|
| 1 | +# Build on top of base AlmaLinux 10 image |
| 2 | +FROM docker.io/almalinux/10-init |
| 3 | + |
| 4 | +RUN groupadd -g 288 kdcproxy ; useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -r -d / -s '/sbin/nologin' kdcproxy |
| 5 | +RUN groupadd -g 289 ipaapi; useradd -u 289 -g 289 -c 'IPA Framework User' -r -d / -s '/sbin/nologin' ipaapi |
| 6 | +RUN groupadd -g 285 sssd; useradd -u 285 -g 285 -c 'User for sssd' -r -d /run/sssd/ -s '/sbin/nologin' sssd |
| 7 | +RUN groupadd -g 225 ods; useradd -u 225 -g 225 -c 'opendnssec daemon account' -r -d / -s /sbin/nologin ods |
| 8 | +RUN groupadd -g 207 printadmin |
| 9 | + |
| 10 | +# Workaround 1615948 |
| 11 | +RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup |
| 12 | +RUN sed -i 's!%_install_langs.*!%_install_langs all!' /etc/rpm/macros.image-language-conf |
| 13 | +RUN dnf -y install --setopt=install_weak_deps=False ipa-server ipa-server-dns ipa-server-trust-ad patch ipa-healthcheck ipa-client-epn \ |
| 14 | + && dnf clean all |
| 15 | + |
| 16 | +# debug: RUN test $( getent passwd | grep -E "^(dirsrv:x:389|ipaapi:x:289|kdcproxy:x:288|pkiuser:x:17|sssd:x:285|named:x:25|ods:x:225|tss:x:59):" | wc -l ) -eq 8 |
| 17 | +# debug: RUN test $( getent group | grep -E "^(dirsrv:x:389|ipaapi:x:289|kdcproxy:x:288|pkiuser:x:17|sssd:x:285|named:x:25|utmp:x:22|wbpriv:x:88|systemd-journal:x:190|ods:x:225|printadmin:x:207|tss:x:59):" | wc -l ) -eq 12 |
| 18 | + |
| 19 | +COPY tmpfiles-ownership-fedora-41.conf /usr/lib/tmpfiles.d/ipa-ownership.conf |
| 20 | + |
| 21 | +# var-lib-nfs-rpc_pipefs.mount would run (and fail) nondeterministically |
| 22 | +RUN systemctl mask rpc-gssd.service |
| 23 | + |
| 24 | +RUN mkdir /usr/lib/systemd/system/sssd.service.d |
| 25 | +# Workaround https://bugzilla.redhat.com/show_bug.cgi?id=2334087 |
| 26 | +RUN ( echo '[Service]' ; sed '/^CapabilityBoundingSet=/!d; s/CAP_DAC_READ_SEARCH/& CAP_DAC_OVERRIDE/' /usr/lib/systemd/system/sssd.service ) > /usr/lib/systemd/system/sssd.service.d/capabilities.conf |
| 27 | +RUN setcap cap_dac_override+ep /usr/libexec/sssd/ldap_child |
| 28 | + |
| 29 | +# Container image which runs systemd |
| 30 | +# debug: RUN test -f /etc/machine-id && ! test -s /etc/machine-id |
| 31 | +# debug: RUN test -z "$container" |
| 32 | +ENV container oci |
| 33 | + |
| 34 | +# Establish reasonably low open files limit in the container |
| 35 | +COPY DefaultLimitNOFILE.conf /usr/lib/systemd/system.conf.d/DefaultLimitNOFILE.conf |
| 36 | + |
| 37 | +ENTRYPOINT [ "/usr/sbin/init" ] |
| 38 | +STOPSIGNAL RTMIN+3 |
| 39 | +# test: systemd-container-failed.sh |
| 40 | + |
| 41 | +# Minimize the systemd setup |
| 42 | +RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l \! -lname /dev/null | xargs rm -v |
| 43 | +RUN systemctl mask systemd-logind.service |
| 44 | +COPY patches/minimal-fedora-42.patch /root/ |
| 45 | +RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-42.patch |
| 46 | +# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep . |
| 47 | + |
| 48 | +RUN ln -s /usr/lib/systemd/system/dbus-broker.service /usr/lib/systemd/system/dbus.service |
| 49 | +COPY container-ipa.target /usr/lib/systemd/system/ |
| 50 | +RUN systemctl set-default container-ipa.target |
| 51 | +RUN rmdir -v /etc/systemd/system/multi-user.target.wants \ |
| 52 | + && mkdir /etc/systemd/system/container-ipa.target.wants \ |
| 53 | + && ln -s /etc/systemd/system/container-ipa.target.wants /etc/systemd/system/multi-user.target.wants |
| 54 | +RUN systemd-sysusers |
| 55 | +# podman in systemd mode mounts /var/log/journal volume which creates |
| 56 | +# the directory anyway and pollutes podman diff, just pre-create it |
| 57 | +RUN mkdir /var/log/journal |
| 58 | +RUN systemd-tmpfiles --remove --create |
| 59 | +# debug: RUN ! test -f /var/lib/systemd/random-seed |
| 60 | +# test-addon: VOLUME [ "/var/tmp" ] |
| 61 | +# test: systemd-container-diff.sh list-dependencies-rhel-9.out /dev/null docker-diff-minimal-fedora-23.out |
| 62 | + |
| 63 | +# Prepare for basic ipa-server-install in container |
| 64 | +# Address failing nis-domainname.service in the ipa-client-install step |
| 65 | +RUN mv /usr/bin/nisdomainname /usr/bin/nisdomainname.orig |
| 66 | +ADD hostnamectl-wrapper /usr/bin/nisdomainname |
| 67 | + |
| 68 | +## # test: systemd-container-ipa-server-install.sh |
| 69 | + |
| 70 | +# Move configuration and data to data volume |
| 71 | +COPY patches/ipa-data-fedora-39.patch /root |
| 72 | +RUN set -o pipefail ; patch --verbose -p0 --fuzz=0 < /root/ipa-data-fedora-39.patch | tee /dev/null | sed -n 's/^patching file //;T;/\.py$/p' | xargs /usr/libexec/platform-python -m compileall |
| 73 | +COPY ipaplatform-rhel.conf /usr/lib/systemd/system.conf.d/ipaplatform-override.conf |
| 74 | +ENV IPAPLATFORM_OVERRIDE=rhel_container |
| 75 | + |
| 76 | +COPY journald-storage.conf /usr/lib/systemd/journald.conf.d/storage.conf |
| 77 | + |
| 78 | +RUN authselect select sssd with-sudo --force |
| 79 | + |
| 80 | +COPY utils/prepare-volume-template utils/populate-volume-from-template utils/extract-rpm-upgrade-scriptlets /usr/local/bin/ |
| 81 | +COPY volume-data-list volume-tmp-list volume-data-autoupdate /etc/ |
| 82 | +RUN /usr/local/bin/prepare-volume-template /etc/volume-data-list /data |
| 83 | +RUN /usr/local/bin/prepare-volume-template /etc/volume-tmp-list /tmp |
| 84 | +RUN /usr/local/bin/extract-rpm-upgrade-scriptlets |
| 85 | + |
| 86 | +RUN echo 2.0 > /etc/volume-version |
| 87 | +VOLUME [ "/tmp", "/run", "/data" ] |
| 88 | + |
| 89 | +COPY init-data-minimal /usr/local/sbin/init |
| 90 | +ENTRYPOINT [ "/usr/local/sbin/init" ] |
| 91 | +# test: systemd-container-ipa-server-install-data.sh /dev/null |
| 92 | + |
| 93 | +# Configure master/replica upon the first invocation |
| 94 | +COPY init-data /usr/local/sbin/init |
| 95 | +COPY ipa-server-configure-first systemctl-exit-with-status ipa-volume-upgrade-* /usr/sbin/ |
| 96 | +COPY ipa-server-configure-first.service ipa-server-upgrade.service ipa-server-update-self-ip-address.service /usr/lib/systemd/system/ |
| 97 | +COPY service-success-poweroff.conf /usr/lib/systemd/system/ipa-server-configure-first.service.d/service-success-poweroff.conf.template |
| 98 | +RUN ln -sv /usr/lib/systemd/system/ipa-server-configure-first.service /data-template/etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service |
| 99 | +COPY exit-status.conf /usr/lib/systemd/system/systemd-poweroff.service.d/ |
| 100 | + |
| 101 | +EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp |
| 102 | + |
| 103 | +RUN uuidgen > /data-template/build-id |
| 104 | + |
| 105 | +LABEL org.opencontainers.image.title="FreeIPA server" |
| 106 | +LABEL org.opencontainers.image.authors="FreeIPA Developers < [email protected]>" |
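Review bot: The base image on the first instruction, `FROM docker.io/almalinux/10-init`, carries neither a tag nor a digest, so each rebuild silently takes whatever the publisher last pushed, and the unpinned `dnf -y install` layer below it inherits that non-reproducibility; pinning at least a digest, `FROM docker.io/almalinux/10-init@sha256:<DIGEST-PLACEHOLDER>`, makes the resulting image content auditable against a known base. The `ADD hostnamectl-wrapper /usr/bin/nisdomainname` line copies a plain local file and should be `COPY hostnamectl-wrapper /usr/bin/nisdomainname`, since `ADD` additionally unpacks archives and fetches URLs, behaviour this step does not need. `ENV container oci` uses the deprecated space-separated form; `ENV container=oci` is the supported spelling. The `groupadd … ; useradd …` steps join the two commands with `;`, so a failing groupadd is masked and the step only fails if useradd does; `&&` would surface the error unless the group is expected to already exist in the base image.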