Bug 1418596 - Resping ipa-server-docker container - 7.3.3
Summary: Resping ipa-server-docker container - 7.3.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa-server-container
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Vobornik
QA Contact: Nikhil Dehadrai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-02 09:54 UTC by Martin Bašti
Modified: 2017-03-02 20:08 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-02 20:08:28 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0420 0 normal SHIPPED_LIVE Red Hat Enterprise Linux Atomic Identity Management Server Container Image 2017-03-03 01:27:37 UTC

Description Martin Bašti 2017-02-02 09:54:05 UTC
Resping ipa-server-docker container - 7.3.3

Comment 7 Niranjan Mallapadi Raghavender 2017-02-27 23:01:41 UTC
Versions:
===========
[root@ipaserver1 ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-27 16:31:38)
        Commit: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-23 22:16:59)
        Commit: fbeed59bb47b14e32a6b28e13aaa1cad96e88188930a5bf880f949728b7f36ea
        OSName: rhel-atomic-host

[root@ipaserver1 ~]# atomic info ipadocker
Image Name: ipadocker
BZComponent: ipa-server-docker
Name: rhel7/ipa-server
RUN_OPTS_FILE: /var/lib/${NAME}/docker-run-opts
Release: 36
Version: 4.4.0
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-02-27T11:04:27.027814
com.redhat.build-host: ip-10-29-120-151.ec2.internal
com.redhat.component: ipa-server-docker
description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
distribution-scope: public
install: docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh
io.k8s.description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
io.k8s.display-name: Identity Management (IdM) for Linux
io.k8s.openshift.tags: Identity Management
io.openshift.tags: base rhel7
name: rhel7/ipa-server
release: 36
run: docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}
stop: docker stop ${NAME}
summary: Identity Management (IdM) for Linux provides centralized management of identities and policies for Atomic Host
uninstall: docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh
vcs-ref: 16e3edc9a83722fbc2646f8bfd8642a15706e4d5
vcs-type: git
vendor: Red Hat, Inc.
version: 4.4.0





[root@ipaserver1 ~]# docker load < docker-image-sha256:abe848fc1a959bda7a6855c23b02bb68e1fc958bb8fc56c928b52c384af3a22d.x86_64.tar.gz
827264d42df6: Loading layer [==================================================>] 202.3 MB/202.3 MB
9ca8c628d8e7: Loading layer [==================================================>] 10.24 kB/10.24 kB
e90eb4334236: Loading layer [==================================================>] 478.1 MB/478.1 MB
Loaded image: mbasti/ipa-server-docker:extras-rhel-7.3-docker-candidate-20170227110351
[root@ipaserver1 ~]# docker images
REPOSITORY                 TAG                                               IMAGE ID            CREATED             SIZE
mbasti/ipa-server-docker   extras-rhel-7.3-docker-candidate-20170227110351   f96b5cc687e6        5 hours ago         652.9 MB
[root@ipaserver1 ~]# docker tag f96b5cc687e6 ipadocker
[root@ipaserver1 ~]# docker images
REPOSITORY                 TAG                                               IMAGE ID            CREATED             SIZE
ipadocker                  latest                                            f96b5cc687e6        5 hours ago         652.9 MB
mbasti/ipa-server-docker   extras-rhel-7.3-docker-candidate-20170227110351   f96b5cc687e6        5 hours ago         652.9 MB
[root@ipaserver1 ~]# 

[root@ipaserver1 ~]# mkdir /var/lib/ipadocker
[root@ipaserver1 ~]# cat /var/lib/ipadocker/ipa-server-install-options
--setup-dns
--ip-address=10.65.223.74
-r TESTRELM.TEST
-a Secret123 -p Secret123
--no-ntp
-U






The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

Warning: skipping DNS resolution of host ipaserver1.testrelm.test
The domain name has been determined based on the host name.

Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       ipaserver1.testrelm.test
IP address(es): 10.65.223.74
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.65.201.89
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [6/9]: creating a keytab for the machine
  [7/9]: adding the password extension to the directory
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: configure certmonger for renewals
  [9/21]: setting up httpd keytab
  [10/21]: setting up ssl
  [11/21]: importing CA certificates from LDAP
  [12/21]: setting up browser autoconfig
  [13/21]: publish CA cert
  [14/21]: clean up any existing httpd ccache
  [15/21]: configuring SELinux for httpd
  [16/21]: create KDC proxy user
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: restarting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server 
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipaserver1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaserver1.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipaserver1.testrelm.test/ipa/json'
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring testrelm.test as NIS domain.
Client configuration complete.

==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.
        3. Kerberos requires time synchronization between clients
           and servers for correct operation. You should consider enabling ntpd.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-update-self-ip-address.service to /usr/lib/systemd/system/ipa-server-update-self-ip-address.service.
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-upgrade.service to /usr/lib/systemd/system/ipa-server-upgrade.service.
Removed symlink /etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service.
FreeIPA server configured.



