DS Container

From Dogtag

Overview

This document describes how to run DS (389 Directory Server) in a container for use by PKI CA Container.

Creating DS Container

To create DS container from Fedora image:

$ docker run \
    --name ds \
    --hostname ldap.example.com \
    --tmpfs /tmp \
    --tmpfs /run \
    --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --expose 10389 \
    --expose 10636 \
    --publish 389:10389 \
    --publish 636:10636 \
    --detach \
    fedora:29 "/usr/sbin/init"
$ docker exec ds mkdir -p /run/lock

To create DS instance:

$ docker exec ds dnf install -y 389-ds-base
$ docker exec ds sh -c 'dscreate create-template | sed \
    -e "s/;root_password = .*/root_password = Secret.123/g" \
    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
    -e "s/;selinux = .*/selinux = False/g" \
    -e "s/;port = .*/port = 10389/g" \
    -e "s/;secure_port = .*/secure_port = 10636/g" \
    > /root/ds.inf'
$ docker exec ds dscreate from-file /root/ds.inf

Accessing DS Container

To execute LDAP commands against the container (for example, querying the root DSE through the published port):

$ ldapsearch -x -h $HOSTNAME -s base -b ""

To add LDAP entries for PKI:

$ ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: dc=pki,dc=example,dc=com
objectClass: domain
dc: pki
EOF
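The template rewrite above and the ldapadd step can be wrapped in a few shell functions. This is an added example, not code from the Dogtag page or from 389-ds-base: it escapes the password before handing it to sed (a value containing "/", "&" or "\" would otherwise break or corrupt the rewrite), checks that every key was really uncommented, waits for the instance to answer before loading the PKI entries, and reads the Directory Manager password from a file rather than the command line. The HOST, PORT and password-file arguments are assumptions of the example.

```shell
# Added example, not code from the Dogtag page or from 389-ds-base: render the
# dscreate template with a sed-safe password, check every key was really
# uncommented, and poll the instance before loading the PKI entries.
# Assumed: the instance is reachable at HOST:PORT by ldapsearch/ldapadd.

# Escape a value for the replacement side of sed s/// (handles / & and \).
sed_escape() {
    printf '%s' "$1" | sed 's|[/&\\]|\\&|g'
}

# render_ds_inf TEMPLATE PASSWORD SUFFIX PORT SECURE_PORT: the page's rewrite,
# anchored at line start and with the password escaped so "/" or "&" in it
# no longer breaks sed.
render_ds_inf() {
    pw=$(sed_escape "$2")
    sed \
        -e "s/^;root_password = .*/root_password = $pw/" \
        -e "s/^;suffix = .*/suffix = $3/" \
        -e "s/^;selinux = .*/selinux = False/" \
        -e "s/^;port = .*/port = $4/" \
        -e "s/^;secure_port = .*/secure_port = $5/" \
        "$1"
}

# ds_inf_complete FILE: fail if any sed pattern silently left a default commented.
ds_inf_complete() {
    for key in root_password suffix selinux port secure_port; do
        grep -q "^$key = " "$1" || return 1
    done
}

# wait_for_ds HOST PORT [TRIES]: poll the root DSE until ns-slapd answers.
wait_for_ds() {
    tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        ldapsearch -x -H "ldap://$1:$2" -s base -b "" >/dev/null 2>&1 && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# add_pki_base HOST PORT PWFILE: the page's two entries, with the Directory
# Manager password read from a file (-y) instead of the command line (-w).
add_pki_base() {
    printf '%s\n' 'dn: dc=example,dc=com' 'objectClass: domain' 'dc: example' '' \
        'dn: dc=pki,dc=example,dc=com' 'objectClass: domain' 'dc: pki' |
        ldapadd -x -H "ldap://$1:$2" -D "cn=Directory Manager" -y "$3"
}
```

A typical sequence is `render_ds_inf template.inf "$(cat pw.txt)" dc=example,dc=com 10389 10636 > ds.inf`, `ds_inf_complete ds.inf`, then after `dscreate from-file ds.inf`, `wait_for_ds ldap.example.com 10389 && add_pki_base ldap.example.com 10389 pw.txt`.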

Removing DS Container

(Optional) To remove DS instance:

$ docker exec ds dsctl localhost remove --do-it

To remove DS container:

$ docker rm -f ds

Building DS Container Image (does not work)

Create the following Dockerfile:

FROM fedora:29

ENV container docker
EXPOSE 10389 10636

RUN dnf install -y 389-ds-base
RUN dscreate create-template | sed \
    -e "s/;root_password = .*/root_password = Secret.123/g" \
    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
    -e "s/;selinux = .*/selinux = False/g" \
    -e "s/;port = .*/port = 10389/g" \
    -e "s/;secure_port = .*/secure_port = 10636/g" \
    > /root/ds.inf
RUN dscreate from-file /root/ds.inf --containerised

USER dirsrv

CMD [ \
    "/usr/sbin/ns-slapd", \
    "-D", "/etc/dirsrv/slapd-localhost", \
    "-i", "/var/run/dirsrv/slapd-localhost.pid" \
]

To build DS container image:

$ docker build -t ds .

To create DS container:

$ docker run \
    --name ds \
    --publish 389:10389 \
    --publish 636:10636 \
    --rm \
    ds

This currently does not work; see https://pagure.io/389-ds-base/issue/50343.

References