Difference between revisions of "DS OpenShift"

From Dogtag
Jump to: navigation, search
m (See Also)
m (Updating Container Image)
(One intermediate revision by the same user not shown)
Line 12: Line 12:
 
The current DS cannot run in OpenShift because of the following issues:
 
The current DS cannot run in OpenShift because of the following issues:
  
* The DS instance files need to be created locally, then uploaded to OpenShift.
+
* DS instance cannot be crated in the container yet. The instance needs to be created locally, then uploaded to OpenShift.
 
* DS cannot create Unix socket.
 
* DS cannot create Unix socket.
 
* DS cannot change the ownership of directories and files.
 
* DS cannot change the ownership of directories and files.
Line 203: Line 203:
  
 
<pre>
 
<pre>
$ oc import-image <username>/ds
+
$ oc import-image <username>/ds:latest
 
</pre>
 
</pre>
  

Revision as of 20:35, 12 July 2019

Overview

This page describes the procedure to deploy a DS instance on OpenShift.

Notes:

  • This is still a work in progress.
  • The code changes has not been merged upstream.

Current Issues

The current DS cannot run in OpenShift because of the following issues:

  • DS instance cannot be crated in the container yet. The instance needs to be created locally, then uploaded to OpenShift.
  • DS cannot create Unix socket.
  • DS cannot change the ownership of directories and files.
  • DS cannot change the UID it's running as.
  • The default nsslapd-dbcachesize is too large.

Code Changes

Some changes in DS code are required in order to support OpenShift.

The code is available in this branch:

The build with these changes is available in this repository:

Note that these changes are not ready to be merged upstream.

Creating Local DS Instance

Create a DS instance in the local machine:

$ dscreate create-template | sed \
    -e 's/;root_password = .*/root_password = Secret.123/g' \
    -e 's/;suffix = .*/suffix = dc=example,dc=com/g' \
    -e 's/;systemd = .*/systemd = False/g' \
    -e 's/;port = .*/port = 10389/g' \
    -e 's/;secure_port = .*/secure_port = 10636/g' \
    > ds.inf
$ dscreate from-file ds.inf

Then create a backup:

$ systemctl stop dirsrv@localhost.service
$ tar czvf slapd-localhost.tar.gz -C / \
    etc/dirsrv/slapd-localhost \
    etc/dirsrv/ssca \
    etc/sysconfig/dirsrv-localhost \
    var/lib/dirsrv/slapd-localhost \
    var/log/dirsrv/slapd-localhost

Put the slapd-localhost.tar.gz in a <backup dir>.

Creating Persistent Storage

Create a configuration file (e.g. ds-pvc.yaml):

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ds
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

Then execute:

$ oc create -f ds-pvc.yaml

Uploading DS Instance Files

Deploy a temporary application (e.g. Fedora OpenShift).

Mount the storage into the application's pod into /data.

Upload the backup file:

$ oc rsync <backup dir> <pod>:/data

Open a remote shell:

$ oc rsh <pod>

Execute the following commands:

$ cd /data
$ tar xvf slapd-localhost.tar.gz
$ rm slapd-localhost.tar.gz

Edit /data/etc/dirsrv/slapd-localhost/dse.ldif:

dn: cn=config
nsslapd-port: 10389
nsslapd-securePort: 10636
# nsslapd-ldapifilepath: /var/run/slapd-localhost.socket
# nsslapd-ldapilisten: on
# nsslapd-ldapiautobind: on
# nsslapd-ldapimaprootdn: cn=Directory Manager

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-dbcachesize: 100000000

Unmount the storage. The temporary application can be undeployed as well.

Dockerfile

FROM fedora:30

EXPOSE 10389 10636

# Install tweaked 389-ds-base package from edewata/pki
RUN dnf install -y dnf-plugins-core && dnf copr enable -y edewata/pki
RUN dnf install -y 389-ds-base && dnf clean all

# Create links to DS instance files on persistent storage
RUN ln -s /data/etc/dirsrv/slapd-localhost /etc/dirsrv/slapd-localhost & \
    ln -s /data/etc/dirsrv/ssca /etc/dirsrv/ssca && \
    ln -s /data/etc/sysconfig/dirsrv-localhost /etc/sysconfig/slapd-localhost & \
    ln -s /data/var/lib/dirsrv/slapd-localhost /var/lib/dirsrv/slapd-localhost & \
    ln -s /data/var/log/dirsrv/slapd-localhost /var/log/dirsrv/slapd-localhost & \

# Create non-persistent directory for runtime files
RUN mkdir -p /var/run/dirsrv/slapd-localhost && \
    chgrp -Rf root /var/run/dirsrv && \
    chmod -Rf g+w /var/run/dirsrv

# Create non-persistent directory for lock files
RUN mkdir -p /var/lock/dirsrv/slapd-localhost && \
    chgrp -Rf root /var/lock/dirsrv && \
    chmod -Rf g+w /var/lock/dirsrv

USER dirsrv

CMD [ "/usr/sbin/ns-slapd", "-D", "/etc/dirsrv/slapd-localhost", "-d", "266354688" ]

Building Container Image

$ docker build -t ds .

Publishing Container Image

$ docker tag ds:latest <username>/ds:latest
$ docker push <username>/ds:latest

Available Images

Deploying Container Image

Deploy the DS container image to OpenShift.

Configure the following environment variables:

  • LD_PRELOAD=/usr/lib64/dirsrv/lib/libjemalloc.so.2
  • SERVER_DIR=/usr/lib64
  • SERVERBIN_DIR=/usr/sbin
  • CONFIG_DIR=/etc/dirsrv/slapd-localhost
  • INST_DIR=/usr/lib64/dirsrv/slapd-localhost
  • RUN_DIR=/var/run/dirsrv
  • DS_ROOT=
  • PRODUCT_NAME=slapd

Mount the persistent storage into /data.

Check the pod's logs to make sure the DS instance is running, or execute the following command in the terminal:

$ ldapsearch -h $HOSTNAME -p 10389 -x -s base -b "" * +

Updating Container Image

If newer container image is available, it can be deployed with the following command:

$ oc import-image <username>/ds:latest

See Also