Closed vbatts closed 4 years ago
I've filed https://github.com/freeipa/freeipa-container/pull/188 to address the build issue.
With buildah from its current master, we are hitting
STEP 36: RUN echo 1.1 > /etc/volume-version
STEP 37: ENV container docker
STEP 38: EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp 7389 9443 9444 9445
STEP 39: VOLUME [ "/tmp", "/run", "/data" ]
STEP 40: STOPSIGNAL RTMIN+3
STEP 41: ENTRYPOINT [ "/usr/local/sbin/init" ]
STEP 42: RUN uuidgen > /data-template/build-id
Invocation error: command [/bin/sh] not supported.
error building at step {Env:[container=docker DISTTAG=f26container FGC=f26 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=docker] Command:run Args:[uuidgen > /data-template/build-id] Flags:[] Attrs:map[] Message:RUN uuidgen > /data-template/build-id Original:RUN uuidgen > /data-template/build-id}: exit status 8
I believe it is symptom of https://github.com/projectatomic/buildah/issues/600.
@vbatts, I haven't been following buildah development and status recently. Would you be able to take the recent buildah on some reasonable OS and this repo and check if buildah bud works?
just build buildah master (https://github.com/projectatomic/buildah/commit/1119820edd56acfbc052cb4fc6efcb760c5f4615) and then
[vbatts@getdown] (master) ~/src/github.com/freeipa/freeipa-container$ sudo buildah bud -t freeipa .
STEP 1: FROM registry.fedoraproject.org/fedora:27
Getting image source signatures
Copying blob sha256:ff3dab903f926d26db009e0dcd575b8ccea7635b6b225835c35df765662707ec
80.73 MiB / 80.73 MiB [====================================================] 3s
Copying config sha256:cdbb563c65db81d6cd25192deafb0ad9c3dbf628b406900ee6f94d377b6254dc
1.27 KiB / 1.27 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
STEP 2: MAINTAINER FreeIPA Developers <freeipa-devel@lists.fedorahosted.org>
STEP 3: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
STEP 4: RUN groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -d / -s '/sbin/nologin' ipaapi
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
STEP 5: RUN mkdir -p /run/lock && dnf upgrade -y && dnf install -y freeipa-server freeipa-server-dns freeipa-server-trust-ad initscripts && dnf clean all
[...]
STEP 31: RUN rm -rf /var/log-removed
STEP 32: RUN sed -i 's!^d /var/log.*!L /var/log - - - - /data/var/log!' /usr/lib/tmpfiles.d/var.conf
STEP 33: RUN mv /usr/lib/tmpfiles.d/journal-nocow.conf /usr/lib/tmpfiles.d/journal-nocow.conf.disabled
STEP 34: RUN rm -f /data-template/var/lib/systemd/random-seed
STEP 35: RUN echo 1.1 > /etc/volume-version
STEP 36: ENV container docker
STEP 37: EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp 7389 9443 9444 9445
STEP 38: VOLUME [ "/tmp", "/run", "/data" ]
STEP 39: STOPSIGNAL RTMIN+3
STEP 40: ENTRYPOINT [ "/usr/local/sbin/init" ]
STEP 41: RUN uuidgen > /data-template/build-id
STEP 42: LABEL install 'docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh'
STEP 43: LABEL run 'docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}'
STEP 44: LABEL RUN_OPTS_FILE '/var/lib/${NAME}/docker-run-opts'
STEP 45: LABEL stop 'docker stop ${NAME}'
STEP 46: LABEL uninstall 'docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh'
STEP 47: COMMIT containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.override_kernel_check=true]localhost/freeipa:latest
Getting image source signatures
Skipping fetch of repeat blob sha256:2487790d8cedb05861822554890ce1cf2f3bfb39ee3a1f394f7b065358d60298
Copying blob sha256:aea0cbb7553bde1e0a32cb2faef05ad958e7e331651fd1930a78858a2c29f165
222.80 MiB / 222.80 MiB [==================================================] 8s
Copying config sha256:c4d526cf469bd9dcd162a13cfe7cecf492581d5371715e9b713006649ecebe1d
1.61 KiB / 1.61 KiB [======================================================] 0s
Writing manifest to image destination
Storing signatures
c4d526cf469bd9dcd162a13cfe7cecf492581d5371715e9b713006649ecebe1d
[vbatts@getdown] (master) ~/src/github.com/freeipa/freeipa-container$ echo $?
0
So there's that!
Thanks.
What is the plan for bringing buildah to Ubuntu?
Lately, I rely on Travis CI for the project, so it'd be nice if we could have CI test for the buildah approach if we are to mention it in the documentation and support it.
I thought they were packaging it there, but I have to check with @lsm5
My poor-man's way of trying that (not having Ubuntu VM around) is
docker run --rm -ti ubuntu bash -c 'apt-get update && apt-get -y install buildah'
which ends with
E: Unable to locate package buildah
Try the ppa at https://launchpad.net/~projectatomic/+archive/ubuntu/ppa
Right now it's for 16.04 LTS only and I'll be submitting 18.04 there soon.
Also, the version in there is a little old, cause my Travis autobuilds have been broken for a while now and I've been spread too thin. But I'll resume this soon as I can.
HTH.
-- Lokesh IRC: lsm5 GPG: 0xC7C3A0DD https://keybase.io/lsm5
@lsm5, thanks. Looking at https://docs.travis-ci.com/user/reference/overview/, Travis CI currently only offers Ubuntu Precise 12.04 or Ubuntu Trusty 14.04. Any chance of making a build for 14.04?
When I started packaging it up for Ubuntu, I decided against 14.04, though I can't remember why right now, probably because of some dependency issue.
@cevich mentioned Cirrus CI as a more flexible alternative. Wanna give that a shot instead? If not, I'll see if things have changed on 14.04.
HTH.
-- Lokesh IRC: lsm5 GPG: 0xC7C3A0DD https://keybase.io/lsm5
hey yes. buildah ought to be generally available for use and testing of the Dockerfiles
I have started to test FreeIPA container with podman. I wonder if we should promote buildah when podman gives the user the whole lifecycle, similar to docker. One of the issues with buildah is that at least buildah-1.4-3 in Fedora 28 does not seem to support caching, making rebuilds extremely slow.
Buildah defaults to no cache, as the typical production infra does this as the standard use-case. To enable caching add the --layers flag.
@rhatdan @nalind @TomSweeneyRedHat ^
Podman is just vendoring in Buildah, so promoting podman build is fine. In podman build we default to --cache=true, since this matches the Docker behaviour. In buildah bud we default to --cache=false. Although you can set the environment variable BUILDAH_CACHE to change the default.
I just tried building with podman build on RHEL 8 beta:
# yum -y install buildah
...
# podman build --rm -t freeipa-server --file Dockerfile.fedora-29
...
# podman image ls localhost/freeipa-server
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/freeipa-server latest fd451133b28a 3 minutes ago 866 MB
There are a few errors during the build, all around terminal output, like the following
STEP 34: RUN rm -v /var/lib/systemd/random-seed
ERRO[0000] read container terminal output: input/output error: input/output error
removed '/var/lib/systemd/random-seed'
--> 9278aa53b8bf69b7449e2e9960ccd7c35a1d57e4d07de363ca47e449032eecd5
A resulting image runs well with volume overrides for /data and /var/log/journal:
# mkdir -p /var/lib/ipa-data-server /var/log/ipa-journal-server
# podman container run --name f-6-server -h ipa.example.test -v /var/lib/ipa-data-server:/data:Z -v /var/log/ipa-journal-server:/var/log/journal:Z -e PASSWORD=Test1234 localhost/freeipa-server -U -r EXAMPLE.TEST --setup-dns --no-forwarders --no-ntp
@abbra Does it work better with podman build --rm -ti freeipa-server --file Dockerfile.fedora-29
podman does not require buildah to be installed, it is built into podman.
@rhatdan no it doesn't. There is no -ti option to podman build:
# podman build --rm -ti freeipa-server --file Dockerfile.fedora-29
flag provided but not defined: -ti
See 'podman build --help'.
If I remove -i, e.g. would use podman build --rm -t freeipa-server --file Dockerfile.fedora-29, it works (I removed buildah package first).
Oops, I have no idea what the problem with tty was then.
Any SELinux AVCs?
Yes, though the only ones I see are the following two for tee calls:
----
type=PROCTITLE msg=audit(02.12.2018 20:08:05.425:2032) : proctitle=/usr/bin/coreutils --coreutils-prog-shebang=tee /usr/bin/tee /dev/stderr
type=SYSCALL msg=audit(02.12.2018 20:08:05.425:2032) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7fffbdf38f4a a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5884 pid=5897 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=tee exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c293,c326 key=(null)
type=AVC msg=audit(02.12.2018 20:08:05.425:2032) : avc: denied { associate } for pid=5897 comm=tee name=2 scontext=system_u:object_r:container_t:s0:c293,c326 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(02.12.2018 20:08:05.425:2032) : avc: denied { add_name } for pid=5897 comm=tee name=2 scontext=system_u:system_r:container_t:s0:c293,c326 tcontext=system_u:system_r:container_t:s0:c293,c326 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(02.12.2018 20:08:07.216:2033) : proctitle=/usr/bin/coreutils --coreutils-prog-shebang=tee /usr/bin/tee /dev/stderr
type=SYSCALL msg=audit(02.12.2018 20:08:07.216:2033) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x7ffdb097af4a a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=6023 pid=6035 auid=cloud-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=tee exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c529,c843 key=(null)
type=AVC msg=audit(02.12.2018 20:08:07.216:2033) : avc: denied { associate } for pid=6035 comm=tee name=2 scontext=system_u:object_r:container_t:s0:c529,c843 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(02.12.2018 20:08:07.216:2033) : avc: denied { add_name } for pid=6035 comm=tee name=2 scontext=system_u:system_r:container_t:s0:c529,c843 tcontext=system_u:system_r:container_t:s0:c529,c843 tclass=dir permissive=1
----
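To triage records like the two above, here is an added Python example (not code from the freeipa-container project or from podman) that parses ausearch -i style output into per-event denials, links each AVC record to its SYSCALL record by audit serial, and reports whether any denial was actually enforced (permissive=0) rather than only logged. The sample records are constructed from the two tee events quoted above, with the SYSCALL lines trimmed to the fields the parser uses.

```python
"""Triage SELinux AVC records in ausearch -i (interpreted) form.
Added example, not code from the freeipa-container project; the sample is
constructed from the two tee events quoted above (SYSCALL records trimmed)."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(02.12.2018 20:08:05.425:2032) : arch=x86_64 syscall=openat success=yes exit=3 pid=5897 comm=tee exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c293,c326 key=(null)
type=AVC msg=audit(02.12.2018 20:08:05.425:2032) : avc: denied { associate } for pid=5897 comm=tee name=2 scontext=system_u:object_r:container_t:s0:c293,c326 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(02.12.2018 20:08:05.425:2032) : avc: denied { add_name } for pid=5897 comm=tee name=2 scontext=system_u:system_r:container_t:s0:c293,c326 tcontext=system_u:system_r:container_t:s0:c293,c326 tclass=dir permissive=1
type=SYSCALL msg=audit(02.12.2018 20:08:07.216:2033) : arch=x86_64 syscall=openat success=yes exit=3 pid=6035 comm=tee exe=/usr/bin/coreutils subj=system_u:system_r:container_t:s0:c529,c843 key=(null)
type=AVC msg=audit(02.12.2018 20:08:07.216:2033) : avc: denied { associate } for pid=6035 comm=tee name=2 scontext=system_u:object_r:container_t:s0:c529,c843 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(02.12.2018 20:08:07.216:2033) : avc: denied { add_name } for pid=6035 comm=tee name=2 scontext=system_u:system_r:container_t:s0:c529,c843 tcontext=system_u:system_r:container_t:s0:c529,c843 tclass=dir permissive=1
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]+)\) : (?P<body>.*)$")
AVC_RE = re.compile(r"avc: (?P<verdict>denied|granted) \{ (?P<perms>[^}]*) \} for (?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")  # interpreted output carries no quoted values here

@dataclass
class Denial:
    serial: int        # audit serial, shared by the AVC and SYSCALL records of one event
    timestamp: str
    perms: list        # permissions listed inside { ... }
    comm: str
    pid: int
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool   # True: denial only logged, the access was still allowed
    syscall: str = ""  # taken from the SYSCALL record with the same serial

def context_parts(ctx):
    """Split 'user:role:type:level' into its fields; level keeps the MCS categories."""
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}

def mcs_categories(ctx):
    """MCS category set of a context, e.g. {'c293', 'c326'}; empty for plain s0."""
    level = context_parts(ctx)["level"]
    return set(level.split(":", 1)[1].split(",")) if ":" in level else set()

def parse_audit(text):
    """Parse ausearch -i output into one Denial per AVC record."""
    syscalls, denials = {}, []  # serial -> syscall name; parsed AVC records
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        stamp, _, serial = m.group("stamp").rpartition(":")
        serial = int(serial)
        if m.group("type") == "SYSCALL":
            syscalls[serial] = dict(KV_RE.findall(m.group("body"))).get("syscall", "")
        elif m.group("type") == "AVC" and (a := AVC_RE.search(m.group("body"))):
            f = dict(KV_RE.findall(a.group("fields")))
            denials.append(Denial(serial, stamp, a.group("perms").split(), f["comm"],
                                  int(f["pid"]), f["scontext"], f["tcontext"],
                                  f["tclass"], f.get("permissive") == "1"))
    for d in denials:
        d.syscall = syscalls.get(d.serial, "")
    return denials

def enforcing_blockers(denials):
    """Denials with permissive=0: the only ones that actually failed an operation."""
    return [d for d in denials if not d.permissive]

def summarize(denials):
    """Count distinct events per (source type, target type, class, perms)."""
    groups = defaultdict(set)
    for d in denials:
        stype, ttype = (context_parts(c)["type"] for c in (d.scontext, d.tcontext))
        groups[(stype, ttype, d.tclass, " ".join(d.perms))].add(d.serial)
    return {k: len(v) for k, v in groups.items()}
```

Both quoted events carry permissive=1, so the parser reports no enforced denials: the accesses were logged but allowed, and the differing MCS category pairs (c293,c326 versus c529,c843) show they came from two separate container instances.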
For the record, I filed https://bugzilla.redhat.com/show_bug.cgi?id=1655211 for the podman run -t / podman exec issue.
I'm hitting https://bugzilla.redhat.com/show_bug.cgi?id=1661597 when running tests/run-partial-tests.sh and tests/run-master-and-replica.sh.
In branch podman, I start to play with testing podman-run Travis CI builds. I use https://launchpad.net/~projectatomic/+archive/ubuntu/ppa.
I've found out (https://travis-ci.org/adelton/freeipa-container/jobs/471131847) that podman does not pull runc, leading to
STEP 4: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
error running container: error creating container for [/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy]: : exec: "runc": executable file not found in $PATH
When I add runc to the list of packages to install, I get (https://travis-ci.org/adelton/freeipa-container/jobs/471134254):
STEP 4: RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
error running container: error creating container for [/bin/sh -c groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy]: json: cannot unmarshal object into Go value of type []string
: exit status 1
error building at step {Env:[DISTTAG=f29container FGC=f29 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin] Command:run Args:[groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy] Flags:[] Attrs:map[] Message:RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy Original:RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy}: error while running runtime: exit status 1
The command "if test -n "$RUN_DOCKER_BUILD" ; then tests/run-partial-tests.sh Dockerfile.$dockerfile ; fi" exited with 125.
When attempting to run a read-only container under podman with
readonly=--read-only docker='sudo podman' tests/run-master-and-replica.sh local/freeipa-server:fedora-rawhide
the ipa-server-install gets stuck at
Dec 23 16:22:51 ipa.example.test systemd[1]: Created slice system-dirsrv.slice.
Dec 23 16:22:51 ipa.example.test systemd[1]: Starting 389 Directory Server EXAMPLE-TEST....
Dec 23 16:22:51 ipa.example.test ns-slapd[388]: [23/Dec/2018:16:22:51.552968660 +0000] - INFO - main - 389-Directory/1.4.0.20 B2018.348.1923 starting up
Dec 23 16:22:51 ipa.example.test ns-slapd[388]: [23/Dec/2018:16:22:51.553059671 +0000] - EMERG - snmp_collator_create_semaphore - Failed to create semaphore for stats file (/dev/shm/sem.slapd-EXAMPLE-TEST.stats). Error 30.(Read-only file system)
Dec 23 16:22:51 ipa.example.test systemd[1]: dirsrv@EXAMPLE-TEST.service: Main process exited, code=exited, status=1/FAILURE
Dec 23 16:22:51 ipa.example.test systemd[1]: dirsrv@EXAMPLE-TEST.service: Failed with result 'exit-code'.
Dec 23 16:22:51 ipa.example.test systemd[1]: Failed to start 389 Directory Server EXAMPLE-TEST..
Podman likely shouldn't create /dev/shm read-only.
https://github.com/containers/libpod/pull/2051 should fix this.
I've filed this as https://github.com/containers/libpod/issues/2046.
Building with podman now passes. However, at least in Travis CI, we see ipa.service failing in latest Fedoras: https://travis-ci.org/adelton/freeipa-container/builds/493194737
Any idea what might be causing this?
@adelton at first, I suspected it might be https://pagure.io/freeipa/issue/7860 which I'm intending to fix next week. In short, 389-ds stopped using /etc/sysconfig to store its own systemd configuration snippets and we need to adopt as we did already for httpd in the past.
However, when running the same test on up to date F29 I've got no problem at all:
$ docker="sudo podman" tests/run-partial-tests.sh Dockerfile.fedora-rawhide
....
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.example.test
Realm: EXAMPLE.TEST
DNS Domain: example.test
IPA Server: ipa.example.test
BaseDN: dc=example,dc=test
Configured sudoers in /data/etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring example.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
This program will set up FreeIPA client.
Version 4.7.2
The ipa-server-install command was successful
==============================================================================
Setup complete
Next steps:
1. You must make sure these network ports are open:
TCP Ports:
* 80, 443: HTTP/HTTPS
* 389, 636: LDAP/LDAPS
* 88, 464: kerberos
* 53: bind
UDP Ports:
* 88, 464: kerberos
* 53: bind
2. You can now obtain a kerberos ticket using the command: 'kinit admin'
This ticket will allow you to use the IPA tools (e.g., ipa user-add)
and the web user interface.
3. Kerberos requires time synchronization between clients
and servers for correct operation. You should consider enabling chronyd.
Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Password for admin@EXAMPLE.TEST:
----------------
Added user "bob"
----------------
User login: bob
First name: Bob
Last name: Nowak
Full name: Bob Nowak
Display name: Bob Nowak
Initials: BN
Home directory: /home/bob
GECOS: Bob Nowak
Login shell: /bin/sh
Principal name: bob@EXAMPLE.TEST
Principal alias: bob@EXAMPLE.TEST
Email address: bob@example.test
UID: 959400001
GID: 959400001
Password: False
Member of groups: ipausers
Kerberos keys available: False
uid=959400001(bob) gid=959400001(bob) groups=959400001(bob)
-rw-------. 1 root root 3893740 Feb 23 08:56 /data/var/log/ipaserver-install.log
-rw-r-----+ 1 root systemd-journal 8388608 Feb 23 08:56 /data/var/log/journal/f97fe68f64d2d6adb945a4ef680ee2c2/system.journal
ls: cannot access '/var/log/journal/f97fe68f64d2d6adb945a4ef680ee2c2': No such file or directory
C /etc
C /etc/machine-id
A /lextab.py
A /yacctab.py
OK tests/systemd-container-ipa-server-install-data.sh.
OK tests/run-partial-tests.sh.
So I suspect this could be a podman version issue in the Ubuntu build used in Travis CI.
I assume https://pagure.io/freeipa/issue/7860 would only manifest itself on rawhide (in the container) while the Travis CI podman build fails on Fedora 28 and 29 (in the container) as well.
Yes, things work on my local Fedora 29 (host) as well. But I'm reluctant to document the podman approach in README and mark this issue as resolved before having Travis reasonably stable.
The podman we use in Travis CI is (IIUIC) the latest greatest, built directly from podman upstream. But I wonder if something about the podman/runc/whatever configuration there is different, for example the networking or DNS setup. The two failed services there are
ipa.service loaded failed failed Identity, Policy, Audit
named-pkcs11.service loaded failed failed Berkeley Internet Name Domain (DNS) with native PKCS#11
and I suspect that named is the real culprit:
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
Active: failed (Result: timeout) since Thu 2019-02-14 12:06:49 UTC; 3s ago
Process: 4287 ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 4285 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Feb 14 12:05:19 ipa.example.test named-pkcs11[4288]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Feb 14 12:05:19 ipa.example.test named-pkcs11[4288]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Feb 14 12:05:19 ipa.example.test named-pkcs11[4288]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Feb 14 12:05:19 ipa.example.test named-pkcs11[4288]: resolver priming query complete
Feb 14 12:05:19 ipa.example.test named-pkcs11[4288]: checkhints: unable to get root NS rrset from cache: not found
Feb 14 12:06:49 ipa.example.test systemd[1]: named-pkcs11.service: Start operation timed out. Terminating.
Feb 14 12:06:49 ipa.example.test systemd[1]: named-pkcs11.service: Killing process 4288 (named-pkcs11) with signal SIGKILL.
Feb 14 12:06:49 ipa.example.test systemd[1]: named-pkcs11.service: Killing process 4288 (named-pkcs11) with signal SIGKILL.
Feb 14 12:06:49 ipa.example.test systemd[1]: named-pkcs11.service: Failed with result 'timeout'.
Feb 14 12:06:49 ipa.example.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
exit status 3
I've now tested with https://travis-ci.org/adelton/freeipa-container/builds/498054916 that it also happens when /data persistence is not yet enabled in tests/run-partial-tests.sh, to narrow the search space.
We now see podman-based tests passing across the distros we test, in Travis CI: https://travis-ci.org/freeipa/freeipa-container/builds/593947839. So the podman behaviour now matches docker for the FreeIPA server container purposes.
The only remaining question is how to test it in CI going forward so that we can document it as recommended deployment. I've outlined the situation in https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org/thread/MHBDTUXEYPHXQT7T2RDHJRN2OMCDILRU/#MHBDTUXEYPHXQT7T2RDHJRN2OMCDILRU but the short summary is, running reasonably wide matrix of OSes and setups (external CA, read-only/read-write containers) takes quite a lot of time already now, adding podman-based tests would double the Travis CI job running times.
I'm reluctant to outright replace docker with podman in the tests completely just yet, docker likely has much bigger user base than podman. On the other hand, in Fedora 31+ where docker package was replaced by moby-engine, I see zero interaction about the bugzillas filed against moby-engine package from the maintainer(s) lately, so once I upgrade my workstation to Fedora 31, I will likely no longer test on docker locally.
I'd welcome your opinions.
My tests with podman have been reasonably stable for a while: https://travis-ci.org/freeipa/freeipa-container/branches.
However, today all podman tests in Travis CI https://travis-ci.org/adelton/freeipa-container/builds/614060629 failed with
Error: unable to start container "freeipa-master": container create failed (no logs from conmon): EOF
Added Matt, Brent and Dan, they'll probably be interested.
Now that we have sudo and rootless podman tests passing in both Travis CI and GitHub Actions, I feel we are ready to start documenting the podman invocation. The proposed README changes are in https://github.com/freeipa/freeipa-container/pull/342 -- comments are welcome.
https://github.com/projectatomic/buildah/ as a drop-in replacement for docker build is buildah bud, such that buildah bud -t freeipa . ought to produce an image that can be pushed to a registry, or run using cri-o or podman. Initially there is an issue using the version of buildah in f26: https://github.com/projectatomic/buildah/issues/439