According to this doc https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core `privileged` seems to be in both the pod and the container securityContext. I have also seen people use it in pod.spec... But anyway...
Adrian
----- Original message -----
From: Ben Parees <bpar...@redhat.com>
To: Weiqiang Zhuang <wzhu...@us.ibm.com>
Cc: users <users@lists.openshift.redhat.com>
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:48 AM
On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang <wzhu...@us.ibm.com> wrote:

Thanks Ben. Yes, the pod is running as root.

BTW, now I moved the privileged into the containers section and suddenly this works. Not sure why the securityContext behaves like this though.

Looks like privileged isn't a valid field for the securityContext within the pod.spec, so your value was being ignored.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dood
spec:
  containers:
  - securityContext:
      privileged: true
    name: docker-cmds
    image: argoproj/argoexec:v2.3.0
    command: ['sh', '-c', 'sleep 1d']
....
```

Adrian

----- Original message -----
From: Ben Parees <bpar...@redhat.com>
To: Weiqiang Zhuang <wzhu...@us.ibm.com>
Cc: users <users@lists.openshift.redhat.com>
Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
Date: Wed, Oct 2, 2019 11:27 AM
On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang <wzhu...@us.ibm.com> wrote:

On an OpenShift 3.11 cluster, we tried to run docker commands but all returned the following error:

```
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix /var/run/docker.sock: connect: permission denied
```

Has anyone run into a similar situation and come up with a solution? I have searched past posts and googled and tried, but so far without luck in making it work.

Detailed info:

An example Pod yaml file is

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: dood
spec:
  securityContext:
    privileged: true
  containers:
  - name: docker-cmds
    image: argoproj/argoexec:v2.3.0
    command: ['sh', '-c', 'sleep 1d']
    resources:
      requests:
        cpu: 10m
        memory: 256Mi
    volumeMounts:
    - mountPath: /var/run
      name: docker-sock
  volumes:
  - name: docker-sock
    hostPath:
      path: /var/run
```

On the host (compute node) machine, the socket looks like

```
# ls -l /var/run/docker.sock
srw-rw----. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
```

Inside the container, the mounted path looks like

```
# ls -l /var/run/docker.sock
srw-rw----. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
```

The serviceaccount running the container has been added to the `anyuid` and `hostmount-anyuid` SCCs.

can you confirm the pod container is running as uid 0/root?

Thanks.
Adrian
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
--Ben Parees | OpenShift
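A small audit script, added here as an example and not part of the thread or of any project mentioned in it, that applies the two lessons of the exchange to a pod manifest. It flags keys under pod.spec.securityContext that the v1 PodSecurityContext does not define, so a `privileged: true` placed there cannot take effect (the cause of the behaviour Ben pointed out), and it flags hostPath volumes that hand a container the node's Docker socket, because a process that can talk to that socket can start arbitrary privileged containers on the node and is effectively root there no matter what the pod's own securityContext says. It reads the JSON form of a pod (`oc get pod dood -o json` or `kubectl get pod dood -o json`). The set of PodSecurityContext fields is taken from the 1.16 API reference linked above; the Docker socket paths and the sample manifest are constructed for this example.

```python
"""Audit a v1 Pod (JSON form, e.g. `oc get pod dood -o json`) for misplaced
securityContext fields and hostPath volumes that expose the node's Docker socket."""
import json
import posixpath
import sys

# Constructed sample, modelled on the manifest in the thread: `privileged: true`
# sits under pod.spec.securityContext and the node's /var/run is mounted via hostPath.
CONSTRUCTED_POD_JSON = """
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "dood"},
  "spec": {
    "securityContext": {"privileged": true},
    "containers": [{
      "name": "docker-cmds",
      "image": "argoproj/argoexec:v2.3.0",
      "command": ["sh", "-c", "sleep 1d"],
      "volumeMounts": [{"mountPath": "/var/run", "name": "docker-sock"}]
    }],
    "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run"}}]
  }
}
"""

# Fields the v1 PodSecurityContext defines in the Kubernetes 1.16 API reference.
# Container-only settings (privileged, capabilities, allowPrivilegeEscalation,
# readOnlyRootFilesystem) are deliberately absent: they belong under
# spec.containers[].securityContext.
POD_SECURITY_CONTEXT_FIELDS = frozenset({
    "fsGroup", "runAsGroup", "runAsNonRoot", "runAsUser", "seLinuxOptions",
    "supplementalGroups", "sysctls", "windowsOptions",
})

# Where a node's Docker daemon socket conventionally lives (assumed list).
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def _covers(host_path: str, target: str) -> bool:
    """True if host_path equals target or is an ancestor directory of it."""
    host_path = posixpath.normpath(host_path)
    target = posixpath.normpath(target)
    return host_path == target or target.startswith(host_path.rstrip("/") + "/")


def audit_pod(pod: dict) -> list:
    """Return (severity, message) findings for a v1 Pod object."""
    findings = []
    spec = pod.get("spec") or {}

    # 1. Keys under pod.spec.securityContext that the API does not define there.
    #    Such a key cannot change the pod's behaviour, whatever its value.
    for field in spec.get("securityContext") or {}:
        if field not in POD_SECURITY_CONTEXT_FIELDS:
            findings.append(("error",
                f"pod.spec.securityContext.{field} is not a PodSecurityContext field "
                f"and has no effect; if it is a container setting, move it under "
                f"spec.containers[].securityContext"))

    # 2. hostPath volumes that are the Docker socket or a directory above it.
    socket_volumes = {}
    for vol in spec.get("volumes") or []:
        host = (vol.get("hostPath") or {}).get("path")
        if host and any(_covers(host, s) for s in DOCKER_SOCKET_PATHS):
            socket_volumes[vol["name"]] = host

    # 3. Per container: privileged mode, and mounts of the volumes found above.
    for c in spec.get("containers") or []:
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(("warning",
                f"container {c['name']} runs privileged: no capability, device or "
                f"seccomp restrictions, i.e. root on the node"))
        for m in c.get("volumeMounts") or []:
            if m["name"] in socket_volumes:
                findings.append(("warning",
                    f"container {c['name']} mounts node path {socket_volumes[m['name']]} "
                    f"at {m['mountPath']}, exposing the Docker socket; a process that can "
                    f"reach the socket can start arbitrary privileged containers on the node"))
    return findings


def audit_json(text: str) -> list:
    """Parse a Pod JSON document and audit it."""
    return audit_pod(json.loads(text))


if __name__ == "__main__":
    # Pipe `oc get pod <name> -o json` in, or run with no input to audit the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_POD_JSON
    for severity, message in audit_json(source):
        print(f"{severity}: {message}")
```

Against the constructed sample the script reports the pod-level `privileged` as an error and the `/var/run` mount as a warning. Moving `privileged: true` under the container, as the thread ends up doing, clears the error but the two warnings remain: the pod is then genuinely root-equivalent on the node, which is the thing the `anyuid` and `hostmount-anyuid` SCC grants were quietly allowing all along.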