hello i solved it giving the oc user cluster-admin role .. i do not really like this way but it works :/
Best regards

> On 22 Mar 2016, at 12:03, Julio Saura <[email protected]> wrote:
>
> i forgot saying that my pod is running process under user jboss and that unix user exists in my nodes ..
>
> so i create pods under unix user developer ( logged in Openshift master as developer too ) but the pod has runAs jboss..
>
> thanks in advance
>
>> On 22 Mar 2016, at 11:46, Julio Saura <[email protected]> wrote:
>>
>> sorry for the necro post but i have the problem again
>>
>> now i don’t want to use root account ( cluster admin ) for deploying pods, so i created a new unix user ( developer ) for deploying on a new project ( project1 )
>>
>> the pods running under this new unix user are owned by
>>
>> UID        PID  PPID  C  STIME  TTY  TIME      CMD
>> 1000040+     1     0  0  11:15  ?    00:00:00  /bin/bash /etc/init.d/jboss-as start
>> 1000040+    63     0  1  11:15  ?    00:00:00  bash
>> 1000040+    71     1  0  11:15  ?    00:00:00  sleep 1
>> 1000040+    72    63  0  11:15  ?    00:00:00  ps -ef
>>
>> and due to permission problems my pods die ..
>>
>> i have tried to use the command
>>
>> oadm policy add-ssc-to-user anyuid -z developer
>> oadm policy add-ssc-to-user anyuid -z project1
>>
>> and still no luck .. seems that developer unix user is still not able to run pods with other user ..
>>
>> i am missing something?
>>
>> oc get scc
>> NAME               PRIV    CAPS   HOSTDIR   EMPTYDIR   SELINUX     RUNASUSER          FSGROUP    SUPGROUP   PRIORITY
>> anyuid             false   []     false     true       MustRunAs   RunAsAny           RunAsAny   RunAsAny   10
>> hostaccess         false   []     true      true       MustRunAs   MustRunAsRange     RunAsAny   RunAsAny   <none>
>> hostmount-anyuid   false   []     true      true       MustRunAs   RunAsAny           RunAsAny   RunAsAny   <none>
>> nonroot            false   []     false     true       MustRunAs   MustRunAsNonRoot   RunAsAny   RunAsAny   <none>
>> privileged         true    []     true      true       RunAsAny    RunAsAny           RunAsAny   RunAsAny   <none>
>> restricted         false   []     false     true       MustRunAs   MustRunAsRange     RunAsAny   RunAsAny   <none>
>>
>> thanks
>>
>>> On 3 Mar 2016, at 17:27, Clayton Coleman <[email protected]> wrote:
>>>
>>> When you create a pod directly as a cluster admin, you have permission to run as any user. So the check allows you to create that process. When you run under a replication controller, permission has to be delegated to ensure that the controller (which is acting on your behalf) can create a pod that runs that way. The service account is what is delegated.
>>>
>>>> On Mar 1, 2016, at 9:37 AM, Julio Saura <[email protected]> wrote:
>>>>
>>>> hello
>>>>
>>>> thanks for answering
>>>>
>>>> but why is running without problem if i run my image as a POD without doing that and failing when i use RC instead of POD?
>>>>
>>>> thanks
>>>>
>>>>> On 1 Mar 2016, at 16:21, Clayton Coleman <[email protected]> wrote:
>>>>>
>>>>> Regular Openshift users don't have permission to run as arbitrary UIDs.
>>>>> You can read more here:
>>>>> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints
>>>>>
>>>>> To give yourself access as a root user (if you are an admin) run
>>>>>
>>>>> oadm policy add-scc-to-user anyuid -z default
>>>>>
>>>>> Or to let your pods run as any non-root user, run
>>>>>
>>>>> oadm policy add-scc-to-user nonroot -z default
>>>>>
>>>>>> On Mar 1, 2016, at 9:04 AM, Julio Saura <[email protected]> wrote:
>>>>>>
>>>>>> Hello
>>>>>>
>>>>>> i have a working open shift running and maybe is my misunderstanding but i have a problem with RC
>>>>>>
>>>>>> so,
>>>>>>
>>>>>> i have an own docker image for my app, my entry point in my docker file creates some directories that are needed for my app to work and starts a jboss, so far so good
>>>>>>
>>>>>> the image is running if i define it as a POD, but when i try to create a RC using that image i am having some weird permission denied when creating the directories and so my pod dies.
>>>>>>
>>>>>> i have noticed that when i run it as POD my process is running under the user i define in a step inside my docker file when building the image, but if i run it on a RC the process is running under an unknown UID
>>>>>>
>>>>>> UID        PID  PPID  C  STIME  TTY  TIME      CMD
>>>>>> 1000120+     1     0  0  17:02  ?    00:00:00  /bin/bash /etc/init.d/jboss-as st
>>>>>>
>>>>>> and so when that entry point is trying to create the directories i need i get permission denied errors, logically the process dies and so does my pod inside the RC ..
>>>>>>
>>>>>> why is this happening? on my dockerfile i add a unix user as the process proprietary and in my entry point command script i am changing the user when starting .. running on the RC the user is not created and not used, but running it as a POD works like a charm..
>>>>>>
>>>>>> i am missing something?
>>>>>>
>>>>>> best regards
>>>>>> thanks all!
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> [email protected]
>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
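
Added example, not part of the original thread and not OpenShift's own code: a simplified Python model of the explanation quoted above, showing why the same image keeps its own UID when a cluster admin creates the pod directly, gets a project-range UID under a replication controller, and keeps its UID again once `anyuid` is granted to the pod's service account. The image UID 185, the range start 1000200000 and all function names are constructed; ranking SCCs by PRIORITY and then by the RUNASUSER column alone is an assumption that simplifies the real ordering.

```python
# Simplified model of SCC admission (illustration only, not OpenShift's code).
# name -> (RUNASUSER strategy, PRIORITY), copied from the `oc get scc` output
# quoted in the thread; a <none> priority is treated as 0.
SCCS = {
    "anyuid": ("RunAsAny", 10),
    "hostaccess": ("MustRunAsRange", 0),
    "hostmount-anyuid": ("RunAsAny", 0),
    "nonroot": ("MustRunAsNonRoot", 0),
    "privileged": ("RunAsAny", 0),
    "restricted": ("MustRunAsRange", 0),
}
# Assumption: rank only the RUNASUSER column, most restrictive first.
STRICTNESS = {"MustRunAsRange": 0, "MustRunAsNonRoot": 1, "RunAsAny": 2}


def candidate_sccs(via_controller, creator_sccs, service_account_sccs):
    """SCCs considered for a pod. A pod created directly is checked against
    the creator's SCCs plus the service account's; a pod created by a
    replication controller only gets what the service account was granted."""
    names = set(service_account_sccs)
    if not via_controller:
        names |= set(creator_sccs)
    return sorted(names, key=lambda n: (-SCCS[n][1], STRICTNESS[SCCS[n][0]], n))


def admitted_uid(names, image_uid, project_uid_start):
    """Return (scc, uid) for the first SCC that accepts the pod, else None.
    The pod spec is assumed to set no runAsUser of its own."""
    for name in names:
        strategy = SCCS[name][0]
        if strategy == "RunAsAny":
            return name, image_uid            # the image's USER is kept
        if strategy == "MustRunAsRange":
            return name, project_uid_start    # UID forced into the project range
        if strategy == "MustRunAsNonRoot" and image_uid != 0:
            return name, image_uid
    return None


def demo():
    image_uid, range_start = 185, 1000200000   # constructed sample values
    admin_pod = candidate_sccs(False, SCCS.keys(), ["restricted"])
    rc_pod = candidate_sccs(True, SCCS.keys(), ["restricted"])
    rc_fixed = candidate_sccs(True, [], ["restricted", "anyuid"])
    return [admitted_uid(c, image_uid, range_start)
            for c in (admin_pod, rc_pod, rc_fixed)]
```

The third case models `oadm policy add-scc-to-user anyuid -z default` run in the pod's project: only the service account gains the SCC, so the deploying user needs no cluster-admin role.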
