Chapter 1. Overview of the Containerized Identity Management Services

The following sections provide an overview of the containerized Identity Management services in Red Hat Enterprise Linux.


The rhel7/ipa-server container is a Technology Preview feature. See Technology Preview Features Support Scope in the Red Hat Knowledgebase for details.

1.1. Introduction to the ipa-server and sssd Containers

Using Identity Management or the System Security Services Daemon (SSSD) in a container ensures that all Identity Management or SSSD processes run in isolation from the host system. This enables the host system to run other software without conflicts with these processes.


The ipa-server and sssd containers are designed to be used on Red Hat Enterprise Linux Atomic Host systems. For details on Atomic Host, see Getting Started with Atomic in the Atomic documentation.

Additional Resources

1.2. Available Container Images

The rhel7/ipa-server Container Image

  • Enables you to run Identity Management servers and related services in a container.
  • Provides Identity Management server services.

The rhel7/sssd Container Image

  • Enables you to run the System Security Services Daemon (SSSD) in a container.
  • Provides identity and authentication services to Atomic Host systems by enrolling the system to an Identity Management server or connecting it to an Active Directory domain.
  • Provides identity and authentication services to applications running in other containers.

Additional Resources

1.3. Benefits and drawbacks of using Identity Management in containers



  • The Identity Management processes run under Atomic. For example, if the docker daemon terminates, the Identity Management server running under it also terminates. However, maintaining multiple replicas counters this drawback.
  • SELinux separation is not applied to the components within a container. However, the components are still separated using process UIDs.

    • Note that although SELinux does not apply its mandatory access control (MAC) between the components, the sVirt project applies MAC to the container environment. This ensures that the container as a whole is protected from other containers.
    • The ipa-server container runs only the components required to run the Identity Management server itself. The container does not run any third-party components that can attack Identity Management due to the lack of SELinux isolation.
    • See also Secure Containers with SELinux in Atomic documentation.