{"id":13558751,"url":"https://github.com/freeipa/freeipa-container","last_synced_at":"2026-03-11T21:37:54.127Z","repository":{"id":18143280,"uuid":"21234996","full_name":"freeipa/freeipa-container","owner":"freeipa","description":"FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags","archived":false,"fork":false,"pushed_at":"2025-11-28T09:33:57.000Z","size":1089,"stargazers_count":678,"open_issues_count":0,"forks_count":270,"subscribers_count":39,"default_branch":"master","last_synced_at":"2025-11-30T09:23:18.718Z","etag":null,"topics":["container","container-image","docker","freeipa","freeipa-server","identity-management","k3s","kubernetes","moby-engine","openshift","podman"],"latest_commit_sha":null,"homepage":"https://quay.io/repository/freeipa/freeipa-server?tab=tags","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/freeipa.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-2.0","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2014-06-26T09:17:27.000Z","updated_at":"2025-11-28T16:31:50.000Z","dependencies_parsed_at":"2023-10-01T15:10:20.071Z","dependency_job_id":"e98372d1-7189-427d-9187-31cb5799d302","html_url":"https://github.com/freeipa/freeipa-container","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/freeipa/freeipa-container","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freeipa%2Ffreeipa-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freeipa%2Ffreeipa-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freeipa%2Ffreeipa-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freeipa%2Ffreeipa-container/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/freeipa","download_url":"https://codeload.github.com/freeipa/freeipa-container/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/freeipa%2Ffreeipa-container/sbom","scorecard":{"id":410761,"data":{"date":"2025-08-11","repo":{"name":"github.com/freeipa/freeipa-container","commit":"4cd410808066396bb1b2bc9f83b54ef0ace578f8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.8,"checks":[{"name":"Maintained","score":10,"reason":"29 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/build-test.yaml:1","Warn: no topLevel permission defined: .github/workflows/run-partial-tests.yaml:1","Warn: no topLevel permission defined: .github/workflows/test-rhel.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE-2.0:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE-2.0:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 7 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:149: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:150: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:232: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:261: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:267: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:306: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:324: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:365: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:369: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-test.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/build-test.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/run-partial-tests.yaml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/run-partial-tests.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test-rhel.yaml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/freeipa/freeipa-container/test-rhel.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile.almalinux-10:2: pin your Docker image by updating docker.io/almalinux/10-init to docker.io/almalinux/10-init@sha256:7ef8cf1277e4e4707345067c5ffa600a589aaed86cf958de11d362f96def306c","Warn: containerImage not pinned by hash: Dockerfile.almalinux-8:2: pin your Docker image by updating docker.io/almalinux/8-init to docker.io/almalinux/8-init@sha256:b0fe757d94799429bed66b315a75b03c6c27cacbdd4002f304a2d25518b11f9a","Warn: containerImage not pinned by hash: Dockerfile.almalinux-9:2: pin your Docker image by updating docker.io/almalinux/9-init to docker.io/almalinux/9-init@sha256:0a4f8e59b1515837ed9f8e9ea2505640ad292e3ba8ba6172c7ef0ca1da6fc19c","Warn: containerImage not pinned by hash: Dockerfile.centos-10-stream:2: pin your Docker image by updating quay.io/centos/centos:stream10 to quay.io/centos/centos:stream10@sha256:434ff0cde27336a76e52c42d87d4c235290ef614372a425b3c8d17208972fe32","Warn: containerImage not pinned by hash: Dockerfile.centos-9-stream:2: pin your Docker image by updating quay.io/centos/centos:stream9 to quay.io/centos/centos:stream9@sha256:11e44d30c45661567009402629a7eeb3579739957fe3827d469a353d0fe1801f","Warn: containerImage not pinned by hash: Dockerfile.fedora-41:2: pin your Docker image by updating registry.fedoraproject.org/fedora:41 to registry.fedoraproject.org/fedora:41@sha256:d07f1659062b38bdf9fc7415bdf322a54f4c5b56df175524ac23b95ff9fad7b9","Warn: containerImage not pinned by hash: Dockerfile.fedora-42:2: pin your Docker image by updating registry.fedoraproject.org/fedora:42 to registry.fedoraproject.org/fedora:42@sha256:7285bff1cb15fc5ed4f73ea995180feaf12bb48673d2a0b66357af22c04647e7","Warn: containerImage not pinned by hash: Dockerfile.fedora-rawhide:2: pin your Docker image by updating registry.fedoraproject.org/fedora:rawhide to registry.fedoraproject.org/fedora:rawhide@sha256:5191d9fd7771a4b2bc30b28a09816a1cecce55ee7a3532f9b2915c38fa9fc611","Warn: containerImage not pinned by hash: Dockerfile.rhel-10:2: pin your Docker image by updating registry.access.redhat.com/ubi10/ubi-init to registry.access.redhat.com/ubi10/ubi-init@sha256:c7df6520a93e4c3c603cc2ef388f5c5b6e2e582dde586a112dc5f929aa535396","Warn: containerImage not pinned by hash: Dockerfile.rhel-8:2: pin your Docker image by updating registry.access.redhat.com/ubi8-init to registry.access.redhat.com/ubi8-init@sha256:3510d89e60b3e7ff75f4235a63db710127ab0a30ef7bb7d9095c3d232f41523e","Warn: containerImage not pinned by hash: Dockerfile.rhel-9:2: pin your Docker image by updating registry.access.redhat.com/ubi9-init to registry.access.redhat.com/ubi9-init@sha256:28fa5bdcafa3392aaf1a60b9dcc8174e1e3949bfd163eea9eedec44568db89af","Warn: containerImage not pinned by hash: Dockerfile.rocky-8:2: pin your Docker image by updating docker.io/rockylinux/rockylinux:8 to docker.io/rockylinux/rockylinux:8@sha256:e8a49c5403b687db05d4d67333fa45808fbe74f36e683cec7abb1f7d0f2338c6","Warn: containerImage not pinned by hash: Dockerfile.rocky-9:2: pin your Docker image by updating docker.io/rockylinux/rockylinux:9 to docker.io/rockylinux/rockylinux:9@sha256:91bbb8eb52ca462611c1f9ce5c4cede4172a31bfe64f336e82f29648694a3cfe","Warn: downloadThenRun not pinned by hash: .github/workflows/build-test.yaml:228","Info:   0 out of  16 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  13 containerImage dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}}]},"last_synced_at":"2025-08-18T22:39:33.217Z","repository_id":18143280,"created_at":"2025-08-18T22:39:33.217Z","updated_at":"2025-08-18T22:39:33.217Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27782844,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-17T02:00:08.291Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container","container-image","docker","freeipa","freeipa-server","identity-management","k3s","kubernetes","moby-engine","openshift","podman"],"created_at":"2024-08-01T12:05:08.153Z","updated_at":"2025-12-17T12:03:54.387Z","avatar_url":"https://github.com/freeipa.png","language":"Shell","funding_links":[],"categories":["Shell","docker"],"sub_categories":[],"readme":"# FreeIPA server container\n\nThis repository contains `Dockerfile`s and additional files for\ncreating FreeIPA server container images from the official yum/dnf\nrepositories of multiple Linux distributions.\n\nThe choice of the OS and version depends on the purpose of the FreeIPA\nsetup, the same as it would when installing FreeIPA on a bare metal host\nor in a virtual machine. Newer versions are typically better and are\nalso useful for testing interoperability with latest version of FreeIPA;\nfor long term production setups, Fedora might be updating too quickly\nand sometimes be too new, compared to the other systems.