode, arg_string, stdout)

2016-02-20T13:28:25Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 10
2016-02-20T13:28:25Z ERROR Command ''/bin/systemctl' 'restart' 'httpd.service'' returned non-zero exit status 10

If I create $(pwd)/data/var/log/httpd directory before running the container, the installation goes well.

Implement full grsec support?

grsec: use of CAP_SETFCAP in chroot denied for /usr/bin/docker[exe:22977] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/docker[docker:21162] uid/euid:0/0 gid/egid:0/0

Sadly...
Is there a way for the container to work without the caps?
What's the reasoning behind "--cap-add=SYS_TIME"?

DNS does not resolve IPA entries after swap to /data volume when called with --external-ca, during the two-step process

Due to the recent changes added to support the /data volume (awesome), the named daemon cannot speak to the LDAP server, so the IPA DNS entries cannot be resolved (not awesome). Just creating any new container from scratch with an external data volume will reproduce the issue. Check out the errors in /var/named/data/named.run for reference after setting up a new container.

The cause of the issue is that a symlink is created from /etc/named.keytab to /data/etc/named.keytab before /data/etc/named.keytab is created. The result is that the named.keytab is not properly created by the installation scripts. This also seems to be the case for the /etc/krb5.keytab, but doesn't have any clear side effects.

For anybody else running into this, the workaround is somewhat simple. Just use ipa-getcert to create the missing keytabs, and make sure /data/etc/named.keytab has the right ownership (named).
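A check for the failure mode diagnosed above, as an added example (not code from the freeipa-container project): it reports keytab symlinks that point at a target which does not exist yet. The root prefix is a parameter so it can be run against a scratch tree; the demo tree below is constructed.

```shell
#!/bin/sh
# Added example, not from the project: detect a keytab link such as
# /etc/named.keytab -> /data/etc/named.keytab that was created before its
# target, so the installer never populated the keytab and named cannot
# authenticate to LDAP. On a real server the root would be "/".

# Relative paths of the keytab links the issue mentions.
KEYTAB_LINKS="etc/named.keytab etc/krb5.keytab"

# check_keytab_links <root>
# Prints one line per path: "ok <path>" when it resolves to an existing file,
# "dangling <path> -> <target>" for a link whose target is missing, and
# "missing <path>" when neither a link nor a file is present.
# Returns 1 if any link is dangling, 0 otherwise.
check_keytab_links() {
    root="$1"
    bad=0
    for rel in $KEYTAB_LINKS; do
        path="$root/$rel"
        if [ -L "$path" ]; then
            target=$(readlink "$path")
            # -e follows the link, so it is false exactly when the target is gone.
            if [ -e "$path" ]; then
                echo "ok $path"
            else
                echo "dangling $path -> $target"
                bad=1
            fi
        elif [ -e "$path" ]; then
            echo "ok $path"
        else
            echo "missing $path"
        fi
    done
    return $bad
}

# Demo on a constructed scratch tree reproducing the bug: named.keytab is
# linked before /data/etc/named.keytab exists, while krb5.keytab's target does.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc" "$demo_root/data/etc"
ln -s "$demo_root/data/etc/named.keytab" "$demo_root/etc/named.keytab"
ln -s "$demo_root/data/etc/krb5.keytab" "$demo_root/etc/krb5.keytab"
: > "$demo_root/data/etc/krb5.keytab"
check_keytab_links "$demo_root"   # reports named.keytab as dangling, status 1
rm -rf "$demo_root"
```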

cannot create CA replica

I'm kinda stuck because I realized my replicas are not CA-enabled, and I needed one of them to replace my current master.
So I tried to set up a new CA replica, adding the --setup-ca option to ipa-replica-install-options.
My ipa-replica-install-options:

--password=xxx
--admin-password=xxx
--no-host-dns
--setup-ca

but the install fails:
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds

  [1/22]: creating certificate server user
  [2/22]: configuring certificate server instance
ipa         : CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpKIDYI0'' returned non-zero exit status 1
  [error] RuntimeError: Configuration of CA failed
Configuration of CA failed

in ipareplica-install.log:

2015-12-18T18:08:29Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2015-12-18T18:08:29Z DEBUG Starting external process
2015-12-18T18:08:29Z DEBUG args='/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpKIDYI0'
2015-12-18T18:08:50Z DEBUG Process finished, return code=1
2015-12-18T18:08:50Z DEBUG stdout=Loading deployment configuration from /tmp/tmpKIDYI0.
Installing CA into /var/lib/pki/pki-tomcat.
Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
    'pki-tomcat' must still be CONFIGURED!
    (see /var/log/pki-tomcat-install.log)

Installation failed.


2015-12-18T18:08:50Z DEBUG stderr=/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)

2015-12-18T18:08:50Z CRITICAL failed to configure ca instance Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmpKIDYI0'' returned non-zero exit status 1
2015-12-18T18:08:50Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 388, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 378, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance
    raise RuntimeError('Configuration of CA failed')
RuntimeError: Configuration of CA failed

2015-12-18T18:08:50Z DEBUG   [error] RuntimeError: Configuration of CA failed
2015-12-18T18:08:50Z DEBUG   File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 642, in run_script
    return_value = main_function()

  File "/usr/sbin/ipa-replica-install", line 704, in main
    CA = cainstance.install_replica_ca(config)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1869, in install_replica_ca
    subject_base=config.subject_base)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 520, in configure_instance
    self.start_creation(runtime=210)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 388, in start_creation
    run_step(full_msg, method)

  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 378, in run_step
    method()

  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 673, in __spawn_instance

RFE: include freeIPA version in docker tags

Hi,

From what I read, it could be extremely important to deploy the same version of FreeIPA, e.g. for a replica.
But imagine that you set up a master server using adelton/freeipa-server(:latest).
Then, months later, you want to set up a replica using a docker, but at that time adelton/freeipa-server has been updated and the versions do not match.

It could be very useful to include the IPA version in the tags, e.g. centos-7-ipa-441.

Best,
Karl

latest error

I tried to build the image today and am getting the error below:

systemd 222 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.
Set hostname to <freeipa.locuz.com>.
Failed to install release agent, ignoring: No such file or directory
Failed to create root cgroup hierarchy: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object, freezing.

Same error with pulled Docker image.

Yesterday the build was working perfectly.
