Get smaller images, fix some issues and add new features.

[GinoHarlos]

Please make sure you considered the following things

• [x] I read the contribution guidelines.
• [x] I read the code of conduct.
• [x] I created a bug report in the Univention Bugzilla.
• [x] I've added a bugzilla comment about this pull request.

Link to the issue in Bugzilla

Please scroll to the end ( Live patches are included ).

Description of the changes

Please describe the changes with a few sentences. ( So sorry there are quite a lot of changes and now we have about a year after the first initial commit ... :)

Motivation

• get smaler container images
• fix the stability of any automated setup and join process
• fix losing manual changes ( restore/recreate a primary directory node )
• fix running docker in docker ... in docker
• new features ( LDIF import, wait for a primary node, restore/recreate and slimify )
• add self-evident facts and keep it simple
• and finally, always think of those who are just starting out with container

Documentation changes

• base system from UCS 4 are removed
• change to new version of UCS
• new section to build and run from podman
• add some notes about the system requirements
• add info for default dcuser
• fix the examples
• new section for container volumes

Dockerfile changes

• change to docker multistage build, to keep the container small and clean
• quick and dirty fix for chfn ( now also on debian based systems )
• quick and dirty fix for mandb ( needs a lot of disk I/O and freezes often )
• add slimify option ( do we realy need man pages inside the container? )
• remove any univention-config-registry form Dockerfile
• Acquire User Agent for anonymous statistics ( build, firstboot and recreate )
• clean up as much as we can ...
• add systemd default target ( last on boot, but first on halt )
• change default volumes

BugFixes

• detect systemd namespace issues and fix the service units
• fix minimal config for postfix
• fix Traceback in apt sources.list
• fix backward compatibility to UCS 4
• fix systemd mask vs start condition ( ExecConditions are friendlier )
• fix hostname detection
• fix domain name service
• add slapd.service for using Docker in Docker ( Refusing to accept PID outside of service control group ... )

Features

• add LDIF import to expand the LDAP on a primary directory node
• add dcwait to wait for a primary directory node ( very useful for docker-compose )
• add BACKUPS for restoring/recreating a primary directory node
• add slimify option to save resources

Unanswered questions

• add LDIF: I couldn't find any rules for creating new ucr keys in the documentation. Can the temporary ucr keys ( only during the import process ) be used as follows and what is the range of uidNumber?

  ucr search --brief ^net/get/domain
  net/get/domain/sid: S-1-5-21-0000000000-0000000000-0000000000
  net/get/domain/rid/admins: 512
  net/get/domain/rid/users:  513
  net/get/domain/rid/guests: 514
  net/get/domain/rid/max:    1099
  net/get/domain/gid/admins: 5000
  net/get/domain/gid/users:  5001
  net/get/domain/gid/guests: 5002
  net/get/domain/uid/max:    2099

• add BACKUPS: What should be recoverable on a primary directory node from univention's point of view? root/usr/lib/univention-container-mode/recreate/*-restore
• add slimify: Are the files ( for example /usr/share/doc/*/changelog.Debian.gz ) really mandatory for an installation process? Is there anything else inside a very slim container you could do without?

Is there more?

• Yes, could we change the dependencies in the pakages univention-container-role-server-common and univention-container-role-common? If that were possible like so and of course without any bootloader or linux kernel image. ( Bug#54342 )

diff --git a/base/univention-server/debian/control b/base/univention-server/debian/control
@@ -165,13 +165,21 @@ Description: UCS system server role common dependencies and files
 Package: univention-container-role-server-common
...
+ ntp | ntp-server,
+ ntpdate,
+ python-dns,
...
+ univention-home-mounter,
...
+ univention-maintenance,
+ univention-nfs-server,
+ univention-portal,
+ univention-quota,
...
 Package: univention-container-role-common
...
- univention-docker-container-mode,
+ univention-firewall,
  univention-join,
+ univention-pkgdb-tools,
...

• Based on the file /etc/apt/apt.conf.d/55user_agent from any UCS and Bug#54335. Would it make sense to expand this collection by the following points? With two/three different stages for build plus firstboot or recreate and finaly the default UCS file. But without the errata level. ( univention-updater are not installed and uuid/system, uuid/license are not initialized at this time ) Dokerfile and root/usr/lib/univention-container-mode/*/00-aA-APT-USER-AGENT-Aa-00

  VERSION="MAJOR.MINOR-PATCH"; UUID="00000000-0000-0000-0000-000000000000"; ROLE=(MASTER|SLAVE|BACKUP|MEMBER)
  => docker build . : User-Agent "UCS CONTAINER BUILD - ${VERSION} - ${UUID} - ${UUID}"
  => docker run ... : User-Agent "UCS CONTAINER FIRSTBOOT,<ROLE> - ${VERSION} - ${UUID} - ${UUID}"
  => docker run ... : User-Agent "UCS CONTAINER RECREATE,<ROLE> - ${VERSION} - ${UUID} - ${UUID}"

• Or maybe with a CI/CD flag too? ( but you can't detect the CI/CD system inside a docker or podman build ... )

  VERSION="MAJOR.MINOR-PATCH"; UUID="00000000-0000-0000-0000-000000000000"; ROLE=(MASTER|SLAVE|BACKUP|MEMBER)
  CICD=(PRODUCTION|...|BAMBOO|BUDDY|CIRCLECI|CODESHIP|GOCD|GITLAB|GITHUB|JENKINS|TEAMCITY|TRAVISCI|WERCKER|...)
  => docker build . : User-Agent "UCS CONTAINER,${CICD:-PRODUCTION} BUILD - ${VERSION} - ${UUID} - ${UUID}"
  => docker run ... : User-Agent "UCS CONTAINER,${CICD:-PRODUCTION} FIRSTBOOT,<ROLE> - ${VERSION} - ${UUID} - ${UUID}"
  => docker run ... : User-Agent "UCS CONTAINER,${CICD:-PRODUCTION} RECREATE,<ROLE> - ${VERSION} - ${UUID} - ${UUID}"

• Should a bug report be opened for the new slapd.service? Looking forward, we are on systemd.