Run ipadocker container
======================

[root@ipaserver1 ~]# docker run --net=host -d --name ipadocker -v /var/lib/ipadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs  /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ipadocker
58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c


Process selinux labels
=========================
system_u:system_r:container_runtime_t:s0 root 18060 3733  0 22:19 ?      00:00:00 /usr/bin/docker-containerd-shim-current 58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c /var/run/docker/libcontainerd/58a1ad4e3644ce61838be
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18075 18060  0 22:19 ? 00:00:00 /usr/sbin/init --show-status=false
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18103 18075  0 22:19 ? 00:00:00 tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18115 18075  0 22:19 ? 00:00:00 /usr/lib/systemd/systemd-journald
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 dbus 18117 18075  0 22:19 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18127 18075  0 22:19 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18128 18075  0 22:19 ? 00:00:00 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18133 18075  6 22:19 ? 00:00:02 /usr/bin/python2 /usr/sbin/ipactl start
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18150 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18151 18075  0 22:19 ? 00:00:00 /usr/sbin/sssd -D -f
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18152 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18154 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18155 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18156 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18157 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18158 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18159 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18168 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18170 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18172 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18173 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18174 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18175 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18176 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18178 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18179 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 389 18324 18075  7 22:20 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18373 18075  0 22:20 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18377 18075  0 22:20 ? 00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 25 18387 18075  0 22:20 ?  00:00:00 /usr/sbin/named-pkcs11 -u named
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18397 18075  0 22:20 ?  00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18408 18075  4 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18410 18408  2 22:20 ? 00:00:00 /usr/libexec/nss_pcache 65538 off /etc/httpd/alias
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18411 18408  1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18412 18408  1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18413 18408 18 22:20 ?  00:00:00 (wsgi:ipa)      -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18414 18408 18 22:20 ?  00:00:00 (wsgi:ipa)      -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18415 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18416 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18417 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18418 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18419 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18422 18075  3 22:20 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
system_u:system_r:kernel_t:s0   root      18592      2  0 22:20 ?        00:00:00 [kworker/u2:3]
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 17 18593 18075  4 22:20 ?  00:00:00 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 18628 13567  0 22:20 pts/0 00:00:00 ps -efZ



Tried accessing ipaserver from another system using firefox and added user through web and
cli 

[root@ipaserver1 /]# id ipauser1
uid=1800200001(ipauser1) gid=1800200001(ipauser1) groups=1800200001(ipauser1)
[root@ipaserver1 /]# ipa userad^C
[root@ipaserver1 /]# kinit admin
Password for admin@TESTRELM.TEST: 
[root@ipaserver1 /]# ipa user-add
First name: ipa
Last name: user2
User login [iuser2]: ipauser2
---------------------
Added user "ipauser2"
---------------------
  User login: ipauser2
  First name: ipa
  Last name: user2
  Full name: ipa user2
  Display name: ipa user2
  Initials: iu
  Home directory: /home/ipauser2
  GECOS: ipa user2
  Login shell: /bin/sh
  Principal name: ipauser2@TESTRELM.TEST
  Principal alias: ipauser2@TESTRELM.TEST
  Email address: ipauser2@testrelm.test
  UID: 1800200003
  GID: 1800200003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


[root@ipaserver1 ~]# docker exec -it ipadocker kdestroy
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin@TESTRELM.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin@TESTRELM.TEST: 
[root@ipaserver1 ~]# docker exec -it ipadocker ipa user-add ipauser3
First name: ipa
Last name: user3
---------------------
Added user "ipauser3"
---------------------
  User login: ipauser3
  First name: ipa
  Last name: user3
  Full name: ipa user3
  Display name: ipa user3
  Initials: iu
  Home directory: /home/ipauser3
  GECOS: ipa user3
  Login shell: /bin/sh
  Principal name: ipauser3@TESTRELM.TEST
  Principal alias: ipauser3@TESTRELM.TEST
  Email address: ipauser3@testrelm.test
  UID: 1800200004
  GID: 1800200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Comment 8 Niranjan Mallapadi Raghavender 2017-02-27 23:05:19 UTC
[root@ipaserver1 ~]# docker exec -it ipadocker ipactl status

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@ipaserver1 ~]# docker exec -it ipadocker ipactl restart

Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful
[root@ipaserver1 ~]# docker exec -it ipadocker ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Comment 9 Niranjan Mallapadi Raghavender 2017-02-27 23:30:46 UTC
Versions:
===========
[root@ipaserver1 ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-27 16:31:38)
        Commit: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-23 22:16:59)
        Commit: fbeed59bb47b14e32a6b28e13aaa1cad96e88188930a5bf880f949728b7f36ea
        OSName: rhel-atomic-host

