Add support for running in Kubernetes

[bradbeam]

With some of the recent changes to Kubernetes [1], systemd can no longer be pid1 inside of a container. This causes issues when trying to run the freeipa-containers which result in an error similar to [2] Couldn't find an alternative telinit implementation to spawn. When applying the workaround proposed in [3] to init-data [4], the container starts up, but hangs during the installation at [2/47]: creating directory server instance. Even after adding in --debug there isn't much information to go off of [5].

Versions:
Kubernetes: 1.6.4 works, 1.7.2 broken
Docker: 1.13.1
freeipa-container: Dockerfile.centos-7-upstream // Dockerfile.fedora-26

freeipa-deployment.yaml

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  labels:
    app: freeipa-server
    chart: freeipa-server-0.1.0
    heritage: Tiller
    release: precise-sparrow
  name: precise-sparrow-freeipa-server
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: freeipa-server
      release: precise-sparrow
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: freeipa-server
        release: precise-sparrow
    spec:
      containers:
      - args:
        - --hostname=ipa.default.svc.cluster.local
        - --realm=CLUSTER.LOCAL
        - --domain=cluster.local
        - --ds-password=dspassword
        - --admin-password=adminpass
        - --ssh-trust-dns
        - --unattended
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: container
          value: docker
        image: bradbeam/freeipa-server:v0.0.7
        imagePullPolicy: IfNotPresent
        name: freeipa-server
        resources: {}
        volumeMounts:
        - mountPath: /data
          name: data
        - mountPath: /sys/fs/cgroup
          name: cgroups
          readOnly: true
        - mountPath: /run
          name: run
        - mountPath: /run/systemd
          name: run-sysd
        - mountPath: /tmp
          name: tmp
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: precise-sparrow-freeipa-server
      - hostPath:
          path: /sys/fs/cgroup
        name: cgroups
      - emptyDir:
          medium: Memory
        name: run
      - emptyDir:
          medium: Memory
        name: run-sysd
      - emptyDir:
          medium: Memory
        name: tmp

[1]
kubernetes/kubernetes#45236
[2]
kubernetes/kubernetes#48937
[3]
kubernetes/kubernetes#48937 (comment)
[4]

diff --git a/init-data b/init-data
index 6089b65..d5e17ce 100755
--- a/init-data
+++ b/init-data
@@ -239,6 +239,9 @@ if [ -n "$IPA_SERVER_IP" ] ; then
        echo "$IPA_SERVER_IP" > /run/ipa/ipa-server-ip
 fi
 
-exec /usr/sbin/init --show-status=false
+export SYSTEMD_IGNORE_CHROOT=1
+exec /usr/lib/systemd/systemd --system --show-status=false
 
 exit 10

[5]

ipa         : DEBUG      [2/47]: creating directory server instance
ipa         : DEBUG    Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
ipa         : DEBUG    Backing up system configuration file '/etc/sysconfig/dirsrv'
ipa         : DEBUG    Saving Index File to '/var/lib/ipa/sysrestore/sysrestore.index'
ipa         : DEBUG    
dn: dc=example,dc=local
objectClass: top
objectClass: domain
objectClass: pilotObject
dc: example
info: IPA V2.0

ipa         : DEBUG    writing inf template
ipa         : DEBUG    
[General]
FullMachineName=   ipa.example.local
SuiteSpotUserID=   dirsrv
SuiteSpotGroup=    dirsrv
ServerRoot=    /usr/lib64/dirsrv
[slapd]
ServerPort=   389
ServerIdentifier=   EXAMPLE-LOCAL
Suffix=   dc=example,dc=local
RootDN=   cn=Directory Manager
InstallLdifFile= /var/lib/dirsrv/boot.ldif
inst_dir=   /var/lib/dirsrv/scripts-EXAMPLE-LOCAL

ipa         : DEBUG    calling setup-ds.pl
ipa         : DEBUG    Starting external process
ipa         : DEBUG    args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpyZ1UVs
ipa         : DEBUG    Process finished, return code=1
ipa         : DEBUG    stdout=[17/08/11:15:26:33] - [Setup] Info Could not start the directory server using command '/bin/systemctl start dirsrv@EXAMPLE-LOCAL.service'.  The last line from the error log was '[11/Aug/2017:15:16:33.642212034 +0000] import userRoot: Import complete.  Processed 1 entries in 1 seconds. (1.00 entries/sec)
'.  Error: 
Could not start the directory server using command '/bin/systemctl start dirsrv@EXAMPLE-LOCAL.service'.  The last line from the error log was '[11/Aug/2017:15:16:33.642212034 +0000] import userRoot: Import complete.  Processed 1 entries in 1 seconds. (1.00 entries/sec)
'.  Error: 
[17/08/11:15:26:33] - [Setup] Fatal Error: Could not create directory server instance 'EXAMPLE-LOCAL'.
Error: Could not create directory server instance 'EXAMPLE-LOCAL'.
[17/08/11:15:26:33] - [Setup] Fatal Exiting . . .

[adelton]

Thanks for the bug report. I will test vanilla systemd in latest Kubernetes and report back.

[LorbusChris]

possibly related to this:
In Kubernetes 1.7 PID 1 is unavailable for container processes: kubernetes/kubernetes#48937 (comment)

this issue has also come up here: container-images/postfix#9

[mmacfadden]

Just ran in to this. We currently have a FreeIPA instance running on a plain VM that we would love to move into our Kubernetes cluster. Wondering if this is still an issue before starting to experiment.

[bradbeam]

Nope, works just fine on k8s 1.8+.

[bradbeam]

Going to close this out since it's no longer an issue.

[mmacfadden]

@bradbeam do you happen to have a working example of freeipa and kubernetes? Or is the above working now?

[bradbeam]

The above should work.

[mmacfadden]

Do you have an ingress or anything that maps an externally routable DNS name to this instance. When I do that, IPA seems to redirect immediately to the internal cluster hostname. In your case ipa.default.svc.cluster.local which obviously can't be hit from the browser.

I have seen articles on how to avoid this redirect by changing the apache config inside IPA. Wondering if you ran into this.

[bradbeam]

We don't use ingress; we use calico + bgp along with a headless service. So in our case, ipa.default.svc.cluster.local is the actual hostname people would hit from outside the cluster.

[dharmendrakariya]

@bradbeam hey I applied that deployment.yaml, but when I try to access it via pod's ip or port-forwarding, it gives me "404 page not found" have u encountered this one?

[adelton]

Please open new issue and provide exactly the kubectl commands you use. Ideally extend tests/run-master-in-k3s.sh to show what you try to do and what fails.

[dharmendrakariya]

Do you have an ingress or anything that maps an externally routable DNS name to this instance. When I do that, IPA seems to redirect immediately to the internal cluster hostname. In your case ipa.default.svc.cluster.local which obviously can't be hit from the browser.

I have seen articles on how to avoid this redirect by changing the apache config inside IPA. Wondering if you ran into this.

Hey I ran into the same problem, when I set ingress for this, its giving me error "too many redirect" .

do you know how to encounter this? @mmacfadden I have created helm-chart. and I am using this.