On Wed, 2018-03-07 at 23:50 +0000, tda...@email.arizona.edu wrote:
> > On Wed, 2018-03-07 at 08:52 +0100, Alberto García Sola wrote:
> > 
> > Hi there,
> > 
> > I'm currently working on docker support in 389-ds.
> 
> William, I'm really glad to hear this. We've been running 389 server
> in docker in EC2 instances for months now and it works great. We have
> home grown scripts for automating the DS installation and replication
> between 2 DS instances, but it would be awesome to use a supported
> setup instead, so I'd really like to try what you have. Our setup
> uses mounted EBS volumes that contain all the necessary DS folders so
> that the EC2s can be blown away and recreated any time we want.

Hope you don't mind, but this is a bit of a brain dump. we have some
open tickets about this. Currently we have LOADS of support here for
containers, like detection of container memory and process limits,
support for containerised installs in dscreate, and more.

But first I want to describe the general picture and situation.

It would be great to have a temporary demo instance like:

docker run 389ds:1.4.0

And that *works*.

Now, when you want to really use it in production something more like:

docker run -v /etc/dirsrv:/etc/dirsrv -v
/var/lib/dirsrv:/var/lib/dirsrv 389ds:1.4.0

And now you have persistance, and can pull, upgrade, destroy,
everything.

If you want a readonly ephemeral replica, something maybe like:

docker run -e replication_manager=12345 389ds:1.4.0

Which would trigger the replica ID to become 65535 and set the
replication manager password (which could now be pushed to from another
instance).

So what are the challenges to these scenarios? 

Well, the first scenario "kinda works" today, but you don't get
persistence, and we have to ship a known password. The barrier here is
that ns-slapd (our server binary) needs assistance from dscreate/setup-
ds.pl to create dse.ldif and it's related instance parts.

So we need to move the *SETUP* logic of DS out of python and INTO an
early runtime part of ns-slapd, to be able to process a .inf +
envvariables to create dse.ldif on startup if it does not exist.

Thankfully this also solves the second case with a persistant image,
with backed storage.

The challenge here is the inplace upgrade. When you do say:

docker run -v ... 389ds:1.4.0
docker kill ...
docker run -v ... 389ds:1.5.0

Because our current upgrade scripts run in perl at RPM upgrade time,
when we launch the 1.5.0 container, it would NOT have the upgraded
configuration/plugin/other data that we may need.

Thankfully, this is in the process of being fixed via some patches that
are currently underreview, so this concern is "mostly" fixed, and the
team is pretty aware that upgrade perl scripts aren't a future
acceptable thing.


Finally, is the stateless instance - again, this requires more
interaction at start up to get the replica setup like this, but it also
requires us to coordinate docker networking / others for "what IP do we
replicate to?". This is a tougher challenge. Today we could solve this
externally by just reconfiguring our various instances, but this
automation would be nice to achieve.


Now there are still other issues - certificates and load balancing is a
big one. We have the concept of "SSF" in the server (despite ssf's
flaws). We won't let you do password changes or other operations
WITHOUT a secure connection, but today that means putting cert and key
material INTO the container.

So another area we need to improve is load balancer support for
haproxy. There is an open ticket for parsing HAproxy metadata for
proper log data, but we need to have an "SSF override" value so that DS
on plaintext 389 "treats it" like it's a secure connection, and haproxy
ONLY advertises 636 (ldaps). 


Another concern is backups and how to take them effectively, or how to
do datarestore correctly. I haven't decided on a good method for this
yet (we could have different containers thatj ust use the same volumes
and handle it correctly, or we could rely on the online tasks)


---- But william, show me the code!!! ----

Okay, okay. Today, you can build and test our docker container from git
master ONLY. We rely on a few too many things that are only in 1.4.0
and this is a fast-ish moving target today. I won't promise we have a
stable solution for you, but I'd love to hear your thoughts on how we
can improve.

If you want to test this today:

http://www.port389.org/docs/389ds/contributing.html#get-the-code

git clone https://pagure.io/389-ds-base.git
cd 389-ds-base
make -f docker.mk poc

This builds a container called "389-poc:latest", which functions like
the "demo" instance. We statically create an instance in the container
called "localhost" with the dm password of "directory manager
password". There is an updated to this poc in pagure in the following
ticket: https://pagure.io/389-ds-base/issue/49570

There is still quite a bit of integration work to go, but I'd love some
feedback and review of this. 

Really hope this helps, and I'm really happy to hear you want to use
389-ds in a container! 

> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o
> rg
-- 
Thanks,

William Brown
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

Reply via email to