[root@ipaserver1 ~]# atomic info ipadocker
Image Name: ipadocker
BZComponent: ipa-server-docker
Name: rhel7/ipa-server
RUN_OPTS_FILE: /var/lib/${NAME}/docker-run-opts
Release: 36
Version: 4.4.0
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-02-27T11:04:27.027814
com.redhat.build-host: ip-10-29-120-151.ec2.internal
com.redhat.component: ipa-server-docker
description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
distribution-scope: public
install: docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh
io.k8s.description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
io.k8s.display-name: Identity Management (IdM) for Linux
io.k8s.openshift.tags: Identity Management
io.openshift.tags: base rhel7
name: rhel7/ipa-server
release: 36
run: docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}
stop: docker stop ${NAME}
summary: Identity Management (IdM) for Linux provides centralized management of identities and policies for Atomic Host
uninstall: docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh
vcs-ref: 16e3edc9a83722fbc2646f8bfd8642a15706e4d5
vcs-type: git
vendor: Red Hat, Inc.
version: 4.4.0





[root@ipaserver1 ~]# docker load < docker-image-sha256:abe848fc1a959bda7a6855c23b02bb68e1fc958bb8fc56c928b52c384af3a22d.x86_64.tar.gz
827264d42df6: Loading layer [==================================================>] 202.3 MB/202.3 MB
9ca8c628d8e7: Loading layer [==================================================>] 10.24 kB/10.24 kB
e90eb4334236: Loading layer [==================================================>] 478.1 MB/478.1 MB
Loaded image: mbasti/ipa-server-docker:extras-rhel-7.3-docker-candidate-20170227110351
[root@ipaserver1 ~]# docker images
REPOSITORY                 TAG                                               IMAGE ID            CREATED             SIZE
mbasti/ipa-server-docker   extras-rhel-7.3-docker-candidate-20170227110351   f96b5cc687e6        5 hours ago         652.9 MB
[root@ipaserver1 ~]# docker tag f96b5cc687e6 ipadocker
[root@ipaserver1 ~]# docker images
REPOSITORY                 TAG                                               IMAGE ID            CREATED             SIZE
ipadocker                  latest                                            f96b5cc687e6        5 hours ago         652.9 MB
mbasti/ipa-server-docker   extras-rhel-7.3-docker-candidate-20170227110351   f96b5cc687e6        5 hours ago         652.9 MB
[root@ipaserver1 ~]# 

[root@ipaserver1 ~]# mkdir /var/lib/ipadocker
[root@ipaserver1 ~]# cat /var/lib/ipadocker/ipa-server-install-options
--setup-dns
--ip-address=10.65.223.74
-r TESTRELM.TEST
-a Secret123 -p Secret123
--no-ntp
-U






The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Excluded by options:
  * Configure the Network Time Daemon (ntpd)

Warning: skipping DNS resolution of host ipaserver1.testrelm.test
The domain name has been determined based on the host name.

Checking DNS domain testrelm.test., please wait ...
Checking DNS forwarders, please wait ...

