
RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping



Lorenz,

The reason for using an arbitrary UID is to prevent the user inside of the container from having access to resources outside of the container if somehow breached. This includes resources on the host as well as resources accessed by other containers.

Since you don’t know what that user is going to be ahead of time, the solution would be to make the files needed by the user world readable, and if necessary world writable.

I would agree that the change you made is not the greatest, as this would allow the user specified in the docker image to run, potentially adding a bit of risk to the host, which may have a collision with the same username resources.

Should for some reason the container MUST run as a specific user (I’ve run into a couple of these cases), the documentation I linked can assist with that. It simply requires an extra bit of work but helps keep things in a safer state.



-- 
John Skarbek
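
The documentation John refers to, the "Support Arbitrary User IDs" section of the OpenShift image-creation guidelines, takes a narrower route than world-writable: files the application needs are given to the root group (GID 0), which every arbitrary UID is a member of, and the group gets the access the owner has. The script below is an added example and not code from this thread or from OpenShift. It audits an unpacked image directory for entries that a non-root, non-owner UID in group 0 could not read (the situation that produced the Tomcat "read permission is not allowed" warning for server.xml further down) and applies the group-0 fix in place. The sample tree it builds (a conf/server.xml with mode 0600) is constructed for illustration, and the function names are my own.

```python
"""Audit and repair image file permissions for OpenShift's arbitrary UID model.

Under the restricted SCC a container runs as a random, non-zero UID that owns
nothing in the image, but that UID is always a member of the root group
(GID 0).  So a file is usable only through its group bits (when its group is
0) or its world bits; the owner bits never apply.  Added example, not code
from the thread; the sample tree below is constructed for illustration.
"""
import os
import stat
import tempfile

_GROUP = {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP}
_OTHER = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}


def accessible_by_arbitrary_uid(mode, gid, want="r"):
    """True if a file with these st_mode bits and group id grants every
    permission in `want` (letters r/w/x) to a non-root UID that does not
    own the file and whose only group is GID 0."""
    perm = stat.S_IMODE(mode)
    via_group = gid == 0 and all(perm & _GROUP[c] for c in want)
    via_other = all(perm & _OTHER[c] for c in want)
    return bool(via_group or via_other)


def audit_tree(root, want="r"):
    """Walk `root` and return the sorted paths an arbitrary UID could not use.
    Directories additionally need 'x' to be traversed.  Symlinks are skipped;
    their targets are checked if they lie inside the tree."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        checks = [(dirpath, want + "x")]
        checks += [(os.path.join(dirpath, f), want) for f in filenames]
        for path, bits in checks:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if not accessible_by_arbitrary_uid(st.st_mode, st.st_gid, bits):
                problems.append(path)
    return sorted(problems)


def relax_for_root_group(root):
    """Apply the documented fix in place: chgrp -R 0 and chmod -R g=u, so
    group 0 gets exactly the owner's permissions and nothing is opened to
    the world.  Returns how many entries could not be given to group 0; a
    non-zero result means the chgrp half has to run at image build time as
    root (for example in a Dockerfile RUN step), where it will succeed."""
    chgrp_failures = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            try:
                os.chown(path, -1, 0)          # -1 leaves the owner unchanged
            except PermissionError:
                chgrp_failures += 1            # caller is not root / not in group 0
            perm = stat.S_IMODE(st.st_mode)
            group_bits = (perm & stat.S_IRWXU) >> 3   # owner rwx -> group rwx
            os.chmod(path, (perm & ~stat.S_IRWXG) | group_bits)
    return chgrp_failures


def mode_of(path):
    """Permission bits of `path` as an int, e.g. 0o660."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_sample_tree():
    """Constructed sample mirroring the thread: conf/server.xml readable only
    by its owner, the way the image from the private registry shipped it."""
    root = tempfile.mkdtemp(prefix="tomcat-")
    os.chmod(root, 0o755)
    conf = os.path.join(root, "conf")
    os.mkdir(conf)
    os.chmod(conf, 0o755)
    server_xml = os.path.join(conf, "server.xml")
    with open(server_xml, "w") as fh:
        fh.write('<Server port="8005"/>\n')
    os.chmod(server_xml, 0o600)
    return root, server_xml


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # audit a real unpacked image directory
        for p in audit_tree(sys.argv[1]):
            print("unusable by an arbitrary UID:", p)
    else:
        root, server_xml = build_sample_tree()
        print("before:", audit_tree(root))
        failures = relax_for_root_group(root)
        print("after: ", audit_tree(root), "chgrp failures:", failures)
```

Run it against the directory tree of an unpacked image (for example the Tomcat install under /usr/local/tomcat) before building; anything it lists is a file the container will fail on under the restricted SCC. The chgrp half only succeeds as root, so the natural place for the fix is a RUN step in the Dockerfile, where build steps execute as root; the chmod g=u half keeps the owner's permissions as the ceiling rather than granting write access to everyone.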

On February 25, 2016 at 07:09:07, Lorenz Vanthillo (lorenz vanthillo outlook com) wrote:

I performed:

1.     Edit the restricted SCC:

$ oc edit scc restricted

And changed:
runAsUser:
  type: MustRunAsRange

to

runAsUser:
  type: RunAsAny


But I assume that this is a bad solution. Although it's still not very clear why OpenShift is using a random user inside a container.



From: lorenz vanthillo outlook com
To: john skarbek ca com
CC: users lists openshift redhat com
Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
Date: Thu, 25 Feb 2016 12:11:51 +0100

Hi John,

Thanks for the fast reply.

"Running a container with an arbitrary user ID also has the benefit of ensuring that a process which is able to escape the container due to a vulnerability in the container framework will not have specific user permissions on the host system."

The permissions on the server.xml in the container are: -rw-------. 1 root root. Here is a permission error in OpenShift.
How would you change these permissions to make it "world writable"? Isn't it unsafe to make it "world writable"?

Thanks


From: John Skarbek ca com
To: users lists openshift redhat com; lorenz vanthillo outlook com
Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
Date: Thu, 25 Feb 2016 10:58:13 +0000

Lorenz,
The issue is not that the image is coming from a specific repo, but rather the image itself is not fine tuned for use within openshift. CrashLoop indicates the container was able to start, but then crashed, and subsequent restarts are resulting in the same.
In general your permissions are not set properly for this container to run inside of openshift. I suggest modifying those permissions to being world writable.
For additional information take a look at the Support Arbitrary User IDs portion of this documentation



-- 
John Skarbek

On February 25, 2016 at 05:22:21, Lorenz Vanthillo (lorenz vanthillo outlook com) wrote:

I'm on Origin 1.1.3
I've pulled an image from a private registry (insecure: self-signed certs + basic authentication).

docker pull ec2-xxx:5000/image:2.3

The image is on my node. I create a project where I will run an instance of this image:
$ oc new-project image
$ oc new-app --insecure-registry ec2-xxx:5000/image:2.3

W0225 09:55:55.322035    6777 pipeline.go:154] Could not find an image stream match for "ec2xxx:5000/image:2.3". Make sure that a Docker image with that tag is available on the node for the deployment to succeed.

--> Found Docker image 51e260c (20 hours old) from ec2-xxx:5000 for "ec2-xxx:5000/image:2.3"


    * This image will be deployed in deployment config "image"

    * Port 8080/tcp will be load balanced by service "image"

      * Other containers can access this service through the hostname "image"

    * WARNING: Image "image" runs as the 'root' user which may not be permitted by your cluster administrator


--> Creating resources with label app=image ...

    deploymentconfig "image" created

    service "image" created

--> Success

    Run 'oc status' to view your app.


oc status shows me:
Errors:
  * container "image" in pod/image-1-3J24 is crash-looping

Is it because there is no image-stream for this image at the moment? I had already done the same steps with another image from the same registry and it did not go into a loop.

The logs of the container show:
$ docker logs 457deef27b1
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina start
SEVERE: Cannot start server. Server instance is not configured.


But when I just perform an 'docker run ec2-xxx:image:2.3' the container is running fine. So it's no issue with the container.
25-Feb-2016 10:16:44.047 INFO [localhost-startStop-1] xxx has finished in 41 ms
25-Feb-2016 10:16:44.056 INFO [main] xxx
25-Feb-2016 10:16:44.062 INFO [main] xxx
25-Feb-2016 10:16:44.064 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 13824 ms

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

