Hello,
I am again having a problem running my application using the image stream I created.
As discussed last time, I had changed the Dockerfile to use a non-root user. I have
set the uid of this non-root user to be 1001. But when I deploy the application,
the pod crashes frequently. In the logs I can see the following:
sudo: unknown uid 1000110000: who are you?
This uid is the uid of the project in which I am running the application.
If I run the following, I get this:
$oc rsh <container id> id
sh-4.2$ id
uid=1000110000 gid=0(root) groups=0(root),1000110000
Although, if I do $docker ps and run the following, I get this:
$docker exec -it 1fe3bbf19cb0 bash
bash-4.2$ id
uid=1001 gid=0(root) groups=0(root),1000110000
I am now confused why OpenShift isn't recognizing the uid set from its own
uid-range.
Here is some more information:
oc describe project mec
Name:             mec
Created:          4 weeks ago
Labels:           <none>
Annotations:      openshift.io/description=
                  openshift.io/display-name=
                  openshift.io/requester=dhanashree
                  openshift.io/sa.scc.mcs=s0:c11,c0
                  openshift.io/sa.scc.supplemental-groups=1000110000/10000
                  openshift.io/sa.scc.uid-range=1000110000/10000
Display Name:     <none>
Description:      <none>
Status:           Active
Node Selector:    <none>
Quota:            <none>
Resource limits:  <none>
You can find my Dockerfile here.
(https://github.com/dhanugithub/omdockerimage/blob/master/Dockerfile)
Kindly help. Thank you.
Best Regards,
Dhanashree Kulkarni
brown-iposs GmbH
Friedrich-Breuer-Straße 120
53225 Bonn
Germany
Fon +49 (0) 228 299 799 80
Fax +49 (0) 228 299 799 84
mailto:[email protected]
www.brown-iposs.eu
www.facebook.com/browniposs
www.facebook.com/wimap4g
Directors: Dr. Bernd Schröder, Karsten Schmeling
Trade register: 14385, Country court Bonn
VAT-ID: DE814670174
This e-mail may contain confidential and/or privileged information. If you are
not the intended recipient (or have received this e-mail in error) please
notify the sender immediately and destroy this e-mail. Any unauthorised
copying, disclosure or distribution of the material in this e-mail is strictly
forbidden.
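
The failure reported in this message, as an added example that is not part of the original e-mail: the pod runs with a UID taken from the project's `openshift.io/sa.scc.uid-range` and gid 0, that UID has no passwd entry for `sudo` to look up, so the image has to be usable through group 0 instead. The passwd line for a user named `om`, the directory names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): checks for an image that has to run
# under an OpenShift-assigned UID, which has gid 0 and no /etc/passwd entry.

# uid_in_range RANGE UID -- RANGE is the "<start>/<size>" value of the
# project's openshift.io/sa.scc.uid-range annotation.
uid_in_range() {
    start=${1%/*}
    size=${1#*/}
    [ "$2" -ge "$start" ] && [ "$2" -lt $((start + size)) ]
}

# has_passwd_entry UID FILE -- sudo looks the calling UID up in the passwd
# database and stops with "unknown uid" when the lookup fails.
has_passwd_entry() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# group_can_write DIR GID -- true when DIR belongs to group GID and the group
# has rwx on it, so any UID running with that group can work there.
group_can_write() {
    [ -n "$(find "$1" -prune -group "$2" -perm -070 -print)" ]
}

# Demo on constructed data: a passwd file that only knows uid 1001 (user name
# "om" is hypothetical) and two work directories with different modes.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/sh\nom:x:1001:0::/data/om:/bin/sh\n' > "$tmp/passwd"
    mkdir "$tmp/rootwork" "$tmp/om" && chgrp "$(id -g)" "$tmp/rootwork" "$tmp/om"
    chmod 700 "$tmp/rootwork" && chmod 770 "$tmp/om"
    for uid in 1001 1000110000; do
        uid_in_range 1000110000/10000 "$uid" && r=yes || r=no
        has_passwd_entry "$uid" "$tmp/passwd" && p=yes || p=no
        echo "uid=$uid in-project-range=$r passwd-entry=$p"
    done
    for d in rootwork om; do
        group_can_write "$tmp/$d" "$(id -g)" && w=yes || w=no
        echo "dir=$d group-writable=$w"
    done
    rm -rf "$tmp"
}
demo
```

Inside a real image the third check would be run with gid 0 against the application's work directory; the demo uses the caller's own group so it can run unprivileged.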
-----Original Message-----
From: Dhanashree Kulkarni Kulkarni ([email protected])
[mailto:[email protected]]
Sent: Wednesday, August 08, 2018 3:04 PM
To: 'Aleksandar Lazic' <[email protected]>; 'Anton Hughes'
<[email protected]>
Cc: '[email protected]' <[email protected]>
Subject: RE: error running application using customized image stream
Thank you so much. It worked. I changed the work directory in the Dockerfile and just
prepended 'sudo' to chown in om_install.sh and om.sh.
I had been struggling with this for 1 week. Now I can move ahead. Although the
application is still not working, I am happy that the permission error is gone.
I will now look into why the application isn't working.
I will post again in case of further queries.
Thank you again.
Best Regards,
Dhanashree Kulkarni
-----Original Message-----
From: Aleksandar Lazic [mailto:[email protected]]
Sent: Tuesday, August 07, 2018 6:06 PM
To: [email protected]; 'Anton Hughes'
<[email protected]>
Cc: [email protected]
Subject: Re: error running application using customized image stream
Hi.
On 07.08.2018 at 16:23, [email protected] wrote:
>
> Hello thank you for taking a look. I checked the link you provided and
> tried to change my Dockerfile accordingly but it didn’t seem to work.
>
> So, I changed the Dockerfile to use a user called “ubuntu” and added
> this user to sudoers of container. Still I get the permission error.
>
> I added the following lines in the Dockerfile:
>
> RUN apt-get install -y libreoffice --no-install-recommends
>
> RUN apt-get install -y sudo && adduser ubuntu \
>     && echo "ubuntu ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu \
>     && chmod 4755 /etc/sudoers.d/ubuntu
>
> RUN su - ubuntu
>
> Is it advisable to change default setting of openshift to use anyuser?
>
No, it's not a good idea.
The main problem is that https://github.com/openmeetings/openmeetings-docker
isn't prepared to run as a non-root user, which is in general not a good idea.
You can see this in these lines:
https://github.com/openmeetings/openmeetings-docker/blob/master/Dockerfile#L30
ENV work /root/work
https://github.com/openmeetings/openmeetings-docker/blob/master/scripts/om.sh#L15-L17
I suggest to change the Dockerfile and the om.sh according to the suggestion
from Anton in the keycloak dockerfile.
https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16
At build time you can run some tasks as root, like yum install, but not at
runtime.
You can change the work directory to, let's say, /data/om and do all the work there.
At runtime just call '${TOMCAT_PATH}/bin/catalina.sh run'
Regards
aleks
> Best Regards,
>
> Dhanashree Kulkarni
>
> *From:* [email protected] [mailto:[email protected]] *On behalf of*
> Anton Hughes
> *Sent:* Tuesday, August 07, 2018 1:12 PM
> *To:* [email protected]
> *Cc:* [email protected]
> *Subject:* Re: error running application using customized image stream
>
>
>
> By default OpenShift doesn't allow containers to run using root user.
>
> Take a look at
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16
> for an example of giving the permissions and setting a non-root user.
>
>
>
> On 7 August 2018 at 21:38, <[email protected]
> <mailto:[email protected]>> wrote:
>
> Hello,
>
> My name is Dhanashree Kulkarni. I have installed OpenShift Origin all in
> one in a Centos 7 VM running on Proxmox VE.
>
> I have built a Docker image using a Dockerfile, and created an image
> stream using that Docker image and tagged and pushed it in the Docker
> registry inside OpenShift. Now when I want to run the application using
> this created image stream, it gives me permission error.
>
> I want to run Apache Openmeetings application inside OpenShift. For that I
> have used the Dockerfile created by Maxim Solodovnik
> (https://github.com/openmeetings/openmeetings-docker). The ENTRYPOINT in
> the Dockerfile seems to create this error.
>
> **Steps Followed:**
>
>
> git clone https://github.com/dhanugithub/openmeetings-docker.git
>
> cd openmeetings-docker
>
> ls
>
> docker build -t om-server .
>
> docker images
>
> docker login -u openshift -p <TOKEN from web console> docker-registry-default.apps.x.x.x.x.nip.io
>
> oc create is om-server -n mec
>
> docker tag om-server docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
>
> docker push docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
>
>
> I am attaching the error log which I get after deploying the application.
>
> If anyone can suggest some corrections, that would be great.
>
> Thank you.
>
>
>
>
>
> Best Regards,
>
> Dhanashree Kulkarni
> _______________________________________________
> users mailing list
> [email protected] <mailto:[email protected]>
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users