The IPA Master Server will be configured with:
Hostname:       ipaserver1.testrelm.test
IP address(es): 10.65.223.74
Domain name:    testrelm.test
Realm name:     TESTRELM.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       10.65.201.89
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/47]: creating directory server user
  [2/47]: creating directory server instance
  [3/47]: updating configuration in dse.ldif
  [4/47]: restarting directory server
  [5/47]: adding default schema
  [6/47]: enabling memberof plugin
  [7/47]: enabling winsync plugin
  [8/47]: configuring replication version plugin
  [9/47]: enabling IPA enrollment plugin
  [10/47]: enabling ldapi
  [11/47]: configuring uniqueness plugin
  [12/47]: configuring uuid plugin
  [13/47]: configuring modrdn plugin
  [14/47]: configuring DNS plugin
  [15/47]: enabling entryUSN plugin
  [16/47]: configuring lockout plugin
  [17/47]: configuring topology plugin
  [18/47]: creating indices
  [19/47]: enabling referential integrity plugin
  [20/47]: configuring certmap.conf
  [21/47]: configure autobind for root
  [22/47]: configure new location for managed entries
  [23/47]: configure dirsrv ccache
  [24/47]: enabling SASL mapping fallback
  [25/47]: restarting directory server
  [26/47]: adding sasl mappings to the directory
  [27/47]: adding default layout
  [28/47]: adding delegation layout
  [29/47]: creating container for managed entries
  [30/47]: configuring user private groups
  [31/47]: configuring netgroups from hostgroups
  [32/47]: creating default Sudo bind user
  [33/47]: creating default Auto Member layout
  [34/47]: adding range check plugin
  [35/47]: creating default HBAC rule allow_all
  [36/47]: adding sasl mappings to the directory
  [37/47]: adding entries for topology management
  [38/47]: initializing group membership
  [39/47]: adding master entry
  [40/47]: initializing domain level
  [41/47]: configuring Posix uid/gid generation
  [42/47]: adding replication acis
  [43/47]: enabling compatibility plugin
  [44/47]: activating sidgen plugin
  [45/47]: activating extdom plugin
  [46/47]: tuning directory server
  [47/47]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/31]: creating certificate server user
  [2/31]: configuring certificate server instance
  [3/31]: stopping certificate server instance to update CS.cfg
  [4/31]: backing up CS.cfg
  [5/31]: disabling nonces
  [6/31]: set up CRL publishing
  [7/31]: enable PKIX certificate path discovery and validation
  [8/31]: starting certificate server instance
  [9/31]: creating RA agent certificate database
  [10/31]: importing CA chain to RA certificate database
  [11/31]: fixing RA database permissions
  [12/31]: setting up signing cert profile
  [13/31]: setting audit signing renewal to 2 years
  [14/31]: restarting certificate server
  [15/31]: requesting RA certificate from CA
  [16/31]: issuing RA agent certificate
  [17/31]: adding RA agent as a trusted user
  [18/31]: authorizing RA to modify profiles
  [19/31]: authorizing RA to manage lightweight CAs
  [20/31]: Ensure lightweight CAs container exists
  [21/31]: configure certmonger for renewals
  [22/31]: configure certificate renewals
  [23/31]: configure RA certificate renewal
  [24/31]: configure Server-Cert certificate renewal
  [25/31]: Configure HTTP to proxy connections
  [26/31]: restarting certificate server
  [27/31]: migrating certificate profiles to LDAP
  [28/31]: importing IPA certificate profiles
  [29/31]: adding default CA ACL
  [30/31]: adding 'ipa' CA entry
  [31/31]: updating IPA configuration
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv). Estimated time: 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/9]: adding kerberos container to the directory
  [2/9]: configuring KDC
  [3/9]: initialize kerberos container
WARNING: Your system is running out of entropy, you may experience long delays
  [4/9]: adding default ACIs
  [5/9]: creating a keytab for the directory
  [6/9]: creating a keytab for the machine
  [7/9]: adding the password extension to the directory
  [8/9]: starting the KDC
  [9/9]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/21]: setting mod_nss port to 443
  [2/21]: setting mod_nss cipher suite
  [3/21]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/21]: setting mod_nss password file
  [5/21]: enabling mod_nss renegotiate
  [6/21]: adding URL rewriting rules
  [7/21]: configuring httpd
  [8/21]: configure certmonger for renewals
  [9/21]: setting up httpd keytab
  [10/21]: setting up ssl
  [11/21]: importing CA certificates from LDAP
  [12/21]: setting up browser autoconfig
  [13/21]: publish CA cert
  [14/21]: clean up any existing httpd ccache
  [15/21]: configuring SELinux for httpd
  [16/21]: create KDC proxy user
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: restarting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server 
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Configuring DNS (named)
  [1/11]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/11]: adding DNS container
  [3/11]: setting up our zone
  [4/11]: setting up our own record
  [5/11]: setting up records for other masters
  [6/11]: adding NS record to the zones
  [7/11]: setting up kerberos principal
  [8/11]: setting up named.conf
  [9/11]: setting up server configuration
  [10/11]: configuring named to start on boot
  [11/11]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipaserver1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaserver1.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipaserver1.testrelm.test/ipa/json'
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Systemwide CA database updated.
SSSD enabled
Configured /etc/openldap/ldap.conf
/etc/ssh/ssh_config not found, skipping configuration
/etc/ssh/sshd_config not found, skipping configuration
Configuring testrelm.test as NIS domain.
Client configuration complete.

==============================================================================
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.
        3. Kerberos requires time synchronization between clients
           and servers for correct operation. You should consider enabling ntpd.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-update-self-ip-address.service to /usr/lib/systemd/system/ipa-server-update-self-ip-address.service.
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-upgrade.service to /usr/lib/systemd/system/ipa-server-upgrade.service.
Removed symlink /etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service.
FreeIPA server configured.



Run ipadocker container
======================

[root@ipaserver1 ~]# docker run --net=host -d --name ipadocker -v /var/lib/ipadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs  /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ipadocker
58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c


