Initializing and running FreeIPA Server in an almalinux-8 container

1) Initial installation

  • Create a data directory at /data/ipa-data
  • Use the host network directly
    mkdir -p /data/ipa-data
    podman run \
    --rm \
    --shm-size=2GB \
    --name ipa-01.icinfra.cn \
    --net host \
    -ti \
    -h ipa-01.icinfra.cn \
    --read-only \
    -e PASSWORD=Secret123 \
    -v /data/ipa-data:/data:Z \
    --dns=127.0.0.1 \
    -e TZ=Asia/Shanghai \
    -v /etc/localtime:/etc/localtime:ro \
    --add-host=ipa-01.icinfra.cn:172.16.0.13 \
    docker.io/freeipa/freeipa-server:almalinux-8 \
    --allow-zone-overlap \
    --no-ntp

The podman options and arguments:

  • /data/ipa-data stores the IPA-related configuration files and data.
  • --rm removes the container as soon as it stops. Because configuration and data are persisted under /data/ipa-data, the container is stateless and can be deleted and re-run at any time.
  • --shm-size=2GB; without it only 64MB of shared memory is allocated by default.
  • --name ipa-01.icinfra.cn sets the container name.
  • --net host uses the host's network.
  • -ti allocates a tty and makes the session interactive.
  • -h ipa-01.icinfra.cn sets the hostname inside the container.
  • --read-only makes the root filesystem read-only; all state is persisted to /data/ipa-data.
  • -e PASSWORD=Secret123 passes the PASSWORD environment variable.
  • -v /data/ipa-data:/data:Z bind-mounts the volume into the container.
  • --dns=127.0.0.1 rewrites the contents of /etc/resolv.conf.
  • --add-host=ipa-01.icinfra.cn:172.16.0.13 adds a line to /etc/hosts.

The ipa-server-install options and arguments:

  • --allow-zone-overlap
  • --no-ntp

Modify the DNS server configuration and restart it so that queries from anywhere are allowed.

[root@ipa-01 /]# cat /etc/named/ipa-options-ext.conf
/* User customization for BIND named
 *
 * This file is included in /etc/named.conf and is not modified during IPA
 * upgrades.
 *
 * It must only contain "options" settings. Any other setting must be
 * configured in /data/etc/named/ipa-ext.conf.
 *
 * Examples:
 * allow-recursion { trusted_network; };
 * allow-query-cache { trusted_network; };
 */

/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
listen-on-v6 { any; };

/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation no;
allow-query { any; };
[root@ipa-01 /]# systemctl status | grep name
           ├─948 grep --color=auto name
             ├─named-pkcs11.service
             │ └─286 /usr/sbin/named-pkcs11 -u named -c /etc/named.conf
[root@ipa-01 /]# systemctl restart named-pkcs11
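The named edit above, with an added check that is not part of the original post: it reads the "options" directives from an ipa-options-ext.conf file and confirms that allow-query is open to any while allow-recursion is not, since opening recursion to any would turn the IPA DNS server into an open resolver. The sample file is constructed here to mirror the post's final file; the comment-layout assumption is noted in the code.

```shell
#!/bin/sh
# Added example (not from the original post): audit the "options" directives
# in /etc/named/ipa-options-ext.conf before "systemctl restart named-pkcs11".
# allow-query { any; } is fine for the authoritative icinfra.cn zone; this
# check also makes sure allow-recursion is NOT opened to any.

# Print the value of one options directive from FILE (empty if not set).
# Assumption: comments are laid out as in the post's file, i.e. either a
# one-line /* ... */ or a block whose continuation lines begin with "*".
named_option() {   # usage: named_option FILE DIRECTIVE
    sed -e 's://.*$::' -e 's:/\*.*\*/::g' "$1" \
      | grep -v '^[[:space:]]*\*' | grep -v '^[[:space:]]*/\*' \
      | sed -n -e "s/^[[:space:]]*$2[[:space:]]*{[[:space:]]*\(.*\)[[:space:]]*;[[:space:]]*}[[:space:]]*;.*/\1/p" \
               -e "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;{]*\);.*/\1/p" \
      | head -n 1
}

# Return 0 when the file matches the post's intent (queries open to any,
# recursion not open to any); otherwise return 1. Prints what it found.
audit_ipa_named_options() {   # usage: audit_ipa_named_options FILE
    aq=$(named_option "$1" allow-query)
    ar=$(named_option "$1" allow-recursion)
    echo "allow-query=[$aq] allow-recursion=[${ar:-unset (BIND default: localnets; localhost)}]"
    [ "$aq" = "any" ] || return 1
    [ "$ar" != "any" ]
}

# Constructed sample mirroring the final file shown in the post.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/* User customization for BIND named
 *
 * Examples:
 * allow-recursion { trusted_network; };
 */

/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
listen-on-v6 { any; };

/* dnssec-enable is obsolete and 'yes' by default */
dnssec-validation no;
allow-query { any; };
EOF

audit_ipa_named_options "$SAMPLE"
```

Inside the container the real file is /etc/named/ipa-options-ext.conf, so replace "$SAMPLE" with that path to audit the live configuration before the restart.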

2) Run in the background: drop the interactive flags and add -d

podman stop `podman ps -q` # stop the container that was just run interactively
podman run \
--rm \
--shm-size=2GB \
--name ipa-01.icinfra.cn \
--net host \
-d \
-h ipa-01.icinfra.cn \
--read-only \
-e PASSWORD=Secret123 \
-v /data/ipa-data:/data:Z \
--dns=127.0.0.1 \
-e TZ=Asia/Shanghai \
-v /etc/localtime:/etc/localtime:ro \
--add-host=ipa-01.icinfra.cn:172.16.0.13 \
docker.io/freeipa/freeipa-server:almalinux-8 \
--allow-zone-overlap \
--no-ntp

Add a DNS forwarder. [image not included]

Installing and using FreeIPA Client on almalinux-8

[root@Copy-of-VM-AlmaLinux8-tmpl-cloudinit-gui-5 ~]# cat /etc/resolv.conf
; Created by cloud-init on instance boot automatically, do not edit.
;
# Generated by NetworkManager
search lan icinfra.cn
nameserver 172.16.0.13
[root@Copy-of-VM-AlmaLinux8-tmpl-cloudinit-gui-5 ~]# ipa-client-install --hostname=ipa-client-001.icinfra.cn --server=ipa-01.icinfra.cn --domain=icinfra.cn --realm=ICINFRA.CN --principal=admin --password=Secret123 --unattended
This program will set up IPA client.
Version 4.9.12

Client hostname: ipa-client-001.icinfra.cn
Realm: ICINFRA.CN
DNS Domain: icinfra.cn
IPA Server: ipa-01.icinfra.cn
BaseDN: dc=icinfra,dc=cn

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=ICINFRA.CN
    Issuer:      CN=Certificate Authority,O=ICINFRA.CN
    Valid From:  2023-12-17 03:55:11
    Valid Until: 2043-12-17 03:55:11

Enrolled in IPA realm ICINFRA.CN
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (ipa-client-001.icinfra.cn) does not have A/AAAA record.
Missing reverse record(s) for address(es): 172.16.0.78.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring icinfra.cn as NIS domain.
Configured /etc/krb5.conf for IPA realm ICINFRA.CN
Client configuration complete.
The ipa-client-install command was successful
[root@Copy-of-VM-AlmaLinux8-tmpl-cloudinit-gui-5 ~]# id admin
uid=196400000(admin) gid=196400000(admins) groups=196400000(admins)

References

https://quay.io/repository/freeipa/freeipa-server?tab=info

https://github.com/freeipa/freeipa-container