BuildRequest name parameter

2017-07-26 Thread Andrew Lau 
What is the purpose of the {name} URL parameter for the instantiate in
BuildRequests? ie.
POST /oapi/v1/namespaces/{namespace}/buildconfigs/{name}/instantiate

https://docs.openshift.org/latest/rest_api/openshift_v1.html#create-instantiate-of-a-buildrequest

The docs seem to suggest it's the name but I can set it to anything and the
name ends up getting pulled from the JSON body ie.:

{
  "metadata": {
  "name": "test"
},
"triggeredBy" : {}
}

If my JSON body does not include a name then it complains that there is no
"name".
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Using Custom SCC and Service Account in Deployment

2017-07-26 Thread Isuru Haththotuwa 
Thanks all. What was mentioned by Graham was the issue; I was not in the
correct project.

On Thu, Jul 27, 2017 at 5:46 AM, Graham Dumpleton 
wrote:

> What is documented in that blog does work.
>
> Instead of:
>
> oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct
>
> use:
>
> oc adm policy add-scc-to-user anyuid -z mysvcacct
>
> as the blog explains, and make sure you are in the correct project in case
> when you switched to admin you weren't, or add '-n yourprojectname' option
> to commands.
>
> The form of what you ran is:
>
> oc adm policy add-scc-to-user  \
> system:serviceaccount::<
> serviceaccount_name>
>
> If you only have three parts to colon separate argument, it is interpreted
> as:
>
> oc adm policy add-scc-to-group  \
> system:serviceaccounts:
>
> So you aren't strictly adding it to just the service account, but to all
> service accounts in namespace. That should have yielded same result, but
> maybe not and definitely probably not want you wanted, especially if you
> ran it in the wrong project.
>
> Graham
>
> On 27 Jul 2017, at 4:49 AM, Isuru Haththotuwa 
> wrote:
>
> Hi all,
>
> I'm trying to allow Docker containers to be run in openshift using the
> user specified in the Dockerfile itself, without using a random user id. I
> see that its possible to do this using the command [1], where all
> authenticated users will be added to the anyuid group. Without doing this
> for all users, can I do it for one specific user? I tried the following:
>
>1. Create a service account in default project using command [2]
>2. Add the service account to the anyuid scc using command [3]
>3. Referred this service account name in the Deployment definition as
>shown in the sample [4]
>
> However, still the container seems to start with a random user id. Is this
> approach incorrect? What is the link between service account and the user
> we set in the Docker images (with USER keyword)?
>
> [1]. oc adm policy add-scc-to-group anyuid system:authenticated
>
> [2]. oc create serviceaccount mysvcacct
>
> [3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct
>
> [4]. https://blog.openshift.com/understanding-service-accounts-sccs/
>
> --
> Thanks and Regards,
> Isuru
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
>


-- 
Thanks and Regards,
Isuru
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Using Custom SCC and Service Account in Deployment

2017-07-26 Thread Graham Dumpleton 
What is documented in that blog does work.

Instead of:

oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

use:

oc adm policy add-scc-to-user anyuid -z mysvcacct

as the blog explains, and make sure you are in the correct project in case when 
you switched to admin you weren't, or add '-n yourprojectname' option to 
commands.

The form of what you ran is:

oc adm policy add-scc-to-user  \
system:serviceaccount::

If you only have three parts to colon separate argument, it is interpreted as:

oc adm policy add-scc-to-group  \
system:serviceaccounts:

So you aren't strictly adding it to just the service account, but to all 
service accounts in namespace. That should have yielded same result, but maybe 
not and definitely probably not want you wanted, especially if you ran it in 
the wrong project.

Graham

> On 27 Jul 2017, at 4:49 AM, Isuru Haththotuwa  wrote:
> 
> Hi all, 
> 
> I'm trying to allow Docker containers to be run in openshift using the user 
> specified in the Dockerfile itself, without using a random user id. I see 
> that its possible to do this using the command [1], where all authenticated 
> users will be added to the anyuid group. Without doing this for all users, 
> can I do it for one specific user? I tried the following:
> Create a service account in default project using command [2]
> Add the service account to the anyuid scc using command [3]
> Referred this service account name in the Deployment definition as shown in 
> the sample [4]
> However, still the container seems to start with a random user id. Is this 
> approach incorrect? What is the link between service account and the user we 
> set in the Docker images (with USER keyword)?
> 
> 
> [1]. oc adm policy add-scc-to-group anyuid system:authenticated
> 
> [2]. oc create serviceaccount mysvcacct
> 
> [3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct
> 
> [4]. https://blog.openshift.com/understanding-service-accounts-sccs/ 
> 
> 
> -- 
> Thanks and Regards,
> Isuru 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Using Custom SCC and Service Account in Deployment

2017-07-26 Thread Clayton Coleman 
The uid assigned is not random.  It is the first uid of a range assigned to
the namespace.  The value is stored on the namespace as an annotation.  The
SCC looks at that range when interpreting MustRunAsRange.  You can set the
annotation yourself as you see fit

On Jul 26, 2017, at 2:50 PM, Isuru Haththotuwa  wrote:

Hi all,

I'm trying to allow Docker containers to be run in openshift using the user
specified in the Dockerfile itself, without using a random user id. I see
that its possible to do this using the command [1], where all authenticated
users will be added to the anyuid group. Without doing this for all users,
can I do it for one specific user? I tried the following:

   1. Create a service account in default project using command [2]
   2. Add the service account to the anyuid scc using command [3]
   3. Referred this service account name in the Deployment definition as
   shown in the sample [4]

However, still the container seems to start with a random user id. Is this
approach incorrect? What is the link between service account and the user
we set in the Docker images (with USER keyword)?

[1]. oc adm policy add-scc-to-group anyuid system:authenticated

[2]. oc create serviceaccount mysvcacct

[3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

[4]. https://blog.openshift.com/understanding-service-accounts-sccs/

-- 
Thanks and Regards,
Isuru

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Using Custom SCC and Service Account in Deployment

2017-07-26 Thread Isuru Haththotuwa 
Hi all,

I'm trying to allow Docker containers to be run in openshift using the user
specified in the Dockerfile itself, without using a random user id. I see
that its possible to do this using the command [1], where all authenticated
users will be added to the anyuid group. Without doing this for all users,
can I do it for one specific user? I tried the following:

   1. Create a service account in default project using command [2]
   2. Add the service account to the anyuid scc using command [3]
   3. Referred this service account name in the Deployment definition as
   shown in the sample [4]

However, still the container seems to start with a random user id. Is this
approach incorrect? What is the link between service account and the user
we set in the Docker images (with USER keyword)?

[1]. oc adm policy add-scc-to-group anyuid system:authenticated

[2]. oc create serviceaccount mysvcacct

[3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

[4]. https://blog.openshift.com/understanding-service-accounts-sccs/

-- 
Thanks and Regards,
Isuru
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users