| |
@@ -40,6 +40,7 @@
|
| |
from lib389.instance.options import General2Base, Slapd2Base
|
| |
from lib389.passwd import password_generate
|
| |
from lib389.paths import Paths
|
| |
+ from lib389._constants import DSRC_CONTAINER
|
| |
|
| |
# We setup the logger in verbose mode to make sure debug info
|
| |
# is always available!
|
| |
@@ -47,7 +48,10 @@
|
| |
|
| |
# Handle any dead child process signals we receive. Wait for them to terminate, or
|
| |
# if they are not found, move on.
|
| |
- def _sigchild_handler():
|
| |
+ #
|
| |
+ # We take *args and **kwargs here to handle the fact that this signal gets args, but
|
| |
+ # we don't need or care about them.
|
| |
+ def _sigchild_handler(*args, **kwargs):
|
| |
log.debug("Received SIGCHLD ...")
|
| |
os.waitpid(-1, os.WNOHANG)
|
| |
|
| |
@@ -103,14 +107,15 @@
|
| |
'/data/logs'
|
| |
]:
|
| |
if not os.path.exists(d):
|
| |
- os.makedirs(d, mode=0o770)
|
| |
+ # Yolo, container security is from ns isolation, not unix perms. When we drop
|
| |
+ # privs we'll need this to support future writes.
|
| |
+ os.makedirs(d, mode=0o777)
|
| |
|
| |
# Do we have correct permissions to our volumes? With the power of thoughts and
|
| |
# prayers, we continue blindy and ... well hope.
|
| |
|
| |
- # Do we have an instance? We can only tell by the /data/config/container.inf
|
| |
- # marker file
|
| |
- if not os.path.exists('/data/config/container.inf'):
|
| |
+ # Do we have an instance? We can only tell by the DSRC_CONTAINER marker file
|
| |
+ if not os.path.exists(DSRC_CONTAINER):
|
| |
# Nope? Make one ...
|
| |
log.info("Initialising 389-ds-container due to empty volume ...")
|
| |
rpw = password_generate()
|
| |
@@ -162,10 +167,19 @@
|
| |
|
| |
log.info("IMPORTANT: Set cn=Directory Manager password to \"%s\"" % rpw)
|
| |
|
| |
- # Create the marker to say we exist. This is also a good writable permissions
|
| |
- # test for the volume.
|
| |
- with open('/data/config/container.inf', 'w') as f:
|
| |
- f.write('allocated')
|
| |
+ # Create the marker to say we exist. This is also a good writable permissions
|
| |
+ # test for the volume.
|
| |
+ with open(DSRC_CONTAINER, 'w') as f:
|
| |
+ f.write("""
|
| |
+ [localhost]
|
| |
+ # Note that '/' is replaced to '%%2f' for ldapi url format.
|
| |
+ # So this is pointing to /data/run/slapd-localhost.socket
|
| |
+ uri = ldapi://%%2fdata%%2frun%%2fslapd-localhost.socket
|
| |
+ binddn = cn=Directory Manager
|
| |
+ # Set your basedn here
|
| |
+ # basedn = dc=example,dc=com
|
| |
+ """)
|
| |
+ os.chmod(DSRC_CONTAINER, 0o755)
|
| |
|
| |
# TODO: All of this is contingent on the server starting *and*
|
| |
# ldapi working ... Perhaps these are better inside ns-slapd core
|
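Review bot: `os.makedirs(d, mode=0o777)` in the third hunk makes every directory created under /data world-writable, and the comment's premise (namespace isolation is enough) holds only while nothing else can reach these volumes. With a bind-mounted host path or a volume shared with another container, any local uid could then replace configuration or log files. If the aim is to survive a later privilege drop, keeping `os.makedirs(d, mode=0o770)` and chowning each directory to the uid/gid the server will run as covers the same need without opening the tree; the mode passed to makedirs is also masked by the process umask, so it should be set explicitly if it matters. In the last hunk, `os.chmod(DSRC_CONTAINER, 0o755)` puts execute bits on a plain config file, where `0o644` would be enough. The enclosing function starts and ends outside these hunks.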
| |
Bug Description: In testing a production deployment of 389-ds-base
from the source tree, a new dockerfile was added to handle the release
build and proper image cleanups. Additionally, some issues with sigchld
handling were noted.
Fix Description:
* Add a .release dockerfile for the suse base image which cleans up
after itself correctly.
* Catch extra arguments to the sigchld handler
* Create directories in /data with more open permissions to account for
id changes.
Author: William Brown william@blackhats.net.au
Review by: ???