Chapter 1. Overview of the Containerized Identity Management Services


The following sections provide an overview of the containerized Identity Management services in Red Hat Enterprise Linux.

Warning

The rhel7/ipa-server container is a Technology Preview feature. See Technology Preview Features Support Scope in the Red Hat Knowledgebase for details.

1.1. Introduction to the ipa-server and sssd Containers

Using Identity Management or the System Security Services Daemon (SSSD) in a container ensures that all Identity Management or SSSD processes run in isolation from the host system. This enables the host system to run other software without conflicts with these processes.

Important

The ipa-server and sssd containers are designed to be used on Red Hat Enterprise Linux Atomic Host systems. For details on Atomic Host, see Getting Started with Atomic in the Atomic documentation.

Additional Resources

1.2. Available Container Images

The rhel7/ipa-server Container Image

  • Enables you to run Identity Management servers and related services in a container.
  • Provides Identity Management server services.

The rhel7/sssd Container Image

  • Enables you to run the System Security Services Daemon (SSSD) in a container.
  • Provides identity and authentication services to Atomic Host systems by enrolling the system to an Identity Management server or connecting it to an Active Directory domain.
  • Provides identity and authentication services to applications running in other containers.

Additional Resources

1.3. Benefits and drawbacks of using Identity Management in containers

Benefits

Drawbacks

  • The Identity Management processes run under Atomic. For example, if the docker daemon terminates, the Identity Management server running under it also terminates. However, maintaining multiple replicas counters this drawback.
  • SELinux separation is not applied to the components within a container. However, the components are still separated using process UIDs.

    • Note that although SELinux does not apply its mandatory access control (MAC) between the components, the sVirt project applies MAC to the container environment. This ensures that the container as a whole is protected from other containers.
    • The ipa-server container runs only the components required to run the Identity Management server itself. The container does not run any third-party components that can attack Identity Management due to the lack of SELinux isolation.
    • See also Secure Containers with SELinux in Atomic documentation.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.