On Tue, Mar 15, 2016 at 1:56 PM, Srinivas Naga Kotaru (skotaru) < [email protected]> wrote:
> Ben
>
> Thanks for link.
>
> Simple question.
>
> I was trying to build a new JBOSS EAP builder image by adding some
> specific libs as per our requirement. It involves a few RUN and YUM commands.
> Do we need to use root user before installing and move it back to builder
> user?

Yes, you need to set the user back to root prior to performing root operations like yum install. At the end of your dockerfile, you should set the user back to 185. If you docker inspect the image, you can see it runs as user 185 by default.

> For JBOSS EAP, all processes are running as jboss and /etc/passwd entry
> for this user is 185. When I did something like below, POD creation failing
> and saying something like, it should have numeric UID.

Yes, this is a restriction that ensures your builder image is not running as root, or using a named user that equates to root. Discussed here:
https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines

"Lastly, the final *USER* declaration in the Dockerfile should specify the user ID (numeric value) and not the user name. This allows OpenShift to validate the authority the image is attempting to run with and prevent running images that are trying to run as root, because running containers as a privileged user exposes potential security holes <https://docs.openshift.org/latest/install_config/install/prerequisites.html#security-warning>. If the image does not specify a *USER*, it inherits the *USER* from the parent image."

> FROM myrepo.example.com/mycompnay/eap64-openshift
> USER root
> RUN yum --enablerepo='rhel-7-server-ose-3.0-rpms' install -y nss_wrapper && \
>     yum clean all -y
> RUN mkdir -p /opt/oracle/product/instantclient-basic-12.1.0.2.0
> ADD ./instantclient_12_1/* /opt/oracle/product/instantclient-basic-12.1.0.2.0/
> RUN ln -s /opt/oracle/product/instantclient-basic-12.1.0.2.0/ /opt/oracle/product/current
> RUN chown -R jboss:jboss /opt/eap
> RUN chown -R jboss:jboss /opt/oracle
> USER jboss
>
> If I change it to like below, all looks good.
>
> RUN chown -R 1001:0 /opt/eap
> RUN chown -R 1001:0 /opt/oracle
> USER 1001
>
> I knew for non java images, you are using 1001. My question is same for
> java images also? Example Tomcat and jboss eap. I could see 1001 user
> doesn’t exist in /etc/passwd file of Tomcat and JBOSS EAP based pods
>
> --
> *Srinivas Kotaru*
>
> From: Ben Parees <[email protected]>
> Date: Tuesday, March 15, 2016 at 10:39 AM
> To: skotaru <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: dockerfiles for standard images
>
> You can see most of them here:
> https://github.com/openshift/?utf8=%E2%9C%93&query=sti-
>
> sti-base serves as a base image for the others.
>
> Dockerfile.rhel7 is the rhel dockerfile, Dockerfile is the centos
> dockerfile.
>
> On Tue, Mar 15, 2016 at 12:56 PM, Srinivas Naga Kotaru (skotaru) <
> [email protected]> wrote:
>
>> Can someone point me link to standard images docker files? Am more
>> interested to see OSE images rather origin. I knew it might require
>> access, but since we have access, that should be fine.
>>
>> --
>> *Srinivas Kotaru*
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
> --
> Ben Parees | OpenShift

--
Ben Parees | OpenShift
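A pre-build check for the final-USER rule quoted in the reply above, written as an added example (it is not code from the thread or from OpenShift). It classifies the final `USER` of a Dockerfile as numeric non-root, root, non-numeric, or inherited; the function names and the sample Dockerfiles are constructed for illustration, and `ARG`/`ENV` variables are not expanded.

```python
import re

def final_user(dockerfile_text):
    """Return the last USER argument of the final build stage, or None."""
    # Join backslash continuations so a wrapped RUN is one logical line.
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)
    user = None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None  # a new stage starts from its own parent's USER
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def check_final_user(dockerfile_text):
    """Classify the final USER: 'ok', 'root', 'non-numeric' or 'inherit'."""
    user = final_user(dockerfile_text)
    if user is None:
        return "inherit"  # no USER: taken from the parent image
    uid = user.split(":", 1)[0]  # USER accepts uid[:gid]
    if not re.fullmatch(r"[0-9]+", uid):
        return "non-numeric"  # a name cannot be checked against UID 0
    return "root" if int(uid) == 0 else "ok"

# Constructed samples based on the Dockerfile quoted in the thread.
REJECTED = r"""
FROM myrepo.example.com/mycompnay/eap64-openshift
USER root
RUN yum install -y nss_wrapper && \
    yum clean all -y
RUN chown -R jboss:jboss /opt/oracle
USER jboss
"""
ACCEPTED = REJECTED.replace("USER jboss", "USER 185")

if __name__ == "__main__":
    for name, text in (("USER jboss", REJECTED), ("USER 185", ACCEPTED)):
        print(name, "->", check_final_user(text))
```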
