[Freeipa-users] Re: FreeIPA running in Kubernetes
That's my approach for a deployment in Kubernetes, but the container doesn't start at all. I'm trying to get it running in KinD.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: freeipa-server
    spec:
      selector:
        matchLabels:
          app: freeipa
      template:
        metadata:
          labels:
            app: freeipa
        spec:
          containers:
          - name: freeipa
            image: freeipa/freeipa-server:fedora-38-4.10.2
            securityContext:
              privileged: true
              allowPrivilegeEscalation: true
            env:
            - name: IPA_SERVER_HOSTNAME
              value: myhost.freeipa
            - name: IPA_SERVER_IP
              value: ""
            args:
            - -U
            - --unattended

But I don't get any logs or other information:

    Name:             freeipa-server-7d995b9c7c-nxwf5
    Namespace:        default
    Priority:         0
    Service Account:  default
    Node:             meerstack-worker/172.19.0.3
    Start Time:       Fri, 27 Oct 2023 19:32:17 +
    Labels:           app=freeipa
                      pod-template-hash=7d995b9c7c
    Annotations:
    Status:           Running
    IP:               10.244.1.10
    IPs:
      IP:           10.244.1.10
    Controlled By:  ReplicaSet/freeipa-server-7d995b9c7c
    Containers:
      freeipa:
        Container ID:  containerd://7eb82d668bd0f124004ceb4307db64f9cb39ff09bc9d3cae2174edcb898a6827
        Image:         freeipa/freeipa-server:fedora-38-4.10.2
        Image ID:      docker.io/freeipa/freeipa-server@sha256:12e7763a5e6f29ca893e698c23f632af478c2cee472786d89606fd011338c3a9
        Port:
        Host Port:
        Args:
          -U
          --unattended
        State:          Waiting
          Reason:       CrashLoopBackOff
        Last State:     Terminated
          Reason:       Error
          Exit Code:    123
          Started:      Fri, 27 Oct 2023 19:35:20 +
          Finished:     Fri, 27 Oct 2023 19:35:22 +
        Ready:          False
        Restart Count:  5
        Environment:
          IPA_SERVER_HOSTNAME:  myhost.freeipa
          IPA_SERVER_IP:
        Mounts:
          /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-x84ww (ro)
    Conditions:
      Type              Status
      Initialized       True
      Ready             False
      ContainersReady   False
      PodScheduled      True
    Volumes:
      kube-api-access-x84ww:
        Type:                    Projected (a volume that contains injected data from multiple sources)
        TokenExpirationSeconds:  3607
        ConfigMapName:           kube-root-ca.crt
        ConfigMapOptional:
        DownwardAPI:             true
    QoS Class:                   BestEffort
    Node-Selectors:
    Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                                 node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
    Events:
      Type     Reason     Age                   From               Message
      ----     ------     ----                  ----               -------
      Normal   Scheduled  3m29s                 default-scheduler  Successfully assigned default/freeipa-server-7d995b9c7c-nxwf5 to meerstack-worker
      Normal   Pulled     117s (x5 over 3m29s)  kubelet            Container image "freeipa/freeipa-server:fedora-38-4.10.2" already present on machine
      Normal   Created    117s (x5 over 3m29s)  kubelet            Created container freeipa
      Normal   Started    117s (x5 over 3m29s)  kubelet            Started container freeipa
      Warning  BackOff    79s (x10 over 3m24s)  kubelet            Back-off restarting failed container freeipa in pod freeipa-server-7d995b9c7c-nxwf5_default(68f5147e-7966-46e1-8e69-a137e1737a60)

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: FreeIPA running in Kubernetes
Jay Smith via FreeIPA-users wrote:
> Is it possible to run FreeIPA in a Kubernetes cluster as a Pod?
> If yes, is it a good idea?
>
> I'm new to Kubernetes. I'm currently running FreeIPA as a Docker container
> and it's working very well. The problem in K8s is, there's no fixed IP address
> and the privileged permission could be a problem.

Take a look at https://github.com/freeipa/freeipa-container/issues/529

rob
[Freeipa-users] FreeIPA running in Kubernetes
Is it possible to run FreeIPA in a Kubernetes cluster as a Pod?
If yes, is it a good idea?

I'm new to Kubernetes. I'm currently running FreeIPA as a Docker container and it's working very well. The problem in K8s is, there's no fixed IP address and the privileged permission could be a problem.
[Freeipa-users] Re: unable to Authenticate users from Ubuntu Desktops
md tabrez via FreeIPA-users wrote:
> Hi Everyone,
> got an issue with our IPA server, users cannot log in to
> their IPA account.
>
> failed to initialize credentials using keytab [MEMORY:/ETC/KRB5.KEYTAB]:
> cannot contact any kdc for realm 'ABC.COM' unable to create GSSAPI-encrypted
> ldap connection
>
> kerberos 5 kdc service status
> krb5kdc.service - Kerberos 5 KDC
>      Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
>      Active: active (running) since Thu 2023-10-26 14:40:05 UTC; 2h 27min ago
>     Process: 927 ExecStart=/usr/sbin/krb5kdc -P /run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
>    Main PID: 928 (krb5kdc)
>       Tasks: 3 (limit: 9191)
>      Memory: 11.4M
>         CPU: 9.916s
>      CGroup: /system.slice/krb5kdc.service
>              ├─928 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
>              ├─929 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
>              └─930 /usr/sbin/krb5kdc -P /run/krb5kdc.pid -w 2
>
> Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Starting Kerberos 5 KDC...
> Oct 26 14:40:05 ipa.zerodha.com systemd[1]: krb5kdc.service: Can't open PID file /run/krb5kdc.pid (yet?) after start: Operation not permitted
> Oct 26 14:40:05 ipa.zerodha.com systemd[1]: Started Kerberos 5 KDC.

What does ipactl say the status of the services are?

Does /run/krb5kdc.pid exist?

rob
[Freeipa-users] Re: Web UI thinks PEM-encoded CSR is Base64
On 10/27/23 10:05, Ian Pilcher wrote:
> I am attempting to generate a host certificate, but the FreeIPA web
> interface will not accept the PEM-encoded CSR. I am receiving the
> following error:
>
>   IPA Error 4015: Base64DecodeError
>   Base64 decoding failed: Incorrect padding
>
> The CSR is in PEM format, rather than Base64:
>
> -----BEGIN CERTIFICATE REQUEST-----
> MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
> zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
> yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
> A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
> 8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
> -----END CERTIFICATE REQUEST-----
>
> Any ideas?

Never mind. I'm an idiot. It's expecting a certificate, not a CSR, so of course it doesn't work.

Sorry for the noise!

--
If your user interface is intuitive in retrospect ... it isn't intuitive
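The mix-up resolved in the message above (a CSR pasted into a field that expects a certificate) can be caught before submission by reading the PEM label. The following is an added example, not code from the thread or from FreeIPA; the function names are hypothetical, the sample is the CSR quoted in the post, and the check covers only the label and the outer DER framing, not the signature.

```python
import base64
import re

# CSR quoted in the post above, with the standard five-dash PEM armour.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
-----END CERTIFICATE REQUEST-----"""

# PEM armour: "-----BEGIN <label>-----", Base64 body, "-----END <label>-----".
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_total_length(der):
    """Full encoded length (header + content) of the outer DER element."""
    if len(der) < 2:
        raise ValueError("too short for DER")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_pem(text):
    """Return the PEM label and DER size, after checking the body is sane."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), "".join(m.group(2).split())
    der = base64.b64decode(body, validate=True)   # strict: rejects stray characters
    if not der or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match the decoded body")
    return {"label": label, "der_len": len(der)}

def check_certificate_field(text):
    """Pre-check for a form field that accepts only a certificate."""
    label = classify_pem(text)["label"]
    if label != "CERTIFICATE":
        return f"rejected: field expects CERTIFICATE, got {label}"
    return "ok"

if __name__ == "__main__":
    print(check_certificate_field(SAMPLE_CSR))
```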
[Freeipa-users] Web UI thinks PEM-encoded CSR is Base64
I am attempting to generate a host certificate, but the FreeIPA web interface will not accept the PEM-encoded CSR. I am receiving the following error:

  IPA Error 4015: Base64DecodeError
  Base64 decoding failed: Incorrect padding

The CSR is in PEM format, rather than Base64:

-----BEGIN CERTIFICATE REQUEST-----
MIHXMH8CAQEwHTEbMBkGA1UEAwwSZXQtMjgwMC5wZW51cmlvLnVzMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEH/Eg1/91MD611DkgngyafpnckA6Ki8yxrGl0tQ1s
yi09mqW09bQMDvy8v/tRdKjpDeLwoZs6CE8z/O0CwY0x76AAMAoGCCqGSM49BAMC
A0gAMEUCIQCr+k6iSKQslOT21u2RsOXtFdFMkO7qFghHYOSxbD0eNAIgZetAu95e
8AJSxJGMqQYRgC4r6hOWKMv1XVKf8Rf23Cw=
-----END CERTIFICATE REQUEST-----

Any ideas?

--
If your user interface is intuitive in retrospect ... it isn't intuitive