FreeIPA server and client in Docker containers; see hub.docker.com for the images:
adelton: The python2-ipaserver no longer seems to be installed.
Addressing
Step 7/47 : RUN sed -i '/installutils.verify_fqdn(config.master_host_name, options.no_host_dns)/s/)/, local_hostname=False)/' /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py && python -m compileall /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py
 ---> Running in 34a5865821d8
sed: can't read /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py: No such file or directory
The command '/bin/sh -c sed -i '/installutils.verify_fqdn(config.master_host_name, options.no_host_dns)/s/)/, local_hostname=False)/' /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py && python -m compileall /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py' returned a non-zero code: 2
Latest commit 757b079 Sep 1, 2018
tests Build image in install, for easier local testing. Jul 31, 2018
.dockerignore Do not pass .git to docker builder. Nov 27, 2015
.travis.yml If our Dockerfile did not change, we would not have image and instead… Aug 24, 2018
Dockerfile Make Dockerfile point to Dockerfile.fedora-27. May 29, 2018
Dockerfile.centos-7 Workaround 1615948. Aug 23, 2018
Dockerfile.fedora-23 Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/58." Aug 15, 2018
Dockerfile.fedora-24 Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/58." Aug 15, 2018
Dockerfile.fedora-25 Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/60." Aug 15, 2018
Dockerfile.fedora-26 Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/60." Aug 15, 2018
Dockerfile.fedora-27 The python2-ipaserver no longer seems being installed. Sep 1, 2018
Dockerfile.fedora-28 Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/60." Aug 15, 2018
Dockerfile.fedora-rawhide Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/60." Aug 15, 2018
Dockerfile.rhel-7 Revert "Workaround https://fedorahosted.org/spin-kickstarts/ticket/58." Aug 15, 2018
LICENSE-2.0 Adding Apache License, Version 2.0. Jun 26, 2014
Makefile Stop git diff from paginating when run on terminal. Aug 13, 2016
README Example of unattended invocation. Jul 14, 2018
README.md Add README.md to display README in Markdown on GitHub. Mar 28, 2017
atomic-install-help Document the ip-address keyword. Nov 14, 2016
certmonger-wait-for-ready.conf Workaround #187. Jul 20, 2018
container-ipa.target Using container-ipa.target to better isolate from the default .wants. Feb 18, 2016
exit-status.conf Use systemctl exit to return status from the container. Jul 14, 2018
exit-via-chroot.conf Move exit-via-chroot.conf to file instead of creating it inside RUN. May 30, 2016
exit-with-status Stop the container when configuring or upgrading IPA fails. Dec 14, 2015
freeipa-server-openshift-image.json Add ImageStream entry for fedora-27, remove EOL'd fedora-24. Dec 19, 2017
freeipa-server-openshift-volume.json Compatibility fix for OpenShift Origin 1.4. Jan 26, 2017
freeipa-server-openshift.json Add TIMEOUT parameter for update acceptor timeout. May 5, 2017
hostnamectl-wrapper Fedora rawhide uses nis-domainname.service instead of fedora-domainna… Jul 5, 2018
init-data When during upgrade /data contains symlink and new image would like t… Jul 31, 2018
install.sh generalize NET_HOST_PARAM to NET_PARAM Nov 23, 2017
ipa-server-configure-first The /etc/named.conf is symlink to /data, avoid changing it. Jul 31, 2018
ipa-server-configure-first.service Drive exit/no-exit via /run/systemd overrides. Jul 14, 2018
ipa-server-update-self-ip-address.service Using container-ipa.target to better isolate from the default .wants. Feb 18, 2016
ipa-server-upgrade.service In RHEL 7 / CentOS 7 containers, upgrade would hang. Jul 31, 2018
ipa-volume-upgrade-1.0-1.1 Mark the container-ipa.target-based setup as volume 1.1, add upgrades. Feb 19, 2016
systemctl-exit-with-status Use systemctl exit to return status from the container. Jul 14, 2018
uninstall.sh Define LABELs for atomic install/run/stop/uninstall. Aug 25, 2016
volume-data-autoupdate Save /etc/tmpfiles.d to /usr/lib as well. Dec 4, 2015
volume-data-list preserve gssproxy configuration between container runs Apr 26, 2017
volume-data-mv-list Fix list of files that should be stored on the data volume. Nov 30, 2015

README.md

FreeIPA server in Docker

This repository contains the Dockerfile and associated assets for building a FreeIPA server Docker image from the official yum repo.

Install docker 1.10+:

yum install -y docker

Start the service:

systemctl start docker

To build the image, run in the root of the repository:

docker build -t freeipa-server .

The repository contains multiple Dockerfiles for various operating systems. Use the -f option of docker build to pick a Dockerfile other than the default one.

Create directory which will hold the server data:

mkdir /var/lib/ipa-data

On SELinux-enabled systems,

setsebool -P container_manage_cgroup 1

might be needed to enable running systemd in the containers.

You then run the container with

docker run --name freeipa-server-container -ti \
   -h ipa.example.test \
   -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
   --tmpfs /run --tmpfs /tmp \
   -v /var/lib/ipa-data:/data:Z freeipa-server [ opts ]

The list of options [opts] can start with exit-on-finished to stop the container after successfully configuring the server in the container (useful for testing), or no-exit to keep the container running even if the initial configuration fails (useful for debugging).

Standard ipa-server-install will be started and you can configure the server. The docker run invocation also accepts command line parameters that will be passed to ipa-server-install, so unattended invocation is possible, for example with

docker run --rm -e PASSWORD=Secret123 -h ipa.example.test \
    freeipa-server exit-on-finished -U -r EXAMPLE.TEST --no-ntp

Optionally, you can put into the directory mounted into /data (/var/lib/ipa-data in this example) a file

ipa-server-install-options

with command line parameters to ipa-server-install command, for example

--realm=EXAMPLE.TEST
--ds-password=The-directory-server-password
--admin-password=The-admin-password

and these options will also be used as parameters to ipa-server-install.

If you want to instruct the container to create a replica, specify the command in the docker run parameters:

docker run --name freeipa-server-container -ti \
   -h ipa.example.test \
   -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
   --tmpfs /run --tmpfs /tmp \
   -v /var/lib/ipa-data:/data:Z \
   freeipa-server ipa-replica-install [ opts ]

The options will be passed to ipa-replica-install in the container. You can also put options into the file

ipa-replica-install-options

in the directory mounted to /data, for example with

--password=The-directory-server-password
--admin-password=The-admin-password

If your setup is of Domain Level < 1, a GPG-encrypted replica information file is also needed in the directory mounted to /data.
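The ipa-server-install-options and ipa-replica-install-options files described above carry the Directory Server and admin passwords, so they should not be readable by other users on the host. The helper below is an added example and not part of this repository; it writes either file into the host directory that will be bind-mounted to /data with mode 0600 (the container runs ipa-server-install as root, so it can still read the file). The function names, the x-prefixed mode helper and the sample realm and passwords are assumptions of this example; the file names and option syntax are the ones the README uses.

```shell
# write_ipa_options DATA_DIR server|replica REALM DS_PASSWORD ADMIN_PASSWORD
# Writes the options file the container picks up from /data and prints its path.
# (Added example; helper name and argument order are not from the project.)
write_ipa_options() {
    data_dir=$1; role=$2; realm=$3; ds_pw=$4; admin_pw=$5
    case $role in
        server)  file="$data_dir/ipa-server-install-options" ;;
        replica) file="$data_dir/ipa-replica-install-options" ;;
        *) echo "role must be server or replica, got '$role'" >&2; return 1 ;;
    esac
    mkdir -p "$data_dir"
    # Remove any previous copy so a pre-existing world-readable file does not
    # keep its old mode when truncated; then create it under umask 077 so it is
    # 0600 from the first byte, with no window where it is readable by others.
    rm -f "$file"
    (
        umask 077
        if [ "$role" = server ]; then
            printf -- '--realm=%s\n--ds-password=%s\n--admin-password=%s\n' \
                "$realm" "$ds_pw" "$admin_pw" > "$file"
        else
            # ipa-replica-install takes the Directory Server password as --password
            printf -- '--password=%s\n--admin-password=%s\n' \
                "$ds_pw" "$admin_pw" > "$file"
        fi
    )
    echo "$file"
}

# options_file_mode FILE
# Prints the octal permission bits of FILE; works with GNU stat (-c) and BSD stat (-f).
options_file_mode() {
    if stat -c %a "$1" 2>/dev/null; then return 0; fi
    stat -f %Lp "$1"
}
```

A typical call on the host is `write_ipa_options /var/lib/ipa-data server EXAMPLE.TEST "$DS_PASSWORD" "$ADMIN_PASSWORD"` before the first docker run; passing the passwords through variables rather than literals keeps them out of shell history.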

If the above commands fail with an error about an invalid value for flag -v and a bad format for volumes, run

chcon -t svirt_sandbox_file_t /var/lib/ipa-data

or use semanage fcontext and restorecon, and use the -v option without the :Z part.

The option --name assigns the container a name that can be used later with docker start, docker stop and other commands. Command ipa-server-install is invoked non-interactively the first time the container is run.

The -ti parameters are optional and are used to get a terminal, for interactive configuration sessions.

The container can then be stopped and started:

docker stop freeipa-server-container
docker start -ai freeipa-server-container

If you want to use the FreeIPA server not just from the host where it is running but from external machines as well, you might want to use the -p options to make the services accessible externally. You will then likely want to also specify the IPA_SERVER_IP environment variable via the -e option to define which IP address the server should publish in DNS as its own address. Starting the server would then be

docker run -e IPA_SERVER_IP=10.12.0.98 -p 53:53/udp -p 53:53 \
    -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
    -p 88:88/udp -p 464:464/udp -p 123:123/udp -p 7389:7389 \
    -p 9443:9443 -p 9444:9444 -p 9445:9445 ...

If you have an existing container with a data volume, it should be safe to shut it down and run a new one based on a newer image, with the same data directory bind-mounted to /data. The container will detect that it is running with data produced by a different image and attempt to upgrade the configuration and data. Of course, keeping a backup of the data directory for the case when the upgrade process fails is recommended.
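The data directory holds the Directory Server database, Kerberos keys and certificates, so the backup the paragraph above recommends should be taken with the old container stopped and stored with owner-only permissions. The script below is an added example, not part of this repository: backup_ipa_data archives the bind-mounted directory and refuses to report success unless the archive lists back cleanly, and upgrade_ipa_container wires that into the stop / back up / run-from-new-image sequence using the docker run line from the README. The function names, the backup location and the timestamped archive name are assumptions of this example; only the tar-based helpers are exercised by its test, since docker is not assumed to be available there.

```shell
# backup_ipa_data DATA_DIR BACKUP_DIR
# Creates BACKUP_DIR/ipa-data-<UTC timestamp>.tar.gz from DATA_DIR, readable
# only by its owner, verifies that the archive can be listed, and prints its path.
# (Added example; naming and location are assumptions, not the project's.)
backup_ipa_data() {
    data_dir=$1; backup_dir=$2
    [ -d "$data_dir" ] || { echo "no such data directory: $data_dir" >&2; return 1; }
    mkdir -p "$backup_dir"
    archive="$backup_dir/ipa-data-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # umask 077 in a subshell so the archive (which contains key material)
    # is created 0600 rather than inheriting the caller's umask.
    (
        umask 077
        # -C so the archive stores paths relative to the data directory.
        tar -czf "$archive" -C "$data_dir" .
    )
    # A backup that cannot be read back is worse than none: fail now, not at
    # restore time after a broken upgrade.
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        rm -f "$archive"
        echo "archive verification failed: $archive" >&2
        return 1
    fi
    echo "$archive"
}

# archive_file_count ARCHIVE
# Prints the number of regular files recorded in ARCHIVE (GNU tar -tv output
# starts each regular-file line with '-'); a quick sanity check against the
# live directory before discarding the old container.
archive_file_count() {
    tar -tzvf "$1" | grep -c '^-'
}

# upgrade_ipa_container NAME HOSTNAME DATA_DIR BACKUP_DIR IMAGE
# Stop the running container, back up its data, then start a container with
# the same name from IMAGE with the same directory on /data, which triggers
# the in-container upgrade described in the README. Not run by the test.
upgrade_ipa_container() {
    name=$1; hostname=$2; data_dir=$3; backup_dir=$4; image=$5
    docker stop "$name" || return 1
    archive=$(backup_ipa_data "$data_dir" "$backup_dir") || return 1
    echo "backup written to $archive ($(archive_file_count "$archive") files)" >&2
    docker rm "$name" || return 1
    docker run --name "$name" -ti -h "$hostname" \
        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
        --tmpfs /run --tmpfs /tmp \
        -v "$data_dir":/data:Z "$image"
}
```

Keep the archive off the upgraded host, or at least outside the bind-mounted directory, so a failed upgrade that damages /data cannot also take the backup with it; restoring is `tar -xzf ARCHIVE -C /var/lib/ipa-data` into an emptied directory before starting the old image again.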

Configuring and running with atomic

On platforms with atomic command available, the container can be configured with

atomic install [ --name $THE_NAME ] freeipa-server \
    [ keywords for docker operation ] \
    [ ipa-server-install | ipa-replica-install ] \
    [ opts ]

The keywords for docker operations are:

hostname $IPA_SERVER_HOSTNAME - docker run -h $IPA_SERVER_HOSTNAME
net-host - docker run --net=host, also uses host's hostname
publish - docker run -p 443:443 ... ; publish all ports of the IPA
          container on host's interfaces
cap-add $CAPABILITY - docker run --cap-add=$CAPABILITY

The container will use /var/lib/$THE_NAME to store the configuration and data. It then gets started with

atomic run [ --name $THE_NAME ] freeipa-server

Version 1.12 of atomic is needed.

IPA-enrolled client in Docker

There are multiple *-client branches named after the OS they are based on. Check out the branch you prefer and, in the root of the repository, run:

docker build -t freeipa-client .

To run the client container, either run it with DNS and a hostname correctly set up in the IPA domain, or link it to the freeipa-server container directly:

docker run --privileged --link freeipa-server-container:ipa \
    -e PASSWORD=Secret123 -ti freeipa-client

The first time this container runs, it invokes ipa-client-install with the given admin password.

Debugging

The container scripts provide some options for debugging:

  • Enable shell script tracing in both the top-level init-data script and the ipa-server-configure-first script by setting the $DEBUG_TRACE environment variable.

  • Disable container exit after script failure by setting the $DEBUG_NO_EXIT environment variable. After failure, the container will continue running, and can be entered for debugging with e.g. docker exec -it freeipa-server-container bash.

Example usage:

docker run [...] -e DEBUG_TRACE=1 -e DEBUG_NO_EXIT=1 freeipa-server

License

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.