So, this is an interesting read; thanks for that.
But just an FYI to the OP: if you are using any Ubuntu 18.04 clients (I haven't tried it with Fedora/CentOS), there is an issue with not having local docker groups on the system.
What ends up happening is that on boot, the docker services try starting up but look for a local docker group when they do. If there is no docker group, the service times out. When the machine does finally boot up, DNS resolution is for some reason broken. Networking works fine (e.g. it can ping 8.8.8.8 or any local IP). But without DNS resolution the machine won't properly find the IPA server and won't allow users to log in.
Docker made this service change from 16.04 to 18.04.
Here I detailed how I determined what the issue was. I put in another ticket with this information but was told it wasn’t an issue with docker.
https://github.com/docker/libnetwork/issues/2335
-Kevin
On Oct 24, 2019, at 6:18 PM, Simo Sorce via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I strongly recommend reading this article: https://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run...
And based on it, I would a) reconsider whether using sudo is not a better idea, and b) recommend, if possible, creating the docker group locally and adding users explicitly on the specific machines.
I would fall back to a global docker group, which basically gives root to any user on any machine with docker installed that they have access to, only as a last resort.
Simo.
On Wed, 2019-10-23 at 19:07 +0000, Jason Dunham via FreeIPA-users wrote:

Hi, I'm trying to figure out the best practice for groups on my client servers. I have several computation workstation hosts that have been added as FreeIPA clients, and several engineers who want to run docker on them.

Members of the 'docker' group (gid=999 on some machines, for example) can run docker without needing sudo, which is what I want to roll out to all machines. Ideally this would be managed from FreeIPA with LDAP groups, so anyone in the 'engineers' group should also be a member of the 'docker' group.

When I create a 'docker' group on FreeIPA it will have some other gid, and the client sees that. Should I just delete the original docker group from my hosts and let it get it from LDAP, or should I go into /etc/group and change the gid to the one that matches the right LDAP gid, or preferably something easier than that?

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
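The local, explicitly managed docker group that Simo recommends, as an added example that is not part of the thread and not FreeIPA's or Docker's own tooling: a POSIX sh script that reads a group(5) file and prints the groupadd/gpasswd commands needed so that a local 'docker' group exists (the condition Kevin describes the Ubuntu 18.04 docker unit wanting at boot) and contains exactly the users named on the command line, dropping anyone else, since membership is root-equivalent. The group-file path, the member list and the sample file contents are parameters and constructed data, not taken from the thread; using groupadd -r to place the gid in the system range so it cannot collide with a directory-allocated gid is an assumption about the IPA ID range in use.

```shell
#!/bin/sh
# Added example (not from the thread): keep a LOCAL docker group with an
# explicit, per-machine member list instead of a directory-wide docker
# group. The functions print the commands needed to reach the desired
# state; nothing is executed, so a config-management run can review and
# apply them. Assumption: the group(5) file and the member list are
# parameters so the logic can run against a constructed file; on a real
# host pass /etc/group and run the printed commands as root.

# gid of group $2 in group file $1 (empty output if the group is absent)
group_gid() {
  awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# current members of group $2 in group file $1, one per line
group_members() {
  awk -F: -v g="$2" '
    $1 == g {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
      exit
    }' "$1"
}

# Print the commands that make group $2 in file $1 exist locally and
# contain exactly the users in $3 (space separated), and nobody else.
reconcile_docker_group() {
  file=$1; grp=$2; want=" $3 "
  if [ -z "$(group_gid "$file" "$grp")" ]; then
    # Assumption: -r allocates a system gid (below the regular-user range),
    # so it cannot collide with a gid the directory hands out later. The
    # group then exists before the docker unit looks for it at boot.
    echo "groupadd -r $grp"
  fi
  have=" $(group_members "$file" "$grp" | tr '\n' ' ')"
  # present but not wanted: remove (docker group membership is root-equivalent)
  for u in $have; do
    case "$want" in *" $u "*) ;; *) echo "gpasswd -d $u $grp" ;; esac
  done
  # wanted but missing: add
  for u in $want; do
    case "$have" in *" $u "*) ;; *) echo "gpasswd -a $u $grp" ;; esac
  done
}

# Demo on a constructed group file standing in for /etc/group.
demo_file=$(mktemp)
printf 'root:x:0:\ndocker:x:999:alice,mallory\nsudo:x:27:alice\n' > "$demo_file"
echo "local docker gid: $(group_gid "$demo_file" docker)"
reconcile_docker_group "$demo_file" docker "alice bob"
rm -f "$demo_file"
```

Run it as root against /etc/group and feed the printed commands to sh once reviewed. The gid of an existing local group is deliberately left alone: with a purely local group there is no LDAP gid to match, so the /etc/group editing the original question asks about never becomes necessary.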