[Freeipa-users] Re: Get running FreeIPA in Docker in Docker
On Fri, Sep 22, 2023 at 12:03:19PM -, Jay Smith via FreeIPA-users wrote: > Thank you very much for your hint Ulf. That's working for me. > > docker run -it \ > -h ${MK_FREEIPA_SERVER_DOMAIN_NAME} \ > --name ipa \ > --sysctl net.ipv6.conf.all.disable_ipv6=0 \ > -v /tmp/freeipa-data/data:/data \ > -e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \ > -e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \ > -e "DEBUG_TRACE=1" \ > -e "DEBUG_NO_EXIT=1" \ > --privileged=true \ Where did you find the guidance to use --privileged=true? Is it actively harmful to the general security posture of the system and should be avoided. It hasn't been needed for FreeIPA server containers for ages. > --ip "${MK_FREEIPA_SERVER_IP}" \ > --add-host "${MK_FREEIPA_SERVER_DOMAIN_NAME}:${MK_FREEIPA_SERVER_IP}" \ > -p "443:443" \ > freeipa/freeipa-server:fedora-38-4.10.2 \ > --skip-mem-check \ > --domain=${MK_INTERNAL_SUB_DOMAIN} \ > --realm=${MK_FREEIPA_SERVER_REALM} \ > --ds-password=${MK_FREEIPA_SERVER_DS_PASSWORD} \ > --ip-address=${MK_FREEIPA_SERVER_IP} \ > --admin-password=${MK_FREEIPA_SERVER_ADMIN_PASSWORD} \ > --no-host-dns \ > --unattended \ > --setup-dns \ > --allow-zone-overlap \ > --auto-reverse \ > --reverse-zone=${MK_FREEIPA_SERVER_DNS_REVERSE_ZONE} \ > --auto-forwarders \ > --no-ntp -- Jan Pazdziora | OpenShift AI | Red Hat ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: Get running FreeIPA in Docker in Docker
Thank you very much for your hint Ulf. That's working for me. docker run -it \ -h ${MK_FREEIPA_SERVER_DOMAIN_NAME} \ --name ipa \ --sysctl net.ipv6.conf.all.disable_ipv6=0 \ -v /tmp/freeipa-data/data:/data \ -e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \ -e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \ -e "DEBUG_TRACE=1" \ -e "DEBUG_NO_EXIT=1" \ --privileged=true \ --ip "${MK_FREEIPA_SERVER_IP}" \ --add-host "${MK_FREEIPA_SERVER_DOMAIN_NAME}:${MK_FREEIPA_SERVER_IP}" \ -p "443:443" \ freeipa/freeipa-server:fedora-38-4.10.2 \ --skip-mem-check \ --domain=${MK_INTERNAL_SUB_DOMAIN} \ --realm=${MK_FREEIPA_SERVER_REALM} \ --ds-password=${MK_FREEIPA_SERVER_DS_PASSWORD} \ --ip-address=${MK_FREEIPA_SERVER_IP} \ --admin-password=${MK_FREEIPA_SERVER_ADMIN_PASSWORD} \ --no-host-dns \ --unattended \ --setup-dns \ --allow-zone-overlap \ --auto-reverse \ --reverse-zone=${MK_FREEIPA_SERVER_DNS_REVERSE_ZONE} \ --auto-forwarders \ --no-ntp ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: Get running FreeIPA in Docker in Docker
Hi Jay, For running FreeIPA in a container you may want to check https://github.com/freeipa/freeipa-container The setup for it to work is somewhat sensible and following their recommendations will prevent a lot of headaches. Rafael P.S.: Sorry for the top post. On Wed, Sep 20, 2023 at 10:10 AM Ulf Volmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > On 20.09.23 09:05, Jay Smith via FreeIPA-users wrote: > > For a test setup I try to get running a FreeIPA server within a docker > container(DinD). > > But I get some errors and I don't know why. > > > > 1. Create docker in docker container > > => docker run --privileged -itd --name docker_swarm -v > /sys/fs/cgroup:/sys/fs/cgroup docker > > > > 2. Connect to docker container and run the FreeIPA server > > => docker exec -it docker_swarm \ > > sh -c "docker run --sysctl > net.ipv6.conf.all.disable_ipv6=0 --privileged=true --name ipa -ti -h > ipa.example.test --cgroupns=host \ > > -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v > /tmp/freeipa-data:/data freeipa/freeipa-server:fedora-38-4.10.2 > --skip-mem-check --no-ntp" > > > > The error I get is: > > docker: Error response from daemon: failed to create task for container: > failed to create shim task: OCI runtime create failed: runc create failed: > unable to start container process: unable to apply cgroup configuration: > failed to write 670: write > /sys/fs/cgroup/docker/3c2cc48a075d3f62143d70718aefe4c55938e4332262894e67f31328eaa5a006/cgroup.procs: > no such file or directory: unknown. > > ERRO[0038] error waiting for container: > > From my knowledge: > > * We have cgroups v2 nowadays, please remove the volume /sys/fs/cgroup > (from both commands) > * you need cgroup nesting, please read the link below: > > https://github.com/containerd/containerd/issues/6659 > > Best regards > Ulf > > ___ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- Rafael Guterres Jeffman Senior Software Engineer FreeIPA - Red Hat ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: Get running FreeIPA in Docker in Docker
On 20.09.23 09:05, Jay Smith via FreeIPA-users wrote: For a test setup I try to get running a FreeIPA server within a docker container(DinD). But I get some errors and I don't know why. 1. Create docker in docker container => docker run --privileged -itd --name docker_swarm -v /sys/fs/cgroup:/sys/fs/cgroup docker 2. Connect to docker container and run the FreeIPA server => docker exec -it docker_swarm \ sh -c "docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 --privileged=true --name ipa -ti -h ipa.example.test --cgroupns=host \ -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v /tmp/freeipa-data:/data freeipa/freeipa-server:fedora-38-4.10.2 --skip-mem-check --no-ntp" The error I get is: docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: failed to write 670: write /sys/fs/cgroup/docker/3c2cc48a075d3f62143d70718aefe4c55938e4332262894e67f31328eaa5a006/cgroup.procs: no such file or directory: unknown. ERRO[0038] error waiting for container: From my knowledge: * We have cgroups v2 nowadays, please remove the volume /sys/fs/cgroup (from both commands) * you need cgroup nesting, please read the link below: https://github.com/containerd/containerd/issues/6659 Best regards Ulf ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue