Add IPA client-only mode

[zultron]

The freeipa-container client branch functionality has never been merged back into the master branch, as IIRC the other distro-specific server branches have. A container with client functionality does have use cases. In our cluster environment, hosts not running an IPA server instead run an IPA client container with certmonger monitoring system certs.

It appears that the scripts in this repo might be easy enough to modify. A container created with this very first stab is able to enroll with a remote IPA, and the kinit, ipa and ipa-getcert commands appear to work.

This proof-of-concept patch hasn't been polished, reviewed or tested, and is expected to have fundamental flaws.

[stlaz]

Hello,

This repository's purpose is to provide IPA server functionality in a container. For IPA client installation in a container, there's already a (tested) solution for you:

https://hub.docker.com/r/fedora/sssd/

[adelton]

I think the main problem here is, you do not want to run image which has all the huge number of FreeIPA server bits installed as client image. So any client image should likely come from separate Dockerfile.

Also, running ipa-server-configure-first.service to configure client does have a potential to bring confusion.

IIRC, the *client branches have never supported persistence and it'd be good to check if the server approach works for client setups out of box.

As Stanislav said, please check https://hub.docker.com/r/fedora/sssd/ which is based on https://github.com/fedora-cloud/Fedora-Dockerfiles/tree/master/sssd. That setup was specifically desidned to run containerized client bits for the host (Atomic, but any host should do) and its identity. If you are on RHEL, the same solution is also available as registry.access.redhat.com/rhel7/sssd.

[zultron]

On 08/22/2017 02:26 AM, Jan Pazdziora wrote:

I think the main problem here is, you do not want to run image which has
all the huge number of FreeIPA server bits installed as client image. So
any client image should likely come from separate Dockerfile.

I can understand why some folks would not want that. Other folks might think using the same container image with the same scripts running all IPA services, if certmonger may be called that, conveys benefits that outweigh the extra disk space and image bloat.

Also, running |ipa-server-configure-first.service| to configure client
does have a potential to bring confusion.

True. I bet there are ways to mitigate this confusion.

IIRC, the |*client| branches have never supported persistence and it'd
be good to check if the server approach works for client setups out of box.

Yes, I think this will be the first problem one would find while testing this PR's trivial patch.

As Stanislav said, please check https://hub.docker.com/r/fedora/sssd/
which is based on
https://github.com/fedora-cloud/Fedora-Dockerfiles/tree/master/sssd.
That setup was specifically desidned to run containerized client bits
for the host (Atomic, but any host should do) and its identity. If you
are on RHEL, the same solution is also available as
|registry.access.redhat.com/rhel7/sssd|.

That project has been abandoned. (And certmonger seems absent?)

---

Anyway, I hope there will someday be an organisationally-maintained client or certmonger container image. Perhaps that will come if/when the FreeIPA container is broken up into separate, smaller but linked httpd/ldap/tomcat/krb5/etc. containers. Perhaps that will not come as a result of this PR, and so I'll close it. Thanks for your comments.

[zultron]

FYI, the setup done to make the IPA service persistent also seems to make the IPA client persistent. Nice work!