Chapter 1. Overview of the Containerized Identity Management Services
The following sections provide an overview of the containerized Identity Management services in Red Hat Enterprise Linux.
The rhel7/ipa-server container is a Technology Preview feature. See Technology Preview Features Support Scope in the Red Hat Knowledgebase for details.
1.1. Introduction to the ipa-server and sssd Containers
Using Identity Management or the System Security Services Daemon (SSSD) in a container ensures that all Identity Management or SSSD processes run in isolation from the host system. This enables the host system to run other software without conflicts with these processes.
The ipa-server and sssd containers are designed to be used on Red Hat Enterprise Linux Atomic Host systems. For details on Atomic Host, see Getting Started with Atomic in the Atomic documentation.
- Overview of Containers in Red Hat Systems explains what containers are and how they work. The guide also includes links to documents for getting started with containers.
- Introduction to Red Hat Identity Management in the Linux Domain Identity, Authentication, and Policy Guide provides an overview of Identity Management, Identity Management servers, and Identity Management clients.
- Atomic Host documentation provides information about Red Hat Enterprise Linux Atomic Host and containers in general.
1.2. Available Container Images
The rhel7/ipa-server Container Image
- Enables you to run Identity Management servers and related services in a container.
- Provides Identity Management server services.
The rhel7/sssd Container Image
- Enables you to run the System Security Services Daemon (SSSD) in a container.
- Provides identity and authentication services to Atomic Host systems by enrolling the system to an Identity Management server or connecting it to an Active Directory domain.
- Provides identity and authentication services to applications running in other containers.
You can find more details about the container images in the Red Hat Container Catalog.
1.3. Benefits and drawbacks of using Identity Management in containers
Benefits
- All Identity Management configuration and data are kept in isolation in a subdirectory.
- Migrating Identity Management servers is easier: the container subdirectory can be moved to another container or to the host system. See also Chapter 4, Migrating a Server from a Container to a Host System.
Drawbacks
- The Identity Management processes run under Atomic. For example, if the docker daemon terminates, the Identity Management server running under it also terminates. However, maintaining multiple replicas counters this drawback.
- SELinux separation is not applied to the components within a container. However, the components are still separated using process UIDs.
  - Note that although SELinux does not apply its mandatory access control (MAC) between the components, the sVirt project applies MAC to the container environment. This ensures that the container as a whole is protected from other containers.
  - The ipa-server container runs only the components required to run the Identity Management server itself. The container does not run any third-party components that could attack Identity Management because of the lack of SELinux isolation.
  - See also Secure Containers with SELinux in the Atomic documentation.