Re: Clarification on container security in OpenShift

2016-01-19 Thread Srinivas Naga Kotaru (skotaru)
Clayton and Team

Is it possible to run all containers from a specific application using a 
dedicated OS user name (UUID in OSE 2.X)? I am not referring to the UID, which is 
typically a numeric value and controls local access.

We have a requirement from a database access control perspective where every 
application (all instances of that app) should use a dedicated OS user name 
(UUID), and it should be predictable well in advance (unlike OSE 2.X auto scaling, 
where UUID prediction is difficult).

--
Srinivas Kotaru

From: "ccole...@redhat.com"
Date: Tuesday, January 19, 2016 at 9:57 AM
To: Paul Weil
Cc: dev
Subject: Re: Clarification on container security in OpenShift

If you had specified uid 0 in your pod definition, you would receive an error 
(instead of being defaulted).  We do this defaulting by default to protect from 
the classic "it's usually a bad idea to run arbitrary software from the 
Internet as root on your machines" - the step Paul mentions is the equivalent 
of requiring you to answer "are you sure you want to allow this to run as root?"

On Jan 19, 2016, at 12:51 PM, Paul Weil wrote:

You are correct, the container will not run as root with the pod spec that is shown.

The pod spec indicates that you validated under the restricted SCC and were 
given the UID 13.  When your container is launched it will be 
configured to run as 13 regardless of what is in the docker file.

If you would like the container to run as root you can grant access to the 
anyuid SCC for the service account that the pod is using.

https://docs.openshift.org/latest/admin_guide/manage_scc.html#add-an-scc-to-a-user-or-group.



On Tue, Jan 19, 2016 at 11:43 AM, Rishi Misra wrote:
Thanks for your response.  Perhaps interpreting this will help me understand 
SCC better - My app pod looks like:

/==/
oc get pod nodejs-sample-app-1-fpiha -o yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/created-by: |
      {"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"test","name":"nodejs-sample-app-1","uid":"6fd8f412-bb9a-11e5-9f87-022e","apiVersion":"v1","resourceVersion":"328"}}
    openshift.io/deployment-config.latest-version: "1"
    openshift.io/deployment-config.name: nodejs-sample-app
    openshift.io/deployment.name: nodejs-sample-app-1
    openshift.io/generated-by: OpenShiftNewApp
    openshift.io/scc: restricted
  creationTimestamp: 2016-01-15T15:12:54Z
  generateName: nodejs-sample-app-1-
  labels:
    app: nodejs-sample-app
    deployment: nodejs-sample-app-1
    deploymentconfig: nodejs-sample-app
  name: nodejs-sample-app-1-fpiha
  namespace: test
  resourceVersion: "1729"
  selfLink: /api/v1/namespaces/test/pods/nodejs-sample-app-1-fpiha
  uid: 737d0f9a-bb9a-11e5-9f87-022e
spec:
  containers:
  - image: openshift/nodejs-sample-app:forOpenShift
    imagePullPolicy: IfNotPresent
    name: nodejs-sample-app
    ports:
    - containerPort: 8080
      protocol: TCP
    resources: {}
    securityContext:
      privileged: false
      runAsUser: 13
      seLinuxOptions:
        level: s0:c6,c0
    terminationMessagePath: /dev/termination-log
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-8dwhf
      readOnly: true
  dnsPolicy: ClusterFirst
  host: xxx..
  imagePullSecrets:
  - name: default-dockercfg-i1ke5
  nodeName: xxx..
  restartPolicy: Always
  securityContext:
    seLinuxOptions:
      level: s0:c6,c0
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  volumes:
  - name: default-token-8dwhf
    secret:
      secretName: default-token-8dwhf
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: 2016-01-19T16:10:00Z
    status: "True"
    type: Ready
  containerStatuses:
  - containerID: docker://ca9a288d9ee1fe48517e18e5f6f6b1def28e0ba605962545063f42fbf1f38f38
    image: openshift/nodejs-sample-app:forOpenShift
    imageID: docker://a7782aa25f2463169c43423490297c3a5cf9237b34e7cc772ac2f3ab06b5d302
    lastState: {}
    name: nodejs-sample-app
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: 2016-01-15T15:12:57Z
  hostIP: x.xx.xx.xxx
  phase:

Re: Clarification on container security in OpenShift

2016-01-19 Thread Srinivas Naga Kotaru (skotaru)
Clayton

I am referring to the OS user name running a specific process, not the UID or user id. 
While inspecting pod definitions, I can see the flexibility of specifying a UID; 
however, I am not seeing a similar mechanism to run a container or processes (in the 
container) using a predefined OS user name or group.

Just for the sake of example, say I want to run an apache or tomcat process from a 
container using the www:www or tomcat:tomcat user and group combination.

Is it possible?


--
Srinivas Kotaru

From: "ccole...@redhat.com"
Date: Tuesday, January 19, 2016 at 10:44 AM
To: skotaru
Cc: Paul Weil, dev
Subject: Re: Clarification on container security in OpenShift

Not sure if this is exactly what you are asking, but Openshift allows you to 
partition the local UNIX user ID space across the entire cluster automatically. 
 Every project gets a 10k block by default.  Those are not shared, so that 
block uniquely identifies any process in that project on any node.  The default 
policy forces pods to run in uids in that block - again, that cannot be escaped 
by end users by default.

If you want to identify all pods via the API, that is what labels and 
annotations are for.  Enforcing a unique label on each pod in a namespace 
should be possible, although that's only visible via the API.


Re: Clarification on container security in OpenShift

2016-01-19 Thread Clayton Coleman
OpenShift only supports numeric UIDs and numeric GIDs - but you can
specify whatever you want as an admin, or force a group of
applications to run with a set of values.  If you want to use a string
user value, you'll need to set that in your images to a known UID.  If
you want to use a name for the user and then map that to an arbitrary
UID in the container, you can do that via nsswitch (we have
documentation on how to specify that).


routing/vhost alias

2016-01-19 Thread Srinivas Naga Kotaru (skotaru)
Hi

In OSE 2.X we have an alias concept for routes. A user or admin can create an 
alias (apache vhost definition) for an application and create a DNS record 
pointing to the upstream load balancer. This was very flexible when the user's FQDN 
is different from the openshift-created http url (example http://-.domain).

In 3.X we have the router instead of the apache node proxy. Can a user or admin 
create similar alias entries?

The reason I am asking is that client-facing virtual hosts are different from the 
openshift-generated URLs for each app in our environment. We need a mechanism to 
map/proxy the client-facing url to the openshift-generated URL. Thus, it requires 
having the same Host header at the backend, using a VHOST ServerAlias or an HAProxy 
ACL definition, etc.


--
Srinivas Kotaru
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Username resolution failing

2016-01-19 Thread Mateus Caruccio
Hi.

Regarding the openshift policy for safely running images, it's recommended to
disable scc for unprivileged users. This may cause some issues while
reading from the password database, since the EUID of the running user is generated
by openshift and can't be found inside the container:

bash-4.2$ pip install memcache
Traceback (most recent call last):
  File "/opt/rh/rh-python34/root/usr/bin/pip", line 7, in
    from pip import main
  File "/opt/rh/rh-python34/root/usr/lib/python3.4/site-packages/pip/__init__.py", line 9, in
    from pip.util import get_installed_distributions, get_prog
  File "/opt/rh/rh-python34/root/usr/lib/python3.4/site-packages/pip/util.py", line 16, in
    from pip.locations import site_packages, running_under_virtualenv, virtualenv_no_global
  File "/opt/rh/rh-python34/root/usr/lib/python3.4/site-packages/pip/locations.py", line 96, in
    build_prefix = _get_build_prefix()
  File "/opt/rh/rh-python34/root/usr/lib/python3.4/site-packages/pip/locations.py", line 65, in _get_build_prefix
    __get_username())
  File "/opt/rh/rh-python34/root/usr/lib/python3.4/site-packages/pip/locations.py", line 60, in __get_username
    return pwd.getpwuid(os.geteuid()).pw_name
KeyError: 'getpwuid(): uid not found: 100018'

How can I circumvent this obstacle? Should I rebuild all sti scripts to
include this user in the image? Is there any trick to allow passwd
readers to read from a mock?


Thanks,


Mateus Caruccio
Master of Puppets
+55 (51) 8298.0026
gtalk: mateus.caruc...@getupcloud.com
twitter: @MateusCaruccio
This message and any attachment are solely for the intended
recipient and may contain confidential or privileged information
and it can not be forwarded or shared without permission.
Thank you!


Re: Username resolution failing

2016-01-19 Thread Ben Parees
Yes there is a trick, documented here:

https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines

see the section on "Support Arbitrary User IDs", which describes how to
use nss wrapper to work around this.

That said, the openshift python image already does the nss trick.  I think
we had an issue with the rhel image not containing the right package, are
you using the rhel image or the centos image?

For the moment you might try the centos image if you haven't already, until
we get the rhel image updated.





-- 
Ben Parees | OpenShift
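An added example of the workaround Ben points to; it is not from the thread, from the OpenShift image scripts or from the guideline page, and it assumes nss_wrapper is installed in the image. It resolves the OpenShift-assigned EUID against the system database first, and when that fails (the KeyError Mateus hit) it writes a passwd file containing a generated entry for that UID and produces the NSS_WRAPPER_PASSWD / NSS_WRAPPER_GROUP / LD_PRELOAD settings an entrypoint would export so libc consults that file. The UID 100018 is the one from the traceback; the user name `default`, the home directory and the output path are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenShift images): make an
# arbitrary, OpenShift-assigned UID resolvable to a user name inside the
# container via an nss_wrapper passwd file. Assumes libnss_wrapper.so is
# installed in the image; the UID, name and paths used below are sample values.

# Print the name for uid $1 from the system passwd database; fail if absent.
lookup_uid() {
    awk -F: -v u="$1" '$3 == u { print $1; found = 1 } END { exit !found }' /etc/passwd
}

# Build one passwd line: name:x:uid:gid:gecos:home:shell  (args: name uid gid home)
passwd_line() {
    printf '%s:x:%s:%s:%s:%s:/bin/sh\n' "$1" "$2" "$3" "$1 user" "$4"
}

# Ensure uid $1 has a resolvable entry and print the resulting user name.
# If the system database already knows the uid, nothing is written; otherwise
# a copy of /etc/passwd plus a generated line for $1 is written to $5.
# args: uid [name] [gid] [home] [outfile]
ensure_user() {
    uid=$1 name=${2:-default} gid=${3:-0} home=${4:-/tmp} out=${5:-/tmp/passwd}
    if existing=$(lookup_uid "$uid"); then
        printf '%s\n' "$existing"
        return 0
    fi
    cp /etc/passwd "$out" 2>/dev/null || : > "$out"
    passwd_line "$name" "$uid" "$gid" "$home" >> "$out"
    printf '%s\n' "$name"
}

# Print the variables an entrypoint exports so libc reads passwd from $1
# through nss_wrapper (group lookups keep using the image's /etc/group).
nss_wrapper_env() {
    printf 'NSS_WRAPPER_PASSWD=%s\nNSS_WRAPPER_GROUP=/etc/group\nLD_PRELOAD=libnss_wrapper.so\n' "$1"
}

# Stand-alone run with the UID from the traceback in the thread.
ensure_user 100018 default 0 /opt/app-root/src /tmp/passwd
nss_wrapper_env /tmp/passwd
```

In an S2I run script the call would be `ensure_user "$(id -u)" default 0 "$HOME" /tmp/passwd` followed by exporting what `nss_wrapper_env` prints, before the application starts. Because the variables are set by the run script, they are absent from an `oc exec` shell, which is the behaviour Mateus describes later in the thread; putting the same exports into a profile script that every shell sources (the scl_enable script Ben proposes) removes that gap.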


Re: Username resolution failing

2016-01-19 Thread Mateus Caruccio
Yes, we are using rhel images.

Thanks!




Clarification on container security in OpenShift

2016-01-19 Thread Rishi Misra
Hello - as per:
https://hub.docker.com/r/openshift/origin-custom-docker-builder/:
"Containers run as a non-root unique user that is separate from other
system users"

In my experience I was able to run my Docker app image as a root user in
OpenShift without modifying any security context.  Perhaps there is
something about the statement above that I do not understand very well.
Could someone please clarify if all Docker images running in OpenShift need
to be non-root?

Thanks.


Re: Username resolution failing

2016-01-19 Thread Ben Parees
That's a good point.  We do have the mechanism in place to do that.

Michal, any objection to adding the NSS env definitions to our scl_enable
script?




Re: Username resolution failing

2016-01-19 Thread Mateus Caruccio
Yep, just tried centos images and it is working fine.

It took me a while to understand the whole thing. I was simply "oc
exec-ing" into the pod, but those NSS vars are created by sti/run.
It would be good if those vars were available from any shell.

Thanks.



On Tue, Jan 19, 2016 at 1:52 PM, Ben Parees  wrote:

> Ok, can you try the centos image (centos/python-34-centos7)?
>
>
> Honza:  do you know when the RHEL SCL python images(2.7 and 3.4) will be
> updated to fix the missing nss rpm issue?