Process selinux labels
=========================
system_u:system_r:container_runtime_t:s0 root 18060 3733  0 22:19 ?      00:00:00 /usr/bin/docker-containerd-shim-current 58a1ad4e3644ce61838beda27bc7960d317136fa5c07e94884939ad3512a4a0c /var/run/docker/libcontainerd/58a1ad4e3644ce61838be
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18075 18060  0 22:19 ? 00:00:00 /usr/sbin/init --show-status=false
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18103 18075  0 22:19 ? 00:00:00 tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18115 18075  0 22:19 ? 00:00:00 /usr/lib/systemd/systemd-journald
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 dbus 18117 18075  0 22:19 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18127 18075  0 22:19 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18128 18075  0 22:19 ? 00:00:00 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18133 18075  6 22:19 ? 00:00:02 /usr/bin/python2 /usr/sbin/ipactl start
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18150 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18151 18075  0 22:19 ? 00:00:00 /usr/sbin/sssd -D -f
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18152 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18154 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18155 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18156 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18157 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18158 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18159 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18168 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18170 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18172 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18173 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18174 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18175 18151  0 22:19 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18176 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18178 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18179 18127  0 22:19 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 389 18324 18075  7 22:20 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18373 18075  0 22:20 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18377 18075  0 22:20 ? 00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 25 18387 18075  0 22:20 ?  00:00:00 /usr/sbin/named-pkcs11 -u named
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18397 18075  0 22:20 ?  00:00:00 /usr/bin/memcached -d -s /var/run/ipa_memcached/ipa_memcached -u apache -m 64 -c 1024 -P /var/run/ipa_memcached/ipa_memcached.pid
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18408 18075  4 22:20 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18410 18408  2 22:20 ? 00:00:00 /usr/libexec/nss_pcache 65538 off /etc/httpd/alias
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18411 18408  1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 288 18412 18408  1 22:20 ? 00:00:00 (wsgi:kdcproxy) -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18413 18408 18 22:20 ?  00:00:00 (wsgi:ipa)      -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18414 18408 18 22:20 ?  00:00:00 (wsgi:ipa)      -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18415 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18416 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18417 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18418 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 48 18419 18408  3 22:20 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 root 18422 18075  3 22:20 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
system_u:system_r:kernel_t:s0   root      18592      2  0 22:20 ?        00:00:00 [kworker/u2:3]
system_u:system_r:svirt_lxc_net_t:s0:c52,c880 17 18593 18075  4 22:20 ?  00:00:00 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 18628 13567  0 22:20 pts/0 00:00:00 ps -efZ



Tried accessing ipaserver from another system using firefox and added user through web and
cli 

[root@ipaserver1 /]# id ipauser1
uid=1800200001(ipauser1) gid=1800200001(ipauser1) groups=1800200001(ipauser1)
[root@ipaserver1 /]# ipa userad^C
[root@ipaserver1 /]# kinit admin
Password for admin@TESTRELM.TEST: 
[root@ipaserver1 /]# ipa user-add
First name: ipa
Last name: user2
User login [iuser2]: ipauser2
---------------------
Added user "ipauser2"
---------------------
  User login: ipauser2
  First name: ipa
  Last name: user2
  Full name: ipa user2
  Display name: ipa user2
  Initials: iu
  Home directory: /home/ipauser2
  GECOS: ipa user2
  Login shell: /bin/sh
  Principal name: ipauser2@TESTRELM.TEST
  Principal alias: ipauser2@TESTRELM.TEST
  Email address: ipauser2@testrelm.test
  UID: 1800200003
  GID: 1800200003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


[root@ipaserver1 ~]# docker exec -it ipadocker kdestroy
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin@TESTRELM.TEST: 
kinit: Password incorrect while getting initial credentials
[root@ipaserver1 ~]# docker exec -it ipadocker kinit admin
Password for admin@TESTRELM.TEST: 
[root@ipaserver1 ~]# docker exec -it ipadocker ipa user-add ipauser3
First name: ipa
Last name: user3
---------------------
Added user "ipauser3"
---------------------
  User login: ipauser3
  First name: ipa
  Last name: user3
  Full name: ipa user3
  Display name: ipa user3
  Initials: iu
  Home directory: /home/ipauser3
  GECOS: ipa user3
  Login shell: /bin/sh
  Principal name: ipauser3@TESTRELM.TEST
  Principal alias: ipauser3@TESTRELM.TEST
  Email address: ipauser3@testrelm.test
  UID: 1800200004
  GID: 1800200004
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

===================

Replica installation
-----------------
[root@ipareplica1 ~]# atomic host status
State: idle
Deployments:
● rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.3 (2017-02-27 16:31:38)
        Commit: bfc591ba1a4395c6b8e54d34964b05df4a61e0d82d20cc1a2fd817855c7e2da5
        OSName: rhel-atomic-host

  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
       Version: 7.3.2-1 (2017-02-20 17:26:48)
        Commit: 69a74a4ed6954492a7c82279f6efe59bffb8952e95577f8359a6717d57a36774
        OSName: rhel-atomic-host

