Dockerhub ucs-master app center not available

Hi there,

I have run the most current dockerhub ucs-master image 4.1-3. https://hub.docker.com/r/univention/ucs-master-amd64/

I used the setup mentioned here:
http://wiki.univention.de/index.php?title=Docker

docker run -d -e rootpwd=univention --hostname=master --name=master -p 8011:80 univention/ucs-master-amd64:4.1-3 /sbin/init

Running this one shows the problem that the appstore does not show any app, but the following docker network error message:

Is it possible and maintained to run ucs-master as a docker container running other apps as docker containers? Docker itself should be able to handle those situations when the ucs image is run in privileged mode. But this is not mentioned in the “Setup a DC master via docker” section.

So how do I set up a ucs-master inside docker which is able to handle ucs apps? And why is the most current ucs 4.2 not listed as a univention maintained docker image?

UPDATE:

I was able to solve the first issue. I assumed that univention tries to use the default docker bridge network, which is already in use by my docker instance running ucs itself. So I created an additional custom docker bridge using this command:
docker network create --ip-range 172.25.2.0/24 --subnet 172.25.0.0/16 dockerInternalNet --ipv6=false

Afterwards I start the container using this non-default docker network:
docker run -d -e rootpwd=univention --privileged=true --network=dockerInternalNet --dns=127.0.0.1 --hostname=master --name=master -p 8011:80 univention/ucs-master-amd64:4.1-3 /sbin/init

(I added the privileged flag for testing, to circumvent possible docker in docker issues. Additionally I set the localhost ip 127.0.0.1 as container dns, so that ucs is able to resolve its own subdomains.) Nevertheless, the app-center does not work yet. Now I get the following error:

Could not fulfill the request. Server error message: The command has failed: The docker service is not running! The App Center will not work properly. Make sure docker.io ist installed, try starting the service with “service docker start”.

When I go into the ucs bash with:
docker exec -it master /bin/bash
and run
service docker start
I get the following error:
Failed to start docker.service: Unit docker.service failed to load: No such file or directory.

So it seems to me that docker itself is not installed on the ucs-master dockerhub image. Even when I install all package updates, upgrade to ucs 4.2 and install all package updates again, this error persists. So how do I install the missing docker service in ucs?

UPDATE 2:

I was able to find the problem. UCS is shipped with dockerhub images using the docker container mode, which does not contain any docker daemon. Installing the docker daemon uninstalls the container mode:

root@master:/# apt-get install univention-docker univention-appcenter-docker
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libid3tag0 libimlib2 libobrender29 libobt2 libpangoxft-1.0-0 openbox
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
  adwaita-icon-theme at-spi2-core bc cgroupfs-mount colord colord-data containerd dmeventd docker.io eject elinks elinks-data emacs24 emacs24-bin-common emacs24-common gconf-service gconf2-common git git-man
  grub-common grub-pc grub-pc-bin grub2-common imagemagick-common iptables libapparmor1 libatk-bridge2.0-0 libatspi2.0-0 libblas-common libblas3 libcolord2 libcolorhug2 libdevmapper-event1.02.1 liberror-perl
  libfftw3-double3 libfribidi0 libfsplib0 libfuse2 libgconf-2-4 libgd3 libgfortran3 libgomp1 libgphoto2-6 libgphoto2-l10n libgphoto2-port10 libgtk-3-0 libgtk-3-bin libgtk-3-common libgusb2 libieee1284-3
  libjson-glib-1.0-0 libjson-glib-1.0-common liblinear1 liblockfile-bin liblockfile1 liblqr-1-0 liblua5.2-0 liblvm2cmd2.02 libm17n-0 libmagickcore-6.q16-2 libmagickwand-6.q16-2 libnfnetlink0 libnl-3-200
  libnl-genl-3-200 libopts25 libotf0 libpcap0.8 libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-gobject-1-0 libpsl0 libquadmath0 libreadline5 librest-0.7-0 libsane libsane-common libsane-extras
  libsane-extras-common libseccomp2 libsnmp-session-perl libsoup-gnome2.4-1 libtre5 libusb-1.0-0 libwayland-client0 libwayland-cursor0 libxkbcommon0 locate lockfile-progs lvm2 m17n-db memtest86+ mrtg ndiff
  nfs-kernel-server nmap ntp ntpdate os-prober patch policykit-1 python-egenix-mxdatetime python-egenix-mxtools python-pygresql python-univention-pkgdb quota runc sane-utils univention-firewall univention-grub
  univention-maintenance univention-nfs-server univention-pkgdb-tools univention-portal univention-quota univention-role-common univention-role-server-common unzip wget zip
Suggested packages:
  aufs-tools btrfs-tools debootstrap docker-doc rinse zfs-fuse zfsutils cdtool setcd elinks-doc emacs24-common-non-dfsg emacs24-el git-daemon-run git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb
  git-arch git-cvs git-mediawiki git-svn multiboot-doc grub-emu xorriso desktop-base console-setup libfftw3-bin libfftw3-dev libgd-tools gphoto2 gtkam gvfs liblinear-tools liblinear-dev m17n-docs
  libmagickcore-6.q16-2-extra avahi-daemon hplip hpoj tre-agrep thin-provisioning-tools gawk hwtools memtester kernel-patch-badram memtest86 mtools mrtg-contrib ntp-doc ed diffutils-doc
  python-egenix-mxdatetime-dbg python-egenix-mxdatetime-doc python-egenix-mxtools-dbg python-egenix-mxtools-doc python-pygresql-dbg libnet-ldap-perl unpaper
Recommended packages:
  ubuntu-fan postgresql-client
The following packages will be REMOVED:
  univention-container-role-common univention-container-role-server-common univention-docker-container-mode
The following NEW packages will be installed:
  adwaita-icon-theme at-spi2-core bc cgroupfs-mount colord colord-data containerd dmeventd docker.io eject elinks elinks-data emacs24 emacs24-bin-common emacs24-common gconf-service gconf2-common git git-man
  grub-common grub-pc grub-pc-bin grub2-common imagemagick-common iptables libapparmor1 libatk-bridge2.0-0 libatspi2.0-0 libblas-common libblas3 libcolord2 libcolorhug2 libdevmapper-event1.02.1 liberror-perl
  libfftw3-double3 libfribidi0 libfsplib0 libfuse2 libgconf-2-4 libgd3 libgfortran3 libgomp1 libgphoto2-6 libgphoto2-l10n libgphoto2-port10 libgtk-3-0 libgtk-3-bin libgtk-3-common libgusb2 libieee1284-3
  libjson-glib-1.0-0 libjson-glib-1.0-common liblinear1 liblockfile-bin liblockfile1 liblqr-1-0 liblua5.2-0 liblvm2cmd2.02 libm17n-0 libmagickcore-6.q16-2 libmagickwand-6.q16-2 libnfnetlink0 libnl-3-200
  libnl-genl-3-200 libopts25 libotf0 libpcap0.8 libpolkit-agent-1-0 libpolkit-backend-1-0 libpolkit-gobject-1-0 libpsl0 libquadmath0 libreadline5 librest-0.7-0 libsane libsane-common libsane-extras
  libsane-extras-common libseccomp2 libsnmp-session-perl libsoup-gnome2.4-1 libtre5 libusb-1.0-0 libwayland-client0 libwayland-cursor0 libxkbcommon0 locate lockfile-progs lvm2 m17n-db memtest86+ mrtg ndiff
  nfs-kernel-server nmap ntp ntpdate os-prober patch policykit-1 python-egenix-mxdatetime python-egenix-mxtools python-pygresql python-univention-pkgdb quota runc sane-utils univention-appcenter-docker
  univention-docker univention-firewall univention-grub univention-maintenance univention-nfs-server univention-pkgdb-tools univention-portal univention-quota univention-role-common
  univention-role-server-common unzip wget zip
0 upgraded, 121 newly installed, 3 to remove and 0 not upgraded.
Need to get 83.0 MB/83.1 MB of archives.
After this operation, 365 MB of additional disk space will be used.
Do you want to continue? [Y/n]

After this installation, the app center is reachable and I can install the kopano related apps. In contrast, nextcloud is not installable, because ucs claims to be run as a container.

The app-center and the installed kopano app are only usable until the container is restarted. After a restart, no one can log in anymore (not in kopano and not in the univention management console).

root@master:/# service univention-management-console-server status
● univention-management-console-server.service - LSB: Univention Management Console Server
   Loaded: loaded (/etc/init.d/univention-management-console-server)
  Drop-In: /lib/systemd/system/univention-management-console-server.service.d
           └─killmode.conf
   Active: active (running) since Tue 2017-05-02 13:40:37 CEST; 25min ago
  Process: 635 ExecStart=/etc/init.d/univention-management-console-server start (code=exited, status=0/SUCCESS)
   CGroup: /docker/ba4a824c6956af57488442d0eb433808dd23ad3bd9f8563eccaf35660910094d/system.slice/univention-management-console-server.service
           └─740 /usr/bin/python2.7 /usr/sbin/univention-management-console-server start

May 02 13:40:36 master systemd[1]: Starting LSB: Univention Management Console Server...
May 02 13:40:37 master univention-management-console-server[635]: Starting Univention Management Console Server: univention-management-console-server.
May 02 13:40:37 master systemd[1]: Started LSB: Univention Management Console Server.
May 02 14:02:50 master python2.7[740]: inexistant user Administrator
May 02 14:02:50 master python2.7[740]: saml_msg is too small: minlength = 128
May 02 14:02:50 master python2.7[740]: pam_unix(univention-management-console:auth): check pass; user unknown
May 02 14:02:50 master python2.7[740]: pam_unix(univention-management-console:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
May 02 14:02:50 master python2.7[740]: pam_krb5(univention-management-console:auth): authentication failure; logname=Administrator uid=0 euid=0 tty= ruser= rhost=
May 02 14:02:50 master python2.7[740]: pam_ldap: ldap_starttls_s: Can't contact LDAP server

So after a reboot ucs is not able to connect to the ldap instance anymore. This way seems very broken and not official. So what is the way to go to get a working app-center in a ucs container?

UPDATE 3:

Okay, there is a halfway solution. I can set the ucr variable appcenter/docker to false. This would disable docker capabilities for the appcenter. But this would also disable all app installations which are docker based.

1 Like
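A check for the side effect shown in UPDATE 2, as an added example that is not part of the original post: it parses apt-get's pre-confirmation summary and reports removals of the container-mode packages. The sample text is constructed from the transcript above, and the guarded package list is an assumption of this example.

```python
# Constructed excerpt of apt-get's pre-confirmation summary; package names are
# taken from the transcript above, the lists are shortened.
SAMPLE_PLAN = """\
Reading package lists... Done
The following extra packages will be installed:
  cgroupfs-mount containerd docker.io iptables runc
The following packages will be REMOVED:
  univention-container-role-common univention-container-role-server-common
  univention-docker-container-mode
The following NEW packages will be installed:
  cgroupfs-mount containerd docker.io iptables runc univention-appcenter-docker
  univention-docker
0 upgraded, 7 newly installed, 3 to remove and 0 not upgraded.
"""

# Assumption for this example: these are the packages that must stay installed.
GUARDED_PREFIXES = ("univention-container-role-", "univention-docker-container-mode")


def parse_plan(text):
    """Map each section header of the summary to the packages listed under it."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("  ") and current is not None:
            sections[current].extend(line.split())   # indented continuation line
        elif line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]              # new section header
            sections.setdefault(current, [])
        else:
            current = None                            # status line ends the section
    return sections


def removed_packages(text):
    """Packages apt-get lists under 'The following packages will be REMOVED'."""
    plan = parse_plan(text)
    return plan.get("The following packages will be REMOVED", [])


def guarded_removals(text, prefixes=GUARDED_PREFIXES):
    """Removals that would take the image out of container mode."""
    return [p for p in removed_packages(text) if p.startswith(prefixes)]


if __name__ == "__main__":
    hits = guarded_removals(SAMPLE_PLAN)
    print("refuse to install, would remove:" if hits else "plan is safe", *hits)
```

The same summary is printed by `apt-get --simulate install ...`, so the plan can be inspected without changing the system; the header match assumes untranslated (English) apt-get output.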

Hello @cguenther,

welcome to Univention Help :balloon: :wave:

I’m not sure I completely understand what you are trying to achieve. Do you want to run a UCS Master as Docker Container on another UCS System? And then use the App Center and dockerized Apps inside that dockered UCS Master?

Best regards,
Michael Grandjean

I have a containerized IT environment, where all my services live inside a container. I try to add the ucs as a container as well. This works well, until I want to use the app-center. First I wonder why the current version 4.2 is not available via dockerhub. I found no solution to use also the dockerized ucs apps.

To run docker inside docker you have to start each container in privileged mode:
https://www.google.de/search?q=docker+inside+docker

Start the main UCS container like this, then check if you can manually start a container inside the main UCS container. If that works, let’s see if we can find a way to make the app center start app containers in that way.

Ok thanks for your investigation. I will go with the ucs-master with appcenter/docker=false. I only want to install kopano at the moment and the related apps seem to be native apps.

Hello,
I’ve experienced the same/a similar issue.

I am currently evaluating UCS for use primarily as a central IdP (for SSO using OpenID), also in connection with AppCenter and perspectively as a DC.
After I had a look at this VBox image, I came to the decision that for us the productive use regarding operating costs and flexibility is best possible by using Docker.
Accordingly I wanted to run the container from the image univention/ucs-master-amd64:latest behind a reverse proxy. (Image jwilder/nginx-proxy:latest). Here I encountered the problem that docker conf does not declare ports on the connected networks. (See “NetworkSettings”. “Ports”: {} ). So the container itself works fine, but a docker reverse proxy doesn’t recognise this, because it gets the available services from the docker host. So there is no EXPOSE definition in the docker file or the hint -expose in docker run to allow container interaction.
My first question would be whether you actually consider Docker for UCS ready for production. Among other things, also with regard to the comparatively lean documentation and the fact that the admin has to think about a reasonable definition of volumes etc.
After the initial setup, I recognised in the AppCenter that I cannot install applications that are provided in the AppCenter itself as docker based applications. Problem: The univention/ucs-master-amd64 image does not provide a docker.io service itself. That makes sense! Because installing Docker images in Docker images makes little to no sense. But that brings me back to the question whether Docker is currently useful for UCS operation, at least in conjunction with AppCenter? According to current knowledge:

  • Either UCS in Docker should recognize that it runs in Docker (I think that’s already the case) and request privileged as container permissions so it can use the Docker host’s docker.io to deploy and manage containers itself.
  • Or the AppCenter provides an API to register containers from compatible images (as I see it, the images have to be built specifically for UCS anyway, for LDAP integration etc. to work) with the UCS.
  • Respectively, a combination of both variants would be possible.

In short, I have not found a case in documentation, wiki or forum while testing this scenario. Therefore I summarised the question to you:

  1. UCS with AppCenter on Docker, can it be recommended for productive use? If so, how do you solve the Docker in Docker problem described in the previous paragraph?
  2. Do you have references / experience with the operation of the appliance in Hetzner Cloud (not managed, or root server)? It needs specific packaging (see Hetzner Wiki), where I’m not sure if they ask for the actual OS root path or a packaging in ISO format.

Many greetings
codehorse

2 Likes
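The container settings discussed in this thread (privileged mode and a password passed with `-e` in the first post, the empty `"Ports": {}` in the reverse-proxy post) are all visible in `docker inspect`. The audit below is an added example, not code from any poster or from Univention; the two records are constructed and heavily trimmed, and the finding names and the credential-name heuristic are this example's own.

```python
import re

# Env variable names that look like credentials (heuristic chosen for this example).
SECRET_NAME = re.compile(r"(pwd|pass|secret|token|key)", re.IGNORECASE)

# Constructed, heavily trimmed inspect records (real output has many more fields).
FIRST_POST = {  # docker run -e rootpwd=... --privileged=true -p 8011:80 ...
    "Config": {"Env": ["rootpwd=univention", "PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
               "ExposedPorts": {"80/tcp": {}}},
    "HostConfig": {"Privileged": True},
    "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0",
                                              "HostPort": "8011"}]}},
}
BEHIND_PROXY = {  # started without -p or --expose, as in the reverse-proxy post
    "Config": {"Env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"]},
    "HostConfig": {"Privileged": False},
    "NetworkSettings": {"Ports": {}},
}


def audit(container):
    """Return findings for one element of the parsed `docker inspect` JSON array."""
    findings = []
    host = container.get("HostConfig") or {}
    config = container.get("Config") or {}
    net = container.get("NetworkSettings") or {}

    # Privileged containers run without the usual isolation from the host.
    if host.get("Privileged"):
        findings.append("privileged")
    # Values passed with -e are readable by anyone who may inspect the container.
    for entry in config.get("Env") or []:
        name, _, value = entry.partition("=")
        if value and SECRET_NAME.search(name):
            findings.append("secret-in-env:" + name)
    # A proxy that discovers backends through the Docker API needs a declared port.
    if not (config.get("ExposedPorts") or net.get("Ports")):
        findings.append("no-exposed-ports")
    return findings


if __name__ == "__main__":
    for label, record in (("first post", FIRST_POST), ("behind proxy", BEHIND_PROXY)):
        print(label, audit(record))
```

On a live host the input would be `json.loads` of the `docker inspect <name>` output, one array element per container.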