You are correct, the container will not run as root with pod spec that is shown.
The pod spec indicates that you validated under the restricted SCC and were given the UID 1000030000. When your container is launched it will be configured to run as 1000030000 regardless of what is in the docker file. If you would like the container to run as root you can grant access to the anyuid SCC for the service account that the pod is using. https://docs.openshift.org/latest/admin_guide/manage_scc.html#add-an-scc-to-a-user-or-group. On Tue, Jan 19, 2016 at 11:43 AM, Rishi Misra <[email protected]> wrote: > Thanks for your response. Perhaps interpreting this will help me > understand SCC better - My app pod looks like: > > /======================================/ > oc get pod nodejs-sample-app-1-fpiha -o yaml > apiVersion: v1 > kind: Pod > metadata: > annotations: > kubernetes.io/created-by: | > > {"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"test","name":"nodejs-sample-app-1","uid":"6fd8f412-bb9a-11e5-9f87-02000000002e","apiVersion":"v1","resourceVersion":"328"}} > openshift.io/deployment-config.latest-version: "1" > openshift.io/deployment-config.name: nodejs-sample-app > openshift.io/deployment.name: nodejs-sample-app-1 > openshift.io/generated-by: OpenShiftNewApp > *openshift.io/scc <http://openshift.io/scc>: restricted* > creationTimestamp: 2016-01-15T15:12:54Z > generateName: nodejs-sample-app-1- > labels: > app: nodejs-sample-app > deployment: nodejs-sample-app-1 > deploymentconfig: nodejs-sample-app > name: nodejs-sample-app-1-fpiha > namespace: test > resourceVersion: "1729" > selfLink: /api/v1/namespaces/test/pods/nodejs-sample-app-1-fpiha > *uid: 737d0f9a-bb9a-11e5-9f87-02000000002e* > spec: > containers: > - image: openshift/nodejs-sample-app:forOpenShift > imagePullPolicy: IfNotPresent > name: nodejs-sample-app > ports: > - containerPort: 8080 > protocol: TCP > resources: {} > * securityContext:* > * privileged: false* > * runAsUser: 1000030000* > * seLinuxOptions:* > * level: s0:c6,c0* > terminationMessagePath: /dev/termination-log > volumeMounts: > - mountPath: /var/run/secrets/kubernetes.io/serviceaccount > name: default-token-8dwhf > readOnly: true > dnsPolicy: ClusterFirst > host: xxx.xxxx.xxxx > imagePullSecrets: > - name: default-dockercfg-i1ke5 > nodeName: xxx.xxxx.xxxx > restartPolicy: Always > securityContext: > seLinuxOptions: > level: s0:c6,c0 > serviceAccount: default > serviceAccountName: default > terminationGracePeriodSeconds: 30 > volumes: > - name: default-token-8dwhf > secret: > secretName: default-token-8dwhf > status: > conditions: > - lastProbeTime: null > lastTransitionTime: 2016-01-19T16:10:00Z > status: "True" > type: Ready > containerStatuses: > - containerID: > docker://ca9a288d9ee1fe48517e18e5f6f6b1def28e0ba605962545063f42fbf1f38f38 > image: openshift/nodejs-sample-app:forOpenShift > imageID: > docker://a7782aa25f2463169c43423490297c3a5cf9237b34e7cc772ac2f3ab06b5d302 > lastState: {} > name: nodejs-sample-app > ready: true > restartCount: 0 > state: > running: > startedAt: 2016-01-15T15:12:57Z > hostIP: x.xx.xx.xxx > phase: Running > podIP: 172.17.0.2 > startTime: 2016-01-19T16:10:00Z > /======================================/ > > Is this telling me that my container is running as non-root user ( > *1000030000*) and security context is *restricted*? How do I interpret > this container from security context? > > I had specifically commented out USER section in my Dockerfile when > creating this image as it was creating problems when copying things to > root. This led me to think that this image will be run as "root" user in > OpenShift which does not appear to be the case by looking at pod details: > > # Drop the root user and make the content of /opt/app-root owned by user > 1001 > #RUN chown -R 1001:0 /opt/app-root > #USER 1001 > > > On Tue, Jan 19, 2016 at 11:03 AM, Paul Weil <[email protected]> wrote: > >> The effective UID the container uses depends on who is launching the >> container and what SecurityContextConstraints (SCC) they have access to. >> >> Generally, a non-privileged user on a cluster using the default >> SecurityContextConstraints will have a UID set on their pod that is a >> non-root UID. If you created a pod as an admin user or with a service >> account that has access to SCCs that allow running as root you can run run >> the container as root. >> >> You can view which SCC the pod validated against by looking at the >> annotations on the pod (oc get pod <name> -o json|yaml) >> >> Info on how SCCs are sorted if you have access to multiple: >> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-prioritization >> >> On Tue, Jan 19, 2016 at 10:49 AM, Rishi Misra < >> [email protected]> wrote: >> >>> Hello - as per: >>> https://hub.docker.com/r/openshift/origin-custom-docker-builder/: >>> "Containers run as a non-root unique user that is separate from other >>> system users" >>> >>> In my experience I was able to run my Docker app image as a root user in >>> OpenShift without modifying any security context. Perhaps there is >>> something about the statement above that I do not understand very well. >>> Could someone please clarify if all Docker images running in OpenShift need >>> to be non-root?. >>> >>> Thanks. >>> >>> _______________________________________________ >>> dev mailing list >>> [email protected] >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >>> >>> >> >
_______________________________________________ dev mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
