Re: [Freeipa-users] FreeIPA and project Atomic
On (09/01/16 18:41), Marc Boorshtein wrote:
>I'm moving an environment from one that uses all separate VMs to one using
>project Atomic and Docker images. A couple of questions:
>
>1. Are there any known issues joining an atomic host to a FreeIPA domain?
> (Or has anyone tried it?)

I think the best source of information is
http://www.projectatomic.io/blog/2015/12/fedora-atomic-sssd-container/
or the longer version
http://www.adelton.com/docs/docker/fedora-atomic-sssd-container

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA and project Atomic
On Sat, Jan 09, 2016 at 06:41:53PM -0500, Marc Boorshtein wrote:
> I'm moving an environment from one that uses all separate VMs to one using
> project Atomic and Docker images. A couple of questions:
>
> 1. Are there any known issues joining an atomic host to a FreeIPA domain?
> (Or has anyone tried it?)

As Lukáš has noted, the fedora/sssd container exists which allows
you to execute ipa-client-install (or realm join) and then run sssd:

  http://www.adelton.com/docs/docker/fedora-atomic-sssd-container

The only outstanding issue is that sudo rules currently do not
work on Fedora Atomic (but work on RHEL Atomic).

> 2. Is there any reason I couldn't run FreeIPA in a container in this
> setup? It seems odd to run FreeIPA on a container for a server in its own
> domain. My first thought is to have the FreeIPA servers running on their
> own VMs.

The main reason against the FreeIPA server in a container, provided
you use

  https://github.com/adelton/docker-freeipa
  https://hub.docker.com/r/adelton/freeipa-server/

would be the lack of SELinux isolation of the individual components,
plus the expectation that we sometimes see that containers are like
virtual machines (and people treat them like those, especially from
a security point of view) when they are not.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Re: [Freeipa-users] FreeIPA and project Atomic
On (11/01/16 11:35), Jan Pazdziora wrote:
>On Sat, Jan 09, 2016 at 06:41:53PM -0500, Marc Boorshtein wrote:
>> I'm moving an environment from one that uses all separate VMs to one using
>> project Atomic and Docker images. A couple of questions:
>>
>> 1. Are there any known issues joining an atomic host to a FreeIPA domain?
>> (Or has anyone tried it?)
>
>As Lukáš has noted, the fedora/sssd container exists which allows
>you to execute ipa-client-install (or realm join) and then run sssd:
>
>  http://www.adelton.com/docs/docker/fedora-atomic-sssd-container
>
>The only outstanding issue is that sudo rules currently do not
>work on Fedora Atomic (but work on RHEL Atomic).
>

The related sssd change for sudo might be in Fedora in a couple of days.
The change is awaiting a review atm. So the next release of Fedora Atomic
might contain the change.

LS