\n\nEstablish an upgrade plan before putting the FreeIPA containers to\nproduction or you will find yourself with end-of-life FreeIPA cluster\nwith known security issues three years later.\n\n## Available images\n\nFreeIPA server container images are built from this repository\nautomatically and pushed to\n\n* https://quay.io/repository/freeipa/freeipa-server?tab=tags\n* https://hub.docker.com/r/freeipa/freeipa-server/tags\n\nSo the full canonical path for pulling images from container registry\nis one of\n\n* `quay.io/freeipa/freeipa-server:\u003ctag\u003e`\n* `docker.io/freeipa/freeipa-server:\u003ctag\u003e`\n\nThe tag matches the `Dockerfile` suffix, identifying the operating\nsystem the image is based on.\n\nThe images get rebuilt regularly, with latest version of both the FreeIPA\nand dependent packages in the given operating system version, both for\nsecurity and bug fixes. If you require stricter control over pulling in\nnew image builds into your deployments, tag them into your namespace\nor push to your registry and set up a testing/stage/production\nregression testing and process.\n\nThe container images registries also contain more specific tags that\nidentify the version of FreeIPA in the given image. Note however that\nthe underlying dependency packages could have been updated many times\neven if the FreeIPA packages stayed the same.\n\n## Building images locally\n\nWhen building the FreeIPA server container images locally, for\ndevelopment or debugging, use the `-f` option to `podman build`\nor `docker build` to pick a `Dockerfile` for the specific operating\nsystem and version.\n\nFor example, to build image based on CentOS 9 Stream packages using podman,\nuse\n\n    podman build -t localhost/freeipa-server -f Dockerfile.centos-9-stream .\n\nand to create FreeIPA image based on Fedora rawhide with docker, call\n\n    docker build -t localhost/freeipa-server -f Dockerfile.fedora-rawhide .\n\nNote that when using docker / moby-engine, the docker daemon needs\nto be running.\n\n## Running FreeIPA server container\n\nWhile in an ideal case the use of FreeIPA server container can simplify\nthe setup, prior experience with FreeIPA is definitely useful. For the\ngeneral FreeIPA topics, refer to the\n[FreeIPA documentation](https://www.freeipa.org/page/Documentation.html).\nHere we only focus on the aspects that are specific to running FreeIPA\ncontainerized.\n\nNote that getting the FreeIPA container set up and running can be more\nchallenging than other typical containerized workloads.\n\n### Running the container\n\nThe FreeIPA container runs systemd to manage all the necessary services\nwithin a single container. Running a systemd-based container may\nrequire special handling or parameters to be passed to the container\nruntime. When you hit an issue, debug by simplifying the setup, retry\nwith basic podman or docker instead of continuing with more complex\norchestration like docker-compose or Kubernetes, try to get plain\nsystemd running in container properly first (see Debugging section below).\n\nNote that privileged setup is not supported and will not work — we\nwant the FreeIPA server container to be reasonably isolated from the\nhost and vice versa.\n\nWith podman, normal `podman run` is typically enough and works for\nrootless setups as well.\n\nUse of [rootless docker](https://docs.docker.com/engine/security/rootless/)\n(check with `docker info --format '{{ .ClientInfo.Context }}'`)\nis only supported on systems with cgroups v2 (determine by existence of\n`/sys/fs/cgroup/cgroup.controllers`). It may then be necessary to\nuse `docker run` option\n\n    --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw\n\nWith rootful docker daemon,\n[user namespace remapping](https://docs.docker.com/engine/security/userns-remap/)\nmay be needed for the container cgroup to be properly created and mounted\nwithin the container read-write as systemd expects it, with\n\n    { \"userns-remap\": \"default\" }\n\nin `/etc/docker/daemon.json`. Restart of the docker service is needed\nafter this configuration change. This approach also isolates the root\nin the container from the root on the host, which is a good thing in\ngeneral. On the other hand, it is a global daemon configuration so it\nwill affect other containers as well.