Hi all,
I am currently migrating a server from a locally installed FreeIPA setup to a CoreOS container setup and cannot find any documentation for this. I am assuming I am doing something wrong or missing something, as I cannot find anyone else having an issue or even attempting it either. This is a freshly installed OS from an ignition file, so it should have no weirdness coming in from anywhere else.
podman launch line:

    bin/podman run --name ipa \
      -h thenom-srv1.thenom.local --read-only \
      -v /var/lib/ipa-data:/data:Z \
      -e IPA_SERVER_IP=192.168.101.6 \
      -p 80:80 -p 443:443 -p 389:389 -p 636:636 \
      -p 88:88 -p 464:464 \
      -p 88:88/udp -p 464:464/udp -p 123:123/udp \
      quay.io/freeipa/freeipa-server:fedora-36
I have finally got a fresh install running in a container, but I am now trying to restore a backup into it from my old server. I have copied an ipa-full directory from my old service into the container's data volume folder on the host. I bash exec into the running IPA container, then run ipa-restore /data/ipa-full-2022-11-11-04-03-19, type in my directory manager password and accept the prompts, then just get a mass stream of tar errors and then a failure:
    ...
    tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
    tar: var/lib/ipa: Directory renamed before its status could be extracted
    tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/lib': Permission denied
    tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat/ca': Permission denied
    tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat': Permission denied
    tar: var/lib/pki: Directory renamed before its status could be extracted
    tar: etc/httpd/alias: Directory renamed before its status could be extracted
    tar: setfileconat: Cannot set SELinux context for file 'etc/pki/pki-tomcat/ca': Permission denied
    tar: etc/pki/pki-tomcat: Directory renamed before its status could be extracted
    tar: Exiting with failure status due to previous errors
    Restoring umask to 18
    NSS is built without support of the legacy database(DBM) directory '/etc/ipa/nssdb'
    The ipa-restore command failed. See /data/var/log/iparestore.log for more information
I get similar in the iparestore.log:

    ...
    tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/DBVERSION': Operation not supported
    tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_instance.ldif': Operation not supported
    tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/dse_index.ldif': Operation not supported
    tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL': Operation not supported
    tar: setfileconat: Cannot set SELinux context for file './files.tar': Operation not supported
    tar: setfileconat: Cannot set SELinux context for file '.': Operation not supported

    2022-11-13T11:55:38Z DEBUG Starting external process
    2022-11-13T11:55:38Z DEBUG args=['tar', '--xattrs', '--selinux', '-xzf', '/tmp/tmp7pt67l7sipa/ipa/files.tar', 'etc/ipa/default.conf']
    2022-11-13T11:55:40Z DEBUG Process finished, return code=0
    2022-11-13T11:55:40Z DEBUG stdout=
    2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported
This seems to make sense, because from what I have read the SELinux context on these /data files should be system_u:object_r:container_file_t, and I am guessing it is unchanged/unchangeable due to the environment it's running in.
Any advice appreciated, thanks in advance. Simon
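The log excerpts above mix two distinct tar failures: "Permission denied" (tar was allowed to see the label but not to change it) and "Operation not supported" (the filesystem does not accept the label at all). The following script is an added example written for this thread, not code from the original post or from the FreeIPA project; it reads an iparestore.log (a constructed sample modelled on the lines quoted above is embedded) and separates label-only setfileconat failures from any other tar error, so you can tell whether a re-run with a different volume label would plausibly help. The file name passed in and the sample contents are assumptions for the example.

```shell
#!/bin/sh
# Added example for triaging ipa-restore tar/SELinux errors. Not part of the
# original thread or of FreeIPA; file names and sample lines are constructed.

# Write a constructed sample log modelled on the quoted iparestore.log lines.
# Some lines carry the ipa-restore DEBUG prefix, as real log lines do.
write_sample_log() {
    cat >"$1" <<'EOF'
tar: setfileconat: Cannot set SELinux context for file 'var/lib/ipa/pki-ca': Permission denied
tar: var/lib/ipa: Directory renamed before its status could be extracted
tar: setfileconat: Cannot set SELinux context for file 'var/lib/pki/pki-tomcat': Permission denied
2022-11-13T11:55:40Z DEBUG stderr=tar: setfileconat: Cannot set SELinux context for file 'etc/ipa/default.conf': Operation not supported
tar: setfileconat: Cannot set SELinux context for file './THENOM-LOCAL/DBVERSION': Operation not supported
tar: Exiting with failure status due to previous errors
2022-11-13T11:55:40Z DEBUG Process finished, return code=0
tar: setfileconat: Cannot set SELinux context for file 'etc/pki/pki-tomcat/ca': Permission denied
EOF
}

# Count the three classes of tar message in a log:
#   denied      - tar tried to set a context and SELinux refused (EACCES)
#   unsupported - the target filesystem/mount rejects the label (EOPNOTSUPP)
#   other       - any remaining "tar:" line (renamed dirs, final failure, ...)
# Output: one line, "denied=N unsupported=N other=N".
triage_restore_log() {
    awk '
        /tar: setfileconat: .*Permission denied$/         { denied++;      next }
        /tar: setfileconat: .*Operation not supported$/   { unsupported++; next }
        /tar: /                                           { other++ }
        END {
            printf "denied=%d unsupported=%d other=%d\n",
                   denied + 0, unsupported + 0, other + 0
        }
    ' "$1"
}

# Print every path tar could not label, one per line, in log order. On an
# SELinux host these can be compared against "ls -dZ" of the data volume
# to confirm they all live on the container_file_t-labelled mount.
list_unlabeled_paths() {
    sed -n "s/.*Cannot set SELinux context for file '\([^']*\)'.*/\1/p" "$1"
}

# Stand-alone run: triage the constructed sample.
if [ "${RUN_EXAMPLE:-1}" = 1 ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    triage_restore_log "$tmp"
    echo "paths tar could not label:"
    list_unlabeled_paths "$tmp"
    rm -f "$tmp"
fi
```

If every failing line is in the "denied"/"unsupported" classes and all listed paths sit on the bind-mounted volume, the restore is failing purely on label restoration, which is what the container_file_t guess above predicts; a line in the "other" class that is not a consequence of a labelling failure points at a different problem and should be read before retrying.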
Does anybody have any idea how I can migrate from a tin install to a container?
Sorry about the delayed reply, as I have been away.
Cheers for the reply Rob, I will try and do that then promote, but does this mean there is currently no way to restore a backup into a containerised master?
I get that in production it is not recommended to run a single instance, but even still I would have thought there would be a DR process for this.
Simon Thorley via FreeIPA-users wrote:
> Sorry about the delayed reply, as I have been away.
> Cheers for the reply Rob, I will try and do that then promote, but does this mean there is currently no way to restore a backup into a containerised master?
> I get that in production it is not recommended to run a single instance, but even still I would have thought there would be a DR process for this.
Outside of containers there is.
I honestly don't know how well tested ipa-restore/backup is inside a container.
rob