
Re: [atomic-devel] [PATCH] Adding SSSD client bits to Fedora Atomic Host



On Thu, Nov 12, 2015 at 09:00:31PM -0500, Colin Walters wrote:
> 
> Can you improve the commit message?  It currently is mostly "what"
> but not much "why" (and the subject line should be imperative tense matching
> the rest of the style).
> Something like:
> 
> ```
> manifest: Add requirements for host fedora/sssd container
> 
> Having these dependencies on the host is necessary in order for the
> new `fedora/sssd` container to work.  For more information, see:
> 
> https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2015-October/msg00055.html

Please find the fixed patch in the attachment.

> I took a quick look at the container source.
> 
> - What is up with:
> ```
> [Service]
> ExecStartPre=/bin/systemctl start dbus.service
> ```
> in https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/sssd/oddjobd.service ?
> 
> Ah wait, we're running another system bus inside the container?  Hmm.
> Regardless couldn't we just do `Requires=dbus.service` in sssd.service or so?

I'll check that, thanks for noticing it.

> Also, am I right in that things like:
> ```
> -v /var/lib/sss/:/var/lib/sss/ 
> ```
> 
> will hard require UID/GID matching between host and container?

Yes. We pull the host's uids into the container at runtime

	https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/sssd/run.sh#L11

so that hopefully covers at least some of the use cases -- for example,
you can use the host's usernames in /etc/sssd/sssd.conf (think apache) and
the sssd in the container will not complain because it will know about
them.

> Do you have a sense for the degree to which container and host versions can vary?
> Are we expecting to support e.g. a Fedora 23 host
> with version X of /usr/lib64/libnss_sss.so.2 talking to a Fedora 24 container sssd
> version Y (where X < Y, or X > Y)?

The SSSD team says the protocol used on the Unix sockets is and remains
compatible. Ideally we'd probably like to have the versions in sync.

How are other "system" containers addressing it? What is the process
of rebuilding these containers to keep them on par with the Atomic
versions, and the naming?

Currently,

	https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/sssd/Dockerfile

uses fedora:22 (it was the latest released version when it was added)
while it does not exist in the f22 and f23 branches at all.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
From 352899a8cedb25af0460eda7fe9feb47efa65e0b Mon Sep 17 00:00:00 2001
From: Jan Pazdziora <jpazdziora redhat com>
Date: Tue, 27 Oct 2015 11:43:40 +0100
Subject: [PATCH] Add sssd-client for PAM and NSS and oddjob-mkhomedir for
 homedir population.

With SSSD in a container (fedora/sssd), we still need some bits on the host
to talk to the SSSD.

See:
- https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2015-October/msg00055.html
---
 fedora-atomic-docker-host.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json
index ae883da..cebebf9 100644
--- a/fedora-atomic-docker-host.json
+++ b/fedora-atomic-docker-host.json
@@ -23,7 +23,7 @@
     "check-groups": { "type": "file", "filename": "group" },
 
     "packages": ["atomic",
-		 "glibc", "nss-altfiles", "shadow-utils",
+		 "glibc", "nss-altfiles", "shadow-utils", "sssd-client",
 		 "fedora-release",
 		 "dracut-config-generic", "kernel",
 		 "dracut-network",
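Review bot: adding "sssd-client" to the package list installs the host-side NSS and PAM modules the subject line refers to ("for PAM and NSS"), but nothing in the manifest or the commit message says how the sss module gets enabled in the host's /etc/nsswitch.conf and PAM stack; the package alone does not activate it. Please state in the commit message whether that configuration is expected to come from the tree, from the container's run.sh, or from the administrator, so a reader of this change knows why the package is sufficient here. The version-skew question raised in the thread (host libnss_sss.so.2 vs. container sssd) is also worth a sentence, since the host package now pins one side of that pair.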
@@ -69,7 +69,8 @@
 		 "flannel",
 		 "docker",
 		 "python-docker-py",
-		 "iscsi-initiator-utils"],
+		 "iscsi-initiator-utils",
+		 "oddjob-mkhomedir"],
 
     "default_target": "multi-user.target",
 
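Review bot: "oddjob-mkhomedir" is only useful when an oddjobd daemon (and a D-Bus system bus) is reachable to service pam_oddjob_mkhomedir requests, and the thread above discusses running oddjobd inside the fedora/sssd container rather than on the host. The commit message should say where oddjobd is expected to run and how the host PAM stack reaches it; otherwise the package is inert on the host. Note also that oddjob-mkhomedir pulls in the oddjob package itself, which will land in the tree without being listed explicitly in this manifest.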
-- 
2.5.0
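The exchange above about bind-mounting `/var/lib/sss/` notes that it hard-requires UID/GID matching between host and container. The following is an added example, not code from the thread or from the fedora/sssd container: a small check that compares a host and a container passwd view and reports accounts whose numeric ids disagree, or container accounts that reuse a uid belonging to a different host account. Both passwd inputs are constructed sample data; the `check_ids` function and its output format are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread or the fedora/sssd container:
# a check for the UID/GID matching that bind-mounting /var/lib/sss/ relies on.
# The host's libnss_sss reads what the container's sssd writes, so the same
# account name must map to the same numeric ids on both sides, and a container
# account must not reuse a uid that belongs to a different host account.
# Both passwd "files" below are constructed sample data.

HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sssd:x:993:990:User for sssd:/:/sbin/nologin'

CONTAINER_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sssd:x:994:991:User for sssd:/:/sbin/nologin
oddjob:x:993:992:oddjob:/:/sbin/nologin'

# check_ids HOST_PASSWD_DATA CONTAINER_PASSWD_DATA
# Prints one line per problem and returns 0 only when nothing was reported.
check_ids() {
    hostf=$(mktemp) && contf=$(mktemp) || return 2
    printf '%s\n' "$1" > "$hostf"
    printf '%s\n' "$2" > "$contf"
    out=$(awk -F: '
        # First file (host view): remember ids per name and name per uid.
        NR == FNR { host_id[$1] = $3 ":" $4; host_name[$3] = $1; next }
        # Same name on both sides but different numeric ids.
        ($1 in host_id) && host_id[$1] != ($3 ":" $4) {
            print $1 " host=" host_id[$1] " container=" $3 ":" $4; next
        }
        # Container-only name whose uid already belongs to a host account.
        !($1 in host_id) && ($3 in host_name) {
            print $1 " uid " $3 " is " host_name[$3] " on host"
        }
    ' "$hostf" "$contf")
    rm -f "$hostf" "$contf"
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

if check_ids "$HOST_PASSWD" "$CONTAINER_PASSWD"; then
    echo "host and container ids are consistent"
else
    echo "id mismatch: sync ids before bind-mounting /var/lib/sss/"
fi
```

On a real system the two inputs would be the host's passwd database (for example `getent passwd` on the host) and the same command run inside the container.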