\n\nWith docker on systems with cgroups v1, there is often a hybrid setup\npresent with cgroups v2 as well, available as `/sys/fs/cgroup/unified`,\nso invoking `docker run` with option\n\n    -v /sys/fs/cgroup/unified:/sys/fs/cgroup:rw\n\nshould work.\n\nOn SELinux enabled systems, it may be also necessary to enable running\nsystemd in containers by setting SELinux boolean `container_manage_cgroup`\non the host with\n\n    setsebool -P container_manage_cgroup 1\n\n### Server configuration and data\n\nThe FreeIPA container will store all its configurations, data, and logs\non volume mounted to `/data` directory in the container. If we create\ndirectory which will hold the server data on the host with\n\n    mkdir ipa-data\n\nwe can then create the FreeIPA container with podman using\n\n    podman run --name freeipa-server-container -ti \\\n        -h ipa.example.test --read-only \\\n        -v $(pwd)/ipa-data:/data:Z \u003cimage\u003e [ ... ]\n\nand with docker using\n\n    docker run --name freeipa-server-container -ti \\\n        -h ipa.example.test --read-only \\\n        -v $(pwd)/ipa-data:/data:Z \u003cimage\u003e [ ... ]\n\nWhen running in rootless mode, make sure the volume directory on\nthe host is owned by uid which becomes uid 0 in the container.\n\nOf course, the volume can also be created in the container system,\nfor example with\n\n    podman volume create freeipa-data\n    podman run --name freeipa-server-container -ti \\\n        -h ipa.example.test --read-only \\\n        -v freeipa-data:/data:Z \u003cimage\u003e [ ... ]\n\n### Initial FreeIPA master setup\n\nUpon the first invocation with empty directory mounted to `/data`,\nthe container will run `ipa-server-install` (or `ipa-replica-install`)\nto configure FreeIPA master or replica. For example\n\n    podman run -ti -h ipa.example.test --read-only \\\n        -v /var/lib/ipa-data:/data:Z \\\n        \u003cimage\u003e ipa-server-install -r EXAMPLE.TEST --no-ntp\n\nwill run interactive `ipa-server-install` and configure the FreeIPA master\nusing the inputs provided. For unattended initial installation, use\nthe `-U` argument to `ipa-server-install` and specify all the necessary\ninputs as argument on the command line, for example\n\n    docker run -h ipa.example.test --read-only \\\n        -v /var/lib/ipa-data:/data:Z \\\n        -e PASSWORD=Secret123 \\\n        \u003cimage\u003e ipa-server-install -U -r EXAMPLE.TEST --no-ntp\n\nThe environment variable `PASSWORD` sets both the Directory Manager\nand admin passwords, an equivalent of specifying `--admin-password`\nand `--ds-password` on the command line.\n\nThe `ipa-server-install` command is the default and can be omitted.\n\nSometimes it is not convenient or possible to specify the arguments\nto `ipa-server-install` as arguments to `podman run` or `docker run`.\nIn the case they can be specified either using environment variable\n`IPA_SERVER_INSTALL_OPTS` using the `-e` option, or they can be passed\nin using file `ipa-server-install-options` in the directory mounted\nto the container as `/data`. For example, when\n`/var/lib/ipa-data/ipa-server-install-options` contains\n\n    --realm=EXAMPLE.TEST\n    --ds-password=The-directory-server-password\n    --admin-password=The-admin-password\n\nand `podman run` or `docker run` is executed with\n`-v /var/lib/ipa-data:/data:Z`, the content of\n`ipa-server-install-options` will be passed as arguments to\n`ipa-server-install`.\n\nSince the `ipa-server-install-options` typically contains passwords,\nit is also possible to use `podman secret create` to store the whole\ncontent of that file, and the invoke `podman run` with options like\n\n    --secret source=options-with-credentials,target=/data/ipa-server-install-options\n\nto expose the options in the container. The same holds for `docker`\ninvocation.