For a test setup I am trying to get a FreeIPA server running within a Docker container (DinD), but I get some errors and I don't know why.
1. Create docker in docker container:
   docker run --privileged -itd --name docker_swarm \
     -v /sys/fs/cgroup:/sys/fs/cgroup docker
2. Connect to docker container and run the FreeIPA server:
   docker exec -it docker_swarm \
     sh -c "docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 --privileged=true \
       --name ipa -ti -h ipa.example.test --cgroupns=host \
       -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v /tmp/freeipa-data:/data \
       freeipa/freeipa-server:fedora-38-4.10.2 --skip-mem-check --no-ntp"
The error I get is:
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to apply cgroup configuration: failed to write 670: write /sys/fs/cgroup/docker/3c2cc48a075d3f62143d70718aefe4c55938e4332262894e67f31328eaa5a006/cgroup.procs: no such file or directory: unknown.
ERRO[0038] error waiting for container:
The command works outside of Docker in Docker. Maybe it is possible to deactivate all the cgroups stuff? I don't need all features of FreeIPA, just certificates, authentication (LDAP), DNS, ...
On 20.09.23 09:05, Jay Smith via FreeIPA-users wrote:
From my knowledge:
- We have cgroups v2 nowadays, please remove the volume /sys/fs/cgroup (from both commands)
- you need cgroup nesting, please read the link below:
https://github.com/containerd/containerd/issues/6659
Best regards
Ulf
Hi Jay,
For running FreeIPA in a container you may want to check https://github.com/freeipa/freeipa-container
The setup for it to work is somewhat sensible and following their recommendations will prevent a lot of headaches.
Rafael
P.S.: Sorry for the top post.
On Wed, Sep 20, 2023 at 10:10 AM Ulf Volmer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thank you very much for your hint Ulf. That's working for me.
docker run -it \
  -h ${MK_FREEIPA_SERVER_DOMAIN_NAME} \
  --name ipa \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  -v /tmp/freeipa-data/data:/data \
  -e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \
  -e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \
  -e "DEBUG_TRACE=1" \
  -e "DEBUG_NO_EXIT=1" \
  --privileged=true \
  --ip "${MK_FREEIPA_SERVER_IP}" \
  --add-host "${MK_FREEIPA_SERVER_DOMAIN_NAME}:${MK_FREEIPA_SERVER_IP}" \
  -p "443:443" \
  freeipa/freeipa-server:fedora-38-4.10.2 \
  --skip-mem-check \
  --domain=${MK_INTERNAL_SUB_DOMAIN} \
  --realm=${MK_FREEIPA_SERVER_REALM} \
  --ds-password=${MK_FREEIPA_SERVER_DS_PASSWORD} \
  --ip-address=${MK_FREEIPA_SERVER_IP} \
  --admin-password=${MK_FREEIPA_SERVER_ADMIN_PASSWORD} \
  --no-host-dns \
  --unattended \
  --setup-dns \
  --allow-zone-overlap \
  --auto-reverse \
  --reverse-zone=${MK_FREEIPA_SERVER_DNS_REVERSE_ZONE} \
  --auto-forwarders \
  --no-ntp
On Fri, Sep 22, 2023 at 12:03:19PM -0000, Jay Smith via FreeIPA-users wrote:
Thank you very much for your hint Ulf. That's working for me.
docker run -it \
  -h ${MK_FREEIPA_SERVER_DOMAIN_NAME} \
  --name ipa \
  --sysctl net.ipv6.conf.all.disable_ipv6=0 \
  -v /tmp/freeipa-data/data:/data \
  -e "IPA_SERVER_HOSTNAME=${MK_FREEIPA_SERVER_DOMAIN_NAME}" \
  -e "IPA_SERVER_IP=${MK_FREEIPA_SERVER_IP}" \
  -e "DEBUG_TRACE=1" \
  -e "DEBUG_NO_EXIT=1" \
  --privileged=true \
Where did you find the guidance to use --privileged=true?
It is actively harmful to the general security posture of the system and should be avoided. It hasn't been needed for FreeIPA server containers for ages.
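Added here as an illustration (not code from the thread or from the freeipa-container project): a small POSIX shell linter that checks a docker run command line for the two points raised in this thread, the host /sys/fs/cgroup bind mount that Ulf says is unnecessary on cgroups v2 hosts and the --privileged flag that the last reply says is harmful and not needed, plus a helper that maps the filesystem type of /sys/fs/cgroup to the cgroup version. The function names and the sample command are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: lint a "docker run" command line for the
# two issues raised above before it is executed.
#   1. a bind mount of the host's /sys/fs/cgroup (unnecessary on cgroups v2 hosts)
#   2. --privileged / --privileged=true (all capabilities plus host device access;
#      not needed for the FreeIPA server container)
# Findings are printed one per line; LINT_FINDINGS holds their count.
lint_docker_run() {
    LINT_FINDINGS=0
    # Join continuation lines ("\" + newline, or "\ " as pasted in the thread)
    # so a multi-line command is scanned as a single line.
    flat=$(printf '%s' "$1" | tr '\n' ' ' | sed 's/\\ / /g')
    case " $flat " in
        *" --privileged "*|*" --privileged=true "*)
            echo "FINDING: --privileged grants the container full host privileges; remove it"
            LINT_FINDINGS=$((LINT_FINDINGS + 1)) ;;
    esac
    case "$flat" in
        *"-v /sys/fs/cgroup:"*|*"--volume /sys/fs/cgroup:"*|*"--volume=/sys/fs/cgroup:"*)
            echo "FINDING: host /sys/fs/cgroup is bind-mounted; drop it on cgroups v2 hosts"
            LINT_FINDINGS=$((LINT_FINDINGS + 1)) ;;
    esac
    return 0
}

# Map the filesystem type of /sys/fs/cgroup to the cgroup version in use.
# Pass "$(stat -fc %T /sys/fs/cgroup)" on a live Linux host: cgroups v2 mounts a
# single cgroup2 filesystem there, v1 mounts a tmpfs of per-controller directories.
cgroup_version() {
    case "$1" in
        cgroup2fs) echo 2 ;;
        tmpfs)     echo 1 ;;
        *)         echo unknown ;;
    esac
}

# Constructed sample: the shape of the command from the thread, with both problems.
SAMPLE_CMD='docker run -ti -h ipa.example.test --privileged=true \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw -v /tmp/freeipa-data:/data \
  freeipa/freeipa-server:fedora-38-4.10.2 --no-ntp'

lint_docker_run "$SAMPLE_CMD"
echo "findings: $LINT_FINDINGS"
```

On a real host, run the linter on the command you are about to execute and the version helper on `stat -fc %T /sys/fs/cgroup`; two findings on the sample above correspond to the two flags the thread says to drop.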