I am building a container for Kubernetes that runs a SAMBA Active Directory Domain Controller.
I am doing the job through Ansible and the container is being deployed in a Kubernetes cluster (K3S).
Docker is using the following files as part of its build:
etc/krb5.conf
etc/bind/rndc.key
etc/bind/named.conf.local
etc/bind/db.0
etc/bind/db.255
etc/bind/db.empty
etc/bind/named.conf.options
etc/bind/db.local
etc/bind/named.conf
etc/bind/db.127
etc/bind/named.conf.default-zones
etc/supervisor/conf.d/supervisord.conf
etc/freeradius/3.0/mods-available/eap
etc/freeradius/3.0/mods-available/realm
etc/freeradius/3.0/mods-available/ntlm_auth
etc/freeradius/3.0/mods-available/mschap
etc/freeradius/3.0/clients.conf
etc/freeradius/3.0/proxy.conf
etc/freeradius/3.0/sites-available/default
etc/freeradius/3.0/sites-available/inner-tunnel
boot/init.sh
boot/kdb5_util_create.expect
Dockerfile
The idea is that for all files the path is the same inside the container, but with / as a prefix.
However, I came across something strange when inspecting the running container that was compiled as a result.
The content of /etc/samba, /etc/bind and /etc/freeradius is definitely not supposed to be the same!
The content of my Dockerfile is as follows:
FROM ubuntu:noble
# key=value form; the space-separated form is deprecated and warns on build
ENV DEBIAN_FRONTEND=noninteractive
# Avoid ERROR: invoke-rc.d: policy-rc.d denied execution of start.
# invoke-rc.d only honours the policy helper if it is executable
RUN printf '#!/bin/sh\nexit 0\n' > /usr/sbin/policy-rc.d && chmod 755 /usr/sbin/policy-rc.d
# Setup ssh and install supervisord
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y openssh-server supervisor ntp mc
RUN mkdir -p /var/run/sshd
RUN mkdir -p /var/log/supervisor
# The stock noble sshd_config carries "#PermitRootLogin prohibit-password" (commented out),
# so the original pattern "PermitRootLogin without-password" never matched and root login
# stayed disabled. This pattern matches the shipped line and enables root login over SSH.
RUN sed -ri 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
# Add SAMBA VolumeShare location
RUN mkdir -p /SambaVolume
# Install bind9 dns server
RUN apt-get install -y bind9 dnsutils
# Copy tweaked DNS settings (COPY instead of ADD, because we want to overwrite any existing files)
COPY etc/bind/* /etc/bind/
# Install samba and dependencies to make it an Active Directory Domain Controller
RUN apt-get install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5
# Install Freeradius to validate VPN users against samba
RUN apt-get install -y freeradius
# Copy Freeradius customised files
COPY etc/freeradius/ /etc/freeradius/
# Copy customized kerberos configuration file
COPY etc/krb5.conf /etc/
# Install utilities needed for setup
RUN apt-get install -y expect pwgen
ADD boot/kdb5_util_create.expect /root/kdb5_util_create.expect
# Install rsyslog to get better logging of e.g. bind9
RUN apt-get install -y rsyslog
# Create run directory for bind9
RUN mkdir -p /var/run/named
RUN chown -R bind:bind /var/run/named
# Add supervisord and init
ADD etc/supervisor/conf.d/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ADD boot/init.sh /root/init.sh
RUN chmod 755 /root/init.sh
# Declare the volumes last: with the legacy builder, anything written to a path after its
# VOLUME instruction is discarded, which would silently drop the COPYs into /etc/bind and
# /etc/freeradius above. Kubernetes ignores VOLUME entirely; the mounts come from the pod spec.
VOLUME ["/var/lib/samba", "/etc/samba", "/etc/bind", "/etc/freeradius", "/SambaVolume"]
EXPOSE 53/tcp 53/udp 80/tcp 80/udp 88/tcp 88/udp 135/tcp 135/udp 137/tcp 137/udp
EXPOSE 138/tcp 138/udp 389/tcp 389/udp 443/tcp 443/udp 445/tcp 445/udp 464/tcp 464/udp
EXPOSE 636/tcp 636/udp 3268/tcp 3268/udp 3269/tcp 3269/udp 9389/tcp 9389/udp
EXPOSE 123/udp 22/tcp 22/udp
ENTRYPOINT ["/root/init.sh"]
CMD ["app:start"]
And the compiled container is being stored in a local registry using the following commands:
docker build -t samba:latest samba/
docker tag samba:latest registry.example.com:5000/samba:latest
docker push registry.example.com:5000/samba:latest
It is being deployed through Ansible with the following task (indentation restored; the securityContext field is spelled privileged, the misspelling priviledged is not a valid field and is ignored or rejected by the API server):
- name: Create SAMBA Deployment
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: apps/v1
      kind: StatefulSet
      metadata:
        name: samba
        namespace: samba-system
        labels:
          app: samba
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: samba
        template:
          metadata:
            labels:
              app: samba
          spec:
            volumes:
              - name: samba-config
                persistentVolumeClaim:
                  claimName: samba-config-vol
            containers:
              - name: samba
                image: registry.example.com:5000/samba:latest
                ports:
                  - containerPort: 123
                    protocol: UDP
                  # ### SKIPPING ###
                  - containerPort: 9389
                    protocol: UDP
                  - containerPort: 9389
                    protocol: TCP
                volumeMounts:
                  - name: samba-config
                    mountPath: /etc/samba
                  - name: samba-config
                    mountPath: /etc/bind
                  - name: samba-config
                    mountPath: /etc/freeradius
                  - name: samba-config
                    mountPath: /var/lib/samba
                envFrom:
                  - configMapRef:
                      name: samba-environment-map
                securityContext:
                  privileged: true
                  allowPrivilegeEscalation: true
                  readOnlyRootFilesystem: false
                  capabilities:
                    add:
                      - ALL
I am wondering why the content of the folders /etc/bind, /etc/samba and /etc/freeradius is the same.
I thought I read somewhere that you could use the same persistentVolumeClaim for all folders?
This happens because you mount a single volume named samba-config onto multiple volumeMounts. Think about this as mounting the same block device onto different mount points under Linux (in ro mode of course) - you'll get the same contents in all of these directories.