Distinguish cgroup v1 which needs /sys/fs/cgroup mounted read-only fr…

…om v2.

Dockerfile.almalinux-8

@@ -94,6 +94,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.centos-8

@@ -94,6 +94,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.centos-8-stream

@@ -95,6 +95,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.centos-9-stream

@@ -98,6 +98,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.fedora-35

@@ -92,6 +92,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.fedora-36

@@ -92,6 +92,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.fedora-rawhide

@@ -92,6 +92,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.rhel-8

@@ -91,6 +91,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

Dockerfile.rocky-8

@@ -94,6 +94,6 @@ EXPOSE 53/udp 53 80 443 389 636 88 464 88/udp 464/udp 123/udp
 RUN uuidgen > /data-template/build-id
 
 # Invocation:
-# docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro --tmpfs /run --tmpfs /tmp -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
+# docker run -ti -v /opt/ipa-data:/data:Z -h ipa.example.test ${NAME} [ options ]
 
 LABEL maintainer="FreeIPA Developers <[email protected]>"

README

@@ -24,19 +24,31 @@ to be running.
 ## Running FreeIPA server container
 
 The FreeIPA container runs systemd to manage all the necessary services
-within a single container. On SELinux enabled systems, it may be
-necessary to enable running systemd in containers by setting SELinux
-boolean `container_manage_cgroup` on the host with
+within a single container. Running a systemd-based container may
+require special handling or parameters to be passed to the container
+runtime.
 
-    setsebool -P container_manage_cgroup 1
+With podman, normal `podman run` is typically enough.
+
+With docker on systems with cgroups v2, it may be necessary to
+use [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/)
+for the container cgroup to be properly created and mounted within
+the container read-write as systemd expects it, with
+
+    { "userns-remap": "default" }
 
-When using docker and latest Fedora-based images on hosts operating
-systems which default to cgroups v2, switching to cgroups version 1
-might be needed. On Fedora hosts, something like
+in `/etc/docker/daemon.json`. Restart of the docker service is needed
+after this edit. This approach also isolates the root in the container
+from the root on the host, which is a good thing in general.
 
-    sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
+With docker on systems with cgroups v1, it may be necessary to
+invoke `docker run` with option `-v /sys/fs/cgroup:/sys/fs/cgroup:ro`.
 
-and reboot might be necessary.
+On SELinux enabled systems, it may be also necessary to enable running
+systemd in containers by setting SELinux boolean `container_manage_cgroup`
+on the host with
+
+    setsebool -P container_manage_cgroup 1
 
 The FreeIPA container will store all its configurations and data on
 volume mounted to `/data` directory in the container. If we create
@@ -54,12 +66,10 @@ and with docker using
 
     docker run --name freeipa-server-container -ti \
         -h ipa.example.test --read-only \
-        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
         -v /var/lib/ipa-data:/data:Z freeipa-server [ opts ]
 
-Note the `-v /sys/fs/cgroup:/sys/fs/cgroup:ro` option in the `docker run`
-case -- depending on your version of docker, it may or may not be
-necessary.
+In case cgroup v1 is used on the host, `-v /sys/fs/cgroup:/sys/fs/cgroup:ro`
+option may be necessary in the `docker run` case.
 
 If you receive error like
 
@@ -101,7 +111,6 @@ the `-U` argument to `ipa-server-install` and specify all the necessary
 inputs as argument on the command line, for example
 
     docker run -ti -h ipa.example.test --read-only \
-        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
         -v /var/lib/ipa-data:/data:Z \
         -e PASSWORD=Secret123 \
         freeipa-server ipa-server-install -U -r EXAMPLE.TEST --no-ntp

ipa-server-configure-first

@@ -150,7 +150,7 @@ function usage () {
 	if [ -n "$1" ] ; then
 		echo $1 >&2
 	else
-		echo "Start as docker run -h \$FQDN_HOSTNAME -e PASSWORD=\$THE_ADMIN_PASSWORD -v /sys/fs/cgroup:/sys/fs/cgroup:ro -v /path:/data:Z image" >&2
+		echo "Start as docker run -h \$FQDN_HOSTNAME -e PASSWORD=\$THE_ADMIN_PASSWORD -v /path:/data:Z image" >&2
 	fi
 	exit 1
 }

tests/run-master-and-replica.sh

@@ -76,7 +76,13 @@ function run_ipa_container() {
 	mkdir -p $VOLUME
 	OPTS=
 	if [ "${docker%podman}" = "$docker" ] ; then
-		OPTS="-v /sys/fs/cgroup:/sys/fs/cgroup:ro --sysctl net.ipv6.conf.all.disable_ipv6=0"
+		# if it is not podman, it is docker
+		if [ -f /sys/fs/cgroup/cgroup.controllers ] ; then
+			# we assume unified cgroup v2 and docker with userns remapping enabled
+			OPTS="--sysctl net.ipv6.conf.all.disable_ipv6=0"
+		else
+			OPTS="-v /sys/fs/cgroup:/sys/fs/cgroup:ro --sysctl net.ipv6.conf.all.disable_ipv6=0"
+		fi
 	fi
 	if [ -n "$seccomp" ] ; then
 		OPTS="$OPTS --security-opt seccomp=$seccomp"

tests/run-partial-tests.sh

@@ -20,7 +20,13 @@ function run_and_wait_for () {
 	local NAME="$2"
 	OPTS=
 	if [ "${docker%podman}" = "$docker" ] ; then
-		OPTS="--tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro --sysctl net.ipv6.conf.all.disable_ipv6=0"
+		# if it is not podman, it is docker
+		if [ -f /sys/fs/cgroup/cgroup.controllers ] ; then
+			# we assume unified cgroup v2 and docker with userns remapping enabled
+			OPTS="--tmpfs /run --tmpfs /tmp --sysctl net.ipv6.conf.all.disable_ipv6=0"
+		else
+			OPTS="--tmpfs /run --tmpfs /tmp -v /sys/fs/cgroup:/sys/fs/cgroup:ro --sysctl net.ipv6.conf.all.disable_ipv6=0"
+		fi
 	fi
 	if [ -n "$seccomp" ] ; then
 		OPTS="$OPTS --security-opt seccomp=$seccomp"