Kubelet (part of all-in-one) runs privileged already and has those permissions - the parts of OpenShift that manage the node run as root in all cases. I know there are some things along the lines of kernel modules for openvswitch that have to be installed, but the container can access them.

On Tue, Jan 12, 2016 at 1:51 PM, Akram Ben Aissi <[email protected]> wrote:
> In fact I wonder if there can't be security restrictions from the host
> preventing the container from doing modification of the bridges and vxlan
> configuration.
>
> Sent from mobile
>
>> On 12 Jan 2016, at 17:02, Clayton Coleman <[email protected]> wrote:
>>
>> For an all-in-one image or separate masters and nodes? If you're
>> running an all-in-one with SDN you probably will hit other issues. I
>> don't know what limitations specifically in SDN you are referring to,
>> other than possibly that it needs to restart docker to init itself.
>>
>> On Tue, Jan 12, 2016 at 6:37 AM, Akram Ben Aissi
>> <[email protected]> wrote:
>>> Hi guys,
>>>
>>> yes mounting /var/lib/origin works, and also, you can use the create-config
>>> flags to use it in a more configurable way.
>>> But, the main limitation that I see is around SDN, which I think cannot be
>>> used as-is.
>>> Can someone confirm?
>>>
>>> On 12/01/16 03:51, Clayton Coleman wrote:
>>>
>>>> Hi, tried to answer on stack. You should be able to mount the
>>>> /var/lib/origin directory and have everything preserved (but double
>>>> check the default directories created).
>>>>
>>>>> On Mon, Jan 11, 2016 at 8:20 PM, Xiao Peng <[email protected]> wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> I am relatively new to Openshift Origin. We are designing a solution for
>>>>> service integration and want to use Openshift Origin as the platform. But I
>>>>> wonder if I should use the docker image or should I install Openshift
>>>>> natively.
>>>>>
>>>>> If I can use the docker image in production how should I upgrade it when a
>>>>> new version of image is released? I know I lose all configuration and
>>>>> application definition when starting a new docker container. Is there a way
>>>>> to keep them? Mapping volumes? Which volumes should be mapped?
>>>>>
>>>>> The command line I am using is:
>>>>>
>>>>> docker run -d --name "origin" -e "http_proxy=$http_proxy" -e
>>>>> "https_proxy=$https_proxy" -e "no_proxy=$no_proxy" --privileged --pid=host
>>>>> --net=host -v /:/rootfs:ro -v /var/run:/var/run:rw -v /sys:/sys
>>>>> openshift/origin start --cors-allowed-origins='.*'
>>>>>
>>>>> I have also asked this question on stackoverflow
>>>>> (http://stackoverflow.com/questions/34734062/is-the-openshift-origin-docker-image-production-ready).
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Xiao Peng, Technical Architect
>>>>> Blog: http://mrcoder.github.io/
>>>>>
>>>>> _______________________________________________
>>>>> dev mailing list
>>>>> [email protected]
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
