Dockerfile:

```Dockerfile
FROM debian:buster
ENV container docker

# systemd
RUN apt-get update && apt-get install -y \
    systemd systemd-sysv && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
RUN systemctl disable systemd-resolved.service
RUN systemctl disable systemd-hostnamed.service
STOPSIGNAL SIGRTMIN+3
CMD [ "/sbin/init" ]

RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    slapd && \
    apt-get clean && rm -rf /var/lib/apt/lists/*
RUN systemctl enable slapd.service

# Allow restart of slapd after dpkg-reconfigure (docker forbids this by default)
RUN bash -c "install -m755 <(printf '#!/bin/sh\nexit 0') /usr/sbin/policy-rc.d"
```
Build command:

```sh
docker build -t tmp .
```

Run command:

```sh
docker run \
    --name=tmp \
    -it \
    --tmpfs /run \
    --tmpfs /run/lock \
    --tmpfs /tmp \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    --rm \
    tmp
```

Slapd restart (run within container):

```sh
service slapd restart
```
Log (journalctl -u slapd):

```
Jun 18 07:14:25 81bb7d58af2b systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:14:25 81bb7d58af2b slapd[39]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Jun 18 07:14:25 81bb7d58af2b slapd[40]: slapd starting
Jun 18 07:14:25 81bb7d58af2b slapd[27]: Starting OpenLDAP: slapd.
Jun 18 07:14:25 81bb7d58af2b systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopping LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:14:35 81bb7d58af2b slapd[72]: Stopping OpenLDAP: slapd.
Jun 18 07:14:35 81bb7d58af2b systemd[1]: slapd.service: Succeeded.
Jun 18 07:14:35 81bb7d58af2b systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Found left-over process 40 (slapd) in control group while starting unit. Ignoring.
Jun 18 07:14:40 81bb7d58af2b systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Jun 18 07:14:40 81bb7d58af2b systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:14:40 81bb7d58af2b slapd[99]: Starting OpenLDAP: slapd failed!
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
Jun 18 07:14:40 81bb7d58af2b systemd[1]: slapd.service: Failed with result 'exit-code'.
Jun 18 07:14:40 81bb7d58af2b systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
```
---
The problem seems to be an unclean stop (a left-over process) which still occupies the port. Which capabilities [1] / seccomp [2] are needed by slapd?

[1]: https://linux.die.net/man/7/capabilities
[2]: https://docs-stage.docker.com/engine/security/seccomp/
---
My goal is to set the domain to "thisbox".
Running the following code (within container):

```sh
cat <<EOF >/tmp/slapd
Name: slapd/domain
Template: slapd/domain
Value: thisbox
Owners: slapd

EOF
DEBIAN_FRONTEND=noninteractive DEBCONF_DB_OVERRIDE=/tmp/slapd dpkg-reconfigure slapd
```
Log (journalctl -u slapd):

```
-- Logs begin at Thu 2020-06-18 07:43:44 UTC, end at Thu 2020-06-18 07:44:57 UTC. --
Jun 18 07:43:44 fe1ddc01fdaf systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:43:44 fe1ddc01fdaf slapd[38]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Jun 18 07:43:44 fe1ddc01fdaf slapd[39]: slapd starting
Jun 18 07:43:44 fe1ddc01fdaf slapd[28]: Starting OpenLDAP: slapd.
Jun 18 07:43:44 fe1ddc01fdaf systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Stopping LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:43:48 fe1ddc01fdaf slapd[160]: Stopping OpenLDAP: slapd.
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Succeeded.
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: @(#) $OpenLDAP: slapd (Apr 20 2020 18:19:54) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: daemon: bind(8) failed errno=98 (Address already in use)
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: daemon: bind(8) failed errno=98 (Address already in use)
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: slapd stopped.
Jun 18 07:43:48 fe1ddc01fdaf slapd[170]: connections_destroy: nothing to destroy.
Jun 18 07:43:48 fe1ddc01fdaf slapd[165]: Starting OpenLDAP: slapd failed!
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: slapd.service: Failed with result 'exit-code'.
Jun 18 07:43:48 fe1ddc01fdaf systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
```
So the problem indicates that the address is already in use.
---
Setting the configuration within Dockerfile (no need to restart in container):

```Dockerfile
RUN echo "" >> /tmp/slapd && \
    echo "Name: slapd/domain" >> /tmp/slapd && \
    echo "Template: slapd/domain" >> /tmp/slapd && \
    echo "Value: thisbox" >> /tmp/slapd && \
    echo "Owners: slapd" >> /tmp/slapd && \
    echo "" >> /tmp/slapd && \
    DEBIAN_FRONTEND=noninteractive \
    DEBCONF_DB_OVERRIDE=/tmp/slapd \
    dpkg-reconfigure slapd
```
doesn't throw any error, but doesn't seem to work either.
```sh
ldapadd -Q -Y EXTERNAL -H ldapi:///
```

logs to stdout:

```
adding new entry "ou=users,dc=thisbox"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge
```
So for some reason the setup on container creation doesn't seem to be used.
---
I am new to LDAP, so I apologize if I am using something completely wrong. I am just trying to fix https://salsa.debian.org/freedombox-team/freedombox/-/issues/1880.
Any help appreciated!
(apologies to the list, I'm going to engage on a couple of docker points here while addressing the actual -- fairly Debian specific -- question; feel free to skip over this mail...)
On Thu, Jun 18, 2020 at 06:43:37PM +0200, darkdragon wrote:
> # systemd
> RUN apt-get update && apt-get install -y \
>     systemd systemd-sysv && \
>     apt-get clean && \
>     rm -rf /var/lib/apt/lists/*
> RUN systemctl disable systemd-resolved.service
> RUN systemctl disable systemd-hostnamed.service
systemd in a container? I'll assume you know what you're doing, but it looks to me like a weird thing to do. At any rate it would help if you could reduce this to just the parts relevant for the actual problem.
> # Allow restart of slapd after dpkg-reconfigure (docker forbids this by default)
> RUN bash -c "install -m755 <(printf '#!/bin/sh\nexit 0') /usr/sbin/policy-rc.d"

Docker doesn't care. This policy comes from the debian:buster container, which (IMO rightly) assumes that you will run your daemon directly and not via the service manager.

> My goal is to set the domain to "thisbox".
OK, that's a good thing to have stated up front.
> Running the following code (within container):
>
> cat <<EOF >/tmp/slapd
> Name: slapd/domain
> Template: slapd/domain
> Value: thisbox
> Owners: slapd
>
> EOF
> DEBIAN_FRONTEND=noninteractive DEBCONF_DB_OVERRIDE=/tmp/slapd dpkg-reconfigure slapd
I'd recommend preseeding the config before installing slapd, instead of trying to make dpkg-reconfigure work in the container.
example of a Dockerfile for that:
```Dockerfile
FROM debian:buster
ENV DEBIAN_FRONTEND=noninteractive
RUN echo slapd slapd/domain string thisbox | debconf-set-selections && \
    apt-get update && \
    apt-get -y install ldap-utils slapd && \
    apt-get clean
ENTRYPOINT ["/usr/sbin/slapd", "-h", "ldap:/// ldapi:///", "-u", "openldap", "-d", "0"]
```
Pre-configuring 'slapd/domain' to 'thisbox' will initialize it with the suffix set to 'dc=thisbox'. The slapd package offers a few other debconf settings for things like the admin password, too.
Hope that helps.
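As an added example (not code from this thread or from the Debian slapd package), the script below preseeds slapd/domain the way the reply suggests and then checks the suffix the package actually configured, using slapcat on the on-disk cn=config so the check also works at image build time when policy-rc.d keeps slapd from starting. domain_to_suffix mirrors how the Debian slapd postinst turns the domain into a base DN (one dc= component per dot-separated label), so it also covers multi-label domains; the function names, the optional password-file argument and the slapcat check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: preseed slapd's debconf answers before
# installing the package, then confirm the suffix it was configured with.
# Assumes Debian/Ubuntu with debconf; run as root (e.g. in a Dockerfile RUN).
set -eu

# Base DN as the Debian slapd postinst derives it from slapd/domain:
# one "dc=" component per dot-separated label (example.com -> dc=example,dc=com).
domain_to_suffix() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# debconf-set-selections lines for the domain and, optionally, the admin
# password read from file $2 (so it is not a literal in build logs/layers).
preseed_lines() {
    printf 'slapd slapd/domain string %s\n' "$1"
    if [ -n "${2:-}" ]; then
        pw=$(cat "$2")
        printf 'slapd slapd/password1 password %s\n' "$pw"
        printf 'slapd slapd/password2 password %s\n' "$pw"
    fi
}

# $1: LDIF text (e.g. slapcat output), $2: expected suffix.
# Succeeds only if the first olcSuffix in the LDIF equals the expected value.
suffix_matches() {
    actual=$(printf '%s\n' "$1" | sed -n 's/^olcSuffix: //p' | head -n 1)
    [ "$actual" = "$2" ]
}

# Preseed, install, verify against on-disk cn=config. slapcat needs no running
# slapd, so this works even where policy-rc.d keeps the postinst from starting it.
apply_and_verify() {
    preseed_lines "$1" "${2:-}" | debconf-set-selections
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        slapd ldap-utils
    ldif=$(slapcat -n 0 -a '(olcSuffix=*)')
    if suffix_matches "$ldif" "$(domain_to_suffix "$1")"; then
        echo "slapd suffix OK: $(domain_to_suffix "$1")"
    else
        echo "slapd suffix mismatch; compare 'debconf-show slapd'" >&2
        return 1
    fi
}
# Usage: sh preseed-slapd.sh thisbox [/run/secrets/ldap_admin_pw]
if [ $# -gt 0 ]; then
    apply_and_verify "$@"
fi
```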
> systemd in a container? I'll assume you know what you're doing, but it looks to me like a weird thing to do.
I don't use it for production, but mainly to test things on my laptop. It's a lot more lightweight than virtual machines.
> At any rate it would help if you could reduce this to just the parts relevant for the actual problem.

This is what I did. Only the two "disable" lines are no longer necessary in the latest Debian releases.

> Docker doesn't care. This policy comes from the debian:buster container, which (IMO rightly) assumes that you will run your daemon directly and not via the service manager.
Sorry for my incorrect wording. This is what I meant and I agree that this is a good default. In my case, I have to overwrite this default though.
> > Running the following code (within container):
> >
> > cat <<EOF >/tmp/slapd
> > Name: slapd/domain
> > Template: slapd/domain
> > Value: thisbox
> > Owners: slapd
> >
> > EOF
> > DEBIAN_FRONTEND=noninteractive DEBCONF_DB_OVERRIDE=/tmp/slapd dpkg-reconfigure slapd
>
> I'd recommend preseeding the config before installing slapd, instead of trying to make dpkg-reconfigure work in the container.
>
> example of a Dockerfile for that:
>
> FROM debian:buster
> ENV DEBIAN_FRONTEND=noninteractive
> RUN echo slapd slapd/domain string thisbox | debconf-set-selections && \
>     apt-get update && \
>     apt-get -y install ldap-utils slapd && \
>     apt-get clean
> ENTRYPOINT ["/usr/sbin/slapd", "-h", "ldap:/// ldapi:///", "-u", "openldap", "-d", "0"]
>
> Pre-configuring 'slapd/domain' to 'thisbox' will initialize it with the suffix set to 'dc=thisbox'. The slapd package offers a few other debconf settings for things like the admin password, too.
Thanks a lot! This allows me to run without "--privileged" now!
Nevertheless, I think it is worth investigating what actually causes the issue. Other systemd services can be restarted without "--privileged" as well.
Minimum example:

```Dockerfile
FROM debian:buster

ENV container docker
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update

# systemd
RUN apt-get install -y systemd
STOPSIGNAL SIGRTMIN+3
CMD [ "/sbin/init" ]

# slapd
RUN echo slapd slapd/domain string thisbox | debconf-set-selections && \
    apt-get install -y ldap-utils slapd
RUN systemctl enable slapd.service
```
Build:

```sh
docker build -t slapd .
```

Run:

```sh
docker run \
    --name slapd \
    --rm -d \
    --tmpfs /run --tmpfs /run/lock --tmpfs /tmp \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    slapd
```

Shell:

```sh
docker exec -it slapd bash
```

Test restart:

```sh
systemctl status slapd
systemctl restart slapd
systemctl status slapd
```

Error messages:

```
Jun 19 14:56:35 66bc7f3dac74 slapd[75]: daemon: bind(8) failed errno=98 (Address already in use)
Jun 19 14:56:35 66bc7f3dac74 slapd[75]: daemon: bind(8) failed errno=98 (Address already in use)
```
openldap-technical@openldap.org