Currently dscreate will always create an LDAPI socket. This seems to be causing a problem for containerization. Presumably dscreate does not have permission to create the LDAPI socket in the container, and also it may not be needed at all for containers, so having an option to skip LDAPI socket creation would probably avoid this problem.
To reproduce the problem, use the following Dockerfile:
ENV container docker
EXPOSE 10389 10636
RUN dnf install -y 389-ds-base
RUN dscreate create-template | sed \
-e "s/;root_password = .*/root_password = Secret.123/g" \
-e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
-e "s/;selinux = .*/selinux = False/g" \
-e "s/;port = .*/port = 10389/g" \
-e "s/;secure_port = .*/secure_port = 10636/g" > /root/ds.inf
RUN dscreate from-file /root/ds.inf --containerised
CMD [ \
"-D", "/etc/dirsrv/slapd-localhost", \
"-i", "/var/run/dirsrv/slapd-localhost.pid" \
Then execute the following commands:
$ docker build -t ds .
$ docker run --rm --name ds ds
It will fail with the following error:
[26/Apr/2019:18:23:47.052692715 +0000] - ERR - createprlistensockets - PR_Bind() on localhost file /var/run/slapd-localhost.socket failed: Netscape Portable Runtime error -5966 (Access Denied.)
Ideally the container should be able to run without errors.
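A preflight check for the bind failure reported above, as an added example that is not part of the original ticket or of 389-ds-base: it attempts an AF_UNIX bind at the socket path as the user it runs under and reports why the bind would fail. The function name `check_unix_socket_path` is hypothetical; the default path is the one from the error message.

```python
import errno
import os
import socket
import sys


def check_unix_socket_path(path):
    """Return (ok, reason): can the current user bind an AF_UNIX socket at path?"""
    parent = os.path.dirname(path) or "."
    if not os.path.isdir(parent):
        return False, f"parent directory {parent} does not exist"
    if os.path.lexists(path):
        # Never probe over an existing entry: it may be a live socket.
        return False, f"{path} already exists, probe skipped"
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)  # creates the socket file, like the server's bind would
    except OSError as exc:
        if exc.errno in (errno.EACCES, errno.EPERM):
            mode = oct(os.stat(parent).st_mode & 0o7777)
            return False, (f"permission denied for uid {os.getuid()} "
                           f"in {parent} (mode {mode})")
        if exc.errno == errno.EROFS:
            return False, f"{parent} is on a read-only filesystem"
        # Covers over-long paths and anything else the kernel rejects.
        return False, f"bind failed: {exc}"
    finally:
        sock.close()
    os.unlink(path)  # remove the probe socket so the real server can bind
    return True, "bind succeeded"


if __name__ == "__main__":
    # Default is the path from the error message in this ticket.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/run/slapd-localhost.socket"
    ok, reason = check_unix_socket_path(target)
    print(f"{target}: {'OK' if ok else 'FAIL'} - {reason}")
    sys.exit(0 if ok else 1)
```

Run it inside the container as the same user the server process runs as; a result from a root shell says nothing about an unprivileged runtime user.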
Upstream has a "better" way to manage container builds now. Could you test with a different dockerfile based on: https://pagure.io/389-ds-base/blob/master/f/src/lib389/cli/dscontainer
I can provide a dockerfile if required.
Metadata Update from @firstyear:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
Hi, if you could provide the Dockerfile and the commands to build and run it that'll be great. Thanks!
EXPOSE 3389 3636
RUN zypper in -y 389-ds
RUN mkdir -p /data/config && \
mkdir -p /data/ssca && \
ln -s /data/config /etc/dirsrv/slapd-localhost && \
ln -s /data/ssca /etc/dirsrv/ssca
# Install 389-ds ...
# Temporal volumes for each instance
CMD [ "/usr/sbin/dscontainer", "-r" ]
This is what I have been using: I'm sure you would be able to adjust it for Fedora/RHEL easily.
Is this still a valid request? Do we need to disable LDAPI in docker?
We require it in docker :) if there is an issue with it in docker, that means there is a docker file issue.