[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-25 Thread Jan Pazdziora via FreeIPA-users
On Fri, Sep 22, 2023 at 12:03:19PM -, Jay Smith via FreeIPA-users wrote:
> Thank you very much for your hint Ulf. That's working for me.
> 
> docker run -it \
> -h ${MK_FREEIPA_SERVER_DOMAIN_NAME} \
> --name ipa \
> --sysctl net.ipv6.conf.all.disable_ipv6=0 \
> -v /tmp/freeipa-data/data:/data \
> -e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \
> -e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \
> -e "DEBUG_TRACE=1" \
> -e "DEBUG_NO_EXIT=1" \
> --privileged=true \

Where did you find the guidance to use --privileged=true?

It is actively harmful to the general security posture of the system
and should be avoided. It hasn't been needed for FreeIPA server
containers for ages.

> --ip "${MK_FREEIPA_SERVER_IP}" \
> --add-host "${MK_FREEIPA_SERVER_DOMAIN_NAME}:${MK_FREEIPA_SERVER_IP}" \
> -p "443:443" \
> freeipa/freeipa-server:fedora-38-4.10.2 \
> --skip-mem-check \
> --domain=${MK_INTERNAL_SUB_DOMAIN} \
> --realm=${MK_FREEIPA_SERVER_REALM} \
> --ds-password=${MK_FREEIPA_SERVER_DS_PASSWORD} \
> --ip-address=${MK_FREEIPA_SERVER_IP} \
> --admin-password=${MK_FREEIPA_SERVER_ADMIN_PASSWORD} \
> --no-host-dns \
> --unattended \
> --setup-dns \
> --allow-zone-overlap \
> --auto-reverse \
> --reverse-zone=${MK_FREEIPA_SERVER_DNS_REVERSE_ZONE} \
> --auto-forwarders \
> --no-ntp

-- 
Jan Pazdziora | OpenShift AI | Red Hat 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-22 Thread Jay Smith via FreeIPA-users
Thank you very much for your hint Ulf. That's working for me.

docker run -it \
-h ${MK_FREEIPA_SERVER_DOMAIN_NAME} \
--name ipa \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
-v /tmp/freeipa-data/data:/data \
-e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \
-e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \
-e "DEBUG_TRACE=1" \
-e "DEBUG_NO_EXIT=1" \
--privileged=true \
--ip "${MK_FREEIPA_SERVER_IP}" \
--add-host "${MK_FREEIPA_SERVER_DOMAIN_NAME}:${MK_FREEIPA_SERVER_IP}" \
-p "443:443" \
freeipa/freeipa-server:fedora-38-4.10.2 \
--skip-mem-check \
--domain=${MK_INTERNAL_SUB_DOMAIN} \
--realm=${MK_FREEIPA_SERVER_REALM} \
--ds-password=${MK_FREEIPA_SERVER_DS_PASSWORD} \
--ip-address=${MK_FREEIPA_SERVER_IP} \
--admin-password=${MK_FREEIPA_SERVER_ADMIN_PASSWORD} \
--no-host-dns \
--unattended \
--setup-dns \
--allow-zone-overlap \
--auto-reverse \
--reverse-zone=${MK_FREEIPA_SERVER_DNS_REVERSE_ZONE} \
--auto-forwarders \
--no-ntp


[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-21 Thread Rafael Jeffman via FreeIPA-users
Hi Jay,

For running FreeIPA in a container you may want to check
https://github.com/freeipa/freeipa-container

The setup for it to work is somewhat sensible and following their
recommendations will prevent a lot of headaches.

Rafael

P.S.: Sorry for the top post.

On Wed, Sep 20, 2023 at 10:10 AM Ulf Volmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On 20.09.23 09:05, Jay Smith via FreeIPA-users wrote:
> > For a test setup I am trying to get a FreeIPA server running within a
> > Docker container (DinD).
> > But I get some errors and I don't know why.
> >
> > 1. Create docker in docker container
> > => docker run --privileged -itd --name docker_swarm -v
> > /sys/fs/cgroup:/sys/fs/cgroup docker
> >
> > 2. Connect to docker container and run the FreeIPA server
> > => docker exec -it docker_swarm \
> >   sh -c "docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 \
> >   --privileged=true --name ipa -ti -h ipa.example.test --cgroupns=host \
> >   -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v /tmp/freeipa-data:/data \
> >   freeipa/freeipa-server:fedora-38-4.10.2 --skip-mem-check --no-ntp"
> >
> > The error I get is:
> > docker: Error response from daemon: failed to create task for container:
> > failed to create shim task: OCI runtime create failed: runc create failed:
> > unable to start container process: unable to apply cgroup configuration:
> > failed to write 670: write
> > /sys/fs/cgroup/docker/3c2cc48a075d3f62143d70718aefe4c55938e4332262894e67f31328eaa5a006/cgroup.procs:
> > no such file or directory: unknown.
> > ERRO[0038] error waiting for container:
>
>  From my knowledge:
>
> * We have cgroups v2 nowadays, please remove the volume /sys/fs/cgroup
> (from both commands)
> * you need cgroup nesting, please read the link below:
>
> https://github.com/containerd/containerd/issues/6659
>
> Best regards
> Ulf
>


-- 
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat


[Freeipa-users] Re: Get running FreeIPA in Docker in Docker

2023-09-20 Thread Ulf Volmer via FreeIPA-users

On 20.09.23 09:05, Jay Smith via FreeIPA-users wrote:

For a test setup I am trying to get a FreeIPA server running within a
Docker container (DinD).
But I get some errors and I don't know why.

1. Create docker in docker container
=> docker run --privileged -itd --name docker_swarm -v 
/sys/fs/cgroup:/sys/fs/cgroup docker

2. Connect to docker container and run the FreeIPA server
=> docker exec -it docker_swarm \
  sh -c "docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 
--privileged=true --name ipa  -ti  -h ipa.example.test --cgroupns=host   \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v /tmp/freeipa-data:/data 
freeipa/freeipa-server:fedora-38-4.10.2 --skip-mem-check --no-ntp"

The error I get is:
docker: Error response from daemon: failed to create task for container: failed 
to create shim task: OCI runtime create failed: runc create failed: unable to 
start container process: unable to apply cgroup configuration: failed to write 
670: write 
/sys/fs/cgroup/docker/3c2cc48a075d3f62143d70718aefe4c55938e4332262894e67f31328eaa5a006/cgroup.procs:
 no such file or directory: unknown.
ERRO[0038] error waiting for container:


From my knowledge:

* We have cgroups v2 nowadays, please remove the volume /sys/fs/cgroup 
(from both commands)

* you need cgroup nesting, please read the link below:

https://github.com/containerd/containerd/issues/6659

Best regards
Ulf
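The two points raised in this thread (Jan's note that --privileged is not needed by the freeipa-server image and weakens the host's security posture, and Ulf's advice to drop the /sys/fs/cgroup bind mount under cgroups v2) can be turned into a pre-flight check for a `docker run` command line. The script below is an added example, not code from the thread or from the freeipa-container project; the function names `audit_docker_run` and `count_findings` and the sample command are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): lint a `docker run` command line for
# options that weaken isolation between the container and the host and that
# the freeipa-server image does not require. One FINDING line per problem is
# written to stdout; the exit status is the number of findings (0 = clean).
audit_docker_run() {
    # Fold backslash continuations and newlines into spaces so that every
    # option is surrounded by spaces and can be matched with a plain glob.
    cmd=" $(printf '%s' "$1" | tr '\\\n' '  ') "
    findings=0
    case "$cmd" in
        *' --privileged '*|*' --privileged=true '*)
            echo "FINDING: --privileged turns off most of the container sandbox; remove it"
            findings=$((findings + 1)) ;;
    esac
    case "$cmd" in
        *'/sys/fs/cgroup:/sys/fs/cgroup'*)
            echo "FINDING: host cgroup tree is bind-mounted; not needed with cgroups v2"
            findings=$((findings + 1)) ;;
    esac
    case "$cmd" in
        *' --cgroupns=host '*)
            echo "FINDING: --cgroupns=host shares the host cgroup namespace with the container"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Wrapper that prints only the number of findings and always exits 0,
# so it can be used in scripts that run under `set -e`.
count_findings() {
    audit_docker_run "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the command posted in the thread, with the
# site-specific values replaced by placeholders.
SAMPLE='docker run -it \
  -h ipa.example.test \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  --privileged=true \
  -v /tmp/freeipa-data/data:/data \
  freeipa/freeipa-server:fedora-38-4.10.2 --skip-mem-check --no-ntp'

audit_docker_run "$SAMPLE" || echo "$? option(s) to fix before running this"
```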
