From 9a7e8539788a35f7462486da0c96d72f2df96752 Mon Sep 17 00:00:00 2001
From: Antonio Torres
Date: Tue, 9 Apr 2024 09:28:12 +0200
Subject: [PATCH] Move Django database and keytabs to podman volume

In order to persist information between container executions, we should mount data such as keytabs as a volume. This change centralizes keytabs and Django database so that everything can be mounted to a single volume if specified by the user.

Signed-off-by: Antonio Torres
---
 Containerfile.test | 10 ++++++----
 README.md | 3 ++-
 prod/Containerfile | 10 ++++++----
 prod/conf/gssproxy.conf | 2 +-
 src/ipa-tuura/domains/utils.py | 4 ++--
 src/ipa-tuura/root/settings.py | 4 ++--
 6 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/Containerfile.test b/Containerfile.test
index 435342e..8b0733d 100644
--- a/Containerfile.test
+++ b/Containerfile.test
@@ -18,6 +18,9 @@ ENV TZ=Europe/Madrid \
 RUN mkdir /www
 COPY . /www/ipa-tuura
 
+# Create data directory (volume mount point)
+RUN mkdir /www/ipa-tuura/data
+
 # Install system dependencies
 RUN dnf -y update && dnf -y install \
 dbus-daemon \
@@ -82,14 +85,13 @@ RUN echo 'apache ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/apache \
 && chmod -R 770 /etc/sssd \
 && chmod 740 /www/ipa-tuura/src/ipa-tuura/ \
 && chown apache:apache /www/ipa-tuura/src/ipa-tuura/ \
- && chown apache:apache /www/ipa-tuura/src/ipa-tuura/db.sqlite3
+ && chmod 740 /www/ipa-tuura/data \
+ && chown -R apache:apache /www/ipa-tuura/data
 
 # Setup gssproxy
 COPY prod/conf/gssproxy.conf /etc/gssproxy/80-httpd.conf
 COPY prod/conf/httpd_env.conf /etc/systemd/system/httpd.service.d/env.conf
-RUN mkdir /var/lib/ipatuura \ && chmod 770 /var/lib/ipatuura \ && systemctl enable gssproxy
+RUN systemctl enable gssproxy
 
 # Enable httpd service
 RUN systemctl enable httpd
diff --git a/README.md b/README.md
index 169308d..f7006d4 100644
--- a/README.md
+++ b/README.md
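Review bot: The `chmod 740` and `chown -R apache:apache /www/ipa-tuura/data` added in the second hunk fix ownership only in the image layer, while the README in this same patch tells users to mount a named volume over that path, so what httpd sees at runtime is the volume's ownership. As far as I know podman seeds a named volume from the image directory (content and ownership) only when the volume is created empty on first use; a pre-existing volume, or one created with other tooling, can leave the directory unwritable by apache, and the SQLite database and the keytabs written by deploy_ipa_service and join_ad_realm then cannot be created. I would either say so in the comment on the new mkdir (`# Volume mount point; image-time ownership only seeds a fresh named volume, an existing volume must already be apache-writable`) or fix ownership at container start. The directory also now carries the service and HTTP keytabs, so the volume persists long-lived Kerberos credentials on the host and should be protected like any keytab. The prod/Containerfile hunk at -86,14 has the identical lines.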
@@ -37,13 +37,14 @@ The service can be deployed on a host using the following commands:
 
 ```bash
 setsebool -P container_manage_cgroup true
-podman run --name=bridge -d --privileged --dns --add-host : -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname quay.io/idmops/bridge
+podman run --name=bridge -d --privileged --dns --add-host : -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname quay.io/idmops/bridge --mount type=volume,src=bridge-data,target=/www/ipa-tuura/data
 ```
 
 * Where you need to provide host details such as:
 - DNS IP address: --dns ``````
 - The integration domain host, so that the bridge service can resolve the name: --add-host ```:```
 - The hostname where the bridge is going to be deployed: --hostname ``````
 - The container image: quay.io/idmops/bridge points to our official image, which is regularly updated by GitHub Actions on post merge request.
+- The volume for storing persistent ipa-tuura data, with target `/www/ipa-tuura/data`
 
 To enroll with an existing FreeIPA server, you can use the following CURL command:
diff --git a/prod/Containerfile b/prod/Containerfile
index 90af621..a716870 100644
--- a/prod/Containerfile
+++ b/prod/Containerfile
@@ -22,6 +22,9 @@ ENV TZ=Europe/Madrid \
 RUN mkdir /www
 COPY . /www/ipa-tuura
 
+# Create data directory (volume mount point)
+RUN mkdir /www/ipa-tuura/data
+
 # Install system dependencies
 RUN dnf -y update && dnf -y install \
 dbus-daemon \
@@ -86,14 +89,13 @@ RUN echo 'apache ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/apache \
 && chmod -R 770 /etc/sssd \
 && chmod 740 /www/ipa-tuura/src/ipa-tuura/ \
 && chown apache:apache /www/ipa-tuura/src/ipa-tuura/ \
- && chown apache:apache /www/ipa-tuura/src/ipa-tuura/db.sqlite3
+ && chmod 740 /www/ipa-tuura/data \
+ && chown -R apache:apache /www/ipa-tuura/data
 
 # Setup gssproxy
 COPY prod/conf/gssproxy.conf /etc/gssproxy/80-httpd.conf
 COPY prod/conf/httpd_env.conf /etc/systemd/system/httpd.service.d/env.conf
-RUN mkdir /var/lib/ipatuura \ && chmod 770 /var/lib/ipatuura \ && systemctl enable gssproxy
+RUN systemctl enable gssproxy
 
 # Enable httpd service
 RUN systemctl enable httpd
diff --git a/prod/conf/gssproxy.conf b/prod/conf/gssproxy.conf
index 9b1bbd7..2f284a3 100644
--- a/prod/conf/gssproxy.conf
+++ b/prod/conf/gssproxy.conf
@@ -1,5 +1,5 @@
 [service/HTTP]
 mechs = krb5
- cred_store = keytab:/var/lib/ipatuura/httpd.keytab
+ cred_store = keytab:/www/ipa-tuura/data/httpd.keytab
 cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
 euid = apache
diff --git a/src/ipa-tuura/domains/utils.py b/src/ipa-tuura/domains/utils.py
index 810092a..3453f99 100644
--- a/src/ipa-tuura/domains/utils.py
+++ b/src/ipa-tuura/domains/utils.py
@@ -235,7 +235,7 @@ def deploy_ipa_service(domain):
 http_bridge_principal = "HTTP/%s@%s" % (socket.gethostname(), realm)
 keytab_file = os.environ.get("KRB5_CLIENT_KTNAME", None)
 keytab_path = os.path.dirname(keytab_file)
- http_keytab_file = "/var/lib/ipatuura/httpd.keytab"
+ http_keytab_file = "/www/ipa-tuura/data/httpd.keytab"
 
 ipa_api_connect(domain)
 
@@ -452,7 +452,7 @@ def join_ad_realm(domain):
 ad_passwd,
 "scp",
 f"{ad_admin}@{ad_server}:C:/httpd.keytab",
- "/var/lib/ipatuura/httpd.keytab",
+ "/www/ipa-tuura/data/httpd.keytab",
 ]
 )
 
diff --git a/src/ipa-tuura/root/settings.py b/src/ipa-tuura/root/settings.py
index 5f360ab..3a18399 100644
--- a/src/ipa-tuura/root/settings.py
+++ b/src/ipa-tuura/root/settings.py
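Review bot: The keytab gssproxy presents credentials from now lives in /www/ipa-tuura/data, which the Containerfile hunks make owned by apache, whereas the removed /var/lib/ipatuura got only `chmod 770` and no chown, so it was presumably root-owned. The web application user can therefore now replace the HTTP service keytab that gssproxy uses; in this image apache already has `NOPASSWD:ALL` sudo, so the change in trust boundary is small today, but it would silently survive a later tightening of that sudoers rule. A comment next to the cred_store line, `# keytab is in the persistent data volume, which is apache-owned (see Containerfile)`, would make that dependency visible.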
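Review bot: `http_keytab_file` stays a hard-coded literal, and after this patch the same `/www/ipa-tuura/data` prefix appears in join_ad_realm's scp target (the second utils.py hunk), in settings.py's `DATABASES` and `KRB5_CLIENT_KTNAME` hunks, and in gssproxy.conf, so four places have to be edited together next time the path moves. The line above already derives the data directory from the environment (`keytab_path = os.path.dirname(keytab_file)`), so this hunk could use `http_keytab_file = os.path.join(keytab_path, "httpd.keytab")`; a cleaner option is a single `DATA_DIR` constant in settings.py from which both keytab paths and the SQLite `NAME` are built, leaving only gssproxy.conf to keep in sync by hand. Note that `keytab_file` is None when `KRB5_CLIENT_KTNAME` is unset and `os.path.dirname(None)` raises TypeError before this line; that is pre-existing but worth a guard if the path is now derived from it. The body of deploy_ipa_service continues outside the hunk.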
@@ -85,7 +85,7 @@
 DATABASES = {
 'default': {
 'ENGINE': 'django.db.backends.sqlite3',
- 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
+ 'NAME': os.path.join('/www/ipa-tuura/data', 'db.sqlite3'),
 }
 }
 
@@ -131,7 +131,7 @@
 
 # ipa-tuura configuration
 # We assume that an admin keytab is available
-os.environ["KRB5_CLIENT_KTNAME"] = '/var/lib/ipa/ipatuura/service.keytab'
+os.environ["KRB5_CLIENT_KTNAME"] = '/www/ipa-tuura/data/service.keytab'
 
 AUTH_USER_MODEL = 'scim.User'
 
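Review bot: The comment `# We assume that an admin keytab is available` above the changed `KRB5_CLIENT_KTNAME` line in the second hunk is now misleading: the file is expected at a fixed location inside the persistent data volume that the Containerfiles create and the README tells users to mount, and nothing in settings.py creates or checks it. I would replace it with something like `# Admin/service keytab is expected in the persistent data volume (/www/ipa-tuura/data); it is not created here`. Since that directory is apache-owned and host-persisted, the comment is also the right place to say the volume holds credential material.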