On Tue, Mar 15, 2016 at 2:17 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:

> Ok, that sounds like good info. I remember that even after changing to numeric 185 I had seen a similar error. Will try once again.
>
> Finally, are you saying to use a numeric UID, 1001 for non-Java and 185 for Java-based apps? Am I right?

It's all pretty arbitrary, but yes, the non-Java images use 1001; it appears the EAP image uses 185.

> --
> *Srinivas Kotaru*
>
> From: Ben Parees <[email protected]>
> Date: Tuesday, March 15, 2016 at 11:12 AM
> To: skotaru <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: dockerfiles for standard images
>
> On Tue, Mar 15, 2016 at 1:56 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
>
>> Ben
>>
>> Thanks for the link.
>>
>> Simple question.
>>
>> I was trying to build a new JBoss EAP builder image by adding some specific libs as per our requirement. It involves a few RUN and yum commands. Do we need to use the root user before installing and move it back to the builder user?
>
> Yes, you need to set the user back to root prior to performing root operations like yum install. At the end of your Dockerfile, you should set the user back to 185.
>
> If you docker inspect the image, you can see it runs as user 185 by default.
>
>> For JBoss EAP, all processes are running as jboss and the /etc/passwd entry for this user is 185. When I did something like below, pod creation was failing and saying something like, it should have a numeric UID.
>
> Yes, this is a restriction that ensures your builder image is not running as root, or using a named user that equates to root. Discussed here:
> https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines
>
> "Lastly, the final *USER* declaration in the Dockerfile should specify the user ID (numeric value) and not the user name. This allows OpenShift to validate the authority the image is attempting to run with and prevent running images that are trying to run as root, because running containers as a privileged user exposes potential security holes <https://docs.openshift.org/latest/install_config/install/prerequisites.html#security-warning>. If the image does not specify a *USER*, it inherits the *USER* from the parent image."
>
>> FROM myrepo.example.com/mycompnay/eap64-openshift
>> USER root
>> RUN yum --enablerepo='rhel-7-server-ose-3.0-rpms' install -y nss_wrapper && \
>>     yum clean all -y
>> RUN mkdir -p /opt/oracle/product/instantclient-basic-12.1.0.2.0
>> ADD ./instantclient_12_1/* /opt/oracle/product/instantclient-basic-12.1.0.2.0/
>> RUN ln -s /opt/oracle/product/instantclient-basic-12.1.0.2.0/ /opt/oracle/product/current
>> RUN chown -R jboss:jboss /opt/eap
>> RUN chown -R jboss:jboss /opt/oracle
>> USER jboss
>>
>> If I change it to like below, all looks good.
>>
>> RUN chown -R 1001:0 /opt/eap
>> RUN chown -R 1001:0 /opt/oracle
>> USER 1001
>>
>> I knew that for non-Java images you are using 1001. My question is, is it the same for Java images also? For example Tomcat and JBoss EAP. I could see the 1001 user doesn't exist in the /etc/passwd file of Tomcat and JBoss EAP based pods.
>>
>> --
>> *Srinivas Kotaru*
>>
>> From: Ben Parees <[email protected]>
>> Date: Tuesday, March 15, 2016 at 10:39 AM
>> To: skotaru <[email protected]>
>> Cc: "[email protected]" <[email protected]>
>> Subject: Re: dockerfiles for standard images
>>
>> You can see most of them here:
>> https://github.com/openshift/?utf8=%E2%9C%93&query=sti-
>>
>> sti-base serves as a base image for the others.
>>
>> Dockerfile.rhel7 is the RHEL Dockerfile, Dockerfile is the CentOS Dockerfile.
>>
>> On Tue, Mar 15, 2016 at 12:56 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
>>
>>> Can someone point me to a link to the standard images' Dockerfiles? I am more interested to see OSE images rather than Origin. I knew it might require access, but since we have access, that should be fine.
>>>
>>> --
>>> *Srinivas Kotaru*
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>> --
>> Ben Parees | OpenShift
>
> --
> Ben Parees | OpenShift

--
Ben Parees | OpenShift

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
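The restriction discussed in the thread (the final `USER` in a Dockerfile must be a numeric, non-root UID, and a missing `USER` silently inherits the parent's) is easy to check before an image ever reaches the cluster. The script below is an added example written for this page; it is not code from the mailing list, from OpenShift or from the S2I images. It lints the last `USER` instruction of a Dockerfile the way the quoted guideline describes, and runs over a set of constructed sample Dockerfiles (the `example.invalid/base` image name is a placeholder). The runtime counterpart is the `docker inspect` check Ben mentions, shown in a comment.

```shell
#!/bin/sh
# Added example, not part of the thread: lint the final USER directive of a
# Dockerfile against the OpenShift guideline quoted above.
#
# check_dockerfile_user exit codes:
#   0  final USER is a numeric, non-root UID (what OpenShift wants)
#   1  final USER is a user *name*, or is root (uid 0)
#   2  no USER directive at all: the image inherits USER from its parent
#
# Runtime counterpart once the image is built (not executed here):
#   docker inspect --format '{{.Config.User}}' <image>

# Print the argument of the last USER instruction in the given Dockerfile.
# Instructions are case-insensitive; comment lines are skipped. A later USER
# always overrides an earlier one, so only the last one matters.
last_user() {
    awk '
        /^[[:space:]]*#/     { next }
        tolower($1) == "user" { u = $2 }
        END                   { print u }
    ' "$1"
}

# Classify a USER argument. Docker accepts "user[:group]"; only the user part
# decides whether the container runs as root. Prints one of:
# numeric, root, named, missing.
classify_user() {
    user=${1%%:*}
    case "$user" in
        "")        echo missing ;;
        0|root)    echo root ;;
        *[!0-9]*)  echo named ;;
        *)         echo numeric ;;
    esac
}

check_dockerfile_user() {
    u=$(last_user "$1")
    case "$(classify_user "$u")" in
        numeric) echo "OK: final USER is numeric UID $u"; return 0 ;;
        root)    echo "FAIL: final USER is root ($u)"; return 1 ;;
        named)   echo "FAIL: final USER '$u' is a name, not a numeric UID"; return 1 ;;
        missing) echo "WARN: no USER directive; image inherits USER from its parent"; return 2 ;;
    esac
}

# Constructed sample Dockerfiles covering each outcome (placeholder base image).
tmp=$(mktemp -d)
cat >"$tmp/Dockerfile.named" <<'EOF'
FROM example.invalid/base
USER root
RUN chown -R jboss:jboss /opt/eap
USER jboss
EOF
cat >"$tmp/Dockerfile.numeric" <<'EOF'
FROM example.invalid/base
USER root
RUN chown -R 1001:0 /opt/eap
user 1001:0
EOF
cat >"$tmp/Dockerfile.root" <<'EOF'
FROM example.invalid/base
USER 1001
# the later USER wins, so this image ends up running as root
USER 0
EOF
cat >"$tmp/Dockerfile.inherit" <<'EOF'
FROM example.invalid/base
RUN echo no USER here
EOF

# Lint each sample; the directory is left in place for inspection.
for f in "$tmp"/Dockerfile.*; do
    printf '%s: ' "$(basename "$f")"
    check_dockerfile_user "$f" || true
done
```

Note that `Dockerfile.root` passes a naive "does the file contain a numeric USER" grep while still running as root: only the final `USER` counts, which is why the lint looks at the last instruction rather than any instruction.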
