DS OpenShift

From Dogtag
Revision as of 14:58, 1 September 2022 by Edewata (talk | contribs) (See Also)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search


This page describes the procedure to deploy a DS instance on OpenShift.

Current Issues

  • This is still a work in progress.
  • The code changes has not been merged upstream.
  • DS instance cannot be created in OpenShift yet. The instance needs to be created locally, then uploaded to OpenShift.
  • DS cannot create Unix socket in OpenShift.
  • DS cannot change the ownership of directories and files in OpenShift.
  • DS cannot change the UID it's running as in OpenShift.
  • The default nsslapd-dbcachesize is too large in OpenShift.
  • If the DS crashes, the data may become corrupted and the data has to be uploaded again.

Code Changes

Some changes in DS code are required in order to support OpenShift.

The code is available in this branch:

The build with these changes is available in this repository:

Note that these changes are not ready to be merged upstream.

Creating Local DS Instance

Install a DS instance in the local machine:

$ dscreate create-template | sed \
    -e 's/;root_password = .*/root_password = Secret.123/g' \
    -e 's/;suffix = .*/suffix = dc=example,dc=com/g' \
    -e 's/;systemd = .*/systemd = False/g' \
    -e 's/;port = .*/port = 10389/g' \
    -e 's/;secure_port = .*/secure_port = 10636/g' \
    > ds.inf
$ dscreate from-file ds.inf

Then create a backup:

$ systemctl stop dirsrv@localhost.service
$ tar czvf slapd-localhost.tar.gz -C / \
    etc/dirsrv/slapd-localhost \
    etc/dirsrv/ssca \
    etc/sysconfig/dirsrv-localhost \
    var/lib/dirsrv/slapd-localhost \

Put the slapd-localhost.tar.gz in a <backup dir>.

Creating Persistent Storage

Create a configuration file (e.g. ds-pvc.yaml):

apiVersion: v1
kind: PersistentVolumeClaim
  name: ds
  - ReadWriteOnce
      storage: 1Gi

Then execute:

$ oc create -f ds-pvc.yaml

Uploading DS Instance Files

Deploy a temporary application (e.g. Fedora OpenShift).

Mount the storage into the application's pod into /data.

Upload the backup file:

$ oc rsync <backup dir> <pod>:/data

Open a remote shell:

$ oc rsh <pod>

Execute the following commands:

$ cd /data
$ tar xvf slapd-localhost.tar.gz
$ rm slapd-localhost.tar.gz

Edit /data/etc/dirsrv/slapd-localhost/dse.ldif:

dn: cn=config
nsslapd-port: 10389
nsslapd-securePort: 10636
# nsslapd-ldapifilepath: /var/run/slapd-localhost.socket
# nsslapd-ldapilisten: on
# nsslapd-ldapiautobind: on
# nsslapd-ldapimaprootdn: cn=Directory Manager

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-dbcachesize: 50000000

Unmount the storage. The temporary application can be undeployed as well.


FROM fedora:30

EXPOSE 10389 10636

# Install tweaked 389-ds-base package from edewata/pki
RUN dnf install -y dnf-plugins-core && dnf copr enable -y edewata/pki
RUN dnf install -y 389-ds-base && dnf clean all

# Create links to DS instance files on persistent storage
RUN ln -s /data/etc/dirsrv/slapd-localhost /etc/dirsrv/slapd-localhost & \
    ln -s /data/etc/dirsrv/ssca /etc/dirsrv/ssca && \
    ln -s /data/etc/sysconfig/dirsrv-localhost /etc/sysconfig/slapd-localhost & \
    ln -s /data/var/lib/dirsrv/slapd-localhost /var/lib/dirsrv/slapd-localhost & \
    ln -s /data/var/log/dirsrv/slapd-localhost /var/log/dirsrv/slapd-localhost & \

# Create non-persistent directory for runtime files
RUN mkdir -p /var/run/dirsrv/slapd-localhost && \
    chgrp -Rf root /var/run/dirsrv && \
    chmod -Rf g+w /var/run/dirsrv

# Create non-persistent directory for lock files
RUN mkdir -p /var/lock/dirsrv/slapd-localhost && \
    chgrp -Rf root /var/lock/dirsrv && \
    chmod -Rf g+w /var/lock/dirsrv

USER dirsrv

VOLUME /data

CMD [ "/usr/sbin/ns-slapd", "-D", "/etc/dirsrv/slapd-localhost", "-d", "266354688" ]

Building Container Image

$ docker build -t ds .

Publishing Container Image

$ docker tag ds:latest <username>/ds:latest
$ docker push <username>/ds:latest

Available Images

Creating DS Image Stream

Prepare a configuration file (e.g. ds-is.yaml):

apiVersion: v1
kind: ImageStream
    app: ds
  name: ds
    - from:
        kind: DockerImage
        name: edewata/ds
      name: latest

Then execute the following command:

$ oc create -f ds-is.yaml

Creating DS Application

Prepare a configuration file (e.g. ds-dc.yaml):

apiVersion: v1
kind: DeploymentConfig
    app: ds
  name: ds
    app: ds
    deploymentconfig: ds
        app: ds
        deploymentconfig: ds
        - env:
            - name: LD_PRELOAD
              value: /usr/lib64/dirsrv/lib/libjemalloc.so.2
            - name: SERVER_DIR
              value: /usr/lib64
            - name: SERVERBIN_DIR
              value: /usr/sbin
            - name: CONFIG_DIR
              value: /etc/dirsrv/slapd-localhost
            - name: INST_DIR
              value: /usr/lib64/dirsrv/slapd-localhost
            - name: RUN_DIR
              value: /var/run/dirsrv
            - name: DS_ROOT
            - name: PRODUCT_NAME
              value: slapd
          image: edewata/ds
          name: ds
            - containerPort: 10389
              protocol: TCP
            - containerPort: 10636
              protocol: TCP
            - mountPath: /data
              name: data
        - name: data
            claimName: ds
  test: false
    - type: ConfigChange
    - imageChangeParams:
        automatic: true
          - ds
          kind: ImageStreamTag
          name: 'ds:latest'
      type: ImageChange

Then execute the following command:

$ oc create -f ds-dc.yaml

Check the pod's logs to make sure the DS instance is running, or execute the following command in the terminal:

$ ldapsearch -h $HOSTNAME -p 10389 -x -s base -b "" * +

Updating Container Image

If newer container image is available, it can be deployed with the following command:

$ oc import-image <username>/ds:latest

See Also