On Thu, Nov 12, 2015 at 09:00:31PM -0500, Colin Walters wrote:
>
> Can you improve the commit message? It currently is mostly "what"
> but not much "why" (and the subject line should be imperative tense matching
> the rest of the style).
> Something like:
>
> ```
> manifest: Add requirements for host fedora/sssd container
>
> Having these dependencies on the host are necessary in order for the
> new `fedora/sssd` container to work. For more information, see:
>
> https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2015-October/msg00055.html

Please find the fixed patch in the attachment.

> I took a quick look at the container source.
>
> - What is up with:
> ```
> [Service]
> ExecStartPre=/bin/systemctl start dbus.service
> ```
> in
> https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/sssd/oddjobd.service
> ?
>
> Ah wait, we're running another system bus inside the container? Hmm.
> Regardless couldn't we just do `Requires=dbus.service` in sssd.service or so?

I'll check that, thanks for noticing it.

> Also, am I right in that things like:
> ```
> -v /var/lib/sss/:/var/lib/sss/
> ```
>
> will hard require UID/GID matching between host and container?

Yes. We pull the host's uids to the container at runtime

https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/sssd/run.sh#L11

so that hopefully covers at least some of the use cases -- for example,
you can use the host's usernames in /etc/sssd/sssd.conf (think apache) and
the sssd in the container will not complain because it will know about
them.

> Do you have a sense for the degree to which container and host versions can
> vary?
> Are we expecting to support e.g. a Fedora 23 host
> with version X of /usr/lib64/libnss_sss.so.2 talking to a Fedora 24 container
> sssd version Y (where X < Y, or X > Y)?

The SSSD team says the protocol used on the Unix sockets is and remains
compatible.

Ideally we'd probably like to have the versions in sync. How are other
"system" containers addressing it? What is the process of rebuilding
these containers to keep them on par with the Atomic versions, and the
naming? Currently,

https://github.com/fedora-cloud/Fedora-Dockerfiles/blob/master/sssd/Dockerfile

uses fedora:22 (it was the latest released version when it was added)
while it does not exist in f22 and f23 branches at all.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

>From 352899a8cedb25af0460eda7fe9feb47efa65e0b Mon Sep 17 00:00:00 2001 From: Jan Pazdziora <jpazdzi...@redhat.com> Date: Tue, 27 Oct 2015 11:43:40 +0100 Subject: [PATCH] Add sssd-client for PAM and NSS and oddjob-mkhomedir for homedir population. With SSSD in a container (fedora/sssd), we still need some bits on the host to talk to the SSSD. See: - https://lists.projectatomic.io/projectatomic-archives/atomic-devel/2015-October/msg00055.html --- fedora-atomic-docker-host.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fedora-atomic-docker-host.json b/fedora-atomic-docker-host.json index ae883da..cebebf9 100644 --- a/fedora-atomic-docker-host.json +++ b/fedora-atomic-docker-host.json @@ -23,7 +23,7 @@ "check-groups": { "type": "file", "filename": "group" }, "packages": ["atomic", - "glibc", "nss-altfiles", "shadow-utils", + "glibc", "nss-altfiles", "shadow-utils", "sssd-client", "fedora-release", "dracut-config-generic", "kernel", "dracut-network", @@ -69,7 +69,8 @@ "flannel", "docker", "python-docker-py", - "iscsi-initiator-utils"], + "iscsi-initiator-utils", + "oddjob-mkhomedir"], "default_target": "multi-user.target", -- 2.5.0
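
Review bot: In the first hunk (@@ -23,7 +23,7 @@), "sssd-client" is added to "packages", but the patch touches only fedora-atomic-docker-host.json, so nothing visible here shows where the host's NSS and PAM configuration is pointed at the SSSD client libraries. Please state in the commit message whether that configuration is expected to come from the image, from the fedora/sssd container's install step, or from the admin. Since the thread raises the case of a host libnss_sss.so.2 and a container sssd built from different Fedora releases, the message should also record the compatibility expectation for the socket protocol that this manifest entry relies on.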
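
Review bot: In the second hunk (@@ -69,7 +69,8 @@), "oddjob-mkhomedir" is appended after "iscsi-initiator-utils" without saying which oddjobd instance it is meant to work with. The review thread points out that the container ships its own oddjobd.service and starts a D-Bus inside the container, so the commit message should say whether home directories are created by an oddjobd on the host or by the one in the container, and, if it is the host's, what enables that service there. Without that, a reader of the manifest cannot tell why this package is needed on the host rather than only in the container.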