On Fri, Mar 17, 2023 at 04:32:44PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On Fri, 17 Mar 2023, Rob Crittenden via FreeIPA-users wrote:
> > Ronald Wimmer via FreeIPA-users wrote:
> > > On 14.05.21 11:26, Ronald Wimmer via FreeIPA-users wrote:
> > > > Hi,
> > > >
> > > > are there any plans (or maybe ongoing work already) to let FreeIPA run
> > > > in a K8s environment?
> > >
> > > What about tearing all the tightly coupled parts (389DS, DNS, PKI,
> > > HTTPD, KDC, Samba, ...) apart, let them run in K8s and do the coupling
> > > there?
> > >
> > > Could that work if somebody took the effort (with support from the IPA
> > > devs I would be willing to) or are there real showstoppers preventing
> > > such an adventure?
> >
> > It could require a re-architecture of IPA. Some services rely on ldapi
> > bind to connect to 389. You'd need to switch from that socket to a TCP
> > socket and pass the requisite bind credentials (DM). Services rely on
> > files in various places which, if done systematically, might not be too
> > bad, but might require creative bind mounting and/or duplicating files.
> > Installing it might require a pretty massive rewrite as it assumes a
> > monolith. Upgrades would be another challenge.
> >
> > I don't know enough about K8S to know how naming would work to tie a
> > bunch of different nodes into a single "service" with a common name.
> >
> > I don't know how well scaling would work either, if that's a goal.
>
> It will not work well.
>
> Performance differences between TCP/IP and UNIX domain sockets are huge.

A small clarification: in k8s and OpenShift you can use Unix sockets to communicate between different containers in the same *Pod*. So you can avoid the TCP/IP latency in that way.
> There is roughly 60% of latency difference. There is 9x throughput
> difference on a bare metal system. See https://github.com/rigtorp/ipc-bench
> for the test code.
>
> On virtual machines in a datacenter using KVM I am reliably getting
> roughly 2x slowdown in both throughput and latency.
>
> That is a starting point. I would not even go into technical details
> requiring a tight collaboration between multiple DC components we have
> right now.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
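One way to realise the clarification above (a UNIX domain socket shared between two containers of the same Pod, so the client side does not cross TCP/IP), as an added example that is not part of this thread or of the FreeIPA project; image names, mount paths and the socket file name are assumptions:

```yaml
# Added example (not from the thread): two containers in one Pod share a
# UNIX domain socket through an emptyDir volume. The directory server is
# assumed to be configured (outside this manifest) to listen on that socket.
# Image names, paths and the socket name are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: dirsrv-with-local-client   # hypothetical name
spec:
  securityContext:
    runAsUser: 389                 # assumed uid; both containers must agree on it
  volumes:
    - name: ldapi-socket
      emptyDir: {}                 # Pod-local scratch dir, visible only inside this Pod
  containers:
    - name: dirsrv
      image: example.org/dirsrv:placeholder       # placeholder image
      volumeMounts:
        - name: ldapi-socket
          mountPath: /run/ldapi                   # server creates slapd.socket here
    - name: client
      image: example.org/ipa-client:placeholder   # placeholder image
      env:
        # ldapi:// URL with the socket path percent-encoded, as LDAP libraries expect
        - name: LDAP_URI
          value: "ldapi://%2Frun%2Fldapi%2Fslapd.socket"
      volumeMounts:
        - name: ldapi-socket
          mountPath: /run/ldapi                   # same directory, so the socket file is shared
```

The socket is only reachable from containers in this Pod; anything in another Pod still has to use TCP/IP, so the split Rob describes would still need explicit bind credentials there. ldapi autobind (mapping the connecting process's uid to a directory identity) only works if both containers see the same numeric uid, which is why the Pod-level runAsUser is set.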