#50343 Option to disable LDAPI in dscreate
Opened 2 months ago by edewata. Modified 12 days ago

Currently dscreate will always create an LDAPI socket. This seems to be causing a problem for containerization. Presumably dscreate does not have permission to create the LDAPI socket in the container, and also it may not be needed at all for containers, so having an option to skip LDAPI socket creation would probably avoid this problem.

To reproduce the problem, use the following Dockerfile:

FROM fedora:29

ENV container docker
EXPOSE 10389 10636

RUN dnf install -y 389-ds-base
RUN dscreate create-template | sed \
    -e "s/;root_password = .*/root_password = Secret.123/g" \
    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
    -e "s/;selinux = .*/selinux = False/g" \
    -e "s/;port = .*/port = 10389/g" \
    -e "s/;secure_port = .*/secure_port = 10636/g" \
    > /root/ds.inf
RUN dscreate from-file /root/ds.inf --containerised

USER dirsrv

CMD [ \
    "/usr/sbin/ns-slapd", \
    "-D", "/etc/dirsrv/slapd-localhost", \
    "-i", "/var/run/dirsrv/slapd-localhost.pid" \
]

Then execute the following commands:

$ docker build -t ds .
$ docker run --rm --name ds ds

It will fail with the following error:

[26/Apr/2019:18:23:47.052692715 +0000] - ERR - createprlistensockets - PR_Bind() on localhost file /var/run/slapd-localhost.socket failed: Netscape Portable Runtime error -5966 (Access Denied.)

Ideally the container should be able to run without errors.
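Added example, not part of the ticket or of 389-ds-base: bind() on a Unix socket path creates a directory entry, so the calling user needs write and search permission on the parent directory, and this check evaluates that for the socket path and the dirsrv user named above. It assumes classic mode bits only; the function names and the DirInfo type are hypothetical.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check also runs on constructed values.
DirInfo = namedtuple("DirInfo", "st_mode st_uid st_gid")

def can_bind_unix_socket(dir_info, uid, gids):
    """Return (ok, reason): may uid/gids create a socket file in this directory?

    Only the parent directory's mode bits are evaluated. ACLs, capabilities,
    SELinux and search permission on ancestor directories are not modelled.
    """
    if not stat.S_ISDIR(dir_info.st_mode):
        return False, "parent is not a directory"
    if uid == 0:
        # Assumption: root still holds CAP_DAC_OVERRIDE in the container.
        return True, "root bypasses mode bits"
    # The kernel picks exactly one permission class: owner, then group, then other.
    if uid == dir_info.st_uid:
        need, who = stat.S_IWUSR | stat.S_IXUSR, "owner"
    elif dir_info.st_gid in gids:
        need, who = stat.S_IWGRP | stat.S_IXGRP, "group"
    else:
        need, who = stat.S_IWOTH | stat.S_IXOTH, "other"
    if dir_info.st_mode & need == need:
        return True, f"{who} bits grant w+x"
    mode = stat.S_IMODE(dir_info.st_mode)
    return False, f"{who} bits lack w+x (mode {mode:04o})"

def check_socket_path(socket_path, uid, gids):
    """Run the check against the real parent directory of socket_path."""
    parent = os.path.dirname(socket_path) or "."
    return can_bind_unix_socket(os.stat(parent), uid, gids)

if __name__ == "__main__":
    import pwd
    import sys
    # Defaults come from the error message and the USER line in the report.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/run/slapd-localhost.socket"
    user = sys.argv[2] if len(sys.argv) > 2 else "dirsrv"
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)
    ok, reason = check_socket_path(path, pw.pw_uid, gids)
    print(f"{user} -> {path}: {'OK' if ok else 'DENIED'} ({reason})")
```

Run inside the image as root, it reports whether the runtime user could create the socket before ns-slapd is started under that user.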


Upstream has a "better" way to manage container builds now. Could you test with a different dockerfile based on: https://pagure.io/389-ds-base/blob/master/f/src/lib389/cli/dscontainer I can provide a dockerfile if required.

Metadata Update from @firstyear:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

2 months ago

Hi, if you could provide the Dockerfile and the commands to build and run it that'll be great. Thanks!

FROM opensuse/tumbleweed:latest
MAINTAINER wbrown@suse.de

EXPOSE 3389 3636

RUN zypper in -y 389-ds

RUN mkdir -p /data/config && \
    mkdir -p /data/ssca && \
    ln -s /data/config /etc/dirsrv/slapd-localhost && \
    ln -s /data/ssca /etc/dirsrv/ssca

# Install 389-ds ...

# Temporal volumes for each instance

VOLUME /data/

CMD [ "/usr/sbin/dscontainer", "-r" ]

This is what I have been using: I'm sure you would be able to adjust it for fedora/rhel easily.

Is this still a valid request? Do we need to disable LDAPI in docker?

We require it in docker :) If there is an issue with it in docker, that means there is a docker file issue.
