Yeah, if CDK was running with this enabled I would not be able to run
anything in any meaningful timeframe on openshift.
I wish there was a better way though.
i.e. that I could set a flag for a specific deployment whether it should
be allowed to run as root or not without making this a fully global flag.
But in short - without this permission I don't see CDK/ADB being useful
to anyone trying to use it for docker based development because dockerhub
just has too many containers that require it.
/max
I think most teams at the Brno F2F were struggling with this. It works
locally, but semi-obscure failures when pushed 'live'. And out of the
30 RH engineers there, none knew 100% or was able to dig up a doc that
explained why and how to fix it...
This is/will be a massive pain point moving from Dev to Production.
At the very least we need some very clear, simple guides on how to make
it work.
-aslak-
On Wed, May 18, 2016 at 1:10 PM, Clayton Coleman <[email protected]> wrote:
It was a deliberate choice, predicated on other changes coming to
Docker (user namespaces) plus the desire to ensure demos run.
Ultimately, the CDK is a playground. Putting up chain link fences
around the playground sends the wrong message.
I'd prefer to have it easier to go between the levels in the short
term than to ratchet it back.
On May 17, 2016, at 11:27 PM, Dusty Mabe <[email protected]> wrote:
Currently we are configuring openshift in the CDK/ADB to be more
permissive than it should be when running containers.
At [1] we are setting:
oadm policy add-scc-to-group anyuid system:authenticated
From my experiments this means that containers run as anyuid and thus
can be root, cc clayton for confirmation.
What this means is that we are misleading users into thinking things
will run in production OpenShift, when the production OpenShift most
likely won't have things configured this way.
We should probably not be doing this. Reverting this change will also
mean that proposed demos, etc. should be retested on the newer version
meticulously.
Dusty
[1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
_______________________________________________
Devtools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/devtools
/max
http://about.me/maxandersen
_______________________________________________
Container-tools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/container-tools
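To see whether a development cluster carries the `oadm policy add-scc-to-group anyuid system:authenticated` grant discussed in this thread, the SCC list can be audited for any "run as any UID" constraint bound to an all-users group. This is an added example, not code from the thread or from adb-utils; the function names are hypothetical and the sample data is constructed in the shape of `oc get scc -o json` output.

```python
import json

# Groups that cover every user; an SCC granted to one of these applies
# to workloads in every project.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample, trimmed to the fields this check reads. The "anyuid"
# entry mirrors the state after the provisioning command quoted in the thread.
SAMPLE_SCC_LIST = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "restricted"},
   "runAsUser": {"type": "MustRunAsRange"},
   "groups": ["system:authenticated"], "users": []},
  {"metadata": {"name": "anyuid"},
   "runAsUser": {"type": "RunAsAny"},
   "groups": ["system:cluster-admins", "system:authenticated"], "users": []},
  {"metadata": {"name": "privileged"},
   "runAsUser": {"type": "RunAsAny"},
   "groups": ["system:cluster-admins", "system:nodes"], "users": []}
]}
""")


def permissive_scc_grants(scc_list):
    """Return (scc_name, group) pairs where an all-users group may pick any UID."""
    findings = []
    for scc in scc_list.get("items", []):
        strategy = (scc.get("runAsUser") or {}).get("type")
        if strategy != "RunAsAny":
            continue  # other strategies constrain which UID the pod gets
        for group in scc.get("groups") or []:  # "groups" may be null
            if group in BROAD_GROUPS:
                findings.append((scc["metadata"]["name"], group))
    return findings


if __name__ == "__main__":
    for name, group in permissive_scc_grants(SAMPLE_SCC_LIST):
        print(f"SCC {name!r} lets {group!r} run containers as any UID, "
              "root included; a cluster without this grant will behave differently")
```

An empty result means the cluster makes no cluster-wide root grant of this kind, so images that only work as root will fail there as they would on a cluster without the CDK/ADB setting.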