The FreeIPA community is looking for your help and feedback!
The FreeIPA development team is excited to share with you a new version of the FreeIPA server, 4.1.2, running in a container on top of CentOS. It is the first time a FreeIPA upstream release is available in the CentOS docker index. It is a preview of the features that will eventually make their way into the main CentOS distribution. This version of FreeIPA showcases multiple new major features as well as improvements to existing components above what is currently available in CentOS 7.0.
In order to use this docker container, please run:
`docker pull centos/freeipa`
Then follow the guide/documentation available at https://registry.hub.docker.com/u/centos/freeipa/
These features include:
– Backup and Restore
Ability to backup server data and restore an instance in the case of disaster
– CA Certificate Management Utility
A tool to change IPA chaining or rotate the CA certificate on an already installed server
– ID Views
Ability to store POSIX data and SSH keys in IPA for users belonging to a trusted Active Directory domain. Alternative POSIX data and SSH keys can also be stored for regular IPA users, making it possible to serve different POSIX data to different clients (requires SSSD 1.12.3 or later). This is useful in migration scenarios where consolidation of multiple identity stores (local files, NIS domains, legacy LDAP servers, ...) with duplicated identities and inconsistent POSIX attributes needs to be retained for some clients.
Note: The solution requires the latest SSSD bits available in the Copr repo: https://copr.fedoraproject.org/coprs/mkosek/freeipa/
With this version we are introducing for the first time the ability to manage DNSSEC signatures on DNS data. This feature will be available in the community version only and will not be included in CentOS 7.1.
There are also significant improvements in UI, permissions, keytab management, automatic membership and SUDO rules handling.
More information can be found here:
The biggest and most interesting feature of FreeIPA 4.1.2 is support for two-factor authentication using HOTP/TOTP compatible software tokens like FreeOTP (an open source compatible alternative to Google Authenticator) and hardware tokens like Yubikeys. This feature allows Kerberos and LDAP clients of a FreeIPA server to authenticate using the normal account password as the first factor and an OTP token as a second factor. For those environments where a 2FA solution is already in place, FreeIPA can act as a proxy via RADIUS. More about this feature can be read here.
If you want to see this feature in CentOS 7.1 proper we need your help!
Please give it a try and provide feedback. We really, really need it!
Please use firstname.lastname@example.org if you have any questions.
If you notice any issues or want to file an RFE you can do it here:
https://fedorahosted.org/freeipa/ (requires a Fedora account).
You can also find us on irc.freenode.net on #freeipa.
The CentOS Project is pleased to announce four new Docker images in the CentOS Container Set, providing popular, ready to use containerized applications and services. Today you can grab containers with MariaDB, Nginx, FreeIPA, and the Apache HTTP Server straight from the Docker Hub.
The new containers are based on CentOS 7, and are tailored to provide just the right set of packages to provide MariaDB, Nginx, FreeIPA, or The Apache HTTP Server right out of the box.
The first set of applications and services provide two of the world’s most popular Web servers, MariaDB for your database needs, and FreeIPA to provide an integrated security information management solution.
The CentOS Container Set is an effort to leverage the CentOS Project to give developers and admins the building blocks to easily set up containerized services in their environment. Keep an eye on the CentOS blog for further releases, or help us as we continue to develop more!
To get started with one of the images, use: `docker pull centos/<app>` where <app> is the name of the container (*e.g.* `docker pull centos/mariadb`). You can find some quick “getting started” info on the Docker Hub page for each application.
Jason Brooks has written up a longer howto for FreeIPA that details how to build the container (which is already done here, but you can rebuild the images if you like using the Dockerfiles on GitHub), and how to set it up to use FreeIPA with an application.
We have a larger set of Dockerfiles (derived initially from the Fedora Dockerfiles) that we’re working on to develop pre-made CentOS Docker containers for easy use. Join the centos-devel mailing list to ask questions about the containers, or to provide feedback on their use. We also accept pull requests if you have any fixes or new Dockerfiles to contribute!
We will have speakers in the morning, starting at 10:00 am local time and a hackfest beginning at 1:00pm.
EDIT (Monday July 28, 2014 – 2010 UTC):
We now have what we think is going to be the final version of this upgrade tool. Please see the following link to test:
We now have some Beta Testing RPMs available to test upgrades from CentOS-6 to CentOS-7. These tests were announced on the CentOS-Devel mailing list here:
Since the release of the test RPMs, we have had several patches created by Manuel Mausz. Manuel’s patches have done a lot to make the Preupgrade Assistant work for upgrades. We now need to get some tests of the patched RPMs.
The new RPMs are available from the Testing Repo here:
The upstream documentation for performing upgrades, as it currently exists, is here:
The CentOS team would like to very much thank Manuel for his testing work and patches for Preupgrade Assistant. This is an example of how we are now doing things in the “New” CentOS Project … where the community is now involved in all aspects of what we do except the actual building of the upstream sources for the actual distro.
Other things we need from the community for this process:
The SRPMs for these packages are here:
The sources are also available from git.centos.org:
And the specific packages are:
Please test and document these packages and the process, and submit any required code changes to the CentOS-Devel mailing list. If you need wiki.centos.org edit capability to create/update docs for the process, ask on the CentOS-Docs mailing list.
Note: The state of this software is to be considered Beta at best … do NOT try to use it on ANYTHING even slightly important.
EDIT: New packages are now pushed based on the changes from this mail:
Please run preupg with "-s CentOS6_7".
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
This issue affects CentOS-6 and -7 kernels. An upstream fix has now been applied to the CentOSPlus kernels.
After three weeks in testing, we are very happy to announce the release for CentOS-7/x86_64. Please read the announcement here: http://lists.centos.org/pipermail/centos-announce/2014-July/020393.html and the Release Notes at: http://wiki.centos.org/Manuals/ReleaseNotes/CentOS7. But this isn't the end of the seven process, it’s where the fun begins – KB
At this point we have a set of images that we consider release grade, pending final testing, we will move to release these unless a major blocker is reported.
Folks with bandwidth to spare are encouraged to help seed these images via torrents. Here are the URLs to hit:
The centosplus kernel for 7 is now available for testing. The kernel version is 3.10.0-123.el7 (GA kernel). You can download it from this site.
If you wonder what this kernel is for, please visit this earlier post.
Extra features enabled in the config file include some network adapters, BusLogic, IPX, Appletalk, and ReiserFS. TOMOYO and AppArmor are also enabled but SELinux remains the default.
For more details, please see this post on the centos-devel mailing list.
Your feedback is welcome either here or on the mailing list.