#49005 lib389: Update lib389 to work in containers correctly.
Closed: Fixed None Opened 3 years ago by firstyear.

This update fixes a number of issues for Directory Server's operation in a container environment.

Important changes are the detection of systemd (from the paths module), fixing the installer to correctly set permissions, and updating plugins to allow them to be enabled during the containerised install.


Tested with dirsrv test suites, lib389 tests, fedora rawhide, el7, and can build a docker container out of DS with these changes.

{{{
FROM fedora:rawhide
MAINTAINER wibrown@redhat.com
EXPOSE 389 636
ENV container docker

# Add the copr repos we need

RUN dnf install -y dnf-plugins-core && dnf copr enable firstyear/ds -y

# Now upgrade, and install useful tools.

# Httpd should be a dep on rest389

RUN /usr/bin/dnf upgrade -y && /usr/bin/dnf -y install httpd 389-ds-base procps-ng iputils && /usr/bin/dnf clean all;

# Add the setup-inf, we have an example with the rest package though.

# Build the instance from the new installer tools.

RUN dnf install -y https://copr-be.cloud.fedoraproject.org/results/firstyear/ds/fedora-rawhide-x86_64/00462962-python-lib389/python3-lib389-1.0.3-1.fc26.noarch.rpm python3-rest389 python3-idm389

RUN /usr/sbin/dsadm -v instance create -f /usr/share/rest389/examples/ds-setup-rest-admin.inf --IsolemnlyswearthatIamuptonogood --containerised

# Finally add the volumes, they will inherit the contents of these directories.

VOLUME /etc/dirsrv
VOLUME /var/log/dirsrv
VOLUME /var/lib/dirsrv

WORKDIR /var/empty
CMD ["/usr/sbin/ns-slapd", "-d", "0", "-D", "/etc/dirsrv/slapd-localhost", "-i", "/var/run/dirsrv/slapd-localhost.pid"]
}}}

I think next we need to add:

  • New installer needs to stop slapd after complete install
  • Bug in DS where you make a backend but don't add dc=example,dc=com so you can't add it without ldif2db
  • DS to show signals it receives so that we can terminate properly when requested.
  • Capabilities so we can run as USER dirsrv, rather than root and drop privileges.
  • Detect ram / cpu in cgroup of the container (hard)
  • ns-slapd should be able to set some values in cn=config from ENV, ie Directory Manager password (or hash) so that this can be deployed securely.

I'll get back to these in the future.

Wow, #comment:2 looks very nice. Could you put it somewhere in port389.org? Maybe in the design doc section?

Regarding the review, sorry, I only reviewed [1]. It looks good to me.

A question... Do the changes for Makefile and defaults.inf need to be back ported to 1.2.11, as well? If so, please put the Milestone to 1.2.11.33. Thanks!

[1] 0001-Ticket-49005-Update-lib389-to-work-in-containers-cor.patch

I think the change I have made here for the defaults doesn't affect 1.2.11 too much. with_systemd on paths will set false if it can't find the option. As well 1.2.11 will never have this as "true".

Saying this, probably a good idea to keep it consistent, even if it will always be "false". So I'll make a patch for this for 1.2.11 as well. Is that okay?

I think you are right that I should make a design doc too, I probably need to open some more tickets also.

Replying to [comment:4 firstyear]:

> I think the change I have made here for the defaults doesn't affect 1.2.11 too much. with_systemd on paths will set false if it can't find the option. As well 1.2.11 will never have this as "true".
>
> Saying this, probably a good idea to keep it consistent, even if it will always be "false". So I'll make a patch for this for 1.2.11 as well. Is that okay?

Sure. Thank YOU.

So in plugin.py you set the required attributes for a plugin entry which includes:

nsslapd-plugin-depends-on-type

However, this attribute is not required.

It still gets my ack, but this should be updated.

commit 51572c39a3d969f7ffc4b7d9cb1a336d1d72d838
Writing objects: 100% (9/9), 1.06 KiB | 0 bytes/s, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
cbd6168..6a6bbc8 master -> master

commit 3e0de75
Writing objects: 100% (6/6), 828 bytes | 0 bytes/s, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
a5499cb..3e0de75 389-ds-base-1.2.11 -> 389-ds-base-1.2.11

commit 3d4fc0db520e637766b795fecf98070e49b4f496
Writing objects: 100% (16/16), 4.33 KiB | 0 bytes/s, done.
Total 16 (delta 13), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/lib389.git
deb6d71..3d4fc0d master -> master

William, could you please update Makefile.in? Otherwise I have in defaults.inf:
{{{
with_systemd = @with_systemd@
}}}

Replying to [comment:7 firstyear]:

> commit 51572c39a3d969f7ffc4b7d9cb1a336d1d72d838

And where is this commit id coming from?

> Writing objects: 100% (9/9), 1.06 KiB | 0 bytes/s, done.
> Total 9 (delta 7), reused 0 (delta 0)
> To ssh://git.fedorahosted.org/git/389/ds.git
> cbd6168..6a6bbc8 master -> master

Here 6a6bbc8 points to the one in the repo and 51572c39a3d969f7ffc4b7d9cb1a336d1d72d838 is nowhere to be found. It makes it difficult to view changesets in trac.

> commit 3e0de75
> Writing objects: 100% (6/6), 828 bytes | 0 bytes/s, done.
> Total 6 (delta 4), reused 0 (delta 0)
> To ssh://git.fedorahosted.org/git/389/ds.git
> a5499cb..3e0de75 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
>
> commit 3d4fc0db520e637766b795fecf98070e49b4f496
> Writing objects: 100% (16/16), 4.33 KiB | 0 bytes/s, done.
> Total 16 (delta 13), reused 0 (delta 0)
> To ssh://git.fedorahosted.org/git/389/lib389.git
> deb6d71..3d4fc0d master -> master

Thanks!
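
An added example, not part of the ticket and not lib389's own code, of the behaviour discussed above: reading `with_systemd` from defaults.inf so that a missing option yields false, and rejecting a literal `@with_systemd@` left behind when Makefile.in does not substitute it. The `[slapd]` section name, the function names, the accepted true values and the policy keyed on the `container` environment variable are assumptions made for illustration.

```python
import configparser

# Constructed sample inputs. The [slapd] section name is an assumption.
SUBSTITUTED = "[slapd]\nwith_systemd = 1\n"
MISSING = "[slapd]\nprefix = /usr\n"
UNSUBSTITUTED = "[slapd]\nwith_systemd = @with_systemd@\n"

TRUE_VALUES = {"1", "true", "yes", "on"}  # assumed spellings of "true"


class UnsubstitutedPlaceholder(ValueError):
    """defaults.inf still holds an autoconf @token@ instead of a value."""


def read_with_systemd(inf_text, section="slapd"):
    """Return the with_systemd setting; a missing option or section is False."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(inf_text)
    raw = parser.get(section, "with_systemd", fallback=None)
    if raw is None:
        return False
    raw = raw.strip()
    if len(raw) > 1 and raw.startswith("@") and raw.endswith("@"):
        # Fail loudly: the build never filled the value in, so guessing
        # either way could start or skip systemd handling by accident.
        raise UnsubstitutedPlaceholder(f"with_systemd = {raw}")
    return raw.lower() in TRUE_VALUES


def manage_with_systemd(inf_text, environ):
    """Hypothetical policy: never use systemd when `container` is set in the
    environment (as `ENV container docker` does), whatever defaults.inf says."""
    if environ.get("container"):
        return False
    return read_with_systemd(inf_text)


if __name__ == "__main__":
    print(read_with_systemd(SUBSTITUTED), read_with_systemd(MISSING))
    print(manage_with_systemd(SUBSTITUTED, {"container": "docker"}))
```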

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

3 years ago

Metadata Update from @vashirov:
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

6 months ago
