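# Build on the RHEL 7 base image.
# NOTE(review): the base is untagged, so every build floats to whatever
# "rhel7" resolves to at build time; pin a tag (or an @sha256 digest) so the
# image can be reproduced and audited.
FROM rhel7
# MAINTAINER is deprecated; the same information belongs in a label.
LABEL maintainer="FreeIPA Developers <[email protected]>"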
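# Create the service accounts before the packages are installed so their
# UIDs/GIDs are fixed (288 kdcproxy, 289 ipaapi) rather than whatever the RPM
# scriptlets would allocate. Presumably this keeps file ownership stable on
# the persistent /data volume across image rebuilds — confirm.
# groupadd and useradd are chained with && so a failing groupadd aborts the
# build instead of being masked by the exit status of the following useradd.
RUN groupadd -g 288 kdcproxy \
 && useradd -u 288 -g 288 -c 'IPA KDC Proxy User' -d '/var/lib/kdcproxy' -s '/sbin/nologin' kdcproxy
RUN groupadd -g 289 ipaapi \
 && useradd -u 289 -g 289 -c 'IPA Framework User' -r -d / -s '/sbin/nologin' ipaapi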
# Workaround 1615948: put /bin/false in place of systemd-machine-id-setup
# before the packages are installed.
RUN ln -s /bin/false /usr/sbin/systemd-machine-id-setup
# Install the IPA server, its DNS and AD-trust components from the RHEL 7
# server repository only, and drop the yum cache in the same layer.
# NOTE(review): package versions are not pinned, so two builds of this file
# can produce different images.
RUN yum install -y \
        --disablerepo='*' \
        --enablerepo=rhel-7-server-rpms \
        ipa-server \
        ipa-server-dns \
        ipa-server-trust-ad \
    && yum clean all
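# The three patches below edit the installed IPA installer in place to relax
# hostname/address self-checks (presumably because they do not hold inside a
# container — see the referenced bugs). Each sed is followed by a grep -F for
# the text it is expected to produce: sed -i exits 0 even when its pattern no
# longer matches, so without the grep an ipa-server update that changes these
# lines would silently drop the workaround and the build would still succeed.
# For the first two patches the unpatched code is the stricter variant, so a
# drifted package fails the build here rather than shipping with a no-op patch.
# Workaround 1364139: skip the local-hostname part of verify_fqdn() for the
# master host during replica install.
RUN f=/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py \
 && sed -i '/installutils.verify_fqdn(config.master_host_name, options.no_host_dns)/s/)/, local_hostname=False)/' "$f" \
 && grep -qF 'options.no_host_dns, local_hostname=False)' "$f" \
 && python -m compileall "$f"
# Workaround 1377973: do not require the configured host address to match an
# address of a local interface.
RUN f=/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py \
 && sed -i 's/ips.append(ipautil.CheckedIPAddress(ha, match_local=True))/ips.append(ipautil.CheckedIPAddress(ha, match_local=False))/' "$f" \
 && grep -qF 'ips.append(ipautil.CheckedIPAddress(ha, match_local=False))' "$f" \
 && python -m compileall "$f"
# Workaround https://fedorahosted.org/freeipa/ticket/6518: strip a trailing
# dot from the FQDN before it is passed to getaddrinfo().
RUN f=/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py \
 && sed -i 's/getaddrinfo(fqdn/getaddrinfo(fqdn.rstrip(".")/' "$f" \
 && grep -qF 'getaddrinfo(fqdn.rstrip(".")' "$f" \
 && python -m compileall "$f"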
# Remove the distro's /etc/systemd/system overrides, keeping only the *.wants
# directories. The name filter is applied to every path find visits, so the
# symlinks *inside* a *.wants directory are removed too — the directories
# survive but empty, which the later rmdir of multi-user.target.wants relies on.
RUN find /etc/systemd/system/* '!' -name '*.wants' | xargs rm -rvf
# Mask units that presumably cannot work in a container by replacing them
# with symlinks to /dev/null (the same effect as `systemctl mask`).
RUN for i in basic.target sysinit.target network.service netconsole.service ; do rm -f /usr/lib/systemd/system/$i && ln -s /dev/null /usr/lib/systemd/system/$i ; done
# Rebuild the shared-library cache after the package install (-X: do not
# touch library symlinks).
RUN /sbin/ldconfig -X
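# Container entrypoint and the helper scripts referenced by the units/labels.
COPY init-data /usr/local/sbin/init
COPY ipa-server-configure-first exit-with-status ipa-volume-upgrade-* /usr/sbin/
COPY install.sh uninstall.sh /bin/
# Keep the real hostnamectl/domainname aside and install the wrapper in their
# place (presumably so the hostname can be set from inside an unprivileged
# container — see the invocation notes at the end of this file).
# The wrapper is a plain local file, so it is COPY'd: ADD would additionally
# auto-extract archives and fetch URLs, neither of which is wanted here.
RUN mv /bin/hostnamectl /bin/hostnamectl.orig
RUN mv /usr/bin/domainname /usr/bin/domainname.orig
COPY hostnamectl-wrapper /bin/hostnamectl
COPY hostnamectl-wrapper /usr/bin/domainname
# Make every copied script executable (COPY does not preserve the mode from
# the build context).
RUN chmod -v +x /usr/local/sbin/init /usr/sbin/ipa-server-configure-first /usr/sbin/exit-with-status /usr/sbin/ipa-volume-upgrade-* /bin/install.sh /bin/uninstall.sh /bin/hostnamectl /usr/bin/domainname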
# Container-specific systemd units.
COPY container-ipa.target \
     ipa-server-configure-first.service \
     ipa-server-upgrade.service \
     ipa-server-update-self-ip-address.service \
     /usr/lib/systemd/system/
# Redirect multi-user.target.wants to container-ipa.target.wants so that
# anything enabled into multi-user.target ends up in the container target.
RUN rmdir -v /etc/systemd/system/multi-user.target.wants \
 && mkdir /etc/systemd/system/container-ipa.target.wants \
 && ln -s /etc/systemd/system/container-ipa.target.wants /etc/systemd/system/multi-user.target.wants
# Boot into container-ipa.target and enable the first-run configuration unit.
RUN systemctl set-default container-ipa.target \
 && systemctl enable ipa-server-configure-first.service
# debug: RUN test -f /etc/machine-id && ! test -s /etc/machine-id
# Give systemd-tmpfiles a throwaway machine-id while it creates its files,
# then empty the file again so the image ships /etc/machine-id present but
# empty: no build-time ID is shared by every container started from it
# (presumably systemd fills it in on first boot — confirm).
RUN echo 0123456789abcdef0000000000000000 > /etc/machine-id && systemd-tmpfiles --remove --create && echo -n > /etc/machine-id
# Drop-in for systemd-poweroff.service (see exit-via-chroot.conf; presumably
# makes poweroff exit the container instead of halting).
COPY exit-via-chroot.conf /usr/lib/systemd/system/systemd-poweroff.service.d/
# Help text for the atomic install step.
COPY atomic-install-help /usr/share/ipa/
# Lists that drive the persistent-volume layout built below.
COPY volume-data-list volume-data-mv-list volume-data-autoupdate /etc/
# Build /data-template: for every path in /etc/volume-data-list, copy what the
# image currently holds at that path into /data-template (or only create its
# parent there when the path does not exist), make sure the parent exists in
# the image, and replace the path with a symlink to the same path under /data
# so all mutable state lands on the volume. /var/log is moved aside instead of
# being rm -rf'd and is deleted in the next step. ${i%/} strips the trailing
# slash of entries written like /var/log/.
# NOTE(review): `read` without -r and the unquoted $i mean list entries must
# not contain whitespace, glob characters or backslashes.
RUN set -e ; cd / ; mkdir /data-template ; cat /etc/volume-data-list | while read i ; do echo $i ; if [ -e $i ] ; then tar cf - .$i | ( cd /data-template && tar xf - ) ; else mkdir -p /data-template$( dirname $i ) ; fi ; mkdir -p $( dirname $i ) ; if [ "$i" == /var/log/ ] ; then mv /var/log /var/log-removed ; else rm -rf $i ; fi ; ln -sf /data${i%/} ${i%/} ; done
# Discard the original /var/log that the loop moved aside.
RUN rm -rf /var/log-removed
# The stock tmpfiles rule would recreate /var/log as a directory ("d"); turn it
# into a rule that recreates the symlink ("L") to /data/var/log instead.
RUN sed -i 's!^d /var/log.*!L /var/log - - - - /data/var/log!' /usr/lib/tmpfiles.d/var.conf
# Do not ship a random seed in the template: presumably so that no two /data
# volumes created from this image start from the same seed.
RUN rm -f /data-template/var/lib/systemd/random-seed
# Version of the volume layout (presumably consumed by the ipa-volume-upgrade-*
# scripts — confirm).
RUN echo 1.1 > /etc/volume-version
# debug: RUN test "$container" = oci
# Service ports. EXPOSE is documentation only; publishing happens at run time.
# Kerberos KDC (88) and kpasswd (464), TCP and UDP
EXPOSE 88 88/udp 464 464/udp
# DNS
EXPOSE 53 53/udp
# HTTP / HTTPS
EXPOSE 80 443
# LDAP / LDAPS
EXPOSE 389 636
# NTP
EXPOSE 123/udp
# 7389 and 9443-9445: presumably the CA subsystem's LDAP and HTTPS ports — confirm
EXPOSE 7389 9443 9444 9445
# /tmp and /run are ephemeral; /data carries all persistent state.
VOLUME [ "/tmp", "/run", "/data" ]
# SIGRTMIN+3 is systemd's halt signal, so `docker stop` shuts the unit tree
# down cleanly instead of killing PID 1.
STOPSIGNAL RTMIN+3
ENTRYPOINT [ "/usr/local/sbin/init" ]
# Per-build identifier. /data-template is not a declared volume, so this file
# persists in the image even though it is written after the VOLUME line.
RUN uuidgen > /data-template/build-id
# Invocation:
# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
# For atomic, we run INSTALL --privileged but install.sh will start another unprivileged container.
# We do it this way to be able to set hostname for the unprivileged container.
#
# Labels consumed by the atomic CLI. The values are single-quoted, presumably
# so the build's variable expansion leaves ${NAME}/${IMAGE}/${RUN_OPTS} intact
# as placeholders for the CLI — confirm before changing the quoting.
# Security notes for operators:
#  - install and uninstall run --privileged with the host root bind-mounted at
#    /host, i.e. with full control of the host. Per the comment above this is
#    limited to the one-shot installer; the long-running service container
#    from the "run" label is started without --privileged (cgroup fs read-only,
#    /run and /tmp on tmpfs).
#  - "run" bind-mounts the host's /dev/urandom over the container's
#    /dev/random, presumably so key generation never blocks on the blocking
#    pool — confirm. In-container /dev/random is then exactly host urandom.
#  - RUN_OPTS_FILE lives inside the persistent data directory, so whoever can
#    write /var/lib/${NAME} controls the extra docker run flags (if atomic
#    honours this file); treat that directory as trusted.
LABEL install 'docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh'
LABEL run 'docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}'
LABEL RUN_OPTS_FILE '/var/lib/${NAME}/docker-run-opts'
LABEL stop 'docker stop ${NAME}'
LABEL uninstall 'docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh'
# Descriptive metadata (atomic / Kubernetes display strings).
LABEL summary="Identity Management (IdM) for Linux provides centralized \
management of identities and policies for Atomic Host"
LABEL description="IPA is an integrated solution to provide centrally managed \
Identity (users, hosts, services), Authentication (SSO, 2FA), and \
Authorization (host access control, SELinux user roles, services). The \
solution provides features for further integration with Linux based clients \
(SUDO, automount) and integration with Active Directory based infrastructures \
(Trusts)."
LABEL io.k8s.display-name="Identity Management (IdM) for Linux"
LABEL io.k8s.description="IPA is an integrated solution to provide centrally \
managed Identity (users, hosts, services), Authentication (SSO, 2FA), and \
Authorization (host access control, SELinux user roles, services). The \
solution provides features for further integration with Linux based clients \
(SUDO, automount) and integration with Active Directory based infrastructures \
(Trusts)."