On Fri, 17 Mar 2023, Rob Crittenden via FreeIPA-users wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> On 14.05.21 11:26, Ronald Wimmer via FreeIPA-users wrote:
>>> are there any plans (or maybe ongoing work already) to let FreeIPA run
>>> in a K8s environment?
>> What about tearing all the tightly coupled parts (389DS, DNS, PKI,
>> HTTPD, KDC, Samba, ...) apart, letting them run in K8s and doing the coupling
>> Could that work if somebody took the effort (with support from the IPA
>> devs I would be willing to) or are there real showstoppers preventing
>> such an adventure?
> It could require a re-architecture of IPA. Some services rely on ldapi
> bind to connect to 389. You'd need to switch from that socket to a TCP
> socket and pass the requisite bind credentials (DM). Services rely on
> files in various places which, if done systematically, might not be too
> bad, but might require creative bind mounting and/or duplicating files.
> Installing it might require a pretty massive rewrite as it assumes a
> monolith. Upgrades would be another challenge.
> I don't know enough about K8s to know how naming would work to tie a
> bunch of different nodes into a single "service" with a common name.
> I don't know how well scaling would work either, if that's a goal.
It will not work well.
Performance differences between TCP/IP and UNIX domain sockets are huge.
There is roughly a 60% difference in latency and a 9x difference in
throughput on a bare metal system. See https://github.com/rigtorp/ipc-bench
for the test code.
On virtual machines in a datacenter using KVM I am reliably getting
roughly 2x slowdown in both throughput and latency.
That is a starting point. I would not even go into technical details
requiring a tight collaboration between multiple DC components we have
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
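The two points raised in the thread, that ldapi bind would have to be replaced by a TCP bind carrying an explicit credential, and that a UNIX domain socket round trip is much cheaper than a TCP one, can be checked on any Linux box with the script below. It is an added example, not code from the thread, from FreeIPA, from 389-ds or from rigtorp/ipc-bench; it only repeats the same ping-pong pattern in Python. Everything in it is constructed for the demo: the 64-byte payload, the temporary socket path standing in for the 389-ds ldapi socket, and the loopback TCP port. It assumes a Linux host, because SO_PEERCRED (the kernel-supplied pid/uid/gid of the peer that an ldapi autobind relies on) has no TCP equivalent and does not exist on other platforms.

```python
"""Ping-pong latency of a UNIX domain socket vs TCP loopback, plus the
peer-credential lookup that only the UNIX socket can provide.

Added example for the FreeIPA-users discussion; not code from FreeIPA,
389-ds or rigtorp/ipc-bench, only the same ping-pong pattern in Python.
Absolute numbers are dominated by interpreter overhead, so read the ratio,
not the microseconds. SO_PEERCRED is Linux-only (assumption: Linux host).
"""
import os
import socket
import struct
import tempfile
import threading
import time

MSG = b"x" * 64  # constructed payload, roughly the size of a small LDAP op


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (stream reads may be short)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf


def _serve(listener: socket.socket, rounds: int, peer: dict) -> None:
    """Accept one client and echo `rounds` messages back to it.

    On AF_UNIX the kernel reports who connected (SO_PEERCRED: pid, uid, gid);
    this is what lets an ldapi bind authenticate without a password. TCP has
    no equivalent, so a network bind needs an explicit credential instead.
    """
    conn, _ = listener.accept()
    with conn:
        if conn.family == socket.AF_UNIX and hasattr(socket, "SO_PEERCRED"):
            fmt = "3i"  # struct ucred: pid_t, uid_t, gid_t, all 32-bit on Linux
            raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                  struct.calcsize(fmt))
            peer["pid"], peer["uid"], peer["gid"] = struct.unpack(fmt, raw)
        elif conn.family == socket.AF_INET:
            conn.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        for _ in range(rounds):
            conn.sendall(_recv_exact(conn, len(MSG)))


def _ping_pong(listener: socket.socket, addr, rounds: int):
    """Run one client against `listener`; return (us per round trip, peer creds)."""
    peer: dict = {}
    server = threading.Thread(target=_serve, args=(listener, rounds, peer))
    server.start()
    with socket.socket(listener.family, socket.SOCK_STREAM) as client:
        client.connect(addr)
        if listener.family == socket.AF_INET:
            client.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        start = time.perf_counter()
        for _ in range(rounds):
            client.sendall(MSG)
            _recv_exact(client, len(MSG))
        elapsed = time.perf_counter() - start
    server.join()
    return elapsed / rounds * 1e6, peer


def benchmark(rounds: int = 20000) -> dict:
    """Compare the two transports with the same echo protocol and payload."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldapi-demo")  # stands in for the 389-ds ldapi socket
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as unix_listener:
            unix_listener.bind(path)
            unix_listener.listen(1)
            unix_us, peer = _ping_pong(unix_listener, path, rounds)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp_listener:
        tcp_listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        tcp_listener.listen(1)
        tcp_us, _ = _ping_pong(tcp_listener, tcp_listener.getsockname(), rounds)
    return {
        "unix_us": unix_us,
        "tcp_us": tcp_us,
        "ratio": tcp_us / unix_us,          # >1 means TCP is slower per round trip
        "peer_known": bool(peer),           # False off Linux (no SO_PEERCRED)
        "peer_is_self": peer.get("uid") == os.getuid(),
        "peer": peer,
    }


if __name__ == "__main__":
    r = benchmark()
    print(f"UNIX socket: {r['unix_us']:.1f} us/rt   TCP loopback: {r['tcp_us']:.1f} us/rt"
          f"   TCP/UNIX ratio: {r['ratio']:.2f}")
    print("peer credentials seen by the UNIX server:", r["peer"] or "unavailable")
```

Run it once on bare metal and once inside a VM to see the slowdown Alexander describes; the Python ratio will be smaller than ipc-bench's C figures because interpreter overhead is added equally to both sides. The second line of output is the part that matters for the Kubernetes question: the UNIX server learns the connecting uid from the kernel without any credential on the wire, which is exactly what a TCP replacement would have to supply as a Directory Manager password or other bind secret.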