This guide runs FreeIPA in a container using the official FreeIPA Docker images. FreeIPA 4.13.1 includes the Modern WebUI beta, DNS over TLS/HTTPS support, and LDAP system accounts.
Run FreeIPA server with minimal configuration:
# Pull the latest FreeIPA image
docker pull freeipa/freeipa-server:latest
# Run FreeIPA server container
docker run \
--name freeipa-server \
-h ipa.example.com \
--rm \
-ti \
-v freeipa-data:/data \
-v /sys/fs/cgroup:/sys/fs/cgroup:ro \
--sysctl net.ipv4.ip_forward=1 \
--sysctl net.ipv6.conf.all.disable_ipv6=0 \
--sysctl net.ipv6.conf.all.forwarding=1 \
-p 53:53/tcp \
-p 53:53/udp \
-p 80:80/tcp \
-p 443:443/tcp \
-p 389:389/tcp \
-p 636:636/tcp \
-p 88:88/tcp \
-p 88:88/udp \
-p 464:464/tcp \
-p 464:464/udp \
-p 123:123/udp \
freeipa/freeipa-server:latest \
--domain=example.com \
--realm=EXAMPLE.COM \
--ds-password=Secret123 \
--admin-password=Secret123 \
--setup-dns \
--forwarder=8.8.8.8 \
--auto-forwarders
For production use, create a docker-compose file:
version: '3.8'
services:
  freeipa:
    image: freeipa/freeipa-server:4.13.1
    container_name: freeipa-server
    hostname: ipa.example.com
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    volumes:
      - freeipa-data:/data
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.all.forwarding=1
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
      - "389:389/tcp"
      - "636:636/tcp"
      - "88:88/tcp"
      - "88:88/udp"
      - "464:464/tcp"
      - "464:464/udp"
      - "123:123/udp"
    environment:
      - IPA_SERVER_HOSTNAME=ipa.example.com
      - IPA_SERVER_IP=172.17.0.2  # Optional: specify IP address
    command: [
      "--domain=example.com",
      "--realm=EXAMPLE.COM",
      "--ds-password=Secret123",
      "--admin-password=Secret123",
      "--setup-dns",
      "--forwarder=8.8.8.8",
      "--auto-forwarders",
      "--unattended"
    ]
volumes:
  freeipa-data:
Save as docker-compose.yml and run:
docker-compose up -d
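Before bringing the stack up, the compose file can be checked for literal passwords in the command list, a Directory Manager password shared with the admin account, and a floating image tag. This is an added example, not part of the original guide or the FreeIPA project; the helper names (audit_compose, opt_value) and finding labels are made up here, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a FreeIPA compose file for secret handling and image
# pinning. Finding labels and function names are hypothetical.

# Print the value of the first --<option>=<value> argument found in a file.
opt_value() {  # $1 = file, $2 = option name without leading dashes
    sed -n "s/.*--$2=\([^\"' ,]*\).*/\1/p" "$1" | head -n 1
}

# Print one finding per line; prints nothing when the file passes all checks.
audit_compose() {
    file=$1
    # Literal passwords in the command list are readable by anyone who can
    # read the compose file or run `docker inspect` on the container.
    for opt in ds-password admin-password; do
        if grep -q -- "--$opt=" "$file"; then
            echo "INLINE_SECRET --$opt is a literal command argument"
        fi
    done
    # Directory Manager and the IPA admin user should not share one password.
    ds=$(opt_value "$file" ds-password)
    admin=$(opt_value "$file" admin-password)
    if [ -n "$ds" ] && [ "$ds" = "$admin" ]; then
        echo "SHARED_SECRET ds-password and admin-password are identical"
    fi
    # A floating tag makes upgrades implicit; pin the version you tested.
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$file" | tr -d "\"'" |
    while read -r img rest; do
        case $img in
            *:latest) echo "FLOATING_TAG $img" ;;
            *:*) ;;  # explicit tag or digest
            *) echo "FLOATING_TAG $img (no tag, resolves to latest)" ;;
        esac
    done
}

# Constructed sample using options shown on this page (not a real deployment).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
services:
  freeipa:
    image: freeipa/freeipa-server:latest
    command: ["--domain=example.com", "--ds-password=Secret123",
              "--admin-password=Secret123", "--unattended"]
EOF
audit_compose "$sample"
```

The image check does not understand registry addresses that include a port, so an untagged image pulled from such a registry is not reported.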
With FreeIPA 4.13.x in Docker, you have access to:
The FreeIPA container supports several environment variables:
IPA_SERVER_HOSTNAME - Server hostname
IPA_SERVER_IP - Server IP address (optional)
IPA_CA_SUBJECT - CA subject (optional)
IPA_DNS_FORWARDERS - DNS forwarders (comma-separated)

Volumes:
/data - Persistent data storage
/sys/fs/cgroup - Required for systemd

# Enter the container
docker exec -it freeipa-server bash
# Run IPA commands inside the container
docker exec -it freeipa-server ipa user-find admin
# Create backup
docker exec -it freeipa-server ipa-backup --data
# The backup will be stored in the volume at /data/backups
To connect clients to your containerized FreeIPA server:
# On client systems
docker run -it --rm \
--cap-add NET_ADMIN \
freeipa/freeipa-client:latest \
--server=ipa.example.com \
--domain=example.com \
--realm=EXAMPLE.COM \
--password=Secret123
Check container logs:
docker logs freeipa-server
# Follow logs in real-time
docker logs -f freeipa-server
To update to a newer version:
# Stop current container
docker stop freeipa-server
# Pull new image
docker pull freeipa/freeipa-server:4.13.1
# Start with new image (data persists in volume)
# (Use same command as initial run)