freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

FreeIPA container replica not starting after updating to Docker host to Ubuntu 24.04 #619

Closed StefanAbl closed 2 months ago

StefanAbl commented 3 months ago

After updating the host on which I run a FreeIPA replica in a container to Ubuntu 22.04 and then to 24.04, the replica will no longer start. This happens with both versions. Before, I used 20.04, with which the container worked. I added the DEBUG_NO_EXIT env variable; however, the container still crashes.

These are the last logs the container prints:

+ read i
+ '[' -e /data-template/var/log/lastlog -a -e /data/var/log/lastlog ']'
+ chown --reference=/data-template/var/log/lastlog /data/var/log/lastlog
+ chmod --reference=/data-template/var/log/lastlog /data/var/log/lastlog
+ read i
+ '[' -e /data-template/var/log/pki/ -a -e /data/var/log/pki/ ']'
+ chown --reference=/data-template/var/log/pki/ /data/var/log/pki/
+ chmod --reference=/data-template/var/log/pki/ /data/var/log/pki/
+ read i
+ '[' -e /data-template/var/log/samba/ -a -e /data/var/log/samba/ ']'
+ chown --reference=/data-template/var/log/samba/ /data/var/log/samba/
+ chmod --reference=/data-template/var/log/samba/ /data/var/log/samba/
+ read i
+ '[' -e /data-template/var/log/sssd/ -a -e /data/var/log/sssd/ ']'
+ chown --reference=/data-template/var/log/sssd/ /data/var/log/sssd/
+ chmod --reference=/data-template/var/log/sssd/ /data/var/log/sssd/
+ read i
+ '[' -e /data-template/var/log/wtmp -a -e /data/var/log/wtmp ']'
+ chown --reference=/data-template/var/log/wtmp /data/var/log/wtmp
+ chmod --reference=/data-template/var/log/wtmp /data/var/log/wtmp
+ read i
+ '[' -e /data-template/var/named/ -a -e /data/var/named/ ']'
+ chown --reference=/data-template/var/named/ /data/var/named/
+ chmod --reference=/data-template/var/named/ /data/var/named/
+ read i
+ SYSTEMD_OPTS=--unit=ipa-server-upgrade.service
+ '[' -f /etc/ipa/ca.crt ']'
+ rm -f /data/etc/systemd/system/multi-user.target.wants/ipa-server-configure-first.service
++ date
+ echo 'Sat Aug 24 12:01:34 UTC 2024 /usr/local/sbin/init '
+ SHOW_LOG=1
+ '[' 1 == 1 ']'
+ for i in /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
+ '[' -f /var/log/ipa-server-configure-first.log ']'
+ for i in /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
+ '[' -f /var/log/ipa-server-run.log ']'
+ trap '' SIGHUP
+ tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
+ '[' -n '' ']'
+ exec /usr/sbin/init --show-status=false --unit=ipa-server-upgrade.service

In `/var/log/ipa-server-configure-first.log` it prints `Sat Aug 24 12:03:38 UTC 2024 /usr/local/sbin/init`, and in `/var/log/ipa-server-run.log`:

Fri Aug  2 10:07:27 UTC 2024 /usr/sbin/ipa-server-configure-first update-self-ip-address
FreeIPA server does not run DNS server, skipping update-self-ip-address.
FreeIPA server started.

The test script is also not successful; however, its output does not help me solve my issue:

root@linode0:/home/stefan/freeipa-container# docker=docker tests/run-partial-tests.sh Dockerfile.fedora-40
[+] Building 0.5s (17/17) FINISHED                                          docker:default
 => [internal] load build definition from Dockerfile.fedora-40.part                   0.0s

...

 => => naming to localhost/freeipa-server-test-addons:fedora-40                       0.0s
+ docker run --name freeipa-server-container-fedora-40 -d -h ipa.example.test --tmpfs /run --tmpfs /tmp --sysctl net.ipv6.conf.all.disable_ipv6=0 localhost/freeipa-server-test-addons:fedora-40
e20e9635d97638e2c1997c72998192e6c8d6459c5294ad0e9d46835cd5578797
Executing tests/systemd-container-failed.sh freeipa-server-container-fedora-40
Error response from daemon: container e20e9635d97638e2c1997c72998192e6c8d6459c5294ad0e9d46835cd5578797 is not running

I created the container using ansible with the following options:

    - name: start freeipa replica docker
      docker_container:
        name: replica
        image: "freeipa/freeipa-server:fedora-40-4.12.1"
        state: started
        detach: true
        recreate: no
        restart_policy: always
        hostname: "{{mailserver_replica_name}}"
        sysctls:
          net.ipv6.conf.all.disable_ipv6: "0"
          net.ipv6.conf.lo.disable_ipv6: "0"
        dns_servers: "{{ipa_server_ip}}"
        env:
          DEBUG_NO_EXIT: "1"
          DEBUG_TRACE: "1"
        networks:
          - name: primary
            ipv4_address: "172.18.0.17"
          - name: macvlan2
            ipv4_address: "{{mailserver_replica_container_macvlan_ip}}"
        published_ports:
          - "127.0.0.1:443:443"
          - "127.0.0.1:53:53"
        volumes:
          - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
          - "{{freeipa_dir}}:/data:Z"
        log_driver: json-file
        log_options:
          tag: "{% raw %}{{.ImageName}}|{{.Name}}|{{.ImageFullID}}|{{.FullID}}{% endraw %}"

Thank you for helping me!

adelton commented 3 months ago

I see /sys/fs/cgroup:/sys/fs/cgroup:ro in your docker-compose.yaml. That suggests that the original host was a cgroups v1 system. I assume that Ubuntu 24.04 is cgroups v2.

A quick suggestion might be to try changing that :ro to :rw. However, on Ubuntu 24.04 you might also be able to take advantage of rootless docker, so I'd suggest doing a fresh testing setup following the fresh README from this repository, and only after getting a solid setup, migrating your original container.
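A quick way to confirm the cgroups v1 vs. v2 guess and the read-only mount before touching the container, as an added example (not code from this thread or from the freeipa-container project). It parses a /proc/self/mountinfo listing, the live one or one saved from inside the container; the classification rules are this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the freeipa-container project: read a mountinfo
# listing (/proc/self/mountinfo by default, or a saved copy given as $1) and
# report whether the cgroup hierarchy is v2 and whether /sys/fs/cgroup is
# mounted read-only, the combination behind the :ro mount discussed above.
# The v1/v2 classification rules below are this example's own assumption.

# Filesystem type of the mount at MOUNTPOINT: mountinfo fields 1-6 are fixed,
# optional fields follow, then a lone "-" and the fstype (see proc(5)).
mount_fstype() {   # mount_fstype FILE MOUNTPOINT
    awk -v mp="$2" '$5 == mp { for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 1); exit } }' "$1"
}
# Per-mount options of the mount at MOUNTPOINT (field 6, e.g. "ro,nosuid,...").
mount_opts() {     # mount_opts FILE MOUNTPOINT
    awk -v mp="$2" '$5 == mp { print $6; exit }' "$1"
}

# "v2" when /sys/fs/cgroup itself is cgroup2 (unified), "v1" when any legacy
# cgroup controller mount exists (pure v1 or hybrid), otherwise "none".
cgroup_version() { # cgroup_version FILE
    if [ "$(mount_fstype "$1" /sys/fs/cgroup)" = cgroup2 ]; then
        echo v2
    elif awk '{ for (i = 7; i <= NF; i++) if ($i == "-") { if ($(i + 1) == "cgroup") f = 1; break } } END { exit !f }' "$1"; then
        echo v1
    else
        echo none
    fi
}

# "ro", "rw" or "missing" for the /sys/fs/cgroup mount itself.
cgroup_access() {  # cgroup_access FILE
    case "$(mount_opts "$1" /sys/fs/cgroup)" in
        "")      echo missing ;;
        ro|ro,*) echo ro ;;
        *)       echo rw ;;
    esac
}

# One-line verdict; exit status 1 for the read-only cgroup2 case.
cgroup_verdict() { # cgroup_verdict FILE
    v=$(cgroup_version "$1"); a=$(cgroup_access "$1")
    if [ "$v" = v2 ] && [ "$a" = ro ]; then
        echo "cgroup $v, /sys/fs/cgroup $a: systemd cannot write its cgroup tree; bind-mount /sys/fs/cgroup :rw instead of :ro"
        return 1
    fi
    echo "cgroup $v, /sys/fs/cgroup $a: no read-only cgroup2 problem detected"
}

# Run on the live host, or on a saved mountinfo passed as the first argument.
f=${1:-/proc/self/mountinfo}
[ -r "$f" ] && cgroup_verdict "$f"
```

Run it inside the failing container (`docker exec <name> sh cgroup-check.sh`) or on the host to see which side is read-only.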

adelton commented 2 months ago

We seem to have lost traction here.

StefanAbl commented 2 months ago

Sorry for not answering sooner. Your tip with mounting the volume as rw helped me to get the container up temporarily.

Regarding a permanent solution, I've read that using cgroup v2 in docker can be quite difficult. Do you recommend using podman instead of docker, as this article suggests that systemd is supported without any tweaks by podman?

Thank you for your help!

adelton commented 2 months ago

We document both docker and podman setups in our README at https://github.com/freeipa/freeipa-container. Yes, the systemd-in-container integration in podman is better, so fewer manual options are required.