These containers and images are intended to be used in SSSD CI and they should not be used in production. However, you can use them during SSSD local testing and development.
$ sudo dnf install -y podman podman-docker docker-compose
$ sudo systemctl enable --now podman.socket
$ sudo setsebool -P container_manage_cgroup true
$ cp .env.example .env
$ sudo make up
$ sudo podman exec -it client /bin/bashNote: once you get a console on the client container, you may want to bring
SSSD online because it has been most probably started before the other services
and therefore it went offline: pkill --signal SIGUSR2 sssd.
First, create an environment file that is consumed by docker-compose:
$ cp .env.example .envThen you can run the following make targets in order to start, stop and
destroy the containers.
sudo make upreadsdocker-compose.ymland starts all services in containerssudo make stopstops the containers, keeps theirs contentsudo make downdestroys and removes the containers
You can gain console access once the containers are started, either through podman or ssh. For example:
$ sudo podman exec -it client /bin/bash
$ sudo podman exec -it -u ci client /bin/bash
$ sudo podman exec -it client /bin/tmux
$ ssh -l ci -i ./data/ssh-keys/ci.id_rsa 172.16.100.40
$ ssh -l root -i ./data/ssh-keys/root.id_rsa 172.16.100.40See Available containers for container names, IP adresses and DNS names. See Host configuration to configure your system DNS resolver so you can use DNS names directly instead of using IP addresses in the ssh command.
You can trust sssd-ci self signed CA certificate and setup DNS forwarding on
your local host in order to access provided services directly outside the
containers (for example accessing IPA Web UI at https://master.ipa.test or
perfoming an ldapsearch).
sudo make trust-caconfigure your system to trust sssd-ci CAsudo make setup-dnsforward all*.testqueries to sssd-ci DNS server. Note that this will disable systemd-resolved and enable dnsmasq in NetworkManager.
| Name | IP | FQDN | Description |
|---|---|---|---|
| ipa | 172.16.100.10 |
master.ipa.test |
IPA server |
| ldap | 172.16.100.20 |
master.ldap.test |
TLS ready 389 Directory Server |
| samba | 172.16.100.30 |
dc.sambe.test |
Samba DC root domain |
| client | 172.16.100.40 |
client.test |
Client machine with configured SSSD |
All passwords are set to Secret123.
| Machine | Username | Password | Description |
|---|---|---|---|
| Any Linux machine | root | Secret123 | Local user |
| Any Linux machine | ci | Secret123 | Local user |
| samba | Administrator@samba.test | Secret123 | Domain user |
| ipa | admin@ipa.test | Secret123 | Domain user |
Please, view the packages ansible role to see the installed packages:
The following use cases are supported out of the box:
sssdwith single domain connected to LDAPsssdwith single domain connected to IPAsssdwith single domain connected to Samba DC viaadprovidersssdconnected to IPA with one trusted Samba DC domainsssdconnected to multiple domains
There are images available for multiple distributions. See the catalog for all available tags.
You can set the TAG environment variable to choose the tag the should be used
when starting the containers. You can also set it in the .env file if you
intend to use it for a longer time.
Most notable tags are:
latest- this is the latest Fedora stable composerawhide- this is the latest Fedora rawhide compose
We currently have full support for Fedora and CentOS Stream and a limited
support for Debian and Ubuntu. The client is always created from the target
distribution, but if any service is unavailable on that distribution (like
samba-dc on CentOS Stream) it is created from fedora:latest instead.
There is also a development version to
ci-client image, named
ci-client-devel. This image
contains preinstalled development dependencies, which makes it unfortunately
quite large. However, it is suitable for use when coding on SSSD. You can use it
by overriding docker-compose values in docker-compose.override.yml file:
services:
client:
image: ${REGISTRY}/ci-client-devel:${TAG}The certificates are stored in data/certs and will expire in 2041, so the should be no need to regenerate them any time soon. There should be no need to regenerate ssh keys in data/sssh-keys either. However, you can do it by calling the following two scripts:
$ ./src/tools/gen-certs.sh
$ ./src/tools/gen-ssh-keys.shThe images are build and published automatically in GitHub actions in the build workflow on each push and automatically every Sunday.
If you need to build them manually, you can do it by calling the build make
target. It takes multiple environment variables:
BASE_IMAGE: base image that should be used, default isregistry.fedoraproject.org/fedora:latestTAG: tag of the result images, default islatestUNAVAILABLE: space separated list of unavailable services, default is empty (all services are available), e.g.ipa ldap samba
The following example builds the CentOS Stream 8 images:
$ sudo make build BASE_IMAGE=quay.io/centos/centos:stream8 TAG=centos8 UNAVAILABLE=sambaThe images are stored in local localhost/sssd image registry.
The images are automatically published on successful build of GitHub actions
build workflow so there should be no need to do
this manually. However, you can do it by calling the push make target. It
takes multiple environment variables:
REGISTRY: target registry where the images will be pushed, requiredTAG: tag of the local images inlocalhost/sssdthat will be pushed, it is also used as the destination tag, requiredEXTRA_TAGS: space separated list of additional tags for the image, default is empty (no additional tag), e.g.fedora-latest latest
The images are build from multiple layers in order to safe space. The layers are:
flowchart TD
base-ground --> base-ldap
base-ground --> base-client
base-ground --> base-samba
base-ldap --> base-ipa
base-ldap --> ldap
base-ipa --> ipa
base-client --> client
client --> client-devel
base-samba --> samba