\n\nIf you want to instruct the container to create a replica, specify the\n`ipa-replica-install` command in the `podman run` or `docker run`\nparameters:\n\n    podman run -ti -h ipa.example.test --read-only \\\n       -v /var/lib/ipa-data:/data:Z \\\n       \u003cimage\u003e ipa-replica-install [ opts ]\n\nUsing `ipa-replica-install-options` also works and will invoke\n`ipa-replica-install` and pass it its content as argument, the same\nway `ipa-server-install-options` works for `ipa-server-install`.\n\n### Routine invocation\n\nUpon subsequent invocations when `/data` is found already populated\nwith FreeIPA server configuration and data, the options are ignored\nand just the necessary services get started in the container.\n\n### Upgrades\n\nIf you have existing container with data volume, it should be safe\nto shut it down and run new one based on newer image, with the same\ndata directory bind-mounted to `/data`. The container logic will detect\nthat it is running with data produced by different image and attempt\nto upgrade the configuration and data.\n\nThis in-place upgrade with newer container image only works within\nthe same major version of the operating system used in container,\nso for example upgrades from AlmaLinux 9-based container to newer\nAlmaLinux 9-based images are supported but upgrades to AlmaLinux 10\nare not. With Fedoras, upgrades across major versions are known\nto work as well but it is recommended to upgrade along the sequential\nFedora versions; don't make jumps across multiple Fedora versions.\n\nOf course, keeping backup of the data directory for cases when the\nupgrade process fails is recommended. If in doubt, copy the volume\ncontent and start another throwaway container in a completely isolated\ntestbed environment using the original data and new image and verify\nthe upgrade and stability post upgrade.\n\nIf the in-place upgrade fails and for upgrades across major\noperating system versions, the easiest way forward is to take\nadvantage of FreeIPA's replication — add replica containers to the\nexisting FreeIPA cluster and remove the original containers after\nthe new ones have been verified stable.\n\n### Backup and restore\n\nThe FreeIPA server container stores all configuration, data, and logs\nin one volume mounted at `/data`. Instead of using `ipa-backup` and\n`ipa-restore`, the easiest way to backup the container is to stop it\nand just backup the content of the directory mounted to `/data`.\n\nIf you transfer that backup to different machine and you've been\nusing setup with user namespace remapping (rootless containers),\ncheck that the `/etc/subuid` and `/etc/subgid` values used by the\ndocker/podman match on both machines.\n\nYou then restore the server by running a new container with a copy\nof that backup mounted to `/data`.\n\n### Other runtime considerations\n\nIf you receive error like\n\n    IPv6 stack is enabled in the kernel but there is no interface that\n    has ::1 address assigned. Add ::1 address resolution to 'lo' interface.\n    You might need to enable IPv6 on the interface 'lo' in sysctl.conf.\n\nyou might also need to add option `--sysctl net.ipv6.conf.all.disable_ipv6=0`.\n\nIf you receive error like\n\n    Unable to determine the amount of available RAM\n\nyou might need to use `ipa-server-install` option `--skip-mem-check`.\n\nWhen running DNS server (the `--setup-dns` argument to `ipa-server-install`)\nin the FreeIPA container, add `--dns=127.0.0.1` option to the\n`podman run` or `docker run` invocation to allow the FreeIPA server\nto reach its own DNS server.\n\nTo allow for unprivileged container operation, use the `-h ...`\noption to set the hostname for the FreeIPA server in the container.\nIf it's not possible to set the hostname for the container, specify it\nwith `IPA_SERVER_HOSTNAME` environment variable, for example with\n`podman run -e IPA_SERVER_HOSTNAME=...`. This might however not work\nwith read-only containers.\nDo not use the `ipa-server-install --hostname ...` argument.