Hello,
in the past couple of weeks I've pushed multiple changes to the
https://github.com/freeipa/freeipa-container
repository, fixing and enabling the Fedora 28 and Fedora 29 Dockerfiles and adding a Travis CI configuration where we currently test IPA master and replica setups in images of Fedora 23 through rawhide and on CentOS 7:
https://travis-ci.org/freeipa/freeipa-container/branches
Testing on Travis' Ubuntus allowed me to reproduce and fix some issues that people have observed on non-RHEL/CentOS/Fedora docker hosts. One of the results is that docker run's --privileged or --cap-add SYS_ADMIN options should not be needed anymore, making things more confined and more secure. In fact, it's quite likely that running the FreeIPA server containers as privileged will result in
https://github.com/freeipa/freeipa-container/issues/254
... so just don't do it.
Another focus of the effort was to make it possible to run the containers as read-only (docker run --read-only), making all the changes that are done during the initial ipa-server-install or during runtime properly confined to the /data volume, or pointed to the discardable /tmp. While things pass in my local read-only tests, in Travis CI the initial ipa-server-install phase runs fine but starting the read-only container afterwards seems to hang:
https://travis-ci.org/adelton/freeipa-container/builds/459418370
Any help with investigating why this is happening would be appreciated.
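As an added example (not part of the message above and not code from the freeipa-container project), the following POSIX shell script checks a running container against the points the message makes: it flags --privileged, --cap-add SYS_ADMIN, a writable root filesystem (no --read-only), and a missing /data volume. It reads the container's HostConfig and Mounts through docker inspect's --format template; the container name freeipa-server-container and the exact wording of the findings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the freeipa-container project.
# Verifies that a running FreeIPA server container was started the way the
# message above recommends: not --privileged, without --cap-add SYS_ADMIN,
# with --read-only, and with a volume on /data.

# docker inspect template producing one line:
#   <privileged> <readonly-rootfs> <capadd-json> ,<mount-dest>,<mount-dest>...
# e.g. "false true null ,/data,/sys/fs/cgroup"
inspect_fmt='{{.HostConfig.Privileged}} {{.HostConfig.ReadonlyRootfs}} {{json .HostConfig.CapAdd}} {{range .Mounts}},{{.Destination}}{{end}}'

# Evaluate one such line. Prints each problem found; returns 0 when the
# configuration matches the recommendations, 1 otherwise.
check_hostconfig() {
    line=$1
    privileged=$(printf '%s\n' "$line" | cut -d' ' -f1)
    readonly_fs=$(printf '%s\n' "$line" | cut -d' ' -f2)
    capadd=$(printf '%s\n' "$line" | cut -d' ' -f3)
    mounts=$(printf '%s\n' "$line" | cut -d' ' -f4-)
    rc=0
    if [ "$privileged" = "true" ]; then
        echo "container runs with --privileged; drop it"
        rc=1
    fi
    # CapAdd is JSON: "null" when nothing was added, e.g. ["SYS_ADMIN"] otherwise
    case "$capadd" in
        *SYS_ADMIN*)
            echo "container was started with --cap-add SYS_ADMIN; drop it"
            rc=1 ;;
    esac
    if [ "$readonly_fs" != "true" ]; then
        echo "root filesystem is writable; container was not started with --read-only"
        rc=1
    fi
    # Destinations are comma-separated with a leading comma; add a trailing
    # one so "/data" matches exactly and "/data2" or "/x/data" do not.
    case "$mounts," in
        *,/data,*) ;;
        *)
            echo "no volume mounted on /data; IPA state will not persist"
            rc=1 ;;
    esac
    return $rc
}

# Inspect a live container by name or id and evaluate its configuration.
# Returns 2 if docker inspect itself fails (no such container, no docker).
check_container() {
    cfg=$(docker inspect --format "$inspect_fmt" "$1") || return 2
    check_hostconfig "$cfg"
}

# Usage: sh check-freeipa-container.sh freeipa-server-container
if [ -n "${1-}" ]; then
    check_container "$1"
fi
```

Run it against the container name you passed to docker run --name; a non-zero exit with one or more findings means the container should be recreated with the offending option removed, or with --read-only and a -v ...:/data volume added.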