[root@ipareplica1 ~]# atomic info replicadocker
Image Name: replicadocker
BZComponent: ipa-server-docker
Name: rhel7/ipa-server
RUN_OPTS_FILE: /var/lib/${NAME}/docker-run-opts
Release: 36
Version: 4.4.0
architecture: x86_64
authoritative-source-url: registry.access.redhat.com
build-date: 2017-02-27T11:04:27.027814
com.redhat.build-host: ip-10-29-120-151.ec2.internal
com.redhat.component: ipa-server-docker
description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
distribution-scope: public
install: docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} -e NAME=${NAME} -e IMAGE=${IMAGE} ${IMAGE} /bin/install.sh
io.k8s.description: IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization (host access control, SELinux user roles, services). The solution provides features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts).
io.k8s.display-name: Identity Management (IdM) for Linux
io.k8s.openshift.tags: Identity Management
io.openshift.tags: base rhel7
name: rhel7/ipa-server
release: 36
run: docker run ${RUN_OPTS} --name ${NAME} -v /var/lib/${NAME}:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro ${IMAGE}
stop: docker stop ${NAME}
summary: Identity Management (IdM) for Linux provides centralized management of identities and policies for Atomic Host
uninstall: docker run --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/${NAME} ${IMAGE} /bin/uninstall.sh
vcs-ref: 16e3edc9a83722fbc2646f8bfd8642a15706e4d5
vcs-type: git
vendor: Red Hat, Inc


[root@ipareplica1 ~]# cat  /var/lib/replicadocker/ipa-replica-install-options
--setup-dns
--forwarder=10.65.201.89
--setup-ca
--server ipaserver1.testrelm.test
--domain testrelm.test
--admin-password Secret123
--principal admin
-U





[root@ipareplica1 ~]# atomic install --name replicadocker replicadocker net-host  ipa-replica-install
docker run -ti --rm --privileged -v /:/host -e HOST=/host -e DATADIR=/var/lib/replicadocker -e NAME=replicadocker -e IMAGE=replicadocker replicadocker /bin/install.sh net-host ipa-replica-install
+ chroot /host /usr/bin/docker run -ti --rm --name replicadocker -e NAME=replicadocker -e IMAGE=replicadocker -v /var/lib/replicadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro --net=host replicadocker exit-on-finished ipa-replica-install
systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ -LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
Detected virtualization docker.
Detected architecture x86-64.
Set hostname to <ipareplica1.testrelm.test>.
Initializing machine ID from random generator.
Mon Feb 27 23:17:11 UTC 2017 /usr/sbin/ipa-server-configure-first 
Configuring client side components
Client hostname: ipareplica1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipaserver1.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Mon Feb 27 22:13:19 2017 UTC
    Valid Until: Fri Feb 27 22:13:19 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipaserver1.testrelm.test/ipa/json'
trying https://ipaserver1.testrelm.test/ipa/json
Forwarding 'ping' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver1.testrelm.test/ipa/json'
Systemwide CA database updated.
Hostname (ipareplica1.testrelm.test) does not have A/AAAA record.


ipa         : ERROR    The IP address 10.65.223.74 of host ipaserver1.testrelm.test resolves to: dhcp223-74.pnq.redhat.com.. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Checking DNS forwarders, please wait ...
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/44]: creating directory server user
  [2/44]: creating directory server instance
  [3/44]: updating configuration in dse.ldif
  [4/44]: restarting directory server
  [5/44]: adding default schema
  [6/44]: enabling memberof plugin
  [7/44]: enabling winsync plugin
  [8/44]: configuring replication version plugin
  [9/44]: enabling IPA enrollment plugin
  [10/44]: enabling ldapi
  [11/44]: configuring uniqueness plugin
  [12/44]: configuring uuid plugin
  [13/44]: configuring modrdn plugin
  [14/44]: configuring DNS plugin
  [15/44]: enabling entryUSN plugin
  [16/44]: configuring lockout plugin
  [17/44]: configuring topology plugin
  [18/44]: creating indices
  [19/44]: enabling referential integrity plugin
  [20/44]: configuring certmap.conf
  [21/44]: configure autobind for root
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: creating DS keytab
  [27/44]: retrieving DS Certificate
  [28/44]: restarting directory server
  [29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 6 seconds elapsed
Update succeeded

  [30/44]: adding sasl mappings to the directory
  [31/44]: updating schema
  [32/44]: setting Auto Member configuration
  [33/44]: enabling S4U2Proxy delegation
  [34/44]: importing CA certificates from LDAP
  [35/44]: initializing group membership
  [36/44]: adding master entry
  [37/44]: initializing domain level
  [38/44]: configuring Posix uid/gid generation
  [39/44]: adding replication acis
  [40/44]: enabling compatibility plugin
  [41/44]: activating sidgen plugin
  [42/44]: activating extdom plugin
  [43/44]: tuning directory server
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring Kerberos KDC (krb5kdc). Estimated time: 30 seconds
  [1/4]: configuring KDC
  [2/4]: adding the password extension to the directory
  [3/4]: starting the KDC
  [4/4]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring the web interface (httpd). Estimated time: 1 minute
  [1/20]: setting mod_nss port to 443
  [2/20]: setting mod_nss cipher suite
  [3/20]: setting mod_nss protocol list to TLSv1.0 - TLSv1.2
  [4/20]: setting mod_nss password file
  [5/20]: enabling mod_nss renegotiate
  [6/20]: adding URL rewriting rules
  [7/20]: configuring httpd
  [8/20]: configure certmonger for renewals
  [9/20]: setting up httpd keytab
  [10/20]: setting up ssl
  [11/20]: importing CA certificates from LDAP
  [12/20]: publish CA cert
  [13/20]: clean up any existing httpd ccache
  [14/20]: configuring SELinux for httpd
  [15/20]: create KDC proxy user
  [16/20]: create KDC proxy config
  [17/20]: enable KDC proxy
  [18/20]: restarting httpd
  [19/20]: configuring httpd to start on boot
  [20/20]: enabling oddjobd
Done configuring the web interface (httpd).
Applying LDAP updates
Upgrading IPA:
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
  [7/9]: stopping directory server
  [8/9]: restoring configuration
  [9/9]: starting directory server
Done.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/26]: creating certificate server user
  [2/26]: creating certificate server db
  [3/26]: setting up initial replication

Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded

  [4/26]: creating installation admin user
  [5/26]: setting up certificate server
  [6/26]: stopping instance to update CS.cfg
  [7/26]: backing up CS.cfg
  [8/26]: disabling nonces
  [9/26]: set up CRL publishing
  [10/26]: enable PKIX certificate path discovery and validation
  [11/26]: set up client auth to db
  [12/26]: destroying installation admin user
  [13/26]: Ensure lightweight CAs container exists
  [14/26]: Configure lightweight CA key retrieval
  [15/26]: starting instance
  [16/26]: importing CA chain to RA certificate database
  [17/26]: fixing RA database permissions
  [18/26]: setting up signing cert profile
  [19/26]: setting audit signing renewal to 2 years
  [20/26]: configure certificate renewals
  [21/26]: configure Server-Cert certificate renewal
  [22/26]: Configure HTTP to proxy connections
  [23/26]: updating IPA configuration
  [24/26]: Restart HTTP server to pick up changes
  [25/26]: enabling CA instance
  [26/26]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring DNS (named)
  [1/8]: generating rndc key file
WARNING: Your system is running out of entropy, you may experience long delays
  [2/8]: setting up our own record
  [3/8]: adding NS record to the zones
  [4/8]: setting up kerberos principal
  [5/8]: setting up named.conf
  [6/8]: setting up server configuration
  [7/8]: configuring named to start on boot
  [8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Configuring DNS key synchronization service (ipa-dnskeysyncd)
  [1/7]: checking status
  [2/7]: setting up bind-dyndb-ldap working directory
  [3/7]: setting up kerberos principal
  [4/7]: setting up SoftHSM
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-update-self-ip-address.service to /usr/lib/systemd/system/ipa-server-update-self-ip-address.service.
Created symlink from /etc/systemd/system/container-ipa.target.wants/ipa-server-upgrade.service to /usr/lib/systemd/system/ipa-server-upgrade.service.
Removed symlink /etc/systemd/system/container-ipa.target.wants/ipa-server-configure-first.service.
FreeIPA server configured.


Start replica ipa process
============================
[root@ipareplica1 ~]# docker run --net=host -d --name replicadocker -v  /var/lib/replicadocker:/data:Z -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /dev/urandom:/dev/random:ro replicadocker
f5e888ccf2911a3816b4a35f1beedf19ecb0e307640b24618bddc980d768a439


Selinux labels of ipa process:
============================
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17126 17098  0 23:24 ? 00:00:00 tail --silent -n 0 -f --retry /var/log/ipa-server-configure-first.log /var/log/ipa-server-run.log
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17140 17098  0 23:24 ? 00:00:00 /usr/lib/systemd/systemd-journald
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 dbus 17141 17098  0 23:24 ? 00:00:00 /bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17151 17098  0 23:24 ? 00:00:00 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17152 17098  0 23:24 ? 00:00:00 /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17156 17098  7 23:24 ? 00:00:02 /usr/bin/python2 /usr/sbin/ipactl start
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17171 17098  0 23:24 ? 00:00:00 /usr/sbin/sssd -D -f
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17172 17171  0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17176 17151  0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17179 17151  0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17180 17151  0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17181 17151  0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17182 17151  0 23:24 ? 00:00:00 /usr/bin/python2 -E /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17193 17171  0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17194 17171  0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17195 17171  0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 root 17196 17171  0 23:24 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
system_u:system_r:svirt_lxc_net_t:s0:c198,c402 389 17329 17098 19 23:24 ? 00:00:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM-TEST -i /var/run/dirsrv/slapd-TESTRELM-TEST.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17379 6447  0 23:24 pts/0 00:00:00 ps -efZ