• Lastly, could we patch /usr/sbin/univention-certificate for the new dcwait feature. Bug#54311

What were and are your test criteria?

1. univention-check-join-status | grep -E -q "^Joined successfully" && echo SUCCESSFULY
2. docker run ... --env DEBUG=TRUE ... looks nice and all run-parts are successfuly
3. systemctl list-units --state failed looks nice after restarting the container once

   test $(
   docker exec ${container} systemctl list-units --state failed --no-pager --no-legend | wc -l
   ) -eq 0 && echo SUCCESSFULY

Is there any fork to test it?

• Yes, of course GitHub
• Or, try this ( repository on docker hub )

  docker search univention-corporate-server | awk '/^ginoharlos\//{ print $1 }'

Live patches are included!

• Bug#52575 root/usr/lib/univention-container-mode/*/{40,60}-setup-pre-secret-max-len-patch

  docker run ... --env machine_password_length=64 ...

• Bug#54311 root/usr/lib/univention-container-mode/*/40-setup-pre-certificate-patch
• Bug#54342 root/usr/lib/univention-container-mode/*/50-setup-system-container-role-common
• Bug#?NEW? root/usr/lib/univention-container-mode/*/50-setup-patches

[GinoHarlos]

Please be lenient because this is my first pull request. Feel free to give any kind of feedback so that I can improve myself :)

[GinoHarlos]

Get smaller images, fix some issues and add new features ( update )

Please make sure you considered the following things

• [x] I read the contribution guidelines.
• [x] I read the code of conduct.
• [x] I updated a bug report in the Univention Bugzilla.
• [x] I've added a bugzilla comment about this pull request.

Link to the issue in Bugzilla

• Bug#54342

Description of the changes

Please describe the changes with a few sentences.

Motivation

• fix missing machine secret ( cleanup ldap databases from installer )
• fix systemd PrivateTemp detection to keep systemd units running
• fix running docker in docker ... ( volume vs. device )
• fix slimyfy version and keep the apt cache if mounted
• add bootstrap known issue ( missing usr-is-merged )
• add UCS 5.0-2
• add delete python cache to slimyfy section ( bootstrap and Dockerfile )
• add future compatibility and omit SysV in the Dockerfile
• fix minimize package dependencies and add continuous review ( univention-role-common )

Documentation changes

• change to new version of UCS
• fix container volume vs. device

Dockerfile changes

• fix slimify to clean the python cache and save another 10MB
• switch the default entrypoint to real systemd ( /sbin/init form systemd-sysv is pointing a link to /bin/systemd )

BugFixes

• cleanup ldap databases from installer, if we don't have any machine secret for a primary directory node
• detect systemd namespace issues and fix the service units ( univention-container-mode-private-temp.service )
• fix Traceback and repository online for UCS 4 in apt sources.list and force remove sources.list.*.old

[GinoHarlos]

Get smaller images, fix some issues and add new features ( fixes )

Please make sure you considered the following things

• [x] I read the contribution guidelines.
• [x] I read the code of conduct.
• [x] I updated a bug report in the Univention Bugzilla.
• [x] I've added a bugzilla comment about this pull request.

Link to the issue in Bugzilla

• Bug#55391

Description of the changes

Please describe the changes with a few sentences.

Motivation

• fix change IP address(es) ( domain-name-service-change-host-address )
• fix unsupported UCS lower then 4.4-5 ( add gpg keys )
• add sources.list errata mirror for UCS 4 ( bootstartp and force recreate )
• fix restore/recreate ( set force an nice version compare )
• fix set repository online ( force cleanup and better match Traceback )
• fix apt-mark hold after 3 days ( prevent updateability )

Documentation changes

• add restore/recreate environment available ( RESTORE=FORCE )

BugFixes

• the container can't restore/recreate if the version not exacly match, now you can set force the version from backup
• fix Traceback and repository.online.true in apt sources.list and force remove sources.list.d/{.old,.commit*}

Known issues

• you can't upgrade the system to the next patch level for UCS lower then 5.0-1

[GinoHarlos]

Get smaller images, fix some issues and add new features ( fixes and defaults )

Please make sure you considered the following things

• [x] I read the contribution guidelines.
• [x] I read the code of conduct.
• [ ] I updated a bug report in the Univention Bugzilla.
• [ ] I've added a bugzilla comment about this pull request.

Link to the issue in Bugzilla

• Bug#

Description of the changes

Please describe the changes with a few sentences.

Motivation

• update to new version ( bootstrap.sh.json )
• add default sources.list for latest UCS version based on GitHub default branch
• fix restore/recreate ( set the right ownership and expand the ucr exclude key filter )
• fix docker in docker ( docker and containerd service units didn't want to start )
• add default service unit ntp ( system-cleanup )

Documentation changes

• update to new version 5.0-3
• add firsboot environment LATEST with default TRUE ( each new container will get the latest version form GitHub )
• add firsboot environment VERSION to set a specific version and overwrite the LATEST value
• fix missing DEK info header from OpenSSL 3 and add fallback command option ( openssl ... -traditional ... )

Known issues

• you can't upgrade the system to the next patch level for UCS lower then 5.0-1

[reqa]

Ok, merged manually (via detour of Univention gitlab).

Updated docker image is uploaded too: https://hub.docker.com/r/univention/univention-corporate-server/tags