Hello,

in the past couple of weeks I've pushed multiple changes to the

        https://github.com/freeipa/freeipa-container

repository, fixing and enabling Fedora 28 and Fedora 29 Dockerfiles,
adding Travis CI configuration where we currently test IPA master and
replica setups in images of Fedoras from 23 to rawhide and on CentOS 7:

        https://travis-ci.org/freeipa/freeipa-container/branches

Testing on Travis' Ubuntus allowed me to reproduce and fix some issues
that people have observed on non-RHEL/CentOS/Fedora docker hosts. One
of the results is that docker run's --privileged or --cap-add
SYS_ADMIN options should not be needed anymore, making things more
confined and more secure. In fact, it's quite likely that running the
FreeIPA server containers as privileged will result in

        https://github.com/freeipa/freeipa-container/issues/254

... so just don't do it.

Another focus of the effort was to make it possible to run the
containers as read-only (docker run --read-only), making all the
changes that are done during the initial ipa-server-install or during
runtime properly confined to the /data volume, or pointed to
discardable /tmp. While things pass in my local read-only tests, in
Travis CI the initial ipa-server-install phase runs fine but starting
the read-only container afterwards seems to hang:

        https://travis-ci.org/adelton/freeipa-container/builds/459418370

Any help with investigating why this is happening would be
appreciated.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Security Engineering, Red Hat
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

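As an added example (not part of the post above, and not the freeipa-container project's own scripts), the shell snippet below builds the kind of confined `docker run` invocation the post describes: read-only root filesystem, persistent state only on the /data volume, scratch space on a tmpfs /tmp, and a guard that refuses the `--privileged` and `--cap-add SYS_ADMIN` flags the post says are no longer needed. The image name `freeipa-server`, the hostname `ipa.example.test`, the host directory `/var/lib/ipa-data` and the extra `--tmpfs /run` (added on the assumption that systemd inside the container needs a writable /run) are assumptions, not details taken from the post.

```shell
#!/bin/sh
# Added example: run the FreeIPA server container confined, the way the
# post recommends (no --privileged, no --cap-add SYS_ADMIN, --read-only
# root filesystem, writes only to the /data volume and a tmpfs /tmp).
# Image name, hostname, host data directory and --tmpfs /run are assumptions.

# Reject --privileged and any spelling of --cap-add SYS_ADMIN in a
# proposed extra-argument list.  Returns 0 when the list is acceptable,
# 1 when it contains either flag.
check_no_privilege_flags() {
    prev=""
    for arg in "$@"; do
        case "$arg" in
            --privileged) return 1 ;;
            --cap-add=SYS_ADMIN|--cap-add=CAP_SYS_ADMIN|--cap-add=sys_admin) return 1 ;;
        esac
        if [ "$prev" = "--cap-add" ]; then
            case "$arg" in
                SYS_ADMIN|CAP_SYS_ADMIN|sys_admin) return 1 ;;
            esac
        fi
        prev="$arg"
    done
    return 0
}

# Print the confined docker run command line, without executing it.
# $1 = host directory that becomes the persistent /data volume
# $2 = container hostname (FreeIPA derives the realm and DNS domain from it)
# --read-only makes the image's root filesystem immutable; --tmpfs /tmp
# gives discardable scratch space; --tmpfs /run is an assumption for
# systemd; :Z relabels the data directory for SELinux-enforcing hosts.
build_run_cmd() {
    data_dir="$1"
    host="$2"
    printf '%s' "docker run --name freeipa-server-container -ti -h $host --read-only --tmpfs /run --tmpfs /tmp -v $data_dir:/data:Z freeipa-server"
}

# Start the container, refusing to proceed if the caller tries to add
# the privilege flags back in via extra arguments.
# $1 = host data directory, $2 = container hostname, rest = extra docker args
run_confined() {
    data_dir="$1"
    host="$2"
    shift 2
    if ! check_no_privilege_flags "$@"; then
        echo "refusing to run FreeIPA container with --privileged or --cap-add SYS_ADMIN" >&2
        return 1
    fi
    docker run --name freeipa-server-container -ti -h "$host" \
        --read-only --tmpfs /run --tmpfs /tmp \
        -v "$data_dir:/data:Z" "$@" freeipa-server
}

# Usage (assumed paths):
#   run_confined /var/lib/ipa-data ipa.example.test
#   run_confined /var/lib/ipa-data ipa.example.test --privileged   # refused
```

Running the same command a second time after the initial ipa-server-install has finished reuses the populated /data volume, which is the read-only restart step the post reports hanging in Travis CI; the guard only checks the argument list and does nothing to diagnose that hang.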