Ok, that sounds like good info. I remember that even after changing to numeric 185 I
had also seen a similar error. Will try once again.

Finally, are you saying to use a numeric UID, 1001 for non-Java and 185 for Java
based apps? Am I right?

--
Srinivas Kotaru

From: Ben Parees <[email protected]>
Date: Tuesday, March 15, 2016 at 11:12 AM
To: skotaru <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: dockerfiles for standard images



On Tue, Mar 15, 2016 at 1:56 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
Ben

Thanks for link.

Simple question.

I was trying to build a new JBOSS EAP builder image by adding some specific
libs as per our requirement. It involves a few RUN and YUM commands. Do we need to
use the root user before installing and move it back to the builder user?

Yes, you need to set the user back to root prior to performing root operations 
like yum install.  At the end of your dockerfile, you should set the user back 
to 185.

If you docker inspect the image, you can see it runs as user 185 by default.


For JBOSS EAP, all processes are running as jboss and the /etc/passwd entry for
this user is 185. When I did something like the below, POD creation failed,
saying something like: it should have a numeric UID.

Yes, this is a restriction that ensures your builder image is not running as
root, or using a named user that equates to root.  Discussed here:
https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines

"Lastly, the final USER declaration in the Dockerfile should specify the user
ID (numeric value) and not the user name. This allows OpenShift to validate the
authority the image is attempting to run with and prevent running images that
are trying to run as root, because running containers as a privileged user
exposes potential security holes
(https://docs.openshift.org/latest/install_config/install/prerequisites.html#security-warning).
If the image does not specify a USER, it inherits the USER from the parent
image."





FROM myrepo.example.com/mycompnay/eap64-openshift
USER root
RUN yum --enablerepo='rhel-7-server-ose-3.0-rpms' install -y nss_wrapper && \
    yum clean all -y
RUN  mkdir -p /opt/oracle/product/instantclient-basic-12.1.0.2.0
ADD  ./instantclient_12_1/* /opt/oracle/product/instantclient-basic-12.1.0.2.0/
RUN  ln -s /opt/oracle/product/instantclient-basic-12.1.0.2.0/ /opt/oracle/product/current
RUN chown -R jboss:jboss /opt/eap
RUN chown -R jboss:jboss /opt/oracle
USER jboss

If I change it to like below, all looks good.

RUN chown -R 1001:0 /opt/eap
RUN chown -R 1001:0 /opt/oracle
USER 1001

I knew that for non-Java images you are using 1001. My question is: is it the same for Java
images also? For example Tomcat and JBOSS EAP. I could see that the 1001 user doesn't exist
in the /etc/passwd file of Tomcat and JBOSS EAP based pods.

--
Srinivas Kotaru

From: Ben Parees <[email protected]>
Date: Tuesday, March 15, 2016 at 10:39 AM
To: skotaru <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: dockerfiles for standard images

You can see most of them here:
https://github.com/openshift/?utf8=%E2%9C%93&query=sti-

sti-base serves as a base image for the others.

Dockerfile.rhel7 is the rhel dockerfile, Dockerfile is the centos dockerfile.


On Tue, Mar 15, 2016 at 12:56 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
Can someone point me to a link to the standard images' Dockerfiles? I am more interested
in seeing the OSE images rather than Origin.  I knew it might require access, but since we
have access, that should be fine.

--
Srinivas Kotaru

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




--
Ben Parees | OpenShift




--
Ben Parees | OpenShift
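The two checks discussed in this thread, that the final USER of a builder image is a numeric non-root UID, and that docker inspect reports that UID as Config.User, can be scripted so they run before a build is pushed. The script below is an added example and is not code from Ben, Srinivas or the OpenShift project. check_user_value and last_dockerfile_user work on plain strings and run offline; check_image assumes a local docker CLI and is the only part that touches a real image. The validator accepts any non-zero numeric UID, with or without a ":gid" suffix, so "185" and "1001:0" both pass and a named user such as "jboss" fails, which is the behaviour the quoted guideline describes.

```shell
#!/bin/sh
# Added example (not from the thread). Validate a container USER value in the
# form `docker inspect -f '{{.Config.User}}'` reports it: "185", "1001:0",
# "jboss", "" ... Returns 0 for a numeric, non-root UID; otherwise prints the
# reason and returns 1.
check_user_value() {
    user="$1"
    if [ -z "$user" ]; then
        echo "no USER set: image inherits the parent's USER (may be root)"
        return 1
    fi
    uid="${user%%:*}"                 # drop an optional ":group" suffix
    case "$uid" in
        ""|*[!0-9]*)
            echo "USER '$user' is a name, not a numeric UID"
            return 1 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "USER '$user' is root"
        return 1
    fi
    return 0
}

# Print the value of the last USER instruction in a Dockerfile read from stdin
# (empty output when the file has no USER at all, i.e. it inherits the parent's).
last_dockerfile_user() {
    awk 'toupper($1) == "USER" { u = $2 } END { print u }'
}

# Convenience wrapper: check a Dockerfile on disk before building it.
check_dockerfile() {
    check_user_value "$(last_dockerfile_user < "$1")"
}

# Check a built image the way the thread suggests. Requires the docker CLI and
# a local copy of the image; not exercised in the offline tests.
check_image() {
    value=$(docker inspect -f '{{.Config.User}}' "$1") || return 1
    check_user_value "$value"
}

# Usage, constructed input mirroring the thread's two Dockerfile endings:
#   printf 'FROM base\nUSER root\nRUN yum install -y foo\nUSER jboss\n' | last_dockerfile_user
#   check_user_value jboss   -> fails (named user)
#   check_user_value 185     -> passes
```

Running check_dockerfile over the first Dockerfile in this thread reports the named user, and over the second (ending in USER 1001) it passes; the awk in last_dockerfile_user deliberately keeps the last USER it sees, because that is the one the container runs as.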
