Hi all,
I am currently migrating a server from a locally installed FreeIPA setup to a
CoreOS container setup and cannot find any documentation for this. I am
assuming I am doing something wrong or missing something as I cannot find
anyone else having an issue or even attempting it either. This is a freshly
installed OS from an ignition file so should have no weirdness coming in from
anywhere else.
podman launch line:
bin/podman run --name ipa \
-h thenom-srv1.thenom.local --read-only \
-v /var/lib/ipa-data:/data:Z \
-e IPA_SERVER_IP=192.168.101.6 \
-p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp \
-p 464:464/udp -p 123:123/udp \
quay.io/freeipa/freeipa-server:fedora-36
I have finally got a fresh install running in a container but I am now trying
to restore a backup into it from my old server. I have copied an ipa-full
directory from my old service into the container's data volume folder on the
host. I bash exec into the running IPA container then run ipa-restore
/data/ipa-full-2022-11-11-04-03-19, type in my directory manager password and
accept the prompts then just get a mass stream of tar errors and then fail:
...
tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
tar: var/lib/ipa: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/lib': Permission denied
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/ca': Permission denied
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat': Permission denied
tar: var/lib/pki: Directory renamed before its status could be extracted
tar: etc/httpd/alias: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'etc/pki/pki-tomcat/ca': Permission denied
tar: etc/pki/pki-tomcat: Directory renamed before its status could be extracted
tar: Exiting with failure status due to previous errors
Restoring umask to 18
NSS is built without support of the legacy database(DBM) directory '/etc/ipa/nssdb'
The ipa-restore command failed. See /data/var/log/iparestore.log for more information
I get similar in the iparestore.log:
...
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/DBVERSION': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_instance.ldif': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_index.ldif': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './files.tar': Operation not supported
tar: setfileconat: Cannot set SELinux context for file '.': Operation not supported
2022-11-13T11:55:38Z DEBUG Starting external process
2022-11-13T11:55:38Z DEBUG args=['tar', '--xattrs', '--selinux', '-xzf', '/tmp/tmp7pt67l7sipa/ipa/files.tar', 'etc/ipa/default.conf']
2022-11-13T11:55:40Z DEBUG Process finished, return code=0
2022-11-13T11:55:40Z DEBUG stdout=
2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported
This seems to make sense because, from what I have read, the SELinux context on
these /data files should be system_u:object_r:container_file_t and I am
guessing unchanged/unchangeable due to the environment it's running in.
Any advice appreciated, thanks in advance.
Simon
_______________________________________________
FreeIPA-users mailing list -- [email protected]