I forgot to say that my pod is running its process under user jboss and that unix user exists in my nodes..

So I create pods under unix user developer (logged in to the Openshift master as developer too) but the pod has runAs jboss..

thanks in advance

> On 22 Mar 2016, at 11:46, Julio Saura <[email protected]> wrote:
>
> sorry for the necro post but I have the problem again
>
> now I don't want to use the root account (cluster admin) for deploying pods, so
> I created a new unix user (developer) for deploying on a new project (project1)
>
> the pods running under this new unix user are owned by
>
> UID        PID  PPID  C STIME TTY      TIME CMD
> 1000040+     1     0  0 11:15 ?    00:00:00 /bin/bash /etc/init.d/jboss-as start
> 1000040+    63     0  1 11:15 ?    00:00:00 bash
> 1000040+    71     1  0 11:15 ?    00:00:00 sleep 1
> 1000040+    72    63  0 11:15 ?    00:00:00 ps -ef
>
> and due to permission problems my pods die..
>
> I have tried to use the command
>
> oadm policy add-ssc-to-user anyuid -z developer
> oadm policy add-ssc-to-user anyuid -z project1
>
> and still no luck.. seems that the developer unix user is still not able to run
> pods with another user..
>
> am I missing something?
>
> oc get scc
> NAME               PRIV   CAPS  HOSTDIR  EMPTYDIR  SELINUX    RUNASUSER         FSGROUP   SUPGROUP  PRIORITY
> anyuid             false  []    false    true      MustRunAs  RunAsAny          RunAsAny  RunAsAny  10
> hostaccess         false  []    true     true      MustRunAs  MustRunAsRange    RunAsAny  RunAsAny  <none>
> hostmount-anyuid   false  []    true     true      MustRunAs  RunAsAny          RunAsAny  RunAsAny  <none>
> nonroot            false  []    false    true      MustRunAs  MustRunAsNonRoot  RunAsAny  RunAsAny  <none>
> privileged         true   []    true     true      RunAsAny   RunAsAny          RunAsAny  RunAsAny  <none>
> restricted         false  []    false    true      MustRunAs  MustRunAsRange    RunAsAny  RunAsAny  <none>
>
> thanks
>
>> On 3 Mar 2016, at 17:27, Clayton Coleman <[email protected]> wrote:
>>
>> When you create a pod directly as a cluster admin, you have permission
>> to run as any user. So the check allows you to create that process.
>> When you run under a replication controller, permission has to be
>> delegated to ensure that the controller (which is acting on your
>> behalf) can create a pod that runs that way. The service account is
>> what is delegated.
>>
>>> On Mar 1, 2016, at 9:37 AM, Julio Saura <[email protected]> wrote:
>>>
>>> hello
>>>
>>> thanks for answering
>>>
>>> but why is it running without problem if I run my image as a POD without doing
>>> that and failing when I use an RC instead of a POD?
>>>
>>> thanks
>>>
>>>> On 1 Mar 2016, at 16:21, Clayton Coleman <[email protected]> wrote:
>>>>
>>>> Regular Openshift users don't have permission to run as arbitrary
>>>> UIDs. You can read more here:
>>>> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints
>>>>
>>>> To give yourself access as a root user (if you are an admin) run
>>>>
>>>> oadm policy add-scc-to-user anyuid -z default
>>>>
>>>> Or to let your pods run as any non-root user, run
>>>>
>>>> oadm policy add-scc-to-user nonroot -z default
>>>>
>>>>> On Mar 1, 2016, at 9:04 AM, Julio Saura <[email protected]> wrote:
>>>>>
>>>>> Hello
>>>>>
>>>>> I have a working OpenShift running and maybe it is my misunderstanding but
>>>>> I have a problem with RCs
>>>>>
>>>>> so,
>>>>>
>>>>> I have my own docker image for my app; my entry point in my docker file
>>>>> creates some directories that are needed for my app to work and starts a
>>>>> jboss, so far so good
>>>>>
>>>>> the image is running if I define it as a POD, but when I try to create an
>>>>> RC using that image I am having some weird permission denied errors when
>>>>> creating the directories and so my pod dies.
>>>>>
>>>>> I have noticed that when I run it as a POD my process is running under the
>>>>> user I define in a step inside my docker file when building the image,
>>>>> but if I run it in an RC the process is running under an unknown UID
>>>>>
>>>>> UID        PID  PPID  C STIME TTY      TIME CMD
>>>>> 1000120+     1     0  0 17:02 ?    00:00:00 /bin/bash /etc/init.d/jboss-as st
>>>>>
>>>>> and so when that entry point is trying to create the directories I need I
>>>>> get permission denied errors, logically the process dies and so does my
>>>>> pod inside the RC..
>>>>>
>>>>> why is this happening? in my dockerfile I add a unix user as the process
>>>>> owner and in my entry point command script I am changing the user
>>>>> when starting.. running in the RC the user is not created and not used,
>>>>> but running it as a POD works like a charm..
>>>>>
>>>>> am I missing something?
>>>>>
>>>>> best regards
>>>>> thanks all!
>>>>>
>>>>> _______________________________________________
>>>>> users mailing list
>>>>> [email protected]
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
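The thread turns on one admission decision: which SCC the requester may use, and what that SCC's RUNASUSER strategy does to the pod's UID. Below is an added, offline model of that decision written for this page; it is not OpenShift's admission code and not anything posted in the thread. It parses the `oc get scc` table quoted above, then replays the cases discussed: a cluster admin creating the pod directly (may use every SCC, so `anyuid` wins on priority and the image's `USER` survives), the same image under a replication controller whose pods run as the project's `default` service account (only `restricted`, whose `MustRunAsRange` assigns the first UID of the project's range, which is why the process shows up as `1000040+` and cannot write the jboss-owned directories), and the state after `oadm policy add-scc-to-user anyuid -z default` or `... nonroot -z default` run in that project. Note that `-z` names a service account in the current project, not a unix or OpenShift user. Assumptions: the project's `openshift.io/sa.scc.uid-range` annotation is taken as `1000040000/10000`, the jboss UID inside the image as 1000, and SCC ordering is simplified to priority then name (the real plugin also ranks by restrictiveness).

```python
"""Offline model of OpenShift SCC admission for the runAsUser strategy.

Added example for this thread, not OpenShift's code. It reproduces, for the
SCCs listed in the thread, why a pod created directly by a cluster admin keeps
the image's USER while the same image under a replication controller (running
as the project's `default` service account) is forced into the project's range.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed from the `oc get scc` output quoted in the thread.
SCC_TABLE = """\
NAME               PRIV   CAPS  HOSTDIR  EMPTYDIR  SELINUX    RUNASUSER         FSGROUP   SUPGROUP  PRIORITY
anyuid             false  []    false    true      MustRunAs  RunAsAny          RunAsAny  RunAsAny  10
hostaccess         false  []    true     true      MustRunAs  MustRunAsRange    RunAsAny  RunAsAny  <none>
hostmount-anyuid   false  []    true     true      MustRunAs  RunAsAny          RunAsAny  RunAsAny  <none>
nonroot            false  []    false    true      MustRunAs  MustRunAsNonRoot  RunAsAny  RunAsAny  <none>
privileged         true   []    true     true      RunAsAny   RunAsAny          RunAsAny  RunAsAny  <none>
restricted         false  []    false    true      MustRunAs  MustRunAsRange    RunAsAny  RunAsAny  <none>
"""

# Assumption: the project's openshift.io/sa.scc.uid-range annotation, written as
# start/size. 1000040000/10000 is consistent with the truncated "1000040+" in ps.
PROJECT_UID_RANGE = (1000040000, 10000)


@dataclass(frozen=True)
class SCC:
    name: str
    run_as_user: str  # RunAsAny | MustRunAsRange | MustRunAsNonRoot
    priority: int     # "<none>" sorts as 0


def parse_scc_table(text: str) -> Dict[str, SCC]:
    """Parse the whitespace-separated `oc get scc` listing by header position."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    i_name, i_run, i_pri = (header.index(c) for c in ("NAME", "RUNASUSER", "PRIORITY"))
    sccs: Dict[str, SCC] = {}
    for line in lines[1:]:
        cols = line.split()
        pri = 0 if cols[i_pri] == "<none>" else int(cols[i_pri])
        sccs[cols[i_name]] = SCC(cols[i_name], cols[i_run], pri)
    return sccs


def admit(scc: SCC, requested_uid: Optional[int],
          uid_range: Tuple[int, int]) -> Tuple[bool, Optional[int]]:
    """Apply one SCC's runAsUser strategy.

    requested_uid is securityContext.runAsUser from the pod spec (None if unset).
    Returns (admitted, effective_uid); effective_uid None means "whatever the
    image's USER directive says", i.e. the UID is not rewritten by admission.
    """
    start, size = uid_range
    if scc.run_as_user == "RunAsAny":
        return True, requested_uid
    if scc.run_as_user == "MustRunAsNonRoot":
        if requested_uid is None:
            return True, None  # admitted; the node still refuses an image that starts as root
        return requested_uid != 0, requested_uid
    if scc.run_as_user == "MustRunAsRange":
        if requested_uid is None:
            return True, start  # admission defaults the pod to the first UID of the range
        return start <= requested_uid < start + size, requested_uid
    raise ValueError(f"unknown runAsUser strategy {scc.run_as_user!r}")


def choose_scc(granted: Set[str], sccs: Dict[str, SCC], requested_uid: Optional[int] = None,
               uid_range: Tuple[int, int] = PROJECT_UID_RANGE):
    """Try the SCCs the requester may use, highest priority first.

    Simplification: ties are broken by name; the real plugin also orders by
    restrictiveness. Returns (scc name, effective uid) or None when no SCC admits.
    """
    candidates = sorted((sccs[n] for n in granted), key=lambda s: (-s.priority, s.name))
    for scc in candidates:
        ok, uid = admit(scc, requested_uid, uid_range)
        if ok:
            return scc.name, uid
    return None


def scenarios():
    sccs = parse_scc_table(SCC_TABLE)
    return {
        # cluster admin creating the pod directly: may use every SCC
        "admin_pod": choose_scc(set(sccs), sccs),
        # RC in the project: pods run as the `default` SA, which only has restricted
        "rc_default_sa": choose_scc({"restricted"}, sccs),
        # after `oadm policy add-scc-to-user anyuid -z default` in that project
        "rc_after_anyuid": choose_scc({"restricted", "anyuid"}, sccs),
        # after `... nonroot -z default`, with runAsUser set to the image's jboss UID (assumed 1000)
        "rc_nonroot_uid": choose_scc({"restricted", "nonroot"}, sccs, requested_uid=1000),
        # restricted alone with a UID outside the project range: nothing admits the pod
        "rc_restricted_uid": choose_scc({"restricted"}, sccs, requested_uid=1000),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} -> {result}")
```

The `rc_default_sa` case is the thread's failure: the pod is admitted, but as UID 1000040000 rather than jboss, so directories created for jboss at image build time are not writable. Granting an SCC to a service account the RC does not use (or misspelling the subcommand) leaves the `default` service account with `restricted` only, which is the same outcome.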
