Hi all,
I am currently migrating a server from a locally installed FreeIPA setup to a CoreOS
container setup and cannot find any documentation for this. I am assuming I am doing
something wrong or missing something, as I cannot find anyone else having an issue or even
attempting it either. This is a freshly installed OS from an ignition file, so there should be
no weirdness coming in from anywhere else.
podman launch line:

bin/podman run --name ipa \
  -h thenom-srv1.thenom.local --read-only \
  -v /var/lib/ipa-data:/data:Z \
  -e IPA_SERVER_IP=192.168.101.6 \
  -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
  -p 88:88/udp -p 464:464/udp -p 123:123/udp \
  quay.io/freeipa/freeipa-server:fedora-36
I have finally got a fresh install running in a container, but I am now trying to restore a
backup into it from my old server. I have copied an ipa-full directory from my old service
into the container's data volume folder on the host. I bash exec into the running IPA
container, then run ipa-restore /data/ipa-full-2022-11-11-04-03-19, type in my directory
manager password and accept the prompts, then just get a mass stream of tar errors and then a
failure:
...
tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
tar: var/lib/ipa: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/lib': Permission denied
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/ca': Permission denied
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat': Permission denied
tar: var/lib/pki: Directory renamed before its status could be extracted
tar: etc/httpd/alias: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'etc/pki/pki-tomcat/ca': Permission denied
tar: etc/pki/pki-tomcat: Directory renamed before its status could be extracted
tar: Exiting with failure status due to previous errors
Restoring umask to 18
NSS is built without support of the legacy database(DBM) directory '/etc/ipa/nssdb'
The ipa-restore command failed. See /data/var/log/iparestore.log for more information
I get similar in the iparestore.log:
...
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/DBVERSION': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_instance.ldif': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_index.ldif': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './files.tar': Operation not supported
tar: setfileconat: Cannot set SELinux context for file '.': Operation not supported
2022-11-13T11:55:38Z DEBUG Starting external process
2022-11-13T11:55:38Z DEBUG args=['tar', '--xattrs', '--selinux', '-xzf', '/tmp/tmp7pt67l7sipa/ipa/files.tar', 'etc/ipa/default.conf']
2022-11-13T11:55:40Z DEBUG Process finished, return code=0
2022-11-13T11:55:40Z DEBUG stdout=
2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported
This seems to make sense because, from what I have read, the SELinux context on these /data
files should be system_u:object_r:container_file_t and I am guessing it is
unchanged/unchangeable due to the environment it's running in.
Any advice appreciated, thanks in advance.
Simon
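Two small checks around the situation described in the post, as an added example that is not part of the original message and not FreeIPA's or podman's own tooling: one confirms that every entry under a `:Z` bind-mounted volume directory carries the `container_file_t` type the poster expects, the other tallies the tar `setfileconat` failures in an `iparestore.log`-style stream by errno text, so that "Permission denied" (the relabel was refused by policy) can be told apart from "Operation not supported" (the filesystem or mount does not accept a label change at all). It assumes `ls -Z` prints one `context name` pair per line, as GNU coreutils does on a SELinux host; all sample labels, names and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeIPA/podman.
# 1. check that entries under a volume directory are labelled with the
#    expected SELinux type (container_file_t for a ":Z" bind mount);
# 2. count tar setfileconat failures in restore log output by errno text.
# Sample labels, names and log lines below are constructed.

# context_has_type CONTEXT TYPE -> 0 if the type field of a
# "user:role:type:level" SELinux context equals TYPE.
context_has_type() {
    _type=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$_type" = "$2" ]
}

# find_mislabelled TYPE: read "context name" lines (the shape `ls -Z`
# prints, assumed one entry per line) from stdin and print the names whose
# type is not TYPE. Names containing whitespace are not handled.
find_mislabelled() {
    while read -r _ctx _name; do
        [ -n "$_ctx" ] || continue
        context_has_type "$_ctx" "$1" || printf '%s\n' "$_name"
    done
}

# check_volume DIR TYPE: run `ls -Z` on a real directory and report entries
# not labelled TYPE. Only meaningful on a host with SELinux enabled.
check_volume() {
    ls -Z "$1" | find_mislabelled "$2"
}

# summarise_setfileconat: read log lines from stdin and print
# "permission_denied=<n> not_supported=<n>" for tar setfileconat errors.
summarise_setfileconat() {
    _pd=0; _ns=0
    while IFS= read -r _line; do
        case $_line in
            *setfileconat*"Permission denied"*)       _pd=$((_pd + 1)) ;;
            *setfileconat*"Operation not supported"*) _ns=$((_ns + 1)) ;;
        esac
    done
    printf 'permission_denied=%d not_supported=%d\n' "$_pd" "$_ns"
}

# Constructed `ls -Z` output: one entry carries a host label, not container_file_t.
sample_ls_z='system_u:object_r:container_file_t:s0 ipa-full-2022-11-11-04-03-19
unconfined_u:object_r:var_lib_t:s0 pki-ca
system_u:object_r:container_file_t:s0 var'

# Constructed restore log excerpt mixing both errno texts and a non-matching line.
sample_log="tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
tar: var/lib/ipa: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file './files.tar': Operation not supported
2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported"

echo "entries not labelled container_file_t:"
printf '%s\n' "$sample_ls_z" | find_mislabelled container_file_t
printf '%s\n' "$sample_log" | summarise_setfileconat
```

On a real host, `check_volume /var/lib/ipa-data container_file_t` runs the same label check against the mounted volume directory; piping `/data/var/log/iparestore.log` into `summarise_setfileconat` gives the errno breakdown for an actual failed restore.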