sorry for the necro post but i have the problem again now

i don't want to use root account (cluster admin) for deploying pods, so i created a new unix user (developer) for deploying on a new project (project1)

the pods running under this new unix user are owned by

UID        PID  PPID  C STIME TTY          TIME CMD
1000040+     1     0  0 11:15 ?        00:00:00 /bin/bash /etc/init.d/jboss-as start
1000040+    63     0  1 11:15 ?        00:00:00 bash
1000040+    71     1  0 11:15 ?        00:00:00 sleep 1
1000040+    72    63  0 11:15 ?        00:00:00 ps -ef

and due to permission problems my pods die ..

i have tried to use the command

oadm policy add-ssc-to-user anyuid -z developer
oadm policy add-ssc-to-user anyuid -z project1

and still no luck .. seems that developer unix user is still not able to run pods with other user .. am i missing something?

oc get scc
NAME               PRIV    CAPS  HOSTDIR  EMPTYDIR  SELINUX    RUNASUSER          FSGROUP    SUPGROUP   PRIORITY
anyuid             false   []    false    true      MustRunAs  RunAsAny           RunAsAny   RunAsAny   10
hostaccess         false   []    true     true      MustRunAs  MustRunAsRange     RunAsAny   RunAsAny   <none>
hostmount-anyuid   false   []    true     true      MustRunAs  RunAsAny           RunAsAny   RunAsAny   <none>
nonroot            false   []    false    true      MustRunAs  MustRunAsNonRoot   RunAsAny   RunAsAny   <none>
privileged         true    []    true     true      RunAsAny   RunAsAny           RunAsAny   RunAsAny   <none>
restricted         false   []    false    true      MustRunAs  MustRunAsRange     RunAsAny   RunAsAny   <none>

thanks

> On 3 Mar 2016, at 17:27, Clayton Coleman <[email protected]> wrote:
>
> When you create a pod directly as a cluster admin, you have permission
> to run as any user. So the check allows you to create that process.
> When you run under a replication controller, permission has to be
> delegated to ensure that the controller (which is acting on your
> behalf) can create a pod that runs that way. The service account is
> what is delegated.
>
>> On Mar 1, 2016, at 9:37 AM, Julio Saura <[email protected]> wrote:
>>
>> hello
>>
>> thanks for answering
>>
>> but why is it running without problem if i run my image as a POD without doing
>> that and failing when i use RC instead of POD?
>>
>> thanks
>>
>>> On 1 Mar 2016, at 16:21, Clayton Coleman <[email protected]> wrote:
>>>
>>> Regular Openshift users don't have permission to run as arbitrary
>>> UIDs. You can read more here:
>>> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints
>>>
>>> To give yourself access as a root user (if you are an admin) run
>>>
>>> oadm policy add-scc-to-user anyuid -z default
>>>
>>> Or to let your pods run as any non-root user, run
>>>
>>> oadm policy add-scc-to-user nonroot -z default
>>>
>>>> On Mar 1, 2016, at 9:04 AM, Julio Saura <[email protected]> wrote:
>>>>
>>>> Hello
>>>>
>>>> i have a working open shift running and maybe it is my misunderstanding but i
>>>> have a problem with RC
>>>>
>>>> so,
>>>>
>>>> i have an own docker image for my app, my entry point in my docker file
>>>> creates some directories that are needed for my app to work and starts a
>>>> jboss, so far so good
>>>>
>>>> the image is running if i define it as a POD, but when i try to create a
>>>> RC using that image i am having some weird permission denied when creating
>>>> the directories and so my pod dies.
>>>>
>>>> i have noticed that when i run it as POD my process is running under the
>>>> user i define in a step inside my docker file when building the image, but
>>>> if i run it on a RC the process is running under an unknown UID
>>>>
>>>> UID        PID  PPID  C STIME TTY          TIME CMD
>>>> 1000120+     1     0  0 17:02 ?        00:00:00 /bin/bash
>>>> /etc/init.d/jboss-as st
>>>>
>>>> and so when that entry point is trying to create the directories i need i
>>>> get permission denied errors, logically the process dies and so does my
>>>> pod inside the RC ..
>>>>
>>>> why is this happening? on my dockerfile i add a unix user as the process
>>>> owner and in my entry point command script i am changing the user
>>>> when starting .. running on the RC the user is not created and not used,
>>>> but running it as a POD works like a charm..
>>>>
>>>> am i missing something?
>>>>
>>>> best regards
>>>> thanks all!
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> [email protected]
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
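The thread turns on how the SCC admission step picks the UID a pod runs as: under the default `restricted` SCC (RUNASUSER = MustRunAsRange) a pod that does not set runAsUser is assigned the first UID of the project's range (which is why the process shows up as 1000040+ instead of the Dockerfile's user), while a service account granted `anyuid` (RunAsAny, priority 10) keeps the image's USER. The following is an added example, not code from the OpenShift project or from anyone in this thread: a small Python model of the RUNASUSER strategies from the `oc get scc` table above. The project annotation value `1000040000/10000` is a constructed sample (the real key is openshift.io/sa.scc.uid-range), and the tie-break by name among equal-priority SCCs is a simplification of OpenShift's restrictiveness ordering.

```python
"""Model of how an OpenShift SCC's RUNASUSER strategy decides a pod's UID.
Added example; not code from OpenShift or from the mailing-list thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SCC:
    name: str
    run_as_user: str                  # RUNASUSER column of `oc get scc`
    priority: Optional[int]           # PRIORITY column; None stands for <none>
    fixed_uid: Optional[int] = None   # only meaningful for MustRunAs


# RUNASUSER / PRIORITY columns copied from the `oc get scc` output in the thread.
SCC_TABLE = {
    "anyuid":           SCC("anyuid", "RunAsAny", 10),
    "hostaccess":       SCC("hostaccess", "MustRunAsRange", None),
    "hostmount-anyuid": SCC("hostmount-anyuid", "RunAsAny", None),
    "nonroot":          SCC("nonroot", "MustRunAsNonRoot", None),
    "privileged":       SCC("privileged", "RunAsAny", None),
    "restricted":       SCC("restricted", "MustRunAsRange", None),
}

# Constructed sample for the project's openshift.io/sa.scc.uid-range annotation
# ("start/size"); chosen to match the truncated "1000040+" UID in the ps output.
PROJECT_UID_RANGE = "1000040000/10000"


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Turn "start/size" into an inclusive (lo, hi) pair."""
    start, size = annotation.split("/")
    lo = int(start)
    return lo, lo + int(size) - 1


def apply_run_as_user(scc: SCC, requested: Optional[int], uid_range: Tuple[int, int]):
    """Validate or mutate the pod's runAsUser (None = not set in the spec) under one
    SCC. Returns (ok, effective_uid, reason); effective_uid None means 'whatever
    USER the image declares'."""
    lo, hi = uid_range
    strategy = scc.run_as_user
    if strategy == "RunAsAny":
        return True, requested, "any UID allowed; image USER applies when none is requested"
    if strategy == "MustRunAsNonRoot":
        if requested == 0:
            return False, None, "runAsUser 0 is rejected"
        # With no UID in the spec, the runtime refuses to start an image whose USER is root.
        return True, requested, "non-root UID required"
    if strategy == "MustRunAsRange":
        if requested is None:
            return True, lo, f"no UID requested; assigned first UID of project range {lo}-{hi}"
        if lo <= requested <= hi:
            return True, requested, "requested UID is inside the project range"
        return False, None, f"UID {requested} is outside project range {lo}-{hi}"
    if strategy == "MustRunAs":
        if requested in (None, scc.fixed_uid):
            return True, scc.fixed_uid, f"fixed UID {scc.fixed_uid}"
        return False, None, f"UID {requested} != required UID {scc.fixed_uid}"
    raise ValueError(f"unknown RUNASUSER strategy {strategy!r}")


def admit(requested: Optional[int], candidates: List[SCC], annotation: str = PROJECT_UID_RANGE):
    """Pick the SCC that admits the pod. `candidates` are the SCCs the creating user
    or service account is allowed to use; the highest PRIORITY is tried first (ties
    broken by name here; real OpenShift breaks them by restrictiveness). Raises
    PermissionError when no candidate admits the pod."""
    uid_range = parse_uid_range(annotation)
    ordered = sorted(candidates,
                     key=lambda s: (-(s.priority if s.priority is not None else -1), s.name))
    reasons = []
    for scc in ordered:
        ok, uid, why = apply_run_as_user(scc, requested, uid_range)
        if ok:
            return scc.name, uid, why
        reasons.append(f"{scc.name}: {why}")
    raise PermissionError("; ".join(reasons))


def sccs(*names: str) -> List[SCC]:
    """Look up SCCs by name from the table above."""
    return [SCC_TABLE[n] for n in names]


if __name__ == "__main__":
    # Service account with only `restricted` (the default): UID comes from the project range.
    print(admit(None, sccs("restricted")))
    # Same image after `anyuid` is granted to the service account: the image USER is kept.
    print(admit(None, sccs("restricted", "anyuid")))
    # `nonroot` granted but the pod asks for UID 0: refused by every candidate.
    try:
        admit(0, sccs("restricted", "nonroot"))
    except PermissionError as e:
        print("rejected:", e)
```

The `candidates` list stands for the SCCs reachable by the identity that creates the pod. For a pod created by a replication controller that identity is the service account named with `-z` in `add-scc-to-user`, which is the delegation Clayton describes; granting the SCC to the human user who ran `oc create` does not change what the controller may do on their behalf.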
