
freeipa running on rke2 kubernetes cluster

Open rrotondo opened this issue 6 months ago • 2 comments

Hi, I'm trying to run FreeIPA on a Kubernetes cluster provided by the Rancher framework RKE2. Master and nodes use Debian 12. The manifests used are available here.

As described in the issue, the pod doesn't get ready. It seems I cannot access systemctl inside the pod and I get:

Readiness probe failed: Failed to connect to bus: No such file or directory

Moreover, all log files are empty. I have only freeipa-data/var/log/ipa-server-configure-first.log with a timestamp:

Tue May 27 09:05:31 UTC 2025 /usr/local/sbin/init

I suspect it's something related to containerd configuration (there is no docker on cluster) but I'm not sure how to apply InitConfiguration of this manifest: tests/k8s-initconfiguration-containerd.yaml

In any case this doesn't explain the log files being empty.

Any hint?

Thanks for your help.

Regards, Riccardo

rrotondo avatar Jun 26 '25 11:06 rrotondo

How did you install that RKE2 cluster? Have you got the prerequisites for running user-namespaced systemd-based containers in that cluster met, per https://github.com/freeipa/freeipa-container#running-in-kubernetes?

AFAICS, the default installation even from the latest channel with RKE2 v1.33.1+rke2r1 only has containerd v2.0.5-k3s1:

test@ubuntu-24-04:~$ curl -sfL https://get.rke2.io | sudo INSTALL_RKE2_CHANNEL=latest sh -
[INFO]  finding release for channel latest
[INFO]  using v1.33.1+rke2r1 as release
[INFO]  downloading checksums at https://github.com/rancher/rke2/releases/download/v1.33.1%2Brke2r1/sha256sum-amd64.txt
[INFO]  downloading tarball at https://github.com/rancher/rke2/releases/download/v1.33.1%2Brke2r1/rke2.linux-amd64.tar.gz
[INFO]  verifying tarball
[INFO]  unpacking tarball file to /usr/local
test@ubuntu-24-04:~$ sudo systemctl start rke2-server.service
test@ubuntu-24-04:~$ sudo CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml /var/lib/rancher/rke2/bin/crictl version
Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  v2.0.5-k3s1
RuntimeApiVersion:  v1
test@rhe2-2-ubuntu-24-04:~$ 

That repo https://baltig.infn.it/infnct/icsc/spoke8/freeipa-kubernetes, does it show a configuration that you've seen working for example with K3s, using setup similar to the one we use in the Ubuntu-based GitHub Actions CI workflows (https://github.com/freeipa/freeipa-container/blob/master/.github/actions/install-containerd-2.1/action.yaml and https://github.com/freeipa/freeipa-container/blob/master/.github/actions/install-k3s/action.yaml)?

> I suspect it's something related to containerd configuration (there is no docker on cluster) but I'm not sure how to apply InitConfiguration of this manifest: tests/k8s-initconfiguration-containerd.yaml

That configuration is used in https://github.com/freeipa/freeipa-container/blob/master/.github/actions/install-k8s/action.yaml#L25-L29 for kubeadm init setups to ensure they use containerd. Are your RKE2 nodes using containerd or not?

> In any case this doesn't explain the log files being empty.

It very much does. The ipa-server-install which would populate the logs is run in a systemd service by systemd in the container in the Pod. In your case I assume the systemd process fails to run, so it never gets anywhere close to running the service and the ipa-server-install which would populate the logs.

For troubleshooting I would recommend to simplify the setup, take FreeIPA completely out of the picture, and try to get systemd running, for example from the docker.io/almalinux/10-init image. Only after you get that working and verified will it make sense to attempt the FreeIPA setup.

adelton avatar Jun 26 '25 12:06 adelton
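As an added example (not code from the freeipa-container project or from either participant), a small pre-flight script for the troubleshooting step suggested above: it decides from `crictl version` output whether the node's containerd meets the 2.1+ requirement, and prints a "systemd only, no FreeIPA" test Pod based on docker.io/almalinux/10-init. The Pod name, the probe command and the use of `spec.hostUsers: false` (the Kubernetes field behind the UserNamespacesSupport feature gate) are my assumptions, not settings taken from this thread.

```shell
#!/bin/sh
# Added example, not part of the freeipa-container project.
# containerd_ok: read `crictl version` output on stdin and return 0 only when
# RuntimeVersion reports containerd >= 2.1 (distro suffixes like "-k3s1" are ignored).
containerd_ok() {
  ver=$(awk '/^RuntimeVersion:/ { print $2 }')
  ver=${ver#v}          # drop leading "v"
  ver=${ver%%-*}        # drop "-k3s2" style suffix
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  [ "$major" -gt 2 ] 2>/dev/null && return 0
  [ "$major" -eq 2 ] 2>/dev/null && [ "$minor" -ge 1 ] 2>/dev/null
}

# systemd_test_pod: print a minimal Pod that runs only systemd (no FreeIPA) in a
# user namespace, with a readiness probe that asks systemd whether it is up.
# Assumed values: Pod name, probe command; hostUsers needs UserNamespacesSupport.
systemd_test_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: systemd-test
spec:
  hostUsers: false
  containers:
  - name: init
    image: docker.io/almalinux/10-init
    readinessProbe:
      exec:
        command: ["systemctl", "is-system-running"]
      initialDelaySeconds: 10
      periodSeconds: 10
EOF
}

# Constructed sample: the crictl output rrotondo reported for the RKE2 node.
SAMPLE_RKE2_OUTPUT='Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  v2.0.4-k3s2
RuntimeApiVersion:  v1'

# Typical use on a node:
#   sudo CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml \
#     /var/lib/rancher/rke2/bin/crictl version | containerd_ok \
#     && systemd_test_pod | kubectl apply -f -
```

If `containerd_ok` fails, stop there: the Pod will reproduce the "Failed to connect to bus" readiness failure regardless of the FreeIPA manifest.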

Anyway, in https://github.com/freeipa/freeipa-container/pull/684 I now show the RKE2 with containerd 2.1 working on GitHub Actions Ubuntu 24.04 runners.

adelton avatar Jun 28 '25 11:06 adelton

The PR got merged to master.

adelton avatar Jun 30 '25 08:06 adelton

Hi, thank you for your reply.

> How did you install that RKE2 cluster? Have you got the prerequisites for running user-namespaced systemd-based containers in that cluster met, per https://github.com/freeipa/freeipa-container#running-in-kubernetes?

Actually, the cloud managers provided it for me. I forgot to check those requirements, and you're right; here is my containerd version:

Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  v2.0.4-k3s2
RuntimeApiVersion:  v1

> That repo https://baltig.infn.it/infnct/icsc/spoke8/freeipa-kubernetes, does it show a configuration that you've seen working for example with K3s, using setup similar to the one we use in the Ubuntu-based GitHub Actions CI workflows (https://github.com/freeipa/freeipa-container/blob/master/.github/actions/install-containerd-2.1/action.yaml and https://github.com/freeipa/freeipa-container/blob/master/.github/actions/install-k3s/action.yaml)?

No, it's a starting point to test FreeIPA on Kubernetes with RKE2, which is currently used in our cluster.

> For troubleshooting I would recommend to simplify the setup, take FreeIPA completely out of the picture, and try to get systemd running, for example from the docker.io/almalinux/10-init image. Only after you get that working and verified will it make sense to attempt the FreeIPA setup.

I'll try that. Thanks.

rrotondo avatar Jul 02 '25 12:07 rrotondo

The new https://github.com/freeipa/freeipa-container/blob/master/.github/actions/install-rke2/action.yaml can be an inspiration as well.

I'm going to close this issue as resolved. Feel free to open a new one if you hit a problem with containerd 2.1+ and the UserNamespacesSupport feature gate enabled.

adelton avatar Jul 03 '25 13:07 adelton