[Freeipa-users] FreeIPA and project Atomic
Jan Pazdziora
jpazdziora at redhat.com
Mon Jan 11 10:35:05 UTC 2016

On Sat, Jan 09, 2016 at 06:41:53PM -0500, Marc Boorshtein wrote:
> I'm moving an environment from one that uses all separate VMs to one using
> project Atomic and Docker images. A couple of questions:
>
> 1. Are there any known issues joining an atomic host to a FreeIPA domain?
> (Or has anyone tried it?)

As Lukáš has noted, the fedora/sssd container exists which allows
you to execute ipa-client-install (or realm join) and then run sssd:

http://www.adelton.com/docs/docker/fedora-atomic-sssd-container

The only outstanding issue is that sudo rules currently do not
work on Fedora Atomic (but work on RHEL Atomic).

> 2. Is there any reason I couldn't run FreeIPA in a container in this
> setup? It seems odd to run FreeIPA on a container for a server in its own
> domain. My first thought is to have the FreeIPA servers running on their
> own VMs.

The main reason against the FreeIPA server in a container, provided
you use

https://github.com/adelton/docker-freeipa
https://hub.docker.com/r/adelton/freeipa-server/

would be the lack of SELinux isolation of the individual components,
plus the expectation that we sometimes see that containers are like
virtual machines (and people treat them like those, especially from
a security point of view) when they are not.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat