Move Django database and keytabs to podman volume #108

Open. Wants to merge 1 commit into base: main
10 changes: 6 additions & 4 deletions Containerfile.test
Expand Up @@ -18,6 +18,9 @@ ENV TZ=Europe/Madrid \
RUN mkdir /www
COPY . /www/ipa-tuura

# Create data directory (volume mount point)
RUN mkdir /www/ipa-tuura/data

# Install system dependencies
RUN dnf -y update && dnf -y install \
dbus-daemon \
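Review bot: `RUN mkdir /www/ipa-tuura/data` comes right after `COPY . /www/ipa-tuura`, so if the build context ever contains a `data/` directory (a developer's local db.sqlite3 or keytabs from running with this layout), the COPY bakes it into the image and this mkdir then fails. Consider `RUN mkdir -p /www/ipa-tuura/data` and adding `data/` to the repo's `.containerignore` so nothing from a local data directory can end up in a published image.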
Expand Down Expand Up @@ -82,14 +85,13 @@ RUN echo 'apache ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/apache \
&& chmod -R 770 /etc/sssd \
&& chmod 740 /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/db.sqlite3
&& chmod 740 /www/ipa-tuura/data \
&& chown -R apache:apache /www/ipa-tuura/data

# Setup gssproxy
COPY prod/conf/gssproxy.conf /etc/gssproxy/80-httpd.conf
COPY prod/conf/httpd_env.conf /etc/systemd/system/httpd.service.d/env.conf
RUN mkdir /var/lib/ipatuura \
&& chmod 770 /var/lib/ipatuura \
&& systemctl enable gssproxy
RUN systemctl enable gssproxy

# Enable httpd service
RUN systemctl enable httpd
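Review bot: the explicit `chown apache:apache .../db.sqlite3` is replaced by `chown -R apache:apache /www/ipa-tuura/data` at this point in the build, so the database is only covered if it already exists in that directory here; if a later build step or the first container start creates db.sqlite3 as root, httpd running as apache ends up with a database it cannot write. Worth confirming where the migration that creates the DB runs, or creating/chowning the file in an entrypoint instead. Note also that `chmod 740` leaves the group without the traverse bit on the directory, which is fine only as long as apache and root (gssproxy) are the sole readers of the keytabs placed in it.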
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -37,13 +37,14 @@ The service can be deployed on a host using the following commands:

```bash
setsebool -P container_manage_cgroup true
podman run --name=bridge -d --privileged --dns <IP address> --add-host <host>:<IP address> -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname <hostname> quay.io/idmops/bridge
podman run --name=bridge -d --privileged --dns <IP address> --add-host <host>:<IP address> -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname <hostname> quay.io/idmops/bridge --mount type=volume,src=bridge-data,target=/www/ipa-tuura/data
```
* Where you need to provide host details such as:
- DNS IP address: --dns ```<IP address>```
- The integration domain host, so that the bridge service can resolve the name: --add-host ```<host>:<IP address>```
- The hostname where the bridge is going to be deployed: --hostname ```<hostname>```
- The container image: quay.io/idmops/bridge points to our official image, which is regularly updated by GitHub Actions on post merge request.
- The volume for storing persistent ipa-tuura data, with target `/www/ipa-tuura/data`

To enroll with an existing FreeIPA server, you can use the following CURL command:
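Review bot: the new `--mount type=volume,src=bridge-data,target=/www/ipa-tuura/data` is placed after the image name `quay.io/idmops/bridge`; `podman run` treats everything after the image as the command to run inside the container, so as written the volume is never mounted and the container is started with `--mount` as its command. Move the option before the image, e.g. `... --hostname <hostname> --mount type=volume,src=bridge-data,target=/www/ipa-tuura/data quay.io/idmops/bridge`. The new bullet would also be more useful if it listed which files live in the volume (db.sqlite3, service.keytab, httpd.keytab) so operators know what to provision, back up and restore.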

10 changes: 6 additions & 4 deletions prod/Containerfile
Expand Up @@ -22,6 +22,9 @@ ENV TZ=Europe/Madrid \
RUN mkdir /www
COPY . /www/ipa-tuura

# Create data directory (volume mount point)
RUN mkdir /www/ipa-tuura/data

# Install system dependencies
RUN dnf -y update && dnf -y install \
dbus-daemon \
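Review bot: `/www/ipa-tuura/data` is now hard-coded here and in Containerfile.test, README.md, prod/conf/gssproxy.conf, domains/utils.py and root/settings.py. Defining it once in the Containerfile, e.g. `ENV IPA_TUURA_DATA_DIR=/www/ipa-tuura/data` ahead of this `RUN mkdir` (name is a suggestion), and having settings.py read that variable would mean a future move of the volume does not require editing six files.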
Expand Down Expand Up @@ -86,14 +89,13 @@ RUN echo 'apache ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/apache \
&& chmod -R 770 /etc/sssd \
&& chmod 740 /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/db.sqlite3
&& chmod 740 /www/ipa-tuura/data \
&& chown -R apache:apache /www/ipa-tuura/data

# Setup gssproxy
COPY prod/conf/gssproxy.conf /etc/gssproxy/80-httpd.conf
COPY prod/conf/httpd_env.conf /etc/systemd/system/httpd.service.d/env.conf
RUN mkdir /var/lib/ipatuura \
&& chmod 770 /var/lib/ipatuura \
&& systemctl enable gssproxy
RUN systemctl enable gssproxy

# Enable httpd service
RUN systemctl enable httpd
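Review bot: the `chmod 740` and `chown -R apache:apache` run at build time, and podman only copies the image's mount-point contents into a named volume when an empty volume is first mounted there; a `bridge-data` volume that already has contents keeps whatever ownership and modes it had. If the ownership of the data directory matters at runtime, enforce it in an entrypoint/startup step rather than relying on this layer. The removed `mkdir /var/lib/ipatuura` also means the old `/var/lib/ipatuura/httpd.keytab` location no longer exists, so existing deployments have to move their keytab into the volume; that migration step belongs in the README.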
2 changes: 1 addition & 1 deletion prod/conf/gssproxy.conf
@@ -1,5 +1,5 @@
[service/HTTP]
mechs = krb5
cred_store = keytab:/var/lib/ipatuura/httpd.keytab
cred_store = keytab:/www/ipa-tuura/data/httpd.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = apache
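Review bot: moving `httpd.keytab` from the root-created `/var/lib/ipatuura` into `/www/ipa-tuura/data`, which both Containerfiles `chown -R apache:apache`, means the web application running as `euid = apache` can now read the HTTP service keytab directly, which is what routing it through gssproxy is meant to avoid. Given `apache ALL=(ALL) NOPASSWD:ALL` in the Containerfile this is not a new privilege boundary in practice, but if the keytab stays in the volume it would be cleaner as a root-owned `0600` file (or in a root-owned subdirectory of the volume) that only gssproxy reads.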
4 changes: 2 additions & 2 deletions src/ipa-tuura/domains/utils.py
Expand Up @@ -235,7 +235,7 @@ def deploy_ipa_service(domain):
http_bridge_principal = "HTTP/%s@%s" % (socket.gethostname(), realm)
keytab_file = os.environ.get("KRB5_CLIENT_KTNAME", None)
keytab_path = os.path.dirname(keytab_file)
http_keytab_file = "/var/lib/ipatuura/httpd.keytab"
http_keytab_file = "/www/ipa-tuura/data/httpd.keytab"

ipa_api_connect(domain)
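Review bot: `http_keytab_file` is hard-coded to the same directory that `KRB5_CLIENT_KTNAME` (set in root/settings.py) now points at, while `keytab_path = os.path.dirname(keytab_file)` is already computed two lines above; deriving it, e.g. `http_keytab_file = os.path.join(keytab_path, "httpd.keytab")`, keeps the data location defined in one place. Pre-existing but visible in this hunk: `keytab_file` is `None` when the variable is unset, and `os.path.dirname(None)` raises `TypeError`.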

Expand Down Expand Up @@ -452,7 +452,7 @@ def join_ad_realm(domain):
ad_passwd,
"scp",
f"{ad_admin}@{ad_server}:C:/httpd.keytab",
"/var/lib/ipatuura/httpd.keytab",
"/www/ipa-tuura/data/httpd.keytab",
]
)
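Review bot: the `scp` destination is the second literal copy of `/www/ipa-tuura/data/httpd.keytab` in this file; it should use the same path value as `deploy_ipa_service`. Also, `scp` creates the destination with the mode reported by the AD side (masked by the local umask), not `0600`, so the fetched keytab can end up group- or world-readable inside the data directory; follow the copy with `os.chmod(..., 0o600)`.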

4 changes: 2 additions & 2 deletions src/ipa-tuura/root/settings.py
Expand Up @@ -85,7 +85,7 @@
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
'NAME': os.path.join('/www/ipa-tuura/data', 'db.sqlite3'),
}
}
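Review bot: `os.path.join('/www/ipa-tuura/data', 'db.sqlite3')` is a constant; reading the directory from the environment with this as the default, e.g. `DATA_DIR = os.environ.get("IPA_TUURA_DATA_DIR", "/www/ipa-tuura/data")` (variable name is a suggestion), would let tests or a dev server outside the container avoid trying to create `/www/ipa-tuura/data/db.sqlite3` where that directory does not exist, and the same value can be reused for `KRB5_CLIENT_KTNAME` further down.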

Expand Down Expand Up @@ -131,7 +131,7 @@

# ipa-tuura configuration
# We assume that an admin keytab is available
os.environ["KRB5_CLIENT_KTNAME"] = '/var/lib/ipa/ipatuura/service.keytab'
os.environ["KRB5_CLIENT_KTNAME"] = '/www/ipa-tuura/data/service.keytab'

AUTH_USER_MODEL = 'scim.User'
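Review bot: nothing in this PR's README change says that `service.keytab` must now be provisioned into the `bridge-data` volume at `/www/ipa-tuura/data/service.keytab` instead of the old `/var/lib/ipa/ipatuura/service.keytab`; the comment above ("We assume that an admin keytab is available") should say where it is expected, and the README's volume bullet should list it as a required file.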
