tiredofit / docker-openldap-fusiondirectory

Dockerized OpenLDAP server with FusionDirectory Schema Support

execution of assets/custom-scripts throws "permission denied" #29

Open financelurker opened 2 years ago

financelurker commented 2 years ago

Summary

After setting up this container we were also spinning up a fusiondirectory container pointing to that openldap-fusiondirectory backend. With the openldap-fusiondirectory container version 1.4-7.1.5 the custom init scripts are not executed.

Steps to reproduce

First spin up the openldap-fusiondirectory setup:

apiVersion: v1
kind: Secret
metadata:
  name:  openldap-passwords
  namespace: fusiondirectory
data:
   ADMIN_PASS:  <pw>
   CONFIG_PASS: <pw>
   FUSIONDIRECTORY_ADMIN_PASS: <pw>
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name:  openldap-readonly-password
  namespace: fusiondirectory
data:
   secretKey:  <ro-pw>
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-headless
  namespace: fusiondirectory
  labels:
    app: openldap
    ver: v1
spec:
  ports:
  - port: 389
    name: ldap  
  selector:
    app: openldap
    ver: v1
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-writer
  namespace: fusiondirectory
  labels:
    app: openldap-writer
    ver: v1
spec:
  ports:
  - port: 389
    name: ldap
  selector:
    statefulset.kubernetes.io/pod-name: openldap-0
    ver: v1    
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: openldap
    ver: v1
  name: openldap
  namespace: fusiondirectory
spec:
  replicas: 1
  serviceName: openldap-headless
  selector:
    matchLabels:
      app: openldap
      ver: v1
  volumeClaimTemplates:
  - metadata:
      name: openldap-data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fusiondirectory-data-pv"
      resources:
        requests:
          storage: 1000Mi
  - metadata:
      name: openldap-config
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fusiondirectory-config-pv"
      resources:
        requests:
          storage: 500Mi
  template:
    metadata:
      labels:
        app: openldap
        ver: v1
    spec:
      containers:
      - image: tiredofit/openldap-fusiondirectory:1.4-7.1.5
        imagePullPolicy: IfNotPresent
        name: openldap
        volumeMounts:
        - mountPath: /var/lib/openldap
          name: openldap-data
        - mountPath: /etc/openldap/slapd.d
          name: openldap-config
        env:

        # Container ############################################
        - name: ENABLE_CRON
          value: "TRUE"
        - name: ENABLE_ZABBIX
          value: "FALSE"
        - name: CONTAINER_LOG_LEVEL
          value: "NOTICE"
        - name: DEBUG_MODE
          value: "FALSE"

        # Settings ###############################################
        - name: INTERNAL_HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: HOSTNAME
          #TODO Setting the fqdn automatically
          value: "$(INTERNAL_HOSTNAME).openldap-headless.fusiondirectory.svc.cluster.local"
        - name: BACKEND
          value: "mdb"
        - name: ULIMIT_N
          value: "21000"
        - name: LOG_LEVEL
          value: "256"
        - name: DOMAIN
          value: "example.com"
        - name: ADMIN_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: ADMIN_PASS
        - name: CONFIG_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: CONFIG_PASS
        - name: KEEP_EXISTING_CONFIG
          value: "FALSE"

        # FUSIONDIRECTORY ACCESS #################################
        - name: FUSIONDIRECTORY_ADMIN_USER
          value: "admin"
        - name: FUSIONDIRECTORY_ADMIN_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: FUSIONDIRECTORY_ADMIN_PASS
        - name: ORGANIZATION
          value: "organization"

        # LDAP Settings ##########################################
        - name: BASE_DN
          value: "dc=example,dc=com"
        - name: ENABLE_READONLY_USER
          value: "TRUE"
        - name: READONLY_USER_USER
          value: "reader"
        - name: READONLY_USER_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-readonly-password
              key: secretKey

        # TLS ######################################################
        - name: ENABLE_TLS
          value: "FALSE"

        # REPLICATION ##############################################
        - name: ENABLE_REPLICATION
          value: "FALSE"

        # Replication without tls tls_reqcert=never
#        - name: REPLICATION_CONFIG_SYNCPROV
#          value: "binddn=\"cn=config\" bindmethod=simple credentials=$(CONFIG_PASS) searchbase=\"cn=config\" type=refreshAndPersist retry=\"5 5 60 +\" timeout=1 filter=\"(!(objectclass=olcGlobal))\" tls_reqcert=never"
#         # Replication without tls tls_reqcert=never
#        - name: REPLICATION_DB_SYNCPROV
#          value: "binddn=\"cn=admin,$(BASE_DN)\" bindmethod=simple credentials=$(ADMIN_PASS) searchbase=\"$(BASE_DN)\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 tls_reqcert=never"
#
#        #TODO  Scaling of the Statefulset won't work -> olcServerID in the config database has to be changed!
#        # Please use the correct fqdn 
#        - name: REPLICATION_HOSTS
#          value: "ldap://openldap-0.openldap-headless.fusiondirectory.svc.cluster.local ldap://openldap-1.openldap-headless.fusiondirectory.svc.cluster.local"

        - name: REMOVE_CONFIG_AFTER_SETUP
          value: "FALSE"

        # ZABBIX #################################################
        - name: ZABBIX_HOSTNAME
          value: "openldap-fusiondirectory-app"

        - name: REAPPLY_PLUGIN_SCHEMAS
          value: "TRUE"
        - name: PLUGIN_ARGONAUT
          value: "TRUE"
        - name: PLUGIN_MAIL
          value: "TRUE"
        - name: PLUGIN_ALIAS
          value: "TRUE"
        - name: PLUGIN_PERSONAL
          value: "TRUE"
        - name: PLUGIN_POSIX
          value: "TRUE"
        - name: PLUGIN_DNS
          value: "TRUE"
        - name: PLUGIN_SUDO
          value: "TRUE"
        - name: PLUGIN_SYSTEMS
          value: "TRUE"
        - name: PLUGIN_NEXTCLOUD
          value: "TRUE"
        - name: PLUGIN_POSTFIX
          value: "TRUE"
        - name: PLUGIN_DOVECOT
          value: "TRUE"
        - name: PLUGIN_DHCP
          value: "TRUE"
        - name: PLUGIN_FUSIONINVENTORY
          value: "TRUE"
        - name: PLUGIN_GPG
          value: "TRUE"
        - name: PLUGIN_REPOSITORY
          value: "TRUE"
        - name: PLUGIN_SPAMASSASSIN
          value: "TRUE"
        - name: PLUGIN_SSH
          value: "TRUE"
        - name: PLUGIN_USER_REMINDER
          value: "TRUE"

        ports:
        - containerPort: 389

      restartPolicy: Always

Then spin up the fusiondirectory UI:

apiVersion: v1
kind: Service
metadata:
  name: fusiondirectory
  namespace: fusiondirectory
  labels:
    app: fusiondirectory
    ver: v1
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30067
    protocol: TCP
    name: http-fusiondirectory
  selector:
    app: fusiondirectory
    ver: v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: fusiondirectory
    ver: v1
  name: fusiondirectory
  namespace: fusiondirectory
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fusiondirectory
      ver: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: fusiondirectory
        ver: v1
    spec:
      volumes:
      - name: apachelogs
        emptyDir: {}
      containers:
      - image: tiredofit/fusiondirectory:1.4-2.7.11
        imagePullPolicy: IfNotPresent
        name: fusiondirectory
        resources:
          limits:
            memory: 500Mi
            cpu: "0.5"
          requests:
            memory: 100Mi
            cpu: "0.1"
        volumeMounts:
        - mountPath: /www/logs
          name: apachelogs
        env:
          #- name: DEBUG_SMTP
          #value: TRUE
          #- name: DEBUG_MODE
          #value: TRUE

        - name: VIRTUAL_HOST
          value: "directory.example.com"
        - name: VIRTUAL_PORT
          value: "80"
        - name: ENABLE_ZABBIX
          value: "FALSE"

        - name: PLUGIN_ARGONAUT
          value: "TRUE"
        - name: PLUGIN_MAIL
          value: "TRUE"
        - name: PLUGIN_ALIAS
          value: "TRUE"
        - name: PLUGIN_PERSONAL
          value: "TRUE"
        - name: PLUGIN_POSIX
          value: "TRUE"
        - name: PLUGIN_DNS
          value: "TRUE"
        - name: PLUGIN_SUDO
          value: "TRUE"
        - name: PLUGIN_SYSTEMS
          value: "TRUE"
        - name: PLUGIN_NEXTCLOUD
          value: "TRUE"
        - name: PLUGIN_POSTFIX
          value: "TRUE"
        - name: PLUGIN_DOVECOT
          value: "TRUE"
        - name: PLUGIN_DHCP
          value: "TRUE"
        - name: PLUGIN_FUSIONINVENTORY
          value: "TRUE"
        - name: PLUGIN_GPG
          value: "TRUE"
        - name: PLUGIN_REPOSITORY
          value: "TRUE"
        - name: PLUGIN_SPAMASSASSIN
          value: "TRUE"
        - name: PLUGIN_SSH
          value: "TRUE"
        - name: PLUGIN_USER_REMINDER
          value: "TRUE"

        - name: PLUGIN_LDAPDUMP
          value: "TRUE"
        - name: PLUGIN_LDAPMANAGER
          value: "TRUE"
        - name: PLUGIN_WEBSERVICE
          value: "TRUE"

        # Connect to only one openldap server
        # in case of a openldap replication setup
        - name: LDAP1_HOST
          value: "openldap-writer"
        - name: LDAP1_TLS
          value: "FALSE"
        - name: LDAP1_SSL
          value: "FALSE"
        - name: LDAP1_BASE_DN
          value: "dc=example,dc=com"
        - name: LDAP1_ADMIN_DN
          value: "cn=admin,dc=example,dc=com"
        # Defined in the openldap-fusiondirectory
        # kubernetes example installation
        # using the same password/secret
        - name: LDAP1_ADMIN_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: ADMIN_PASS          
        - name: LDAP1_PORT
          value: "389"
        - name: LDAP1_NAME
          value: "ldap"

        - name: ENABLE_SMTP
          value: "FALSE"
#        - name: ENABLE_SMTP
#          value: "TRUE"
#        - name: SMTP_HOST
#          value: "smtp.example.net"
#        - name: SMTP_PORT
#          value: "25"
#        - name: SMTP_DOMAIN
#          value: "example.net"
#        - name: SMTP_MAILDOMAIN
#          value: "example.net"
#        - name: SMTP_TLS
#          value: "off"   
        ports:
        - containerPort: 80 

      restartPolicy: Always

What is the expected correct behavior?

Login through the fusiondirectory UI is possible: the scripts are executed, so that the fusiondirectory UI can actually access it.

Relevant logs and/or screenshots

While starting the docker container the first time, the logs show:

2021-10-20-05:30:08 [NOTICE] ** [openldap] Found custom scripts to execute
/assets/functions/10-openldap: line 558: /assets/custom-scripts/001-install-fusiondirectory.sh: Permission denied
/assets/functions/10-openldap: line 558: /assets/custom-scripts/002-update-schemas.sh: Permission denied

After getting a listing of the custom-scripts directory within the container it shows that the scripts are not executable:

total 36K
drwxr-xr-x 2 root root 4.0K Oct 16 17:06 .
drwxr-xr-x 1 root root 4.0K Oct 20 05:30 ..
-rw-r--r-- 1 root root  19K Oct 16 17:06 001-install-fusiondirectory.sh
-rw-r--r-- 1 root root  969 Oct 16 17:06 002-update-schemas.sh

Environment

Any logs | docker-compose.yml

Possible fixes

Not only chmod +x /usr/sbin/fusiondirectory-insert-schema but also chmod +x the other necessary scripts.

Actually, adding the line in the Dockerfile worked for me:

    chmod +x /assets/custom-scripts/*.sh && \
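A hardened version of the custom-script loop, added here as an example and not code from tiredofit/docker-openldap-fusiondirectory. It assumes the scripts are in a directory passed as `$1` (defaulting to `/assets/custom-scripts`, the path from the log above) and uses only POSIX sh plus `find -perm`: non-executable scripts produce a clear error instead of a bare "Permission denied", group/world-writable scripts are refused because they run as root inside the container, and the failure count is returned so the entrypoint can abort rather than start slapd without the FusionDirectory schema.

```shell
#!/bin/sh
# Added example, not code from tiredofit/docker-openldap-fusiondirectory.
# Hardened replacement for the "Found custom scripts to execute" loop:
# every *.sh in the directory must be executable and must not be writable
# by group/other (the scripts run as root inside the container), and any
# problem is counted so the caller can abort startup instead of carrying on
# with the FusionDirectory schema never installed.
run_custom_scripts() {
    dir="${1:-/assets/custom-scripts}"   # assumed default, matches the log above
    failures=0
    [ -d "$dir" ] || return 0            # no directory: nothing to run, not an error
    for script in "$dir"/*.sh; do
        [ -e "$script" ] || continue     # glob matched nothing
        if [ ! -x "$script" ]; then
            echo "[ERROR] $script is not executable; fix with: chmod +x $script" >&2
            failures=$((failures + 1))
            continue
        fi
        # POSIX find -perm with symbolic modes: prints the path if g+w or o+w is set
        if [ -n "$(find "$script" \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
            echo "[ERROR] $script is group/world-writable, refusing to run it" >&2
            failures=$((failures + 1))
            continue
        fi
        echo "[NOTICE] running $script"
        "$script"
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "[ERROR] $script exited with status $rc" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"                   # 0 = every script ran cleanly
}

# How an entrypoint would call it (commented out so the file can be sourced):
# run_custom_scripts /assets/custom-scripts || { echo "custom scripts failed, aborting" >&2; exit 1; }
```

With the two scripts from the listing above (mode 644) this returns 2 and logs both paths with the chmod hint, instead of the bash "Permission denied" lines from /assets/functions/10-openldap.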