Chapter 3. Deploying an Identity Management Replica in a Container

This chapter describes how to install an Identity Management replica in a container. Creating a container-based replica is useful, for example, if you want to gradually transfer the workload in your existing topology to container-based servers.

Before you begin, read Section 3.1, “Prerequisites” and Section 3.2, “Available Configuration in Server and Replica Containers”.

Choose one of the following installation procedures. If you are not sure which certificate authority (CA) configuration fits your situation, see Determining What CA Configuration to Use in the Linux Domain Identity, Authentication, and Policy Guide.

After you are done, read Section 3.5, “Next Steps After Installation”.

3.1. Prerequisites

  • Upgrade the Atomic Host system before installing the container. See Upgrading and Downgrading in the Red Hat Enterprise Linux Atomic Host 7 Installation and Configuration Guide.

3.2. Available Configuration in Server and Replica Containers

What Is Available

Domain level 1 or higher

Domain level 0 is not available for containers. See also Displaying and Raising the Domain Level.

As a consequence, servers running in containers can be joined in a replication agreement only with Identity Management servers based on Red Hat Enterprise Linux 7.3 or later.

Mixed container and non-container deployments

A single Identity Management domain topology can include both container-based and RPM-based servers.

What Is Not Available

Changing server components in a deployed container

Do not make runtime modifications of deployed containers. If you need to change or reinstall a server component, such as integrated DNS or Vault, create a new replica.

Upgrading between different Linux distributions

Do not change the platform on which an ipa-server container image runs. For example, do not change an image running on Red Hat Enterprise Linux to Fedora, Ubuntu, or CentOS. Similarly, do not change an image running on Fedora, Ubuntu, or CentOS to Red Hat Enterprise Linux.

Identity Management supports only upgrades to later versions of Red Hat Enterprise Linux.

Downgrading the system with a running container

Do not downgrade the system on which an ipa-server container image runs.

Upstream containers on Atomic Host

Do not install upstream container images, such as the FreeIPA ipa-server image, on Atomic Host. Install only the container images available in Red Hat Enterprise Linux.

Multiple containers on a single Atomic Host

Install only one ipa-server container image on a single Atomic Host.

3.3. Installing an Identity Management Replica in a Container: Basic Installation

This procedure shows how to install a containerized Identity Management server in the default certificate authority (CA) configuration with an integrated CA.

Before You Start

  • Note that the container installation uses the same default configuration as a non-container installation using ipa-replica-install. To specify custom configuration, add additional options to the atomic install command used in the procedure below:

    • Atomic options available for the ipa-server container. For a complete list, see the container help page.
    • Identity Management installer options accepted by ipa-replica-install, described in Installing and Uninstalling Identity Management Replicas in the Linux Domain Identity, Authentication, and Policy Guide.
  • You must have an installed server available: either on a bare metal machine, or on another Atomic Host system.

Procedure

  1. If you want to install a replica against a master server in a container, enable two-way communication to the master container over the ports specified in Installing and Uninstalling an Identity Management Server in the Linux Domain Identity, Authentication, and Policy Guide.
  2. Use the atomic install rhel7/ipa-server publish --hostname fully_qualified_domain_name ipa-replica-install command to start the installation. Include the --server and --domain options to specify the host name and domain name of your Identity Management server.

    • The container requires its own host name. Use a different host name for the container than the host name of the Atomic Host system. The container’s host name must be resolvable via DNS or the /etc/hosts file.

      Note

      Installing a server or replica container does not enroll the Atomic Host system itself to the Identity Management domain. If you use the Atomic Host system’s host name for the server or replica, you will be unable to enroll the Atomic Host system later.

      Important

      Always use the --hostname option with atomic install when installing the server or replica container. Because --hostname is considered an Atomic option in this case, not an Identity Management installer option, use it before the ipa-server-install option. The installation ignores --hostname when used after ipa-server-install.

    • If you are installing a server with integrated DNS, also add the --ip-address option to specify the public IP address of the Atomic Host that is reachable from the network. You can use --ip-address multiple times.
    • Due to a known issue in the interactive replica installation mode, add standard ipa-replica-install options to specify one of the following:

    Warning

    Unless you want to install the container for testing purposes only, always use the publish option. Without publish, no ports will be published to the Atomic Host system, and the server will not be reachable from outside the container.

Example 3.1. Installation Command Examples

Command syntax for installing the ipa-server container:

$ atomic install [ --name <container_name> ] rhel7/ipa-server [ Atomic options ] [ ipa-server-install | ipa-replica-install ] [ ipa-server-install or ipa-replica-install options ]

To install a replica container named replica-container using the administrator’s credentials, while using default values for the Identity Management replica settings:

$ atomic install --name replica-container rhel7/ipa-server publish \
    --hostname replica.example.com \
    ipa-replica-install \
    --server server.example.com \
    --domain example.com \
    --ip-address 2001:DB8::1111 \
    --principal admin \
    --admin-password <admin_password>
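The ordering rule in the Important note above (--hostname is an Atomic option and must come before the installer keyword) and the requirement that the container have its own, resolvable host name are easy to get wrong in a long command. The following POSIX shell helper, added here as an example and not part of the Red Hat documentation or the atomic tool, checks an argument list before it is run. The function names, and the convention of passing the Atomic Host's own host name as a parameter rather than reading it from the system, are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): pre-flight checks for
# the argument list of an ipa-server replica container installation.
# Function names below are this example's own.

# Return 0 when --hostname appears before the installer keyword
# (ipa-server-install or ipa-replica-install) in the argument list.
# The installation ignores --hostname placed after the keyword, so that
# ordering is treated as a failure here.
hostname_before_installer() {
    seen_hostname=0
    for arg in "$@"; do
        case "$arg" in
            --hostname|--hostname=*) seen_hostname=1 ;;
            ipa-server-install|ipa-replica-install)
                [ "$seen_hostname" -eq 1 ] && return 0
                return 1 ;;
        esac
    done
    # No installer keyword at all: nothing would be installed.
    return 1
}

# Return 0 when the container host name ($1) differs from the Atomic Host's
# own host name ($2). Reusing the host's name would prevent enrolling the
# Atomic Host itself later.
container_hostname_distinct() {
    [ "$1" != "$2" ]
}

# Return 0 when the container host name resolves via DNS or /etc/hosts.
container_hostname_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Run all checks; report the first failure on stderr.
# Usage: preflight <container_fqdn> <atomic_host_fqdn> atomic install ...
preflight() {
    c_name=$1; h_name=$2; shift 2
    container_hostname_distinct "$c_name" "$h_name" \
        || { echo "container host name must differ from the Atomic Host's ($h_name)" >&2; return 1; }
    hostname_before_installer "$@" \
        || { echo "--hostname must come before ipa-replica-install" >&2; return 1; }
    container_hostname_resolves "$c_name" \
        || { echo "$c_name does not resolve via DNS or /etc/hosts" >&2; return 1; }
}
```

Run preflight on the Atomic Host with the container's host name, the host's own name (for example the output of hostname -f), and the complete atomic install command line; only when it returns 0 execute that command line.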

3.4. Installing an Identity Management Replica in a Container: Without a CA

This procedure describes how to install a server without an integrated Identity Management certificate authority (CA).

A containerized Identity Management server and the Atomic Host system share only the parts of the file system that are mounted using a bind mount into the container. Therefore, any external files the installer needs, such as certificate files, must be placed in this bind-mounted volume and referenced by their path inside the container.

The ipa-server container image uses the /var/lib/<container_name>/ directory to store persistent files on the Atomic Host file system. The persistent storage volume maps to the /data/ directory inside the container.

Before You Start

  • Note that the container installation uses the same default configuration as a non-container installation using ipa-replica-install. To specify custom configuration, add additional options to the atomic install command used in the procedure below:

    • Atomic options available for the ipa-server container. For a complete list, see the container help page.
    • Identity Management installer options accepted by ipa-replica-install, described in Installing and Uninstalling Identity Management Replicas in the Linux Domain Identity, Authentication, and Policy Guide.
  • You must have an installed server available: either on a bare metal machine, or on another Atomic Host system.

Procedure

  1. If you want to install a replica against a master server in a container, enable two-way communication to the master container over the ports specified in Installing and Uninstalling an Identity Management Server in the Linux Domain Identity, Authentication, and Policy Guide.
  2. Manually create the persistent storage directory for the container at /var/lib/<container_name>/:

    $ mkdir -p /var/lib/replica-container
  3. Copy the files containing the certificate chain into the directory:

    $ cp /root/server-*.p12 /var/lib/replica-container/

    See Installing Without a CA in the Linux Domain Identity, Authentication, and Policy Guide for details on the required files.

  4. Use the atomic install rhel7/ipa-server publish --hostname fully_qualified_domain_name ipa-replica-install command, include the --server and --domain options to specify the host name and domain name of your Identity Management server, and provide the required certificates from the third-party authority:

    $ atomic install --name replica-container rhel7/ipa-server publish \
        --hostname replica.example.com \
        ipa-replica-install \
        --server server.example.com \
        --domain example.com \
        --dirsrv-cert-file=/data/replica-dirsrv-cert.p12 \
        --dirsrv-pin=1234 \
        --http-cert-file=/data/replica-http-cert.p12 \
        --http-pin=1234 \
        --pkinit-cert-file=/data/replica-pkinit-cert.p12 \
        --pkinit-pin=1234

    Note

    The paths to the certificates include /data/ because the persistent storage volume maps to /data/ inside the container.

    • The container requires its own host name. Use a different host name for the container than the host name of the Atomic Host system. The container’s host name must be resolvable via DNS or the /etc/hosts file.

      Note

      Installing a server or replica container does not enroll the Atomic Host system itself to the Identity Management domain. If you use the Atomic Host system’s host name for the server or replica, you will be unable to enroll the Atomic Host system later.

      Important

      Always use the --hostname option with atomic install when installing the server or replica container. Because --hostname is considered an Atomic option in this case, not an Identity Management installer option, use it before the ipa-server-install option. The installation ignores --hostname when used after ipa-server-install.

    • If you are installing a server with integrated DNS, also add the --ip-address option to specify the public IP address of the Atomic Host that is reachable from the network. You can use --ip-address multiple times.
    • Due to a known issue in the interactive replica installation mode, add standard ipa-replica-install options to specify one of the following:

    Warning

    Unless you want to install the container for testing purposes only, always use the publish option. Without publish, no ports will be published to the Atomic Host system, and the server will not be reachable from outside the container.
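Because the installer runs inside the container, a certificate path that is not under /data/ cannot be reached, and a file that was not copied into /var/lib/<container_name>/ on the Atomic Host will not be found at the /data/ path given to --dirsrv-cert-file, --http-cert-file, or --pkinit-cert-file. The file names copied in step 3 must therefore match the names passed in step 4. The following POSIX shell script, added here as an example (not from the Red Hat documentation or the atomic tool), maps each /data/ path back to the host volume and verifies that the file exists before atomic install is run. The function names and the VOLUME_ROOT environment override (present so the check can be exercised against a scratch directory) are this example's own; the /var/lib/<container_name>/ to /data/ mapping is the one the page describes.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): verify that every
# certificate file passed to ipa-replica-install by a /data/ path exists in
# the container's persistent volume on the Atomic Host.
# VOLUME_ROOT defaults to /var/lib, the host-side parent of
# /var/lib/<container_name>/; it is overridable only for testing.

# Translate a container-side /data/ path ($2) to the host-side path for the
# container named $1. Fails for paths outside /data/, which the installer
# inside the container cannot see.
host_path_for() {
    name=$1; cpath=$2
    case "$cpath" in
        /data/*) printf '%s/%s\n' "${VOLUME_ROOT:-/var/lib}/$name" "${cpath#/data/}" ;;
        *) return 1 ;;
    esac
}

# Scan installer arguments for --*-cert-file=<path> and check that each
# referenced file is present on the host. Returns 0 when all are present,
# 1 otherwise, naming each problem on stderr.
check_cert_files() {
    name=$1; shift
    missing=0
    for arg in "$@"; do
        case "$arg" in
            --*-cert-file=*)
                cpath=${arg#*=}
                hpath=$(host_path_for "$name" "$cpath") \
                    || { echo "$cpath is outside /data/ and not visible in the container" >&2; missing=1; continue; }
                [ -f "$hpath" ] \
                    || { echo "missing on host: $hpath (referenced as $cpath)" >&2; missing=1; }
                ;;
        esac
    done
    return $missing
}
```

Run check_cert_files on the Atomic Host after step 3, passing the container name and the same options that will follow ipa-replica-install in step 4, for example: check_cert_files replica-container --dirsrv-cert-file=/data/replica-dirsrv-cert.p12 --http-cert-file=/data/replica-http-cert.p12.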

3.5. Next Steps After Installation

  • To run the container, use the atomic run command:

    $ atomic run rhel7/ipa-server

    If you specified a name for the container when you installed it:

    $ atomic run --name replica-container rhel7/ipa-server
  • A running ipa-server container works in the same way as in a standard Identity Management deployment on bare-metal or virtual machine systems. For example, you can enroll hosts to the domain or manage the topology using the command-line interface, the web UI, or JSONRPC-API in the same way as RPM-based Identity Management systems.