4:20 a.m.
Hello all,
we have setup a test system with FreeIPA running on a docker (swarm) host and are very
happy with the tool. Now we are moving forward towards the planning for implementation and
considering wthether to run in in Containers or VMs.
On the FreeIPA website it says "the team also maintains PoC container release of
FreeIPA". That's why I am wondering, if running FreeIPA in containers is
generally considered as something for testing environments or PoC, but not for production.
Are there any experiences running it in containers for production? Or is everybody using
bare metal/VMs? We are planning an environment with 40-50 clients on one site.
Thanks,
Jonas
4:41 a.m.
As I understood the devs the only option would be an all-in-one container as splitting up
the components would introduce several challenges that would need to be solved. And
everything in one container is exactly the opposite what a container should be...
So... we do not consider the current container solution as ready for production.
Cheers,
Ronald
Am 17. August 2023 11:20:22 MESZ schrieb Jonas R via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
Hello all,
we have setup a test system with FreeIPA running on a docker (swarm) host and are very
happy with the tool. Now we are moving forward towards the planning for implementation and
considering wthether to run in in Containers or VMs.
On the FreeIPA website it says "the team also maintains PoC container release of
FreeIPA". That's why I am wondering, if running FreeIPA in containers is
generally considered as something for testing environments or PoC, but not for production.
Are there any experiences running it in containers for production? Or is everybody using
bare metal/VMs? We are planning an environment with 40-50 clients on one site.
Thanks,
Jonas
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
4:54 a.m.
We are running it successfully on VMs for several thousand IPA clients.
Am 17. August 2023 11:44:53 MESZ schrieb Jonas R via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org>:
Thank you for your fast reply, Ronald!
I guess we'll go for VMs then.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
4:36 a.m.
On Thu, Aug 17, 2023 at 09:20:22AM -0000, Jonas R via FreeIPA-users wrote:
Hello all,
we have setup a test system with FreeIPA running on a docker (swarm) host and are very
happy with the tool. Now we are moving forward towards the planning for implementation and
considering wthether to run in in Containers or VMs.
On the FreeIPA website it says "the team also maintains PoC container release of
FreeIPA". That's why I am wondering, if running FreeIPA in containers is
generally considered as something for testing environments or PoC, but not for production.
Are there any experiences running it in containers for production? Or is everybody using
bare metal/VMs? We are planning an environment with 40-50 clients on one site.
Based on the feedback and issues reported on the
https://github.com/freeipa/freeipa-container repo, there are numerous
people running FreeIPA containers in production. The biggest hurdles
seem to be to get the container running and the ipa-server-install
properly finished the first time the container is started.
If you have infrastructure that is biased towards containers
(for example Kubernetes all over), you might pick that. You might gain
more flexibility in the setup and potentially a bit leaner solution.
It's also easier to get things confused and broken.
If it's easy for you to spin up VMs and deal with keeping the
up-to-date and regularly restarted, go with VMs.
Since for production deployment you will want to have a master plus
a couple of replicas, you can even mix and match.
On Thu, Aug 17, 2023 at 11:41:22AM +0200, Ronald Wimmer via FreeIPA-users wrote:
As I understood the devs the only option would be an all-in-one
container as splitting up the components would introduce several challenges that would
need to be solved. And everything in one container is exactly the opposite what a
container should be...
It is exacly the opposite of what the container purists say a container
should be.
Since the main value of FreeIPA is the integration of services under
one umbrella, I question what value people would get if instead of one
container they had ten containers and they had the freedom and means
to mix'n'match their configuration in some docker-compose YAML.
I assume people would end up with many more broken deployments than if
they get it all in one systemd-based container. If only because you'd
likely lose the ipa-server-install that sets many of the things for you.
So... we do not consider the current container solution as ready for
production.
The VM with IdM on RHEL might be preferred for production deployments
but for completely different reason than having FreeIPA container an
all-in-one setup. Handling of data persistence and upgrades might
be the weakest point ... but you'd get that challenge even if you
had the solution broken into multiple containers.
--
Jan Pazdziora | Sr. Principal Software Engineer | Red Hat
7:03 a.m.
Hi Jan,
thank you for your thoughts.
The biggest hurdles
seem to be to get the container running and the ipa-server-install
properly finished the first time the container is started.
We simply run the
container manually from command line once, for further restarts we use a compose file for
docker swarm - we didn't encounter any issues there.
If you have infrastructure that is biased towards containers
(for example Kubernetes all over), you might pick that. You might gain
more flexibility in the setup and potentially a bit leaner solution.
It's also easier to get things confused and broken.
Since all the VMs we use
run Debian, setting up VMs with Fedora or RHEL would require an additional effort for us.
That's one of the main reasons why we'd like to go for containerization. As most
other things we run is in containers that fits well into our landscape.
Since for production deployment you will want to have a master plus
a couple of replicas, you can even mix and match.
That's something I had not
considered but is interesting and problably a help in case we need to migrate to VMs
later.
Thanks,
Jonas
5:42 a.m.
On Tue, Aug 22, 2023 at 12:03:25PM -0000, Jonas R via FreeIPA-users wrote:
> If you have infrastructure that is biased towards containers
> (for example Kubernetes all over), you might pick that. You might gain
> more flexibility in the setup and potentially a bit leaner solution.
> It's also easier to get things confused and broken.
Since all the VMs we use run Debian, setting up VMs with Fedora or RHEL would require an
additional effort for us. That's one of the main reasons why we'd like to go for
containerization. As most other things we run is in containers that fits well into our
landscape.
Right, the OS standardization and availability of the payload on that
platform might be another good reason to go the container route.
--
Jan Pazdziora | Sr. Principal Software Engineer | Red Hat
264
days inactive
272
days old
freeipa-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Jan Pazdziora -
Jonas R -
Ronald Wimmer