
Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping



Generally you would add your service account to the "anyuid" SCC,
rather than change the meaning of "restricted".

    oadm policy add-scc-to-user anyuid -z default

The default security model in OpenShift is "secure", i.e., defended.
If you want to run root containers you can selectively add that as an
admin, or change the definition of restricted.

On Thu, Feb 25, 2016 at 7:08 AM, Lorenz Vanthillo
<lorenz vanthillo outlook com> wrote:
> I performed:
>
> 1.     Edit the restricted SCC:
>
> $ oc edit scc restricted
>
>
> And changed:
>
> runAsUser:
>   type: MustRunAsRange
>
> to
>
> runAsUser:
>   type: RunAsAny
>
>
> But I assume that this is a bad solution. Although it's still not very clear
> why OpenShift is using a random user inside a container.
>
>
> ________________________________
> From: lorenz vanthillo outlook com
> To: john skarbek ca com
> CC: users lists openshift redhat com
> Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> Date: Thu, 25 Feb 2016 12:11:51 +0100
>
>
> Hi John,
>
> Thanks for the fast reply.
>
> "Running a container with an arbitrary user ID also has the benefit of
> ensuring that a process which is able to escape the container due to a
> vulnerability in the container framework will not have specific user
> permissions on the host system."
>
> The permissions on the server.xml in the container are: -rw-------. 1 root
> root. Here is a permission error in OpenShift.
> How would you change these permissions to make it "world writable"? Isn't it
> unsafe to make it "world writable"?
>
> Thanks
>
> ________________________________
> From: John Skarbek ca com
> To: users lists openshift redhat com; lorenz vanthillo outlook com
> Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> Date: Thu, 25 Feb 2016 10:58:13 +0000
>
> Lorenz,
> The issue is not that the image is coming from a specific repo, but rather
> the image itself is not fine tuned for use within openshift. CrashLoop
> indicates the container was able to start, but then crashed, and subsequent
> restarts are resulting in the same.
> In general your permissions are not set properly for this container to run
> inside of openshift. I suggest modifying those permissions to being world
> writable.
> For additional information take a look at Support Arbitrary User ID's
> portion of this documentation
>
>
>
> --
> John Skarbek
>
> On February 25, 2016 at 05:22:21, Lorenz Vanthillo
> (lorenz vanthillo outlook com) wrote:
>
> I'm on Origin 1.1.3
> I've pulled an image from a private registry (insecure: self-signed certs +
> basic authentication).
>
> docker pull ec2-xxx:5000/image:2.3
>
> The image is on my node. I create a project where I will run an instance of
> this image:
> $ oc new-project image
> $ oc new-app --insecure-registry ec2-xxx:5000/image:2.3
>
> W0225 09:55:55.322035    6777 pipeline.go:154] Could not find an image
> stream match for "ec2xxx:5000/image:2.3". Make sure that a Docker image with
> that tag is available on the node for the deployment to succeed.
>
> --> Found Docker image 51e260c (20 hours old) from ec2-xxx:5000 for
> "ec2-xxx:5000/image:2.3"
>
>
>
>     * This image will be deployed in deployment config "image"
>
>     * Port 8080/tcp will be load balanced by service "image"
>
>       * Other containers can access this service through the hostname
> "image"
>
>     * WARNING: Image "image" runs as the 'root' user which may not be
> permitted by your cluster administrator
>
>
>
> --> Creating resources with label app=image ...
>
>     deploymentconfig "image" created
>
>     service "image" created
>
> --> Success
>
>     Run 'oc status' to view your app.
>
>
> oc status shows me:
> Errors:
>   * container "image" in pod/image-1-3J24 is crash-looping
>
> Is it because there is no image-stream for this image at the moment? I
> already did the same steps with another image from the same registry and it
> did not go into a loop.
>
> The logs of the container show:
> $ docker logs 457deef27b1
> Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.
> Catalina load
> WARNING: Unable to load server configuration from
> [/usr/local/tomcat/conf/server.xml]
> Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> WARNING: Permissions incorrect, read permission is not allowed on the file.
> Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> WARNING: Unable to load server configuration from
> [/usr/local/tomcat/conf/server.xml]
> Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> WARNING: Permissions incorrect, read permission is not allowed on the file.
> Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina start
> SEVERE: Cannot start server. Server instance is not configured.
>
>
> But when I just perform a 'docker run ec2-xxx:image:2.3' the container is
> running fine. So it's no issue with the container.
> 25-Feb-2016 10:16:44.047 INFO [localhost-startStop-1] xxx has finished in 41
> ms
> 25-Feb-2016 10:16:44.056 INFO [main] xxx
> 25-Feb-2016 10:16:44.062 INFO [main] xxx
> 25-Feb-2016 10:16:44.064 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 13824 ms
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openshift.redhat.com_openshiftmm_listinfo_users&d=CwICAg&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=8IlWeJZqFtf8Tvx1PDV9NsLfM_M0oNfzEXXNp-tpx74&m=HHhWXrx0bumM_yqZ6f4wecTofvnXLn09S6iTTCb1wEE&s=dZNG1Ur0Iu7DWNi8m2O91SdIGxsW96hU1SCIuacY4O0&e=
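Added example, not from the thread or from OpenShift's own tooling: a POSIX shell script that audits and fixes an image directory (such as Tomcat's conf/) for the arbitrary-UID model discussed above. The restricted SCC runs the container as a random UID but always with GID 0, so the documented fix is to give the root group the owner's rights (chgrp 0 plus chmod g=u) rather than making files world-writable; the optional GID argument defaults to 0 and exists only so a non-root user can exercise the check (assumes GNU or BSD stat).

```shell
#!/bin/sh
# Prepare a directory for OpenShift's arbitrary UID (random UID, GID 0).
# Usage during an image build, running as root:
#   fix_arbitrary_uid_perms /usr/local/tomcat/conf
# Files end up e.g. -rw-rw---- root:root, readable by GID 0 but not by "other".

# Print "<octal mode> <gid>" for a path, trying GNU stat then BSD stat.
file_mode_gid() {
  stat -c '%a %g' "$1" 2>/dev/null || stat -f '%Lp %g' "$1"
}

# Succeed if the octal MODE grants the group read permission.
group_has_read() {
  [ $(( (0$1 >> 3) & 4 )) -ne 0 ]
}

# List regular files under DIR that a process with GID (default 0) could not
# read: owned by another group, or lacking g+r (the server.xml case above).
# Prints one offending path per line; empty output means the tree is ready.
audit_arbitrary_uid() {
  dir=$1; want_gid=${2:-0}
  find "$dir" -type f | while IFS= read -r f; do
    set -- $(file_mode_gid "$f")      # $1 = octal mode, $2 = gid
    if [ "$2" != "$want_gid" ] || ! group_has_read "$1"; then
      printf '%s\n' "$f"
    fi
  done
}

# Hand ownership to the root group (default) and give the group exactly the
# owner's permissions. "other" is left untouched, so nothing becomes world-writable.
fix_arbitrary_uid_perms() {
  dir=$1; want_gid=${2:-0}
  chgrp -R "$want_gid" "$dir" && chmod -R g=u "$dir"
}
```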