Okay thanks Den. The github issue helped and it's working now. But don't know if it's the right approach.
From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]
Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
Date: Fri, 26 Feb 2016 09:39:45 +0000

Okay, it was: https://github.com/openshift/origin/issues/4078
It works now by performing:

oadm policy add-scc-to-user anyuid -z default

But I'm sorry, it's still not very clear to me what's the best solution for this problem. Is the above a good solution?
Or do we rather change every image: https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines

From: [email protected]
To: [email protected]
Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
Date: Fri, 26 Feb 2016 10:28:08 +0100
CC: [email protected]

Is this also such a user-issue?:
I try to start a postgresdb (created by our own, so not the default postgres-image)
Again the backoff restart loop:
docker logs show:
error: failed switching to "postgres": setgroups operation not permitted

> Date: Thu, 25 Feb 2016 08:44:41 -0500
> Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> From: [email protected]
> To: [email protected]
> CC: [email protected]; [email protected]
>
> Generally you would add your service account to the "anyuid" SCC,
> rather than change the meaning of "restricted".
>
> oadm policy add-scc-to-user anyuid -z default
>
> The default security model in OpenShift is "secure", i.e., defended.
> If you want to run root containers you can selectively add that as an
> admin, or change the definition of restricted.
>
> On Thu, Feb 25, 2016 at 7:08 AM, Lorenz Vanthillo
> <[email protected]> wrote:
> > I performed:
> >
> > 1. Edit the restricted SCC:
> >
> > $ oc edit scc restricted
> >
> > And changed:
> >
> > runAsUser:
> >   type: MustRunAsRange
> >
> > to
> >
> > runAsUser:
> >   type: RunAsAny
> >
> > But I assume that this is a bad solution. Although it's still not very clear
> > why OpenShift is using a random user inside a container.
> >
> > ________________________________
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> > Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> > Date: Thu, 25 Feb 2016 12:11:51 +0100
> >
> > Hi John,
> >
> > Thanks for the fast reply.
> >
> > "Running a container with an arbitrary user ID also has the benefit of
> > ensuring that a process which is able to escape the container due to a
> > vulnerability in the container framework will not have specific user
> > permissions on the host system."
> >
> > The permissions on the server.xml in the container are: -rw-------. 1 root
> > root. Here is a permission error in OpenShift.
> > How would you change these permissions to make it "world writable"? Isn't it
> > unsafe to make it "world writable"?
> >
> > Thanks
> >
> > ________________________________
> > From: [email protected]
> > To: [email protected]; [email protected]
> > Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> > Date: Thu, 25 Feb 2016 10:58:13 +0000
> >
> > Lorenz,
> > The issue is not that the image is coming from a specific repo, but rather
> > the image itself is not fine tuned for use within openshift. CrashLoop
> > indicates the container was able to start, but then crashed, and subsequent
> > restarts are resulting in the same.
> > In general your permissions are not set properly for this container to run
> > inside of openshift. I suggest modifying those permissions to being world
> > writable.
> > For additional information take a look at Support Arbitrary User ID's
> > portion of this documentation
> >
> > --
> > John Skarbek
> >
> > On February 25, 2016 at 05:22:21, Lorenz Vanthillo
> > ([email protected]) wrote:
> >
> > I'm on Origin 1.1.3
> > I've pulled an image from a private registry (insecure: self-signed certs +
> > basic authentication).
> >
> > docker pull ec2-xxx:5000/image:2.3
> >
> > The image is on my node. I create a project where I will run an instance of
> > this image:
> > $ oc new-project image
> > $ oc new-app --insecure-registry ec2-xxx:5000/image:2.3
> >
> > W0225 09:55:55.322035 6777 pipeline.go:154] Could not find an image
> > stream match for "ec2xxx:5000/image:2.3". Make sure that a Docker image with
> > that tag is available on the node for the deployment to succeed.
> >
> > --> Found Docker image 51e260c (20 hours old) from ec2-xxx:5000 for
> > "ec2-xxx:5000/image:2.3"
> >
> > * This image will be deployed in deployment config "image"
> > * Port 8080/tcp will be load balanced by service "image"
> > * Other containers can access this service through the hostname
> > "image"
> > * WARNING: Image "image" runs as the 'root' user which may not be
> > permitted by your cluster administrator
> >
> > --> Creating resources with label app=image ...
> > deploymentconfig "image" created
> > service "image" created
> > --> Success
> > Run 'oc status' to view your app.
> >
> > oc status shows me:
> > Errors:
> > * container "image" in pod/image-1-3J24 is crash-looping
> >
> > Is it because there is no image-stream for this image at the moment? I've
> > already done the same steps with another image from the same registry and it
> > did not go in a loop.
> >
> > The logs of the container show:
> > $ docker logs 457deef27b1
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Unable to load server configuration from
> > [/usr/local/tomcat/conf/server.xml]
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Permissions incorrect, read permission is not allowed on the file.
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Unable to load server configuration from
> > [/usr/local/tomcat/conf/server.xml]
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Permissions incorrect, read permission is not allowed on the file.
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina start
> > SEVERE: Cannot start server. Server instance is not configured.
> >
> > But when I just perform a 'docker run ec2-xxx:image:2.3' the container is
> > running fine. So it's no issue with the container.
> > 25-Feb-2016 10:16:44.047 INFO [localhost-startStop-1] xxx has finished in 41
> > ms
> > 25-Feb-2016 10:16:44.056 INFO [main] xxx
> > 25-Feb-2016 10:16:44.062 INFO [main] xxx
> > 25-Feb-2016 10:16:44.064 INFO [main]
> > org.apache.catalina.startup.Catalina.start Server startup in 13824 ms
> >
> > _______________________________________________
> > users mailing list
> > [email protected]
> > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openshift.redhat.com_openshiftmm_listinfo_users&d=CwICAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=8IlWeJZqFtf8Tvx1PDV9NsLfM_M0oNfzEXXNp-tpx74&m=HHhWXrx0bumM_yqZ6f4wecTofvnXLn09S6iTTCb1wEE&s=dZNG1Ur0Iu7DWNi8m2O91SdIGxsW96hU1SCIuacY4O0&e=
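The image-side alternative raised in the thread (fix the file permissions instead of granting anyuid or making files world-writable), as an added example that is not part of the original messages: it lists paths a non-owner process in a given group cannot read, then grants that group the owner's permissions. The function names are hypothetical, and it assumes the arbitrary UID runs as a member of group 0; the demo uses the caller's own GID as a stand-in because `chgrp` to 0 needs root.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenShift tooling.
# Assumption: the container's arbitrary UID is not the file owner and runs
# with the group ID passed as $2 (0, the root group, when omitted).

# Print files and directories under $1 that such a process cannot read.
# Group bits apply when the path's group matches, "other" bits otherwise;
# directories also need the search (x) bit.
blocked_paths() {
    find "$1" \( \
        \( -type f   -group "${2:-0}" ! -perm -040 \) -o \
        \( -type d   -group "${2:-0}" ! -perm -050 \) -o \
        \( -type f ! -group "${2:-0}" ! -perm -004 \) -o \
        \( -type d ! -group "${2:-0}" ! -perm -005 \) \
    \) -print
}

# Give the group the owner's permissions instead of opening files to "other".
grant_group_access() {
    chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}

# Constructed sample: conf/server.xml is -rw------- as in the thread.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/conf" &&
    : > "$d/conf/server.xml" && : > "$d/conf/web.xml" &&
    chmod 750 "$d" "$d/conf" && chmod 600 "$d/conf/server.xml" &&
    chmod 640 "$d/conf/web.xml" && chgrp -R "$(id -g)" "$d" && echo "$d"
}

# Demo: the caller's own GID stands in for 0, since chgrp to 0 needs root.
gid=$(id -g)
sample=$(make_sample)
echo "blocked before:"; blocked_paths "$sample" "$gid"
grant_group_access "$sample" "$gid"
echo "blocked after:";  blocked_paths "$sample" "$gid"
rm -rf "$sample"
```

In an image build the same two functions would be run as root against the application directory with the default group 0, so the "other" permission bits stay closed.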
