freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

How to install it with custom CA certificate? #397

Closed ricosega closed 3 years ago

ricosega commented 3 years ago

Hi there,

Trying to install it with a custom certificate, but I cannot make it work. It is even difficult to install it with its own certificate, because sometimes it fails in the process and sometimes it does not, with the same configuration, so I would really appreciate it if someone could help.

I will paste the info about docker versions and images used below:

Client:
 Version:           19.03.6
 API version:       1.40
 Go version:        go1.12.17
 Git commit:        369ce74a3c
 Built:             Fri Dec 18 12:21:44 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          19.03.6
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.17
  Git commit:       369ce74a3c
  Built:            Thu Dec 10 13:23:49 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.3-0ubuntu1~18.04.4
  GitCommit:        
 runc:
  Version:          spec: 1.0.1-dev
  GitCommit:        
 docker-init:
  Version:          0.18.0
  GitCommit:        
###################################################
docker-compose version 1.17.1, build unknown
docker-py version: 2.5.1
CPython version: 2.7.17
OpenSSL version: OpenSSL 1.1.1  11 Sep 2018
###################################################
freeipa/freeipa-server@sha256:3a5ef70bb0f8faa45cdea132f7d343fe09a15a158cd77847b6f673d5da1bbbfb
###################################################
freeipa/freeipa-server@sha256:9662e664d52fa32302c481251412c60c55449095778131d43d40c9fe878741a9

That said, here is the docker-compose.yml config that I am using:

version: '3.2'
services:
  freeipa:
    image: freeipa/freeipa-server:centos-8
    container_name: freeipa
#    hostname: freeipa.server.dev
#    restart: always
#    network_mode: host
#    privileged: true
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    environment:
      - IPA_SERVER_HOSTNAME=freeipa.server.dev
#      - IPA_SERVER_IP=10.10.10.10
    volumes: 
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /srv/freeipa:/data
      - /srv/certs:/certs
    command:
      [
        "--no-ntp",
#        "--no-ssh",
#        "--no-sshd",
#        "--no-host-dns",
        "--realm=SERVER.DEV",
        "--domain=server.dev",
        "--ds-password=randompasswd",
        "--admin-password=randompasswd",
#        "--pki-config-override=/certs/pki.cfg",
#        "--external-ca",
        "--external-cert-file=/certs/server.pem",
        "--external-cert-file=/certs/ca.pem",
        "--unattended",
        "-v"
      ]

The commented lines are there because I tried with all the options available, but none of them work. I have an ipaserver-install.log with all the outputs saved.

The steps I follow are the following. FIRST TIME:

        "--no-ntp",
        "--realm=SERVER.DEV",
        "--domain=server.dev",
        "--ds-password=randompasswd",
        "--admin-password=randompasswd",
        "--pki-config-override=/certs/pki.cfg",
        "--external-ca",
        "--unattended",
        "-v"

If there is no error, I get the CSR to sign. After signing it, I execute it with the following. SECOND TIME:

        "--no-ntp",
        "--realm=SERVER.DEV",
        "--domain=server.dev",
        "--ds-password=randompasswd",
        "--admin-password=randompasswd",
        "--external-cert-file=/certs/server.pem",
        "--external-cert-file=/certs/ca.pem",
        "--unattended",
        "-v"

And in this second step I usually get different errors:

ricosega commented 3 years ago

OK, I managed to discover a couple of things.

It won't work with the docker-compose options "network_mode: host" or "privileged: true", for sure, because it will return the second error I posted before: "Configuration of client side components failed." Which is exactly the same error posted here.

So finally I added "--no-host-dns" and removed the IPA_SERVER_HOSTNAME and IPA_SERVER_IP variables, and again received the "Cannot set hostname" error. Then I did exactly the same as posted here and replaced /bin/hostnamectl with this, and it worked!

adelton commented 3 years ago

Can't you just uncomment that

hostname: freeipa.server.dev

line?

ricosega commented 3 years ago

The commented lines are there because I tried with all options available but none of them works.

I tried with that option uncommented, for sure, but I was also getting errors, maybe because of the combination with privileged: true or network_mode: host.

adelton commented 3 years ago

You should never need to use privileged. Whether to use host network or not really depends on your needs.

But if the docker-compose that you use supports the hostname option, I'd go with that to avoid the need for hitting the code path of changing it later (which is what then wants to call hostnamectl).

ricosega commented 3 years ago

Tested again from starting point with two different PC's.

With Ubuntu 18.04, Docker version 19.03.6 and docker-compose version 1.17.1, the option hostname: freeipa.server.dev does not work with the following options:

version: '3.2'
services:
  freeipa:
    image: freeipa/freeipa-server:centos-8
    container_name: freeipa
    hostname: freeipa.server.dev
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    volumes: 
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
      - /srv/freeipa:/data
      - /srv/certs:/certs
    command:
      [
        "--no-ntp",
        "--no-host-dns",
        "--realm=SERVER.DEV",
        "--domain=server.dev",
        "--ds-password=randompasswd",
        "--admin-password=randompasswd",
        "--pki-config-override=/certs/pki.cfg",
        "--external-ca",
        "--unattended",
        "-v"
      ]

And the output is:

freeipa2   | Container invoked without fully-qualified hostname
freeipa2   |    and without specifying hostname to use.
freeipa2   | Consider using -h FQDN option to docker run.
freeipa2 exited with code 15

In this case I can skip this error by using privileged mode.

With the second PC, Ubuntu 20.04, Docker version 20.10.6 and docker-compose version 1.25.0 the option hostname: freeipa.server.dev works properly the first time.

But now, with both PCs, the second time I run docker-compose after signing the CSR with my own CA, I get the hostname error.

freeipa    | The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa    | CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa    | The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
freeipa    | FreeIPA server configuration failed.
freeipa exited with code 123

Any idea?

adelton commented 3 years ago

Could you run

ca=--external-ca replica=none tests/run-master-and-replica.sh freeipa/freeipa-server:centos-8

to see if you get the error as well? It passes both on my local environments and in the GitHub Actions CI for this repository without hitting the hostnamectl issue, so running the test in your environment should help us narrow down the cause of this issue.

As mentioned already, you should never need to use privileged; please don't do that. We've worked hard enough to make it possible to use the FreeIPA container unprivileged, and the privileged setup can actually cause a new set of issues.

adelton commented 3 years ago

We seem to have lost traction here.

ricosega commented 3 years ago

Sorry, I had no time. The test command that you asked me to run passed.

But I tried again and got the same issue with the hostname after signing the CSR.

freeipa    | Process finished, return code=0
freeipa    | stdout=certutil: certificate is valid
freeipa    | 
freeipa    | stderr=
freeipa    | Name freeipa.server.dev resolved to {UnsafeIPAddress('172.19.0.2')}
freeipa    | Searching for an interface of IP address: 172.19.0.2
freeipa    | Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
freeipa    | Testing local IP address: 172.19.0.2/255.255.0.0 (interface: eth0)
freeipa    | Starting external process
freeipa    | args=['/bin/systemctl', 'is-active', 'dirsrv@SERVER-DEV.service']
freeipa    | Process finished, return code=0
freeipa    | stdout=active
freeipa    | 
freeipa    | stderr=
freeipa    | Backing up system configuration file '/etc/hostname'
freeipa    | Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
freeipa    | Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa    | Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa    | Starting external process
freeipa    | args=['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev']
freeipa    | Process finished, return code=1
freeipa    | stdout=
freeipa    | stderr=Could not set property: Connection timed out
freeipa    | 
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
freeipa    |     return_value = self.run()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
freeipa    |     return cfgr.run()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
freeipa    |     return self.execute()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
freeipa    |     for rval in self._executor():
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa    |     exc_handler(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa    |     self._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa    |     step()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa    |     step = lambda: next(self.__gen)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa    |     value = gen.send(prev_value)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
freeipa    |     next(executor)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa    |     exc_handler(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa    |     self._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
freeipa    |     self.__parent._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
freeipa    |     super(ComponentBase, self)._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa    |     step()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa    |     step = lambda: next(self.__gen)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa    |     value = gen.send(prev_value)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
freeipa    |     for unused in self._installer(self.parent):
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 569, in main
freeipa    |     master_install(self)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
freeipa    |     func(installer)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 807, in install
freeipa    |     tasks.set_hostname(host_name)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/tasks.py", line 587, in set_hostname
freeipa    |     ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
freeipa    |     p.returncode, arg_string, output_log, error_log
freeipa    | 
freeipa    | The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa    | CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: 'Could not set property: Connection timed out\n')
freeipa    | The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
freeipa    | FreeIPA server configuration failed.

adelton commented 3 years ago

Looking at that /usr/lib/python3.6/site-packages/ipaserver/install/server/install.py:807, the code is

    # set hostname (transient and static) if user instructed us to do so
    if options._host_name_overridden:
        tasks.backup_hostname(fstore, sstore)
        tasks.set_hostname(host_name)

and the options._host_name_overridden is set in

    options._host_name_overridden = bool(options.host_name)

What does /var/log/ipaserver-install.log say about that option:

# grep host_name /var/log/ipaserver-install.log

?

ricosega commented 3 years ago

Here is the output:

2021-05-05T08:26:49Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': True, 'ip_addresses': None, 'domain_name': 'server.dev', 'realm_name': 'SERVER.DEV', 'host_name': None, 'ca_cert_files': None, 'domain_level': None, 'setup_adtrust': False, 'setup_kra': False, 'setup_dns': False, 'idstart': None, 'idmax': None, 'no_hbac_allow': False, 'no_pkinit': False, 'no_ui_redirect': False, 'dirsrv_config_file': None, 'dirsrv_cert_files': None, 'http_cert_files': None, 'pkinit_cert_files': None, 'dirsrv_cert_name': None, 'http_cert_name': None, 'pkinit_cert_name': None, 'mkhomedir': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': True, 'force_ntpd': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_dns_sshfp': False, 'external_ca': False, 'external_ca_type': None, 'external_ca_profile': None, 'external_cert_files': ['/certs/server.pem', '/certs/ca.pem'], 'subject_base': None, 'ca_subject': None, 'ca_signing_algorithm': None, 'pki_config_override': None, 'allow_zone_overlap': False, 'reverse_zones': None, 'no_reverse': False, 'auto_reverse': False, 'zonemgr': None, 'forwarders': None, 'no_forwarders': False, 'auto_forwarders': False, 'forward_policy': None, 'no_dnssec_validation': False, 'no_host_dns': True, 'enable_compat': False, 'netbios_name': None, 'no_msdcs': False, 'rid_base': None, 'secondary_rid_base': None, 'ignore_topology_disconnect': False, 'ignore_last_of_role': False, 'verbose': True, 'quiet': False, 'log_file': None, 'uninstall': False}

2021-05-05T08:26:49Z DEBUG will use host_name: freeipa.server.dev

    tasks.set_hostname(host_name)

It seems it is not taking it ('host_name': None), and I will have to pass it as an argument with --hostname=freeipa.server.dev. Going to try it.

adelton commented 3 years ago

No, it's the other way round. The option was not passed so it's not clear to me why options._host_name_overridden gets set and tasks.set_hostname(host_name) executed.

Are you able to run docker exec freeipa hostname while the container is running the first and the second time to see what the internal understanding of the hostname is in it?
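To make the check adelton describes mechanical, here is an added example (not code from this thread, from FreeIPA or from the freeipa-container project) that pulls the options dict out of the "ipa-server-install was invoked with arguments ... and options:" debug line in /var/log/ipaserver-install.log and recomputes the installer's own condition, options._host_name_overridden = bool(options.host_name), which is what decides whether tasks.set_hostname() and therefore hostnamectl runs. It also reports which external-CA step the run belongs to from the external_ca and external_cert_files options. The embedded log text is an abridged copy of the lines posted above; the function names and the regular expressions are this example's own.

```python
"""Evaluate ipa-server-install's hostname-override condition from its log.

Added example for this issue thread, not FreeIPA or freeipa-container code.
Assumptions: the log carries the 'was invoked with arguments [...] and
options: {...}' DEBUG line with Python reprs (as the line posted in the
thread does) and a 'will use host_name: X' line.
"""
import ast
import re

INVOKED_RE = re.compile(
    r"ipa-server-install was invoked with arguments (\[.*?\]) and options: (\{.*\})")
WILL_USE_RE = re.compile(r"DEBUG will use host_name: (\S+)")

# Abridged copy of the log lines posted in the thread: unrelated options
# dropped, the remaining values kept literally.
SAMPLE_LOG = """\
2021-05-05T08:26:49Z DEBUG ipa-server-install was invoked with arguments [] and options: {'unattended': True, 'domain_name': 'server.dev', 'realm_name': 'SERVER.DEV', 'host_name': None, 'no_ntp': True, 'external_ca': False, 'external_cert_files': ['/certs/server.pem', '/certs/ca.pem'], 'pki_config_override': None, 'no_host_dns': True, 'verbose': True}
2021-05-05T08:26:49Z DEBUG will use host_name: freeipa.server.dev
"""


def parse_invocation(log_text):
    """Return (arguments, options) from the first 'was invoked' line, else None."""
    for line in log_text.splitlines():
        m = INVOKED_RE.search(line)
        if m:
            # The installer logs Python reprs; literal_eval reads them back
            # without evaluating arbitrary code.
            return ast.literal_eval(m.group(1)), ast.literal_eval(m.group(2))
    return None


def effective_host_name(log_text):
    """The hostname the installer decided to use, from 'will use host_name'."""
    m = WILL_USE_RE.search(log_text)
    return m.group(1) if m else None


def analyse(log_text):
    """Summarise the invocation: hostname option, override flag, CA phase."""
    parsed = parse_invocation(log_text)
    if parsed is None:
        raise ValueError("no 'ipa-server-install was invoked' line found")
    _args, opts = parsed
    host_name = opts.get("host_name")
    cert_files = opts.get("external_cert_files") or []
    if opts.get("external_ca"):
        phase = "external-ca step 1 (CSR generation)"
    elif cert_files:
        phase = "external-ca step 2 (installing signed certificates)"
    else:
        phase = "self-signed CA install"
    return {
        "host_name_option": host_name,
        # Same expression as ipaserver/install/server/install.py:
        # options._host_name_overridden = bool(options.host_name)
        "host_name_overridden": bool(host_name),
        "effective_host_name": effective_host_name(log_text),
        "phase": phase,
        "external_cert_files": cert_files,
    }


if __name__ == "__main__":
    # Point this at the real file when debugging a container:
    #   docker exec freeipa cat /var/log/ipaserver-install.log > install.log
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log the result is host_name_overridden False while the effective hostname is still freeipa.server.dev, which is exactly the combination adelton points out: the option was not passed, so the set_hostname path should not have been reached.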

ricosega commented 3 years ago

Tried with --hostname=freeipa.server.dev and still an error.

freeipa    | stderr=
freeipa    | Name freeipa.server.dev resolved to {UnsafeIPAddress('172.19.0.2')}
freeipa    | Searching for an interface of IP address: 172.19.0.2
freeipa    | Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
freeipa    | Testing local IP address: 172.19.0.2/255.255.0.0 (interface: eth0)
freeipa    | Starting external process
freeipa    | args=['/bin/systemctl', 'is-active', 'dirsrv@SERVER-DEV.service']
freeipa    | Process finished, return code=0
freeipa    | stdout=active
freeipa    | 
freeipa    | stderr=
freeipa    | Backing up system configuration file '/etc/hostname'
freeipa    |   -> Not backing up - already have a copy of '/etc/hostname'
freeipa    | Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa    | Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
freeipa    | Starting external process
freeipa    | args=['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev']
freeipa    | Process finished, return code=1
freeipa    | stdout=
freeipa    | stderr=Could not set property: Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)
freeipa    | 
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
freeipa    |     return_value = self.run()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 340, in run
freeipa    |     return cfgr.run()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
freeipa    |     return self.execute()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
freeipa    |     for rval in self._executor():
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa    |     exc_handler(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa    |     self._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa    |     step()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa    |     step = lambda: next(self.__gen)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa    |     value = gen.send(prev_value)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
freeipa    |     next(executor)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
freeipa    |     exc_handler(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
freeipa    |     self._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
freeipa    |     self.__parent._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
freeipa    |     super(ComponentBase, self)._handle_exception(exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
freeipa    |     step()
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
freeipa    |     step = lambda: next(self.__gen)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
freeipa    |     six.reraise(*exc_info)
freeipa    |   File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
freeipa    |     raise value
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
freeipa    |     value = gen.send(prev_value)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
freeipa    |     for unused in self._installer(self.parent):
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 569, in main
freeipa    |     master_install(self)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 276, in decorated
freeipa    |     func(installer)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaserver/install/server/install.py", line 807, in install
freeipa    |     tasks.set_hostname(host_name)
freeipa    |   File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/tasks.py", line 587, in set_hostname
freeipa    |     ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
freeipa    |   File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 598, in run
freeipa    |     p.returncode, arg_string, output_log, error_log
freeipa    | 
freeipa    | The ipa-server-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: "Could not set property: Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)\n")
freeipa    | CalledProcessError(Command ['/bin/hostnamectl', 'set-hostname', 'freeipa.server.dev'] returned non-zero exit status 1: "Could not set property: Failed to activate service 'org.freedesktop.hostname1': timed out (service_start_timeout=25000ms)\n")
freeipa    | The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
freeipa    | FreeIPA server configuration failed.

ricosega commented 3 years ago

In both executions the result is the same:

 ubuntu@mininuc ~/freeipa$ docker exec freeipa hostname
freeipa.server.dev

abbra commented 3 years ago

For hostnamectl set-hostname failures in containers, make sure to add pidfd_open to the list of permitted syscalls in your seccomp profile. This is the syscall used by systemd since the Linux 5.3 kernel, and if your container host runs on a newer kernel, you get this issue.
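As an added example of the fix abbra describes (not code from this thread or from the freeipa-container project), the script below adds an unconditional allow rule for pidfd_open to a Docker-style seccomp JSON profile, and writes the result so it can be passed with docker run --security-opt seccomp=FILE or, in docker-compose, under security_opt. It also allows pidfd_send_signal, the companion pidfd syscall systemd uses on the same kernels; that addition goes beyond the comment above. The embedded profile is a constructed, minimal stand-in for Docker's default profile with the same shape (defaultAction plus a syscalls list of names/action entries); the file name freeipa-seccomp.json is illustrative.

```python
"""Allow the pidfd syscalls hostnamectl/systemd need in a seccomp profile.

Added example for this issue thread, not freeipa-container code.
Assumptions: the input is a Docker/containerd style seccomp JSON profile
("defaultAction" plus "syscalls": [{"names": [...], "action": ..., ...}]).
Apply the output with:
    docker run --security-opt seccomp=freeipa-seccomp.json ...
or in docker-compose:
    security_opt:
      - seccomp:./freeipa-seccomp.json
"""
import copy
import json

ALLOW = "SCMP_ACT_ALLOW"

# Constructed minimal profile in the shape of Docker's default.json: deny by
# default, allow a few syscalls, and deliberately no pidfd_open.  The clone
# rule carries argument conditions, as the real default profile's does.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "sethostname"],
         "action": ALLOW},
        {"names": ["clone"], "action": ALLOW,
         "args": [{"index": 0, "value": 2114060288,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
    ],
}


def is_allowed(profile, syscall):
    """True if the profile lets `syscall` through unconditionally."""
    if profile.get("defaultAction") == ALLOW:
        return True
    for rule in profile.get("syscalls", []):
        # A rule with "args" only matches particular argument values, so it
        # does not count as an unconditional allow.
        if (rule.get("action") == ALLOW and not rule.get("args")
                and syscall in rule.get("names", [])):
            return True
    return False


def allow_syscalls(profile, syscalls):
    """Return a copy of `profile` with one extra allow rule covering those of
    `syscalls` not already allowed.  The input is not modified, and calling
    this again with the same names changes nothing."""
    patched = copy.deepcopy(profile)
    missing = [s for s in syscalls if not is_allowed(patched, s)]
    if missing:
        patched.setdefault("syscalls", []).append(
            {"names": missing, "action": ALLOW})
    return patched


def write_profile(profile, path):
    """Serialise the profile to `path` for --security-opt seccomp=<path>."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path


if __name__ == "__main__":
    # For a real host, load the engine's profile instead of SAMPLE_PROFILE,
    # e.g. json.load(open("default.json")) from the moby repository.
    patched = allow_syscalls(SAMPLE_PROFILE, ["pidfd_open", "pidfd_send_signal"])
    write_profile(patched, "freeipa-seccomp.json")
```

Two checks before blaming seccomp: docker inspect --format '{{.HostConfig.SecurityOpt}}' freeipa shows whether a custom profile is applied (an empty result means the engine's built-in default), and grep Seccomp /proc/1/status inside the container prints 2 when a filter is active on PID 1.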

adelton commented 3 years ago

I've tried to build image from

diff --git a/Dockerfile.centos-8 b/Dockerfile.centos-8
index 04a54e2..d7ad635 100644
--- a/Dockerfile.centos-8
+++ b/Dockerfile.centos-8
@@ -94,3 +94,5 @@ RUN uuidgen > /data-template/build-id
 # docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]

 LABEL maintainer="FreeIPA Developers <freeipa-devel@lists.fedorahosted.org>"
+
+RUN rm -f /usr/bin/hostnamectl ; ln -s /bin/false /usr/bin/hostnamectl
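Review bot: the stub is installed at /usr/bin/hostnamectl, but every traceback in this thread shows the installer running paths.BIN_HOSTNAMECTL as '/bin/hostnamectl', so the stub only intercepts that call because /bin is a symlink to /usr/bin in the CentOS 8 image; spell that assumption out in the comment above the RUN line, or stub /bin/hostnamectl explicitly, so the "hostnamectl was never called" conclusion does not silently depend on it. The `rm -f ... ; ln -s ...` pair can also be a single `ln -sf /bin/false /usr/bin/hostnamectl`.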

to force hostnamectl to always fail.

Then I run

docker=podman ca=--external-ca replica=none tests/run-master-and-replica.sh local/freeipa-server:centos-8

(and the same with docker) and it did not fail. Which to me means that hostnamectl was never actually called in this test.

While in @ricosega's docker-compose it gets called for some reason, even if the host_name option is not used.

adelton commented 3 years ago

Closing as I'm not able to reproduce the case when hostnamectl gets called.