\n\n### Exposing ports\n\nIf you want to use the FreeIPA server not just from the host\nwhere it is running but from external machines as well, you\nmight want to use the `-p` options to make the services accessible\nexternally.\n\n    docker run -p 53:53/udp -p 53:53 \\\n        -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \\\n\t-p 88:88/udp -p 464:464/udp -p 123:123/udp ...\n\nYou will then likely want to also specify the `--ip-address`\noption to `ipa-server-install` with the IP address of the host,\nand also use the `--add-host` option to the `docker run` / `podman run`\nwith the same IP address, especially when running the container\nas read only.\n\nBy default the container will attempt to update the FreeIPA\nserver's IPv4 address in the internal DNS server to its internal\naddress (as seen in the container) upon each startup, using the\nsystemd service `ipa-server-update-self-ip-address` in the container.\nYou can disable this mechanism by setting the `IPA_SERVER_IP`\nenvironment variable to `no-update`, via the `-e` option to\n`docker run` / `podman run`, or by exec-ing to the container and running\n`systemctl disable ipa-server-update-self-ip-address.service`.\n\nAlternatively, the `IPA_SERVER_IP` environment variable can be\nused to force the IPv4 address DNS record to a specific value.\nUsing this mechanism will however not update the `ipa-ca` record.\n\n### Running in Kubernetes\n\nAn example Pod YAML for running FreeIPA server in Kubernetes is shown\nin [tests/freeipa-k8s.yaml](tests/freeipa-k8s.yaml). It is also used\nby the CI workflows of this repo which you are welcome so check for\nany workarounds that might be needed.\n\nThe crucial value is the `spec.hostUsers: false` which ensures the Pod\nruns in its user namespace, with its root (and other uids) isolated\nfrom the host. For this to work, the `UserNamespacesSupport`\nKubernetes feature gate needs to be set to `true` in the cluster.\nThe feature gate is present starting with Kubernetes 1.28, and it\nis `true` by default since Kubernetes 1.33.\n\nThe second prerequisite is the support for user namespaces and writable\ncgroups in runtimes. Runtimes known to work include\n\n- containerd 2.1+, with [writable systemd cgroups configuration](tests/containerd-2.1-config.toml)\n- CRI-O 1.32+\n\nwith either of\n\n- runc 1.2+\n- crun 1.9+\n\nWhen docker is used as a runtime for Kubernetes, the user namespace\nremapping with `userns-remap` described above needs to be used instead\nof `spec.hostUsers`.\n\n## Debugging\n\nThe container scripts provide some options for debugging:\n\n- Enable shell script tracing in both the top-level `init-data` script\n  and the `ipa-server-configure-first` script by setting the\n  `$DEBUG_TRACE` environment variable.\n\n- Disable container exit after script failure by setting the\n  `$DEBUG_NO_EXIT` environment variable.  After failure, the\n  container will continue running, and can be entered for debugging\n  with e.g. `podman exec -it freeipa-server-container bash`.\n  This can also be achieved by specifying `no-exit` as the first\n  word in the [opts] to the container.\n\n- Force container exit after successfully configuring the FreeIPA\n  server by specifying `exit-on-finished` as the first word in the\n  [opts] to the container.\n\nExample usage:\n\n    podman run [...] -e DEBUG_TRACE=1 -e DEBUG_NO_EXIT=1 localhost/freeipa-server ...\n\nor\n\n    docker run [...] localhost/freeipa-server exit-on-finished -U -r EXAMPLE.TEST\n\nYou can also try to run\n\n    docker=podman tests/run-partial-tests.sh Dockerfile\n\nor\n\n    docker=docker tests/run-partial-tests.sh Dockerfile\n\nwhich can uncover the general issues with running systemd in containers.\n\n## CI in GitHub Actions\n\nTo check the general health of the project, see\nhttps://github.com/freeipa/freeipa-container/actions\nwhere tests are run for various OS versions in the containers.\n\n## License\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffreeipa%2Ffreeipa-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffreeipa%2Ffreeipa-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffreeipa%2Ffreeipa-container/lists"}