Move Django database and keytabs to podman volume
In order to persist information between container executions, we should mount data such as keytabs as a volume.
This change centralizes keytabs and Django database so that everything can be
mounted to a single volume if specified by the user.

Signed-off-by: Antonio Torres <[email protected]>
antoniotorresm committed Apr 9, 2024
1 parent f46dbf2 commit 9a7e853
Showing 6 changed files with 19 additions and 14 deletions.
10 changes: 6 additions & 4 deletions Containerfile.test
Expand Up @@ -18,6 +18,9 @@ ENV TZ=Europe/Madrid \
RUN mkdir /www
COPY . /www/ipa-tuura

# Create data directory (volume mount point)
RUN mkdir /www/ipa-tuura/data

# Install system dependencies
RUN dnf -y update && dnf -y install \
dbus-daemon \
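Review bot: `RUN mkdir /www/ipa-tuura/data` runs after `COPY . /www/ipa-tuura`, so the build fails whenever a `data/` directory exists in the build context (for example one left behind by a local run). Use `mkdir -p`, and add `data/` to `.containerignore`, so a stale local keytab or `db.sqlite3` is never copied into the image layer.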
Expand Down Expand Up @@ -82,14 +85,13 @@ RUN echo 'apache ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/apache \
&& chmod -R 770 /etc/sssd \
&& chmod 740 /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/db.sqlite3
&& chmod 740 /www/ipa-tuura/data \
&& chown -R apache:apache /www/ipa-tuura/data

# Setup gssproxy
COPY prod/conf/gssproxy.conf /etc/gssproxy/80-httpd.conf
COPY prod/conf/httpd_env.conf /etc/systemd/system/httpd.service.d/env.conf
RUN mkdir /var/lib/ipatuura \
&& chmod 770 /var/lib/ipatuura \
&& systemctl enable gssproxy
RUN systemctl enable gssproxy

# Enable httpd service
RUN systemctl enable httpd
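Review bot: `chmod 740 /www/ipa-tuura/data` grants the group read without execute on a directory, which is not a usable mode; `700` (only the owner `apache` needs it) or `750` is what is meant. Note also that the build-time `chown -R` only covers an empty directory: `service.keytab`, `httpd.keytab` and `db.sqlite3` are created at runtime inside it and now persist in a volume on the host, so whatever writes them has to create them with restrictive modes. Since `mkdir /var/lib/ipatuura` is dropped here, grep the rest of the repo and docs for remaining `/var/lib/ipatuura` references.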
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -37,13 +37,14 @@ The service can be deployed on a host using the following commands:

```bash
setsebool -P container_manage_cgroup true
podman run --name=bridge -d --privileged --dns <IP address> --add-host <host>:<IP address> -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname <hostname> quay.io/idmops/bridge
podman run --name=bridge -d --privileged --dns <IP address> --add-host <host>:<IP address> -p 8000:8000 -p 3501:3500 -p 4701:81 -p 443:443 --hostname <hostname> quay.io/idmops/bridge --mount type=volume,src=bridge-data,target=/www/ipa-tuura/data
```
* Where you need to provide host details such as:
- DNS IP address: --dns ```<IP address>```
- The integration domain host, so that the bridge service can resolve the name: --add-host ```<host>:<IP address>```
- The hostname where the bridge is going to be deployed: --hostname ```<hostname>```
- The container image: quay.io/idmops/bridge points to our official image, which is regularly updated by GitHub Actions on post merge request.
- The volume for storing persistent ipa-tuura data, with target `/www/ipa-tuura/data`

To enroll with an existing FreeIPA server, you can use the following CURL command:

10 changes: 6 additions & 4 deletions prod/Containerfile
Expand Up @@ -22,6 +22,9 @@ ENV TZ=Europe/Madrid \
RUN mkdir /www
COPY . /www/ipa-tuura

# Create data directory (volume mount point)
RUN mkdir /www/ipa-tuura/data

# Install system dependencies
RUN dnf -y update && dnf -y install \
dbus-daemon \
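Review bot: same `mkdir` without `-p` after `COPY . /www/ipa-tuura` as in `Containerfile.test`; `mkdir -p` plus a `.containerignore` entry for `data/` keeps the build from breaking on a local `data/` directory and keeps local secrets out of the production image. Worth stating in the README as well: podman copies the image directory's contents and ownership into a named volume on first use, so the ownership set in this file carries over to `bridge-data`, but a bind mount (`type=bind`) keeps the host directory's ownership and must be prepared for the `apache` uid by hand.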
Expand Down Expand Up @@ -86,14 +89,13 @@ RUN echo 'apache ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/apache \
&& chmod -R 770 /etc/sssd \
&& chmod 740 /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/ \
&& chown apache:apache /www/ipa-tuura/src/ipa-tuura/db.sqlite3
&& chmod 740 /www/ipa-tuura/data \
&& chown -R apache:apache /www/ipa-tuura/data

# Setup gssproxy
COPY prod/conf/gssproxy.conf /etc/gssproxy/80-httpd.conf
COPY prod/conf/httpd_env.conf /etc/systemd/system/httpd.service.d/env.conf
RUN mkdir /var/lib/ipatuura \
&& chmod 770 /var/lib/ipatuura \
&& systemctl enable gssproxy
RUN systemctl enable gssproxy

# Enable httpd service
RUN systemctl enable httpd
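Review bot: `chmod 740` on `/www/ipa-tuura/data` is the same odd mode as in `Containerfile.test` (group read, no execute); use `700` or `750`. More important for production: `/www/ipa-tuura/data` now holds `service.keytab`, `httpd.keytab` and `db.sqlite3` inside the same `/www/ipa-tuura` tree the httpd-hosted application lives in, so confirm the httpd configuration has no `Alias` or `DocumentRoot` that can serve files from `data/`, or place the directory outside the web tree.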
2 changes: 1 addition & 1 deletion prod/conf/gssproxy.conf
@@ -1,5 +1,5 @@
[service/HTTP]
mechs = krb5
cred_store = keytab:/var/lib/ipatuura/httpd.keytab
cred_store = keytab:/www/ipa-tuura/data/httpd.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = apache
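Review bot: this path must stay in sync with `http_keytab_file` in `domains/utils.py` and with the Containerfile mount point, and this config file is the one place that cannot read an environment variable, so a comment here naming the volume target it has to match would prevent a silent mismatch later. Also check the keytab's mode once it is written: gssproxy reads it as root, so nothing forces `0600`, and the file now persists in a volume on the host.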
4 changes: 2 additions & 2 deletions src/ipa-tuura/domains/utils.py
Expand Up @@ -235,7 +235,7 @@ def deploy_ipa_service(domain):
http_bridge_principal = "HTTP/%s@%s" % (socket.gethostname(), realm)
keytab_file = os.environ.get("KRB5_CLIENT_KTNAME", None)
keytab_path = os.path.dirname(keytab_file)
http_keytab_file = "/var/lib/ipatuura/httpd.keytab"
http_keytab_file = "/www/ipa-tuura/data/httpd.keytab"

ipa_api_connect(domain)

Expand Down Expand Up @@ -452,7 +452,7 @@ def join_ad_realm(domain):
ad_passwd,
"scp",
f"{ad_admin}@{ad_server}:C:/httpd.keytab",
"/var/lib/ipatuura/httpd.keytab",
"/www/ipa-tuura/data/httpd.keytab",
]
)

4 changes: 2 additions & 2 deletions src/ipa-tuura/root/settings.py
Expand Up @@ -85,7 +85,7 @@
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
'NAME': os.path.join('/www/ipa-tuura/data', 'db.sqlite3'),
}
}

Expand Down Expand Up @@ -131,7 +131,7 @@

# ipa-tuura configuration
# We assume that an admin keytab is available
os.environ["KRB5_CLIENT_KTNAME"] = '/var/lib/ipa/ipatuura/service.keytab'
os.environ["KRB5_CLIENT_KTNAME"] = '/www/ipa-tuura/data/service.keytab'

AUTH_USER_MODEL = 'scim.User'
