freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Replica sets ipa-ca A record to the containers IP address instead of a given address #594

Open m3e-g opened 8 months ago

m3e-g commented 8 months ago

I've created a replica which was able to install itself successfully, with the following docker-compose.yml file (with some jinja2 templating):

networks:
  default:
    name: {{ network_name }}
    external: true

services:
  freeipa:
    image: freeipa/freeipa-server:{{ freeipa.version }}
    container_name: {{ role_name_local }}
    stdin_open: true
    tty: true
    sysctls:
     - net.ipv6.conf.all.disable_ipv6=0
    hostname: "ipa.{{ root_domain }}"
    read_only: true
    dns:
      - {{dns_ip}}
      - 127.0.0.1
    extra_hosts:
      - "ipa-re.{{root_domain}}:{{freeipa.src_replica_ip}}"
      - "ipa-re:{{freeipa.src_replica_ip}}"
      - "ipa.{{root_domain}}:{{freeipa.ip}}"
    environment:
      - TZ={{ tz }}
    command:
      - ipa-replica-install
      - --setup-ca
      - --admin-password={{ freeipa.ipa_admin_pass }}
      - --domain={{ root_domain }}
      - --realm={{ root_domain|upper }}
      - --setup-dns
      - --forwarder=8.8.8.8
      - --forwarder=8.8.4.4
      - --skip-mem-check
      - --force-join
      - --ip-address={{freeipa.ip}}
    ports:
      # FreeIPA WebUI
      #- "80:80"
      #- "443:443"
      # Kerberos
      - "88:88/udp"
      - "88:88"
      - "464:464/udp"
      - "464:464"
      # LDAP
      - "389:389"
      - "636:636"
      # DNS
      - "53:53/udp"
      - "53:53"
      # NTP
      - "123:123/udp"
    tmpfs:
      - /run
      - /var/run
      - /tmp
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - {{ role_appdata_dir }}:/data:Z
      - {{ role_log_dir }}:/data/var/log:Z
      - /sys/fs/cgroup/unified:/sys/fs/cgroup

I've been replicating from the ipa-re.{{root_domain}} to the ipa.{{root_domain}}, where ipa-re is a VM running Rocky 9 with IPA 4.10.2.

Container used is freeipa/freeipa-server:rocky-9 (IPA 4.10.2), host is Ubuntu 22.04 LTS with Docker v25.

This seems to work like it used to before (it's communicating with the other docker containers on the same network and with external hosts) and ipa-healthcheck in the container does not return anything.

But I've noticed that the ipa-ca address is set to 172.18.0.4, which is the internal IP of the container. When I originally created this IPA instance in a container over 2 years ago, I'm not sure if ipa-ca had been set at all. When I search through the snapshots I cannot find any mention of this field in /var/named (it's mentioned only in the certmonger, pki-tomcatd and httpd configs).

When I issue the ipa dns-update-system-records --dry-run it still shows the 172.18.0.4 as the ipa-ca address, so I suppose that changing it manually won't last. What would be the expected solution for this?

As a sidenote: if I add IPA_SERVER_IP to the docker-compose above, it will configure the replica as well but will never leave this loop https://github.com/freeipa/freeipa-container/blob/f94501d388675a8b05cea13967af8f0cd559aa1e/ipa-server-configure-first#L64 because the name will always be resolved to the internal address by the docker DNS service (127.0.0.11). (It also does not fix the original issue anyway.)

[root@ipa /]# dig -t A ipa.<root_domain>

; <<>> DiG 9.16.23-RH <<>> -t A ipa.<root_domain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59419
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ipa.<root_domain>.             IN      A

;; ANSWER SECTION:
ipa.<root_domain>.      600     IN      A       172.18.0.4

;; Query time: 0 msec
;; SERVER: 127.0.0.11#53(127.0.0.11)
;; WHEN: Fri Mar 01 00:00:24 CET 2024
;; MSG SIZE  rcvd: 68
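The dig answer above is the symptom of this issue: the container's bridge address, not the address passed to --ip-address, is what DNS hands back. The following script is an added example (not code from the freeipa-container project or from the reporter) for spotting that condition before trusting what ipa dns-update-system-records would publish. It parses dig-style output, checks whether the resolved address is an RFC 1918 address such as Docker's default 172.17.0.0/16 and neighbouring bridge ranges, and compares it with the address you intended to publish. The hostname ipa.example.test and the expected address 203.0.113.10 are assumed placeholders; the embedded dig line is constructed to mirror the one in the issue.

```shell
#!/bin/sh
# Added example: detect an A record that FreeIPA published with the container's
# internal address instead of the address given to --ip-address.
# Assumptions (not from the issue): hostname ipa.example.test, intended
# external address 203.0.113.10.

# Constructed sample: the answer-section line that `dig -t A ipa.example.test`
# returned inside the container, mirroring the issue's 172.18.0.4 result.
SAMPLE_DIG_OUTPUT='ipa.example.test.      600     IN      A       172.18.0.4'

# Print the first A record address found in dig-style output. Header and
# question lines start with ';' and never have "IN A" in fields 3 and 4.
# Usage: a_record_from_dig "<dig output text>"
a_record_from_dig() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5; exit }'
}

# Exit 0 when the IPv4 address is in an RFC 1918 range (10/8, 172.16/12,
# 192.168/16), which is where Docker bridge networks allocate; 1 otherwise.
is_private_ipv4() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;   # not a dotted quad at all
    esac
    first_octet=${1%%.*}
    remainder=${1#*.}
    second_octet=${remainder%%.*}
    case "$second_octet" in
        ''|*[!0-9]*) return 1 ;;    # malformed second octet
    esac
    case "$first_octet" in
        10)  return 0 ;;
        172) [ "$second_octet" -ge 16 ] && [ "$second_octet" -le 31 ] && return 0 ;;
        192) [ "$second_octet" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Compare what DNS returns with the address you intended to publish.
# Prints: ok (matches), private (a container/bridge address leaked into DNS),
# or mismatch (some other unexpected address).
classify_record() {
    expected=$1
    resolved=$2
    if [ "$resolved" = "$expected" ]; then
        echo ok
    elif is_private_ipv4 "$resolved"; then
        echo private
    else
        echo mismatch
    fi
}

# One-shot check: extract the A record from dig output and classify it.
# Usage: check_published_address "<expected ip>" "<dig output text>"
check_published_address() {
    classify_record "$1" "$(a_record_from_dig "$2")"
}

# Demo on the constructed sample. On a real host, pass "$(dig -t A <fqdn>)"
# as the second argument instead of SAMPLE_DIG_OUTPUT.
resolved_sample=$(a_record_from_dig "$SAMPLE_DIG_OUTPUT")
echo "ipa.example.test resolves to $resolved_sample: $(check_published_address 203.0.113.10 "$SAMPLE_DIG_OUTPUT")"
```

Run it from inside the container (where the resolver is Docker's 127.0.0.11) and from a host outside the compose network; a result of `private` in either place means the published record is the bridge address and any client outside the network will fail to reach the CA or the replica by name.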

m3e-g commented 8 months ago

I've restored my freeipa instance from a 2023-11-30 backup (rocky-8) and ipa-ca had been correctly set to the external address, but ipa dns-update-system-records --dry-run is still suggesting the internal address.

adelton commented 8 months ago

Last time we discussed this was in https://github.com/freeipa/freeipa-container/issues/321 and there we concluded that --ip-address (which you use) should be working. Albeit that was on a master, not a replica. But with that, and especially the extra_hosts which I assume set records in /etc/hosts in the container, there's not much more you could do to make FreeIPA happy.

Any chance you would be able to set up a replica in a VM with some nonstandard IP setup, instead of in a container, and see if ipa dns-update-system-records works in that case?

m3e-g commented 8 months ago

I wish I'd stumbled upon #321 earlier, as it would have saved me some debugging time ;) For the record, when creating a new container with a master, using --ip-address also sets the ipa-ca A record to the internal address. I suppose there is no mechanism to override this address within ipa itself, or it's kept like this by design.

If time permits I'll try to recreate a similar setup in VMs, but I'd have to figure out proper NAT for those first.

adelton commented 3 days ago

Were you able to make some progress with this?

BTW, in https://github.com/freeipa/freeipa-container/pull/640 I'm proposing a way to disable the mechanism which puts the container's internal IP address to DNS, to avoid disrupting the general FreeIPA mechanisms (--ip-address and ipa dnsrecord-mod). Not sure if it might be in any way relevant to your setup.