On Thu, Aug 17, 2023 at 09:20:22AM -0000, Jonas R via FreeIPA-users wrote:
> Hello all,
> we have set up a test system with FreeIPA running on a docker (swarm) host and are very
> happy with the tool. Now we are moving forward towards the planning for implementation and
> considering whether to run it in containers or VMs.
> On the FreeIPA website it says "the team also maintains PoC container release of
> FreeIPA". That's why I am wondering if running FreeIPA in containers is
> generally considered as something for testing environments or PoC, but not for production.
> Are there any experiences running it in containers for production? Or is everybody using
> bare metal/VMs? We are planning an environment with 40-50 clients on one site.
Based on the feedback and issues reported on the
https://github.com/freeipa/freeipa-container repo, there are numerous
people running FreeIPA containers in production. The biggest hurdles
seem to be to get the container running and the ipa-server-install
properly finished the first time the container is started.
If you have infrastructure that is biased towards containers
(for example Kubernetes all over), you might pick that. You might gain
more flexibility in the setup and potentially a bit leaner solution.
It's also easier to get things confused and broken.
If it's easy for you to spin up VMs and deal with keeping them
up-to-date and regularly restarted, go with VMs.
Since for production deployment you will want to have a master plus
a couple of replicas, you can even mix and match.
On Thu, Aug 17, 2023 at 11:41:22AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> As I understood the devs the only option would be an all-in-one
> container as splitting up the components would introduce several challenges that would
> need to be solved. And everything in one container is exactly the opposite what a
> container should be...
It is exactly the opposite of what the container purists say a container
should be.
Since the main value of FreeIPA is the integration of services under
one umbrella, I question what value people would get if instead of one
container they had ten containers and they had the freedom and means
to mix'n'match their configuration in some docker-compose YAML.
I assume people would end up with many more broken deployments than if
they get it all in one systemd-based container. If only because you'd
likely lose the ipa-server-install that sets many of the things for you.
So... we do not consider the current container solution as ready for
production.
The VM with IdM on RHEL might be preferred for production deployments,
but for a completely different reason than the FreeIPA container being an
all-in-one setup. Handling of data persistence and upgrades might
be the weakest point ... but you'd get that challenge even if you
had the solution broken into multiple containers.
--
Jan Pazdziora | Sr. Principal Software Engineer | Red Hat