
Re: oc new-app with root privileges



Hi All,

Apologies for bringing this back up, but I was busy with my exams and stuff, and now I'm back to solve this issue.

I did some research on my problem and the links I received from you guys.
Below is my dockerfile which I wrote to get the tgt service running and also the s2i tool working for the image.

FROM 172.30.79.210:5000/openshift/centos-with-bmi-setup_v1
MAINTAINER "Akshaya" <khare ak husky neu edu>
ENV container docker
ENV LIGHTTPD_VERSION=1.4.35
# Set labels used in OpenShift to describe the builder images
LABEL io.k8s.description="Platform for serving static HTML files" \
      io.k8s.display-name="Lighttpd 1.4.35" \
      io.openshift.expose-services="8080:http" \
      io.openshift.tags="builder,html,lighttpd"

#USER root
# Remove every systemd unit that cannot work inside a container, keeping only
# systemd-tmpfiles-setup.service (the test needs a space on both sides of "==";
# without it the [ ] test errors out and every unit, including tmpfiles-setup, is deleted)
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    rm -rf /lib/systemd/system/multi-user.target.wants/*; \
    rm -rf /etc/systemd/system/*.wants/*; \
    rm -rf /lib/systemd/system/local-fs.target.wants/*; \
    rm -rf /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -rf /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -rf /lib/systemd/system/basic.target.wants/*; \
    rm -rf /lib/systemd/system/anaconda.target.wants/*; \
    yum install -y git lighttpd && \
    # clean yum cache files, as they are not needed and will only make the image bigger in the end
    yum clean all
RUN systemctl enable tgtd.service

# Defines the location of the S2I scripts
# Although this is defined in openshift/base-centos7 image it's repeated here
# to make it clear why the following COPY operation is happening
# (the URL points at the COPY destination below)
LABEL io.openshift.s2i.scripts-url="image:///usr/local/s2i"
# Copy the S2I scripts from ./.s2i/bin/ to /usr/local/s2i when making the builder image
COPY ./.s2i/bin/ /usr/local/s2i

# Copy the lighttpd configuration file
COPY ./etc/ /opt/app-root/etc

# Specify the ports the final image will expose
EXPOSE 8080

# systemd expects the host cgroup tree to be visible; it is bind-mounted read-only at run time
VOLUME [ "/sys/fs/cgroup" ]
#VOLUME ["/sys/fs/cgroup:ro"]
CMD ["/usr/sbin/init"]

Turns out it was not an issue about the root access.
The service works automatically if I use the docker run command with volume group specified as below:

docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d docker.io/centos

Based on the below blog, systemd insists on looking at cgroup file system within a container: 
https://developers.redhat.com/blog/2014/05/05/running-systemd-within-docker-container/

So on running the image using the cgroup file system, the service works fine.
Without it, the service fails to start.

Is there a way to mount the volume group in openshift while starting an application using this image?

Thanks & Regards,
Akshaya
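
As an added example (not from the thread), here is the service-account approach Srinivas lists below combined with the read-only /sys/fs/cgroup mount asked about above, driven through oc. The names myproject, systemd-sa and tgt-app are placeholders, and the container name is assumed to match the DeploymentConfig name; note that -z names a service account, not a project, and that a hostPath volume needs an SCC that allows host directory mounts, which plain anyuid does not, so the built-in hostmount-anyuid SCC is granted to one dedicated service account rather than to the whole project.

```shell
#!/bin/sh
# Added example: scope the privileges a systemd-based image needs to a single
# service account, instead of granting anyuid to every pod in the project.
# PROJECT, SA and DC are placeholders; override them via the environment.
set -e

PROJECT="${PROJECT:-myproject}"
SA="${SA:-systemd-sa}"
DC="${DC:-tgt-app}"

# Render a strategic-merge patch for the DeploymentConfig: run under the
# dedicated service account and bind the host cgroup tree read-only, which is
# what systemd insists on. The container name is assumed to equal the DC name.
render_patch() {
  cat <<EOF
spec:
  template:
    spec:
      serviceAccountName: ${SA}
      containers:
      - name: ${DC}
        volumeMounts:
        - name: cgroup
          mountPath: /sys/fs/cgroup
          readOnly: true
      volumes:
      - name: cgroup
        hostPath:
          path: /sys/fs/cgroup
EOF
}

# Create the SA, grant it the one SCC that allows both any UID and host
# directory volumes (anyuid alone rejects hostPath), then patch the DC.
apply_all() {
  oc create serviceaccount "${SA}" -n "${PROJECT}"
  oc adm policy add-scc-to-user hostmount-anyuid -z "${SA}" -n "${PROJECT}"
  oc patch dc "${DC}" -n "${PROJECT}" -p "$(render_patch)"
}

# Verify which SCC admitted a running pod; it should print hostmount-anyuid.
check_scc() {
  oc get pod "$1" -n "${PROJECT}" \
    -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
}

if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Run it as `sh script.sh apply` from the project where the DeploymentConfig lives, then `check_scc <pod-name>` on the new pod.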



On Fri, Dec 2, 2016 at 5:30 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

Sorry, forgot to put blog link

http://developers.redhat.com/blog/2016/10/21/understanding-openshift-security-context-constraints/

-- 
Srinivas Kotaru


From: Srinivas Naga Kotaru <skotaru cisco com>
Date: Friday, December 2, 2016 at 2:27 PM
To: Akshaya Khare <khare ak husky neu edu>, Ben Parees <bparees redhat com>
Cc: users <users lists openshift redhat com>, Jordan Liggitt <jliggitt redhat com>


Subject: Re: oc new-app with root privileges

This is the blog post I am using to refer to the steps mentioned here. I haven't tested it yet, but this article talks about how to run a container using anyuid SCC privileges.

-- 
Srinivas Kotaru


From: Akshaya Khare <khare ak husky neu edu>
Date: Friday, December 2, 2016 at 1:59 PM
To: Ben Parees <bparees redhat com>
Cc: users <users lists openshift redhat com>, Srinivas Naga Kotaru <skotaru cisco com>, Jordan Liggitt <jliggitt redhat com>
Subject: Re: oc new-app with root privileges

Thanks Ben,

I'll check this reference.
Our developers in the team will need to start a service once the container is up.
But systemd is only accessible for my image if it is run as root.

Maybe I can try adding this startup script into the docker file as well.
I'll check both and let you know...

Regards,
AK


On Fri, Dec 2, 2016 at 4:47 PM, Ben Parees <bparees redhat com> wrote:
On Fri, Dec 2, 2016 at 4:35 PM, Akshaya Khare <khare ak husky neu edu> wrote:

Hi again,

I tried using the suggestions you guys gave but somehow it's still failing.
On further analysis I understood that this is not actually the image which I created.

Since I'm using source2image, the github source is being mapped on to my image which has root privileges.
Now my image creates a build and then a new pod is spawned up using that build.

Is there some other configuration within these steps which allows me to run the pod as a root user?
Or do these steps have nothing to do with the user issue I'm facing?


You can control the user the pod runs as by setting the pod's security context:
http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_podsecuritycontext

But it would be better to try to understand why your image needs to run as root and change file/etc permissions so that it does not require that.

Thanks,
AK


On Thu, Dec 1, 2016 at 6:31 PM, Srinivas Naga Kotaru (skotaru) <skotaru cisco com> wrote:

I was thinking below are the right steps as per my knowledge:

1. Create a service account
2. Grant anyuid SCC to this service account
3. And add service account details to dc object

I might be wrong but above steps are in my mind. Even I would like to get clarity on this topic: what is the right approach to run a container using anyuid privileges?

-- 
Srinivas Kotaru

 

From: <users-bounces lists openshift.redhat.com> on behalf of Ben Parees <bparees redhat com>
Date: Thursday, December 1, 2016 at 1:37 PM
To: Akshaya Khare <khare ak husky neu edu>, Jordan Liggitt <jliggitt redhat com>
Cc: users <users lists openshift redhat com>
Subject: Re: oc new-app with root privileges

On Thu, Dec 1, 2016 at 4:18 PM, Akshaya Khare <khare ak husky neu edu> wrote:

Hi,

I created my own image which can use s2i to use git urls for my internal projects.

The image has been created such that the systemd services will be working, and in order to do that the image had to be created with root user.

Now the container spawned from this image only works properly if I spawn it with the below command:

docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d my-image-name

The container works fine.

Unfortunately, whenever I try to create the container from the openshift ui, it creates the pod successfully but it doesn't have access to run it since it doesn't run it as a root user.

I tried to provide this command:

oadm policy add-scc-to-user anyuid -z project-name

But still the pod is created without the root user.

Is there any way to run the pod with root user via both cli or ui?


Assuming your built image defaults to running as root, adding the anyuid scc should be all you need to do for the image to run as that user, as far as I know.


--
Thanks & Regards,
Akshaya Khare

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

--
Ben Parees | OpenShift

--
Thanks & Regards,
Akshaya Khare
312-785-3508
