freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Failed to create /init.scope control group: Read-only file system #410

Closed FrozenSource closed 3 years ago

FrozenSource commented 3 years ago

Hi guys,

Trying freeipa out through docker-compose, though I've tried pretty much everything now, including podman.

I have created this sample from the instructions on this repo and have also used many other configurations but I keep getting:

Failed to create /init.scope control group: Read-only file system

I am running the host on Fedora 34 with docker and the container_manage_cgroup bool enabled and SELinux enforcing. I tried privileged, without tmpfs, all capabilities, with multiple combinations of those. Is anybody able to help, since I can't find any working solution either?

version: '3'

services:
  freeipa:
    image: freeipa/freeipa-server:fedora-rawhide
    container_name: ipa.*.nl
#    sysctls:
#      - net.ipv6.conf.all.disable_ipv6=1
    hostname: ipa.*.nl
#    read_only: true
    privileged: true
    tty: true
    stdin_open: true
    environment:
      - DEBUG_TRACE=1
#      - IPA_SERVER_HOSTNAME=ipa.*.nl
    command:
      - --admin-password=*
      - --ds-password=*
      - --realm=*.nl
#      - --unattended
      - --domain=*.nl
    ports:
      # FreeIPA WebUI
      - "8080:80"
#      - "443:443"
      # Kerberos
#      - "88:88/udp"
#      - "88:88"
#      - "464:464/udp"
#      - "464:464"
      # LDAP
#      - "389:389"
#      - "636:636"
      # DNS
      # - "53:53/udp"
      # - "53:53"
      # NTP
#      - "123:123/udp"
      # other
#      - "7389:7389"
#      - "9443:9443"
#      - "9444:9444"
#      - "9445:9445"
    tmpfs:
      - /run
      - /tmp
    volumes:
      - ./data:/data:Z # Z not really needed since I managed the permissions for this directory.
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    networks:
      - services
    cap_add:
      - SYS_ADMIN

networks:
  services:
    external: true

adelton commented 3 years ago

Where does the guidance for running the container as privileged come from? Is it in some documentation somewhere?

adelton commented 3 years ago

Based on information in https://github.com/freeipa/freeipa-container/issues/407, you might want to use systemd.unified_cgroup_hierarchy=0 on your host.

FrozenSource commented 3 years ago

I thought maybe it could not get to a certain resource and thus I started adding possibly unnecessary permissions for the container; I saw privileged somewhere but don't remember where.

This did indeed fix it, and I looked a bit further into it. Apparently Fedora is one of the first distros to move to V2 cgroups, which the Moby Engine still does not support, as opposed to podman... This has apparently been going on since Fedora 31; it might be something to put in the documentation, as I imagine people might give up on freeipa because of it (which would be a waste).

I have everything in docker and as such I don't wish to move partially to podman yet, thus this workaround giving me that ability, thanks!
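The two comments above (adelton's pointer to `systemd.unified_cgroup_hierarchy=0` and FrozenSource's explanation that the host is on cgroups v2) together describe a host-side check and remediation. The script below is an added example, not part of this thread or of the freeipa-container project: it classifies the host's cgroup layout from the filesystem type mounted at `/sys/fs/cgroup` (`cgroup2fs` for the unified v2 hierarchy, `tmpfs` for the legacy v1 layout) and prints, without executing, the `grubby` command that switches a Fedora host back to the v1 hierarchy. The function names are hypothetical and the fallback sample value is constructed. Note that `privileged: true` and `cap_add: SYS_ADMIN` in the compose file above do not address this mismatch (the reporter tried them without effect) and only widen what the container may do on the host; once the host change is in place they can be dropped.

```shell
#!/bin/sh
# Added example (not freeipa-container code): detect the host cgroup mode and
# print the remediation the thread settled on. Assumes a Fedora-style host
# where grubby manages the kernel command line.

# Map the output of `stat -fc %T /sys/fs/cgroup` to a cgroup mode.
#   cgroup2fs     -> "v2"  (unified hierarchy; the Fedora default since 31)
#   tmpfs         -> "v1"  (legacy or hybrid hierarchy with v1 controllers)
#   anything else -> "unknown"
cgroup_mode() {
  case "$1" in
    cgroup2fs) echo "v2" ;;
    tmpfs)     echo "v1" ;;
    *)         echo "unknown" ;;
  esac
}

# For a given mode, print the host-side change: on a v2 host, put
# systemd.unified_cgroup_hierarchy=0 on every kernel entry and reboot.
# The command is printed, not run, so this script is a read-only check.
remediation_for() {
  case "$1" in
    v2) echo "sudo grubby --update-kernel=ALL --args=systemd.unified_cgroup_hierarchy=0 && sudo reboot" ;;
    v1) echo "none: host already uses the cgroup v1 hierarchy" ;;
    *)  echo "inspect /sys/fs/cgroup manually" ;;
  esac
}

# Read the live host when /sys/fs/cgroup exists; otherwise fall back to a
# constructed sample value so the script still runs offline.
detected_fstype() {
  if [ -d /sys/fs/cgroup ]; then
    stat -fc %T /sys/fs/cgroup 2>/dev/null || echo "unknown"
  else
    echo "cgroup2fs"   # constructed sample value
  fi
}

fstype=$(detected_fstype)
mode=$(cgroup_mode "$fstype")
echo "cgroup fs type: $fstype -> mode $mode"
echo "remediation:    $(remediation_for "$mode")"
```

Run it on the Docker host, not inside the container: the error in the issue title comes from systemd inside the container failing to create its scope under a host hierarchy that the Moby Engine of that era did not support, so the state that matters is the host's.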

adelton commented 3 years ago

Good point, I've added a note to the README now. Thanks.