Hi All, Apologies for bringing this back up, but I was busy with my exams and stuff, and now I'm back to solve this issue.
I did some research on my problem and the links I received from you guys. Below is my Dockerfile, which I wrote to get the tgt service running and also the s2i tool working for the image:

FROM 172.30.79.210:5000/openshift/centos-with-bmi-setup_v1
MAINTAINER "Akshaya" <[email protected]>

ENV container docker
ENV LIGHTTPD_VERSION=1.4.35

# Set labels used in OpenShift to describe the builder images
LABEL io.k8s.description="Platform for serving static HTML files" \
      io.k8s.display-name="Lighttpd 1.4.35" \
      io.openshift.expose-services="8080:http" \
      io.openshift.tags="builder,html,lighttpd"

#USER root

# Remove the systemd unit symlinks that cannot run inside a container,
# keeping only systemd-tmpfiles-setup.service from sysinit.target
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    rm -rf /lib/systemd/system/multi-user.target.wants/*; \
    rm -rf /etc/systemd/system/*.wants/*; \
    rm -rf /lib/systemd/system/local-fs.target.wants/*; \
    rm -rf /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -rf /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -rf /lib/systemd/system/basic.target.wants/*; \
    rm -rf /lib/systemd/system/anaconda.target.wants/*; \
    yum install -y git; \
    yum install -y lighttpd && \
    # clean yum cache files, as they are not needed and will only make the image bigger in the end
    yum clean all -y

# Enable the tgt (iSCSI target) service so systemd starts it at boot
RUN systemctl enable tgtd.service

# Defines the location of the S2I scripts
# Although this is defined in openshift/base-centos7 image it's repeated here
# to make it clear why the following COPY operation is happening
LABEL io.openshift.s2i.scripts-url=image:///usr/local/s2i

# Copy the S2I scripts from ./.s2i/bin/ to /usr/local/s2i when making the builder image
COPY ./.s2i/bin/ /usr/local/s2i

# Copy the lighttpd configuration file
COPY ./etc/ /opt/app-root/etc

# Specify the ports the final image will expose
EXPOSE 8080

VOLUME [ "/sys/fs/cgroup" ]
#VOLUME ["/sys/fs/cgroup:ro"]

CMD ["/usr/sbin/init"]

Turns out it was not an issue about the root access.
The service works automatically if I use the docker run command with the volume group specified as below:

docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d docker.io/centos

Based on the below blog, systemd insists on looking at the cgroup file system within a container:
https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container/

So on running the image using the cgroup file system, the service works fine. Without it, the service fails to start.

Is there a way to mount the volume group in openshift while starting an application using this image?

Thanks & Regards,
Akshaya

On Fri, Dec 2, 2016 at 5:30 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
> Sorry, forgot to put blog link
>
> http://developers.redhat.com/blog/2016/10/21/understanding-openshift-security-context-constraints/
>
> --
> Srinivas Kotaru
>
> From: Srinivas Naga Kotaru <[email protected]>
> Date: Friday, December 2, 2016 at 2:27 PM
> To: Akshaya Khare <[email protected]>, Ben Parees <[email protected]>
> Cc: users <[email protected]>, Jordan Liggitt <[email protected]>
> Subject: Re: oc new-app with root privileges
>
> This is the blog post I am using to refer to the steps mentioned here. I haven't tested it yet, but this article talks about how to run a container using anyuid SCC privileges.
>
> --
> Srinivas Kotaru
>
> From: Akshaya Khare <[email protected]>
> Date: Friday, December 2, 2016 at 1:59 PM
> To: Ben Parees <[email protected]>
> Cc: users <[email protected]>, Srinivas Naga Kotaru <[email protected]>, Jordan Liggitt <[email protected]>
> Subject: Re: oc new-app with root privileges
>
> Thanks Ben,
>
> I'll check this reference.
> Our developers in the team will need to start a service once the container is up.
> But systemd is only accessible for my image if it is run as root.
>
> Maybe I can try adding this startup script into the docker file as well.
>
> I'll check both and let you know...
>
> Regards,
> AK
>
> On Fri, Dec 2, 2016 at 4:47 PM, Ben Parees <[email protected]> wrote:
> >
> > On Fri, Dec 2, 2016 at 4:35 PM, Akshaya Khare <[email protected]> wrote:
> > > Hi again,
> > >
> > > I tried using the suggestions you guys gave but somehow it's still failing.
> > > On further analysis I understood that this is not actually the image which I created.
> > >
> > > Since I'm using source2image, the github source is being mapped on to my image which has root privileges.
> > > Now my image creates a build and then a new pod is spawned up using that build.
> > >
> > > Is there some other configuration within these steps which allows me to run the pod as a root user?
> > > Or do these steps have nothing to do with the user issue I'm facing?
> >
> > You can control the user the pod runs as by setting the pod's security context:
> > http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_podsecuritycontext
> >
> > But it would be better to try to understand why your image needs to run as root and change file/etc permissions so that it does not require that.
> >
> > > Thanks,
> > > AK
> > >
> > > On Thu, Dec 1, 2016 at 6:31 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
> > > > I was thinking below are the right steps as per my knowledge
> > > >
> > > > 1. Create a service account
> > > > 2. Grant anyuid SCC to this service account
> > > > 3. And add service account details to dc object
> > > >
> > > > I might be wrong but above steps in my mind. Even I would like to get clarity on this topic: what is the right approach to run a container using anyuid privileges?
> > > >
> > > > --
> > > > Srinivas Kotaru
> > > >
> > > > From: <[email protected]> on behalf of Ben Parees <[email protected]>
> > > > Date: Thursday, December 1, 2016 at 1:37 PM
> > > > To: Akshaya Khare <[email protected]>, Jordan Liggitt <[email protected]>
> > > > Cc: users <[email protected]>
> > > > Subject: Re: oc new-app with root privileges
> > > >
> > > > On Thu, Dec 1, 2016 at 4:18 PM, Akshaya Khare <[email protected]> wrote:
> > > > > Hi,
> > > > >
> > > > > I created my own image which can use s2i to use git urls for my internal projects.
> > > > >
> > > > > The image has been created such that the systemd services will be working, and in order to do that the image had to be created with root user.
> > > > >
> > > > > Now the container spawned from this image only works properly if I spawn it with the below command:
> > > > >
> > > > > docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d my-image-name
> > > > >
> > > > > The container works fine.
> > > > >
> > > > > Unfortunately, whenever I try to create the container from the openshift ui, it creates the pod successfully but it doesn't have access to run it since it doesn't run it as a root user.
> > > > >
> > > > > I tried to provide this command:
> > > > >
> > > > > oadm policy add-scc-to-user anyuid -z project-name
> > > > >
> > > > > But still the pod is created without the root user.
> > > > >
> > > > > Is there any way to run the pod with root user via both cli or ui?
> > > >
> > > > Assuming your built image defaults to running as root, adding the anyuid SCC should be all you need to do for the image to run as that user, as far as I know.
> > > >
> > > > > --
> > > > > Thanks & Regards,
> > > > > Akshaya Khare
> > > > > 312-785-3508
> > > > >
> > > > > _______________________________________________
> > > > > users mailing list
> > > > > [email protected]
> > > > > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> > > >
> > > > --
> > > > Ben Parees | OpenShift
> > >
> > > --
> > > Thanks & Regards,
> > > Akshaya Khare
> > > 312-785-3508
> >
> > --
> > Ben Parees | OpenShift
>
> --
> Thanks & Regards,
> Akshaya Khare
> 312-785-3508

--
Thanks & Regards,
Akshaya Khare
312-785-3508
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
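For the open question in this thread (carrying the `/sys/fs/cgroup` mount and the root user from `docker run` over to OpenShift), here is an added example of the DeploymentConfig pod template that does it. It is not code from any of the posters or from the linked blog posts. It assumes a project named `myproject`, a dedicated service account named `systemd-sa`, and the image name `my-image-name` from the thread. The `anyuid` SCC mentioned in the thread only lifts the UID restriction: it does not permit `hostPath` volumes, and on OpenShift 3.x only the stock `privileged` SCC (`allowHostDirVolumePlugin: true`) does, so a cgroup mount means the service account needs that broader SCC. Because of what that grant permits, it is bound to one service account rather than to the project's users.

```yaml
# Added example (not from the thread): DeploymentConfig for a systemd-based image.
# Assumed names: project "myproject", service account "systemd-sa", image "my-image-name".
# One-time setup by a cluster admin, scoped to this one service account:
#   oc create serviceaccount systemd-sa -n myproject
#   oadm policy add-scc-to-user privileged -z systemd-sa -n myproject
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: tgt-service
  namespace: myproject
spec:
  replicas: 1
  selector:
    app: tgt-service
  template:
    metadata:
      labels:
        app: tgt-service
    spec:
      # The SCC is granted to the service account; pods created under it are
      # admitted by that SCC instead of the default "restricted" one.
      serviceAccountName: systemd-sa
      securityContext:
        runAsUser: 0        # /usr/sbin/init (the image's CMD) must run as root
      containers:
      - name: tgt-service
        image: my-image-name
        ports:
        - containerPort: 8080
        volumeMounts:
        # Equivalent of "-v /sys/fs/cgroup:/sys/fs/cgroup:ro" in the docker run
        # command from the thread; read-only is what systemd needs and it keeps
        # the container from altering the node's cgroup tree through this mount.
        - name: cgroup
          mountPath: /sys/fs/cgroup
          readOnly: true
      volumes:
      - name: cgroup
        hostPath:
          path: /sys/fs/cgroup
```

After `oc create -f` on this file, `oc get pod <pod-name> -o yaml` shows which SCC admitted the pod in the `openshift.io/scc` annotation; if it still reads `restricted`, the service account or the SCC grant is not being picked up. Ben's earlier point stands: an image that does not need PID 1 as root needs none of this, and the `anyuid` SCC alone would cover the remaining cases that only need a fixed UID.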
