Re: Clarification on container security in OpenShift

2016-01-19 Thread Srinivas Naga Kotaru (skotaru)
Clayton and Team, is it possible to run all containers from a specific application to use a dedicated OS user name (UUID in OSE 2.X)? I am not referring to the UID, which is typically a numeric number and controls local access. We have a requirement for database access control perspective where every

Re: Clarification on container security in OpenShift

2016-01-19 Thread Srinivas Naga Kotaru (skotaru)
Clayton, I am referring to the OS user name running a specific process, not the UID or user id. While inspecting pod definitions, I can see the flexibility of specifying a UID; however, I am not seeing a similar mechanism to run a container or processes (in the container) using a predefined OS user name or group.

Re: Clarification on container security in OpenShift

2016-01-19 Thread Clayton Coleman
OpenShift only supports numeric UIDs and numeric GIDs, but you can specify whatever you want as an admin, or force a group of applications to run with a set of values. If you want to use a string user value, you'll need to set that in your images to a known UID. If you want to use a name for

routing/vhost alias

2016-01-19 Thread Srinivas Naga Kotaru (skotaru)
Hi, in OSE 2.X we have an alias concept for routes. A user or admin can create an alias (Apache vhost definition) for an application and create a DNS record to point to the upstream load balancer. This was so flexible if the user FQDN is different from the OpenShift-created HTTP URL (example

Username resolution failing

2016-01-19 Thread Mateus Caruccio
Hi. Regarding the OpenShift policy for safely running images, it's recommended to disable SCC for unprivileged users. This may cause some issues while reading from the password database, since the EUID of the running user is generated by OpenShift and can't be found inside the container: bash-4.2$ pip

Re: Username resolution failing

2016-01-19 Thread Ben Parees
Yes, there is a trick, documented here: https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines (see the section on "Support Arbitrary User IDs"), which describes how to use nss_wrapper to work around this. That said, the OpenShift Python image already does

Re: Username resolution failing

2016-01-19 Thread Mateus Caruccio
Yes, we are using RHEL images. Thanks!

Clarification on container security in OpenShift

2016-01-19 Thread Rishi Misra
Hello, as per https://hub.docker.com/r/openshift/origin-custom-docker-builder/: "Containers run as a non-root unique user that is separate from other system users". In my experience I was able to run my Docker app image as the root user in OpenShift without modifying any security context. Perhaps

Re: Username resolution failing

2016-01-19 Thread Ben Parees
That's a good point. We do have the mechanism in place to do that. Michal, any objection to adding the NSS env definitions to our scl_enable script? On Tue, Jan 19, 2016 at 11:02 AM, Mateus Caruccio <mateus.caruc...@getupcloud.com> wrote: > Yep, just tried centos images and it is working

Re: Username resolution failing

2016-01-19 Thread Mateus Caruccio
Yep, just tried CentOS images and it is working fine. It took me a while to understand the whole thing. I was simply "oc exec-ing" into the pod, but those NSS vars are created by sti/run. It may be good if those vars were available from any shell. Thanks.