On Sat, Jan 09, 2016 at 06:41:53PM -0500, Marc Boorshtein wrote:
> I'm moving an environment from one that uses all separate VMs to one using
> project Atomic and Docker images.  A couple of questions:
> 
> 1.  Are there any known issues joining an atomic host to a FreeIPA domain?
>  (Or has anyone tried it?)

As Lukáš has noted, the fedora/sssd container exists which allows
you to execute ipa-client-install (or realm join) and then run sssd:

        http://www.adelton.com/docs/docker/fedora-atomic-sssd-container

The only outstanding issue is that sudo rules currently do not
work on Fedora Atomic (but work on RHEL Atomic).

> 2.  Is there any reason I couldn't run FreeIPA in a container in this
> setup?  It seems odd to run FreeIPA on a container for a server in its own
> domain.  My first thought is to have the FreeIPA servers running on their
> own VMs.

The main reason against the FreeIPA server in a container, provided
you use

        https://github.com/adelton/docker-freeipa
        https://hub.docker.com/r/adelton/freeipa-server/

would be the lack of SELinux isolation of the individual components,
plus the expectation we sometimes see that containers are like
virtual machines (and people treat them like those, especially from
a security point of view) when they are not.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
