A typical OpenShift environment isn't going to let you run 'sudo' anyway even if you resolve the error.

As to the error, it is because the /etc/passwd file lacks a user entry for that user ID. See section 'Support Arbitrary User IDs' in:

https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html

If you use the method described of making the passwd file writable and adding an entry from the entry point, only use the image with OpenShift. If you want to use the image outside of OpenShift with docker and when using docker the environment is not dropping capabilities for running setuid, you need to take extra steps to secure the image properly so people can't become root.

As to why you don't see the issue with docker as is, you will if you supply the '-u 1000110000' option to docker run.

Graham

> On 17 Aug 2018, at 6:40 pm, [email protected] wrote:
>
> Hello,
> I am again having a problem running my application using the image stream I created. As discussed last, I had changed the Dockerfile to use a non-root user. I have set the uid of this non-root user to be 1001. But when I deploy the application, the pod crashes frequently. In the logs I can see the following:
>
> sudo: unknown uid 1000110000: who are you?
>
> This uid is the uid of the project in which I am running the application.
> If I run the following, I get the following:
>
> $oc rsh <container id> id
> sh-4.2$ id
> uid=1000110000 gid=0(root) groups=0(root),1000110000
>
> Although, if I do $docker ps and run, I get the following:
>
> $docker exec -it 1fe3bbf19cb0 bash
> bash-4.2$ id
> uid=1001 gid=0(root) groups=0(root),1000110000
>
> I am now confused why openshift isn't recognizing uid set from its own uid-range.
> Here is some more information:
>
> oc describe project mec
> Name: mec
> Created: 4 weeks ago
> Labels: <none>
> Annotations: openshift.io/description=
>   openshift.io/display-name=
>   openshift.io/requester=dhanashree
>   openshift.io/sa.scc.mcs=s0:c11,c0
>   openshift.io/sa.scc.supplemental-groups=1000110000/10000
>   openshift.io/sa.scc.uid-range=1000110000/10000
> Display Name: <none>
> Description: <none>
> Status: Active
> Node Selector: <none>
> Quota: <none>
> Resource limits: <none>
>
> You can find my Dockerfile here.
> (https://github.com/dhanugithub/omdockerimage/blob/master/Dockerfile)
> Kindly help. Thank you.
>
> Best Regards,
> Dhanashree Kulkarni
>
> brown-iposs GmbH
> Friedrich-Breuer-Straße 120
> 53225 Bonn
> Germany
>
> Fon +49 (0) 228 299 799 80
> Fax +49 (0) 228 299 799 84
> mailto:[email protected]
> www.brown-iposs.eu
> www.facebook.com/browniposs
> www.facebook.com/wimap4g
>
> Directors: Dr. Bernd Schröder, Karsten Schmeling
> Trade register: 14385, Country court Bonn
> VAT-ID: DE814670174
>
> This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
>
> -----Original Message-----
> From: Dhanashree Kulkarni Kulkarni ([email protected]) [mailto:[email protected]]
> Sent: Wednesday, August 08, 2018 3:04 PM
> To: 'Aleksandar Lazic' <[email protected]>; 'Anton Hughes' <[email protected]>
> Cc: '[email protected]' <[email protected]>
> Subject: AW: error running application using customized image stream
>
> Thank you so much. It worked. I changed the work directory in the Dockerfile and just appended 'sudo' before chown in om_install.sh and om.sh.
> I had been struggling with this for 1 week. Now I can move ahead. Although the application is still not working, I am happy that the permission error is gone. I will now look into why the application isn't working.
> I will post again in case of further queries.
> Thank you again.
>
> Best Regards,
> Dhanashree Kulkarni
>
> -----Original Message-----
> From: Aleksandar Lazic [mailto:[email protected]]
> Sent: Tuesday, August 07, 2018 6:06 PM
> To: [email protected]; 'Anton Hughes' <[email protected]>
> Cc: [email protected]
> Subject: Re: error running application using customized image stream
>
> Hi.
>
> On 07.08.2018 at 16:23, [email protected] wrote:
>>
>> Hello, thank you for taking a look. I checked the link you provided and tried to change my Dockerfile accordingly but it didn’t seem to work.
>>
>> So, I changed the Dockerfile to use a user called “ubuntu” and added this user to sudoers of container. Still I get the permission error.
>>
>> I added the following lines in the Dockerfile:
>>
>> RUN apt-get install -y libreoffice --no-install-recommends
>>
>> RUN apt-get install -y sudo && adduser ubuntu && echo "ubuntu ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu && chmod 4755 /etc/sudoers.d/ubuntu
>>
>> RUN su - ubuntu
>>
>> Is it advisable to change default setting of openshift to use anyuser?
>>
>
> No, it's not a good idea.
> The main problem is that the
> https://github.com/openmeetings/openmeetings-docker
> isn't prepared to run as non root user which is in general not a good idea.
>
> You can see this in these lines
> https://github.com/openmeetings/openmeetings-docker/blob/master/Dockerfile#L30
> ENV work /root/work
>
> https://github.com/openmeetings/openmeetings-docker/blob/master/scripts/om.sh#L15-L17
>
> I suggest changing the Dockerfile and the om.sh according to the suggestion from Anton in the keycloak dockerfile.
>
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16
>
> At build time you can run some tasks as root, like yum install, but not at runtime.
>
> You can change the work to let's say /data/om and do all the work there.
> At runtime just call '${TOMCAT_PATH}/bin/catalina.sh run'
>
> Regards
> aleks
>
>> Best Regards,
>>
>> Dhanashree Kulkarni
>>
>> *From:* [email protected] [mailto:[email protected]] *On behalf of* Anton Hughes
>> *Sent:* Tuesday, August 07, 2018 1:12 PM
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* Re: error running application using customized image stream
>>
>> By default OpenShift doesn't allow containers to run using root user.
>>
>> Take a look at https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16 for an example of giving the permissions and setting a non-root user.
>>
>> On 7 August 2018 at 21:38, <[email protected]> wrote:
>>
>> Hello,
>>
>> My name is Dhanashree Kulkarni. I have installed OpenShift Origin all in one in a Centos 7 VM running on Proxmox VE.
>>
>> I have built a Docker image using a Dockerfile, and created an image stream using that Docker image and tagged and pushed it in the Docker registry inside OpenShift. Now when I want to run the application using this created image stream, it gives me a permission error.
>>
>> I want to run the Apache Openmeetings application inside OpenShift. For that I have used the Dockerfile created by Maxim Solodovnik (https://github.com/openmeetings/openmeetings-docker). The ENTRYPOINT in the Dockerfile seems to create this error.
>>
>> **Steps Followed:**
>>
>> git clone https://github.com/dhanugithub/openmeetings-docker.git
>> cd openmeetings-docker
>> ls
>> docker build -t om-server .
>> docker images
>> docker login -u openshift -p <TOKEN from web console> docker-registry-default.apps.x.x.x.x.nip.io
>> oc create is om-server -n mec
>> docker tag om-server docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
>> docker push docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
>>
>> I am attaching the error log which I get after deploying the application.
>>
>> If anyone can suggest some corrections, that would be great.
>>
>> Thank you.
>>
>> Best Regards,
>>
>> Dhanashree Kulkarni
>>
>> _______________________________________________
>> users mailing list
>> [email protected] <mailto:[email protected]>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
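
The entrypoint method from the 'Support Arbitrary User IDs' guidelines that the reply above refers to, as an added example that is not part of the original thread: a shell helper that appends a passwd entry for the arbitrary UID only when none exists. The function names, the default user name and home directory, and the exit codes are assumptions; it relies on the image having made the passwd file group-writable at build time, which is why the reply says to use such an image only with OpenShift.

```shell
#!/bin/sh
# Added example, not code from the thread or from the openmeetings image.
# Function names, defaults and exit codes are assumptions of this sketch.

# Return 0 if the passwd-format file $2 has an entry whose UID field equals $1.
uid_has_entry() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# Append an entry for UID $1 to passwd file $2 when none exists.
# Exit codes: 0 = entry present or added, 1 = file not writable, 2 = refused.
ensure_passwd_entry() {
    uid=$1; file=$2; name=${3:-default}; home=${4:-/tmp}
    # Only a positive numeric UID is accepted; an entry for UID 0 is never written.
    case $uid in ''|*[!0-9]*) return 2 ;; esac
    [ "$uid" -gt 0 ] || return 2
    # A ':' in the name or home directory would shift the passwd fields.
    case $name$home in *:*) return 2 ;; esac
    # Idempotent: a container restart must not add a second entry.
    uid_has_entry "$uid" "$file" && return 0
    [ -w "$file" ] || return 1
    # GID 0 matches the root group OpenShift gives the arbitrary UID
    # (uid=1000110000 gid=0(root) in the 'id' output quoted in the thread).
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' \
        "$name" "$uid" "$name" "$home" >> "$file"
}

# In an image entrypoint this would run before exec'ing the application:
#   ensure_passwd_entry "$(id -u)" /etc/passwd "${USER_NAME:-default}" "$HOME"
```

The login shell is set to /sbin/nologin and the helper never writes a UID 0 entry, but the file it edits is still group-writable, so the caveat in the reply about running the image outside OpenShift applies unchanged.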