----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa user-find ipauser1
--------------
1 user matched
--------------
  User login: ipauser1
  First name: ipauser1
  Last name: user1
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1@TESTRELM.TEST
  Principal alias: ipauser1@TESTRELM.TEST
  Email address: ipauser1@testrelm.test
  UID: 1800200001
  GID: 1800200001
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa user-find ipauser2
--------------
1 user matched
--------------
  User login: ipauser2
  First name: ipa
  Last name: user2
  Home directory: /home/ipauser2
  Login shell: /bin/sh
  Principal name: ipauser2@TESTRELM.TEST
  Principal alias: ipauser2@TESTRELM.TEST
  Email address: ipauser2@testrelm.test
  UID: 1800200003
  GID: 1800200003
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
[root@ipareplica1 ~]# docker exec -it replicadocker ipa user-find ipauser3
--------------
1 user matched
--------------
  User login: ipauser3
  First name: ipa
  Last name: user3
  Home directory: /home/ipauser3
  Login shell: /bin/sh
  Principal name: ipauser3@TESTRELM.TEST
  Principal alias: ipauser3@TESTRELM.TEST
  Email address: ipauser3@testrelm.test
  UID: 1800200004
  GID: 1800200004
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------


[root@ipareplica1 ~]# docker exec -it replicadocker ipa host-find 
---------------
2 hosts matched
---------------
  Host name: ipareplica1.testrelm.test
  Principal name: host/ipareplica1.testrelm.test@TESTRELM.TEST
  Principal alias: host/ipareplica1.testrelm.test@TESTRELM.TEST

  Host name: ipaserver1.testrelm.test
  Principal name: host/ipaserver1.testrelm.test@TESTRELM.TEST
  Principal alias: host/ipaserver1.testrelm.test@TESTRELM.TEST
----------------------------
Number of entries returned 2
----------------------------

Comment 10 Niranjan Mallapadi Raghavender 2017-02-28 00:08:28 UTC
client enrollment to ipa-master
----------------------------

[root@client1 ~]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client1.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: ipareplica1.testrelm.test
BaseDN: dc=testrelm,dc=test

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST: 

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@TESTRELM.TEST: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Mon Feb 27 22:13:19 2017 UTC
    Valid Until: Fri Feb 27 22:13:19 2037 UTC

Enrolled in IPA realm TESTRELM.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM.TEST
trying https://ipareplica1.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://ipareplica1.testrelm.test/ipa/json'
trying https://ipareplica1.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://ipareplica1.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://ipareplica1.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Hostname (client1.testrelm.test) does not have A/AAAA record.
Missing reverse record(s) for address(es): 2620:52:0:1322:221:5eff:fe20:333e.
Incorrect reverse record(s):
10.19.34.76 is pointing to qe-blade-06.idmqe.lab.eng.bos.redhat.com. instead of client1.testrelm.test.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipareplica1.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.




[root@client1 ~]# id ipauser1
uid=1800200001(ipauser1) gid=1800200001(ipauser1) groups=1800200001(ipauser1)


Login as ipa user ipauser1 on client ipaclient1.testrelm.test 

[root@client1 ~]# ssh ipauser1@localhost
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is e2:b1:51:3b:80:99:c2:1a:dc:40:44:3c:2e:d2:66:52.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password: 
Password expired. Change your password now.
Current Password: 
New password: 
Retype new password: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
                 This System is reserved by mniranja@redhat.com.

 To return this system early. You can run the command: return2beaker.sh
  Ensure you have your logs off the system before returning to Beaker

 To extend your reservation time. You can run the command:
  extendtesttime.sh
 This is an interactive script. You will be prompted for how many
  hours you would like to extend the reservation.

 You should verify the watchdog was updated succesfully after
  you extend your reservation.
  https://beaker.engineering.redhat.com/recipes/3568517

 For ssh, kvm, serial and power control operations please look here:
  https://beaker.engineering.redhat.com/view/qe-blade-06.idmqe.lab.eng.bos.redhat.com

 For the default root password, see:
  https://beaker.engineering.redhat.com/prefs/

      Beaker Test information:
                         HOSTNAME=qe-blade-06.idmqe.lab.eng.bos.redhat.com
                            JOBID=1738337
                         RECIPEID=3568517
                    RESULT_SERVER=[::1]:7090
                           DISTRO=RHEL-7.3-updates-20170207.0
                     ARCHITECTURE=x86_64

      Job Whiteboard: 

      Recipe Whiteboard: 
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
Could not chdir to home directory /home/ipauser1: No such file or directory

Comment 11 Martin Bašti 2017-02-28 09:43:56 UTC
Is any action required from developers side? I see huge comments but I'm not sure if there is any question hidden or something.

Comment 12 Niranjan Mallapadi Raghavender 2017-02-28 12:15:04 UTC
There is no action required from developers, The comments were the tests that i have ran, Moving it to verified.

Comment 14 errata-xmlrpc 2017-03-02 20:08:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0420


Note You need to log in before you can comment on or make changes to this bug.