Our recommendation in many cases is to make files group owned by GID 0 -
the user in the container is always in the root group.  You won't be able
to chown, but you can selectively expose which files to write to.
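The group-owned-by-GID-0 approach described above, as an added shell example that is not part of the thread: a build-time step that does the chgrp/chmod, plus a check that mimics what an arbitrary-UID process (member of GID 0 only) can do with a file. The function and file names are hypothetical; it assumes a Linux userland with GNU or BusyBox `stat -c`.

```shell
#!/bin/sh
# Added example, not from the thread: prepare files for OpenShift's
# arbitrary-UID model and verify them. The container process gets an
# unknown UID but is always a member of GID 0, so files need only be
# group-owned by 0 with group bits mirroring the owner bits; "other"
# permissions are left alone instead of making files world-writable.
# Assumes a Linux userland (GNU or BusyBox stat with -c).

# Build-time step (runs as root in a Dockerfile RUN line, before the
# image switches to a non-root USER): group 0 owns DIR, group = owner bits.
prepare_for_arbitrary_uid() {
    chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Exit 0 if a process with an arbitrary UID (not the owner of FILE, no
# supplementary groups beyond GID 0) can read FILE: either the "other"
# read bit is set, or the file is group 0 with the group read bit set.
readable_by_arbitrary_uid() {
    set -- $(stat -c '%g %A' "$1")          # e.g. "0 -rw-rw----"
    case $2 in ???????r??) return 0 ;; esac # world-readable
    [ "$1" = 0 ] || return 1                # not group 0: no access
    case $2 in ????r?????) return 0 ;; esac # group 0 may read
    return 1
}

# Same test for write access; server.xml only needs read, but logs,
# work and temp directories need this.
writable_by_arbitrary_uid() {
    set -- $(stat -c '%g %A' "$1")
    case $2 in ????????w?) return 0 ;; esac # world-writable
    [ "$1" = 0 ] || return 1
    case $2 in ?????w????) return 0 ;; esac # group 0 may write
    return 1
}

# Usage: sh fix-perms.sh /usr/local/tomcat   (as root, at build time)
if [ $# -gt 0 ]; then
    prepare_for_arbitrary_uid "$1"
    for f in "$1"/conf/server.xml "$1"/logs; do
        [ -e "$f" ] || continue
        readable_by_arbitrary_uid "$f" && echo "readable: $f"
        writable_by_arbitrary_uid "$f" && echo "writable: $f"
    done
fi
```

Run as root when building the image; the check functions can be run later, inside the running pod, to confirm why Tomcat could or could not read its configuration.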

On Feb 25, 2016, at 8:05 AM, Skarbek, John <[email protected]> wrote:

Lorenz,

The reason for using an arbitrary UID is to prevent the user inside of the
container from having access to resources outside of the container if
somehow breached. This includes resources on the host as well as resources
accessed by other containers.

Since you don’t know what that user is going to be ahead of time, the
solution would be to make the files needed by the user world readable, and
if necessary world writable.

I would agree that the change you made is not the greatest, as this would
allow the user specified in the Docker image to run, potentially adding a
bit of risk to the host, which may have a collision with the same username's
resources.

Should for some reason the container MUST run as a specific user (I’ve run
into a couple of these cases), the documentation I linked can assist with
such. It simply requires an extra bit of work but helps keep things in a
safer state.



-- 
John Skarbek

On February 25, 2016 at 07:09:07, Lorenz Vanthillo ([email protected]) wrote:

I performed:

1. Edit the *restricted* SCC:

$ oc edit scc restricted

And changed:

runAsUser:
  type: MustRunAsRange

to

runAsUser:
  type: RunAsAny

But I assume that this is a bad solution, although it's still not very
clear why OpenShift is using a random user inside a container.


------------------------------
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
Date: Thu, 25 Feb 2016 12:11:51 +0100

Hi John,

Thanks for the fast reply.

"Running a container with an arbitrary user ID also has the benefit of
ensuring that a process which is able to escape the container due to a
vulnerability in the container framework will not have specific user
permissions on the host system."

The permissions on the server.xml in the container are: -rw-------. 1 root root.
Here is a permission error in OpenShift.
How would you change these permissions to make it "world writable"? Isn't
it unsafe to make it "world writable"?

Thanks

------------------------------
From: [email protected]
To: [email protected]; [email protected]
Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
Date: Thu, 25 Feb 2016 10:58:13 +0000

Lorenz,
The issue is not that the image is coming from a specific repo, but rather
the image itself is not fine-tuned for use within OpenShift. CrashLoop
indicates the container was able to start, but then crashed, and subsequent
restarts are resulting in the same.
In general your permissions are not set properly for this container to run
inside of OpenShift. I suggest modifying those permissions to being world
writable.
For additional information take a look at the Support Arbitrary User IDs
portion of this documentation:
https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines



-- 
John Skarbek

On February 25, 2016 at 05:22:21, Lorenz Vanthillo ([email protected]) wrote:

I'm on Origin 1.1.3
I've pulled an image from a private registry (insecure: self-signed certs +
basic authentication).

docker pull ec2-xxx:5000/image:2.3

The image is on my node. I create a project where I will run an instance of
this image:
$ oc new-project image
$ oc new-app --insecure-registry ec2-xxx:5000/image:2.3

W0225 09:55:55.322035    6777 pipeline.go:154] Could not find an image
stream match for "ec2xxx:5000/image:2.3". Make sure that a Docker image
with that tag is available on the node for the deployment to succeed.

--> Found Docker image 51e260c (20 hours old) from ec2-xxx:5000 for
"ec2-xxx:5000/image:2.3"

    * This image will be deployed in deployment config "image"
    * Port 8080/tcp will be load balanced by service "image"
      * Other containers can access this service through the hostname "image"
    * WARNING: Image "image" runs as the 'root' user which may not be
permitted by your cluster administrator

--> Creating resources with label app=image ...
    deploymentconfig "image" created
    service "image" created
--> Success
    Run 'oc status' to view your app.

oc status shows me:
Errors:
  * container "image" in pod/image-1-3J24 is crash-looping

Is it because there is no image-stream for this image at the moment? I
already did the same steps with another image from the same registry and it
did not go into a loop.

The logs of the container show:
$ docker logs 457deef27b1
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from
[/usr/local/tomcat/conf/server.xml]
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from
[/usr/local/tomcat/conf/server.xml]
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina start
SEVERE: Cannot start server. Server instance is not configured.


But when I just perform a 'docker run ec2-xxx:image:2.3' the container is
running fine. So it's no issue with the container.
25-Feb-2016 10:16:44.047 INFO [localhost-startStop-1] xxx has finished in
41 ms
25-Feb-2016 10:16:44.056 INFO [main] xxx
25-Feb-2016 10:16:44.062 INFO [main] xxx
25-Feb-2016 10:16:44.064 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 13824 ms

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

