Hello,
Wondering if there is a plan to do an official image.
Also, what are others in the community doing?
Finally, there is this project that seems to be updated/supported but obviously not official: https://github.com/bitnami/bitnami-docker-openldap. Has anyone here used/seen this?
Why am I asking? We are simply looking to dockerize our infra and want to see what people here have experienced.
Our ldap env: 3-way MMR (syncrepl) on v2.6.1
Thank you, Dave
An official image would be great.
There are too many sketchy ones, and even the good ones have issues with their config, like having to hack their startup script to properly configure the mdb size.
On Sun, Feb 20, 2022 at 12:00 PM Dave Macias davama@gmail.com wrote:
Hello,
Wondering if there is a plan to do an official image.
Also, what are others in the community doing?
Finally, there is this project that seems to be updated/supported but obviously not official: https://github.com/bitnami/bitnami-docker-openldap. Has anyone here used/seen this?
Why am I asking? We are simply looking to dockerize our infra and want to see what people here have experienced.
Our ldap env: 3-way MMR (syncrepl) on v2.6.1
Thank you, Dave
Thank you for the input!
Anyone else?
Of course, would love to hear the opinion of a dev ;)
On Mon, Feb 21, 2022 at 1:39 PM Daniel Zuniga daniel.zuniga@gmail.com wrote:
An official image would be great.
There are too many sketchy ones, and even the good ones have issues with their config, like having to hack their startup script to properly configure the mdb size.
Happy Monday Everyone,
Does anyone else have an opinion/comment/concern on this? This will be the last time I ask if no response... ( I like quiet mailing lists too :D )
Thank you always for the awesome support!!
Best, Dave
On Tue, Feb 22, 2022 at 1:11 PM Dave Macias davama@gmail.com wrote:
Thank you for the input!
Anyone else?
Of course, would love to hear the opinion of a dev ;)
While I use Docker for some other services, I do not use it for OpenLDAP and have no interest in doing so. We use puppet for managing our OpenLDAP cluster (running the Symas builds).
// John Pfeifer, Division of Information Technology, University of Maryland, College Park
On Mar 21, 2022, at 4:55 PM, Dave Macias davama@gmail.com wrote:
Happy Monday Everyone,
Does anyone else have an opinion/comment/concern on this? This will be the last time I ask if no response... ( I like quiet mailing lists too :D )
Thank you always for the awesome support!!
Best, Dave
On Mar 21, 2022, at 3:55 PM, Dave Macias davama@gmail.com wrote:
Does anyone else have an opinion/comment/concern on this? This will be the last time I ask if no response... ( I like quiet mailing list too :D )
Thank you always for the awesome support!!
Hi Dave,
It’s a fair question to ask. There are many openldap images out there, of varying refinement, complexity and (presumably) quality.
Despite not being an expert in containers, I took on the task of creating images that we use in testing and to share with our customers, as they sometimes ask about it as well.
I have my own opinion on what’s needed but that’s not as good as real requirements.
Speaking of, can you supply a list of them? If we can agree to what we’d like to see an openldap container ‘do’, it should be easy enough to make that happen.
I’ll start:
1. Must be secure, not run as root, and follow best practices.
2. The configuration and database artifacts must reside outside the container.
— Shawn
Hello,
On Tue, Mar 29, 2022 at 10:42 AM Shawn McKinney smckinney@symas.com wrote:
On Mar 21, 2022, at 3:55 PM, Dave Macias davama@gmail.com wrote:
Does anyone else have an opinion/comment/concern on this? This will be the last time I ask if no response... ( I like quiet mailing list too :D )
Thank you always for the awesome support!!
Hi Dave,
It’s a fair question to ask. There are many openldap images out there, of varying refinement, complexity and (presumably) quality.
Despite not being an expert in containers, I took on the task of creating images that we use in testing and to share with our customers, as they sometimes ask about it as well.
I have my own opinion on what’s needed but that’s not as good as real requirements.
Speaking of, can you supply a list of them? If we can agree to what we’d like to see an openldap container ‘do’, it should be easy enough to make that happen.
I’ll start:
1. Must be secure, not run as root, and follow best practices.
2. The configuration and database artifacts must reside outside the container.
I believe the trickiest thing to get right is exactly this interface between the container and its configuration. In summary, what should the entrypoint.sh be able to do, with what env vars set, what to do if an existing db is found, hooks for extra scripts to run, storage mount points, etc.
A good source for inspiration might be database-like containers, like postgresql.
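To make the entrypoint interface discussed here concrete (non-root, config and mdb on mounted volumes, a configurable mdb size instead of a hacked startup script, an existing-database check, and a hook directory for extras), here is an added sketch of an entrypoint.sh. It is not code from this thread or from any published image; every env var name, path, the `{1}mdb` database index, the `USER ldap` in the Dockerfile and the use of slapmodify(8) (OpenLDAP 2.5+) for offline edits of cn=config are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's or any image's code); env var names are assumptions.
set -eu
LDAP_CONF_DIR="${LDAP_CONF_DIR:-/var/lib/ldap/slapd.d}"   # cn=config on a mounted volume
LDAP_DATA_DIR="${LDAP_DATA_DIR:-/var/lib/ldap/data}"      # mdb files on a mounted volume
LDAP_MDB_MAXSIZE="${LDAP_MDB_MAXSIZE:-1073741824}"        # olcDbMaxSize in bytes (1 GiB)
LDAP_HOOK_DIR="${LDAP_HOOK_DIR:-/docker-entrypoint.d}"    # user-mounted extra scripts
BOOTSTRAP_LDIF="${BOOTSTRAP_LDIF:-/etc/openldap/bootstrap.ldif}"  # shipped in the image

# Requirement 1: never run as root; the Dockerfile is expected to set USER ldap.
require_unprivileged() { [ "$(id -u)" -ne 0 ]; }

# Requirement 2: the mounted volume, not the image, decides between first start and
# restart (slapd-config keeps its root entry in cn=config.ldif).
detect_state() {
    if [ -f "$1/cn=config.ldif" ]; then echo existing; else echo fresh; fi
}

# The mdb size people hack startup scripts for: digits only and at least 1 MiB.
valid_mdb_size() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1048576 ]
}

# LDIF setting olcDbMaxSize on the first mdb database (index {1} is assumed).
mdb_size_ldif() {
    printf 'dn: olcDatabase={1}mdb,cn=config\nchangetype: modify\n'
    printf 'replace: olcDbMaxSize\nolcDbMaxSize: %s\n' "$1"
}

# Hook point for modules/plugins the image does not ship: source every *.sh found.
run_hooks() {
    for f in "$1"/*.sh; do if [ -r "$f" ]; then . "$f"; fi; done
    return 0
}
main() {
    require_unprivileged || { echo "refusing to run as root" >&2; exit 1; }
    valid_mdb_size "$LDAP_MDB_MAXSIZE" || { echo "bad LDAP_MDB_MAXSIZE" >&2; exit 1; }
    mkdir -p "$LDAP_CONF_DIR" "$LDAP_DATA_DIR"
    if [ "$(detect_state "$LDAP_CONF_DIR")" = fresh ]; then
        slapadd -n 0 -F "$LDAP_CONF_DIR" -l "$BOOTSTRAP_LDIF"   # seed cn=config once
    fi
    # Re-apply the size on every start (offline, before slapd is up) so the env var wins.
    mdb_size_ldif "$LDAP_MDB_MAXSIZE" | slapmodify -n 0 -F "$LDAP_CONF_DIR"
    run_hooks "$LDAP_HOOK_DIR"
    # Unprivileged port (no CAP_NET_BIND_SERVICE); -d keeps slapd in the foreground.
    exec slapd -d 0 -F "$LDAP_CONF_DIR" -h "ldap://0.0.0.0:1389/"
}
# Run only when invoked as the entrypoint, so the functions can also be sourced/tested.
if [ "$(basename "$0")" = entrypoint.sh ]; then main "$@"; fi
```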
Appreciate the reply Shawn.
It’s a fair question to ask. There are many openldap images out there, of varying refinement, complexity and (presumably) quality.
Agreed. I prefer to stick to what is supported without "hacking" too much.
I’ll start:
- Must be secure, not run as root, and follow best practices.
I can agree to this but the current symas rpm by default does not follow this... ( I believe there was a mailing list Q about it recently which was shut down because "many customers run like this and it's fine" ) Of course, the user can easily create the ldap user and make the slapd service run as ldap.
2. The configuration and database artifacts must reside outside the container.
absolutely
3. Must be able to add new modules/plugins. (probably outside the container too) For example, we use bind-dyndb-ldap.
Can't think of anything else honestly; ldap is pretty light... hence the name :D
My only qualm about dockering openldap is the dependency on docker, but it does not hurt to explore it. Either way, options are always good to have.
Thanks again for the response.
Best, Dave
On 3/29/22 16:36, Dave Macias wrote:
Shawn wrote:
I’ll start: 1. Must be secure, not run as root, and follow best practices.
I can agree to this but the current symas rpm by default does not follow this...
Probably Shawn did not mean running slapd in the container as root or not.
I understood Shawn as saying: the container must not run as root, and must work without any special privileges.
Anyway, you're absolutely free to use whatever command line you'd like to start slapd (CMD), independent of the RPMs you're using.
- Must be able to add new modules/plugins. (probably outside the container too) For example, we use bind-dyndb-ldap
bind-dyndb-ldap is a bind DNS server backend and not something the OpenLDAP project is responsible for. It does not make sense to add anything like this to a requirements list for an OpenLDAP server container.
My only qualm about dockering openldap is the dependency to docker, but does not hurt to explore it.
There are various container runtimes with different security properties. E.g. podman or sysbox allow running other containers or systemd inside an unprivileged container.
Ciao, Michael. (also not a container expert)
Thank you for the input Michael
Probably Shawn did not mean running slapd in the container as root or not.
I understood Shawn as saying: the container must not run as root, and must work without any special privileges.
Anyway, you're absolutely free to use whatever command line you'd like to start slapd (CMD), independent of the RPMs you're using.
I see. Yes, the container as a non-priv user is best.
- Must be able to add new modules/plugins. (probably outside the container too) For example, we use bind-dyndb-ldap
bind-dyndb-ldap is a bind DNS server backend and not something the OpenLDAP project is responsible for. It does not make sense to add anything like this to a requirements list for an OpenLDAP server container.
Fair point. One can mount their own volumes to add anything extra. At least documenting this would be nice.
My only qualm about dockering openldap is the dependency to docker, but does not hurt to explore it.
There are various container runtimes with different security properties. E.g. podman or sysbox allow running other containers or systemd inside an unprivileged container.
Ciao, Michael. (also not a container expert)
True. I mentioned docker simply because it's one of the most popular right now.
Thanks!
openldap-technical@openldap.org