
RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping



Is this also such a user issue?
I am trying to start a Postgres DB (an image we created ourselves, so not the default postgres image).
Again the backoff restart loop:
docker logs show:
error: failed switching to "postgres": setgroups operation not permitted

> Date: Thu, 25 Feb 2016 08:44:41 -0500
> Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> From: ccoleman redhat com
> To: lorenz vanthillo outlook com
> CC: john skarbek ca com; users lists openshift redhat com
>
> Generally you would add your service account to the "anyuid" SCC,
> rather than change the meaning of "restricted".
>
> oadm policy add-scc-to-user anyuid -z default
>
> The default security model in OpenShift is "secure", i.e., defended.
> If you want to run root containers you can selectively add that as an
> admin, or change the definition of restricted.
>
> On Thu, Feb 25, 2016 at 7:08 AM, Lorenz Vanthillo
> <lorenz vanthillo outlook com> wrote:
> > I performed:
> >
> > 1. Edit the restricted SCC:
> >
> > $ oc edit scc restricted
> >
> >
> > And changed:
> >
> > runAsUser:
> >   type: MustRunAsRange
> >
> > to
> >
> > runAsUser:
> >   type: RunAsAny
> >
> >
> > But I assume that this is a bad solution. Although it's still not very clear
> > why OpenShift is using a random user inside a container.
> >
> >
> > ________________________________
> > From: lorenz vanthillo outlook com
> > To: john skarbek ca com
> > CC: users lists openshift redhat com
> > Subject: RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> > Date: Thu, 25 Feb 2016 12:11:51 +0100
> >
> >
> > Hi John,
> >
> > Thanks for the fast reply.
> >
> > "Running a container with an arbitrary user ID also has the benefit of
> > ensuring that a process which is able to escape the container due to a
> > vulnerability in the container framework will not have specific user
> > permissions on the host system."
> >
> > The permissions on the server.xml in the container are: -rw-------. 1 root
> > root. Here is a permission error in OpenShift.
> > How would you change these permissions to make it "world writable"? Isn't it
> > unsafe to make it "world writable"?
> >
> > Thanks
> >
> > ________________________________
> > From: John Skarbek ca com
> > To: users lists openshift redhat com; lorenz vanthillo outlook com
> > Subject: Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping
> > Date: Thu, 25 Feb 2016 10:58:13 +0000
> >
> > Lorenz,
> > The issue is not that the image is coming from a specific repo, but rather
> > the image itself is not fine-tuned for use within OpenShift. CrashLoop
> > indicates the container was able to start, but then crashed, and subsequent
> > restarts are resulting in the same.
> > In general your permissions are not set properly for this container to run
> > inside of OpenShift. I suggest modifying those permissions to be world
> > writable.
> > For additional information take a look at the "Support Arbitrary User IDs"
> > portion of this documentation
> >
> >
> >
> > --
> > John Skarbek
> >
> > On February 25, 2016 at 05:22:21, Lorenz Vanthillo
> > (lorenz vanthillo outlook com) wrote:
> >
> > I'm on Origin 1.1.3
> > I've pulled an image from a private registry (insecure: self-signed certs +
> > basic authentication).
> >
> > docker pull ec2-xxx:5000/image:2.3
> >
> > The image is on my node. I create a project where I will run an instance of
> > this image:
> > $ oc new-project image
> > $ oc new-app --insecure-registry ec2-xxx:5000/image:2.3
> >
> > W0225 09:55:55.322035 6777 pipeline.go:154] Could not find an image
> > stream match for "ec2xxx:5000/image:2.3". Make sure that a Docker image with
> > that tag is available on the node for the deployment to succeed.
> >
> > --> Found Docker image 51e260c (20 hours old) from ec2-xxx:5000 for
> > "ec2-xxx:5000/image:2.3"
> >
> >
> >
> > * This image will be deployed in deployment config "image"
> >
> > * Port 8080/tcp will be load balanced by service "image"
> >
> > * Other containers can access this service through the hostname
> > "image"
> >
> > * WARNING: Image "image" runs as the 'root' user which may not be
> > permitted by your cluster administrator
> >
> >
> >
> > --> Creating resources with label app=image ...
> >
> > deploymentconfig "image" created
> >
> > service "image" created
> >
> > --