-
Notifications
You must be signed in to change notification settings - Fork 260
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Windows Instructions #579
Conversation
Keep each step on new line.
I'm not fond of these detailed instructions -- they are bound to become a liability, getting obsolete, incomplete, or simply not working on specific combinations of WSL versions, WSL distributions, docker, and whatever else can impact the outcome. The instructions we have in https://github.com/freeipa/freeipa-container#running-freeipa-server-container are intentionally vague ("... may be necessary ...") because we simply cannot cover all the combinations and we leave it up to the person setting FreeIPA in their containerization environment to figure out the exact details and requirements with their vendor / community. I do support the idea of making things easier for people trying this out on Windows. But if Microsoft already has a documentation we can refer to, we should just link to it. (Over the years people seemed to duplicate the instructions for running the FreeIPA containers on other sites and we then saw people struggling with obsolete guidance, missing the fact that our README got updated with latest understanding of working steps since those other sites put their content on. And yes, cgroups was the typical problematic area.) I would go with a single sentence, something like
Except:
|
I agree maintaining good instructions is more work vs vague ones. No need to repeat Microsoft directions if we're keeping this short as a link will do. However, this project doesn't have a docker compose example so this PR text is a little more verbose than it otherwise would be to fill that gap. If someone is developing software with Docker containers they'll likely be using Docker Compose to avoid copy and pasting commands and managing multiple containers independently. Maybe the instructions could be shortened by simply taking the one-line sentence you propose and then appending the compose example? I'm not sure which cgroup version is being used, but WSL distro config for systemd does appear to be required as the example doesn't work until you add it. |
The reason why we don't have a specific docker-compose configuration example is pretty much the same as for the other setup guidance "vagueness" I explained -- docker-compose is merely For example, FreeIPA server really requires a FQDN hostname. We've had people using FQDN in Also, the docker-compose example that you show will likely not work on Linuxes with cgroupv2 ... meaning we'd immediately need to start showing multiple versions, repeating the "... may be necessary ...". We can discuss adding docker-compose example in separate PR but I thought it might be fair to state my general position upfront. The change / example would need to be done in such a way that it does not become a maintenance burden down the road. |
Can you figure out which cgroup version is used? What happens when you disable the v1 and just use v2? Is the I'm also afraid that you have the implication slightly reversed -- yes, adding If you have the Windows environment around, can you please test what gets or does not get mounted in the WSL environment without the Another thing to figure out are user namespaces. On Linuxes with cgroups v2, docker seems to only configure proper cgroup delegation when |
I think having the simplest possible working example is ideal for getting people up and running fast and it's going to hard to find a faster or simpler container quick start than It isn't clear what domainname is really for, which is even more reason for this freeipa container project to figure it out so each user doesn't have to. Some suggest it is only needed for NIS, which if true would mean not it's not necessary I think (I assume yp is optional in freeipa). The hostname and domainname behavior depends on networking mode. The current freeipa container README doesn't mention this. The default (and likely safest) network mode is bridge mode and that's a good target for a quick start compose demo. Regardless of Docker Compose vs Docker run the hostname/domainname issue needs to be explicitly explained. In my example above I assume I'm using cgroup v1, but it appears both V1 and V2 are installed on my Ubuntu distro (though only as single /sys/fs/cgroup path):
I think a cgroup v2 example is a good idea if it's different. Having two examples is more maintenance, but may be needed since cgroups V1 presumably isn't always available. I'll need to do some more testing to see if there are other combinations that work (and try to figure out how to use cgroup V2). If I remove |
From my old investigation when Fedora was thinking to remove NIS tools: FreeIPA does depend on nisdomainname utility (part of hostname package). SUDO depends on the correct value returned from getdomainname() in order to support netgroups in LDAP-stored SUDO rules. Same rules are implemented by FreeIPA and SSSD. However, I think this is not deprecated technology question. Domain name information is the part of UTS information in the kernel. According to glibc implementation, getdomainname() pulls the domain name from uname() syscall: where 'domainname' is GNU extension. It represents a name of the domain this host belongs to. Note that the domain name itself is not a DNS domain name as it represents a higher abstraction level entity which can be roughly mapped to a whole IPA or AD domain. This is how we actually are using it in FreeIPA. Someone has to set the domain name upon startup. So far, only nisdomainname tool was doing that. If that is removed, then SUDO will definitely break. This does not require presence of NIS infrastructure but does require properly configured NIS domain name on each client. Which means we must be able to continue configuring NIS domain name. |
My example above doesn't set domainname in Docker and appears to work. Setting domainname might be handled by the freeipa container entrypoint (given hostname) or possibly the |
So what is the output of |
The output of Edit:
|
Actually, in an unprivileged container we just block out We don't assume any sudo operations happening in the FreeIPA container, so this was not really a problem (IIRC). Anyway, let's keep this PR on the core "run FreeIPA in WSL, by primarily focusing on cgroups" issue, and perhaps let's have separate issue about the hostnames / domainnames. |
@slominskir Could you use microsoft/WSL#6662 (comment) and see if you get cgroupsv2 mounted directly on Based on the note in microsoft/WSL#10877 that That |
@adelton If I add
Docker Desktop starts, but then freeipa compose example fails (regardless of
You may be on to something with theory that |
Looks like getting cgroups V2 to work with Docker is tricky even directly on some Linux distros (no WSL): #429. There is a ton of complexity in this project due to freeipa running multiple services inside a single container via systemd and that turns out to not be very portable (and apparently not even possible in many environments until recently). Is it possible to separate the 389 LDAP server, Apache httpd web server, Tomcat PKI CA app server, and MIT Kerberos KDC service, and anything else I'm forgetting into separate containers that communicate through ports and are all launched via a Docker Compose? This would presumably side-step this entire systemd / cgroups hassle and be more portable. In my particular use case we use a cluster of yum installed Red Hat Identity Manager on RHEL servers in production and I'm simply attempting to have a test/dev freeipa server spin up in a container so I can develop apps that interface with freeipa in isolation from prod and avoid a dedicated test VM subnet. I actually only need the 389 LDAP server at the moment so spinning up that server in a container and applying the freeipa flat LDAP schema appears to be the way to go. |
For Linux and cgroupsv2 and docker, the #429 (comment) guidance is in the README since August 2022 (9f7e452#diff-2b7814d3fca2e99e56c51b6ff2aa313ea6e9da6424804240aa8ad891fdfe0900) and I don't remember anyone reporting a problem with that. |
If you have access to RHEL / RHEL-like platforms, I'd strongly suggest to just go with podman or docker there, rather than the WSL thing. I don't think we heard reports of anyone else trying things on Windows. |
Sure it is theoretically possible and you are welcome to try that. But note that you will be re-implementing large portions of the To copy my response from #386 (comment): I'm not particularly happy that freeipa-container depends on systemd but the proper solution would be to make FreeIPA itself configurable across multiple hosts / VMs, in other words FreeIPA natively offering itself for containerized split, including any configuration and setup tools. In freeipa-container project we just consume FreeIPA in the way matching its deployment on hosts (outside of containers), based on packaging for the specific OS versions (RHEL, CentOS, Fedora). |
Windows still makes up majority of desktop and laptop OSes I believe so simply not recommending/supporting their use with freeipa container isn't a great option. Plus many people have Windows gaming machines at home that double as great container hosts! Each upstream service that makes up freeipa is likely to eventually land on having a container option anyways if it hasn't already simply for ease of testing, development, and demos. I guess at that point it will be easier for freeipa to adopt the one service per container design. Docker Compose examples are a great additional form of documentation: an easily launched working example cleanly modularized that can be easily interrogated is very valuable. It's also a great way to recreate bugs and communicate them to devs via a relatively small package. Modular also means users can work with only the portion needed (in my case just 389 LDAP). These benefits are really only true if the containers work easily and portably and that may require the software within to be made such that it works well in-container and is portable. The freeipa project that integrates all theses services could separate the setup scripts into modules, one per service such that they could be run separately. It appears there are some IPC mechanisms currently required as well that would need to be configurable to optionally use ports instead. A lot of the updating probably involves making hard-coded assumptions configurable and organizing modularly. In the meantime, I guess we can close this PR and just wait and see what develops in the container world. I'm not sure how to reliably run freeipa in a container on Windows at this point. I got it working with trial and error. I thought it was simply |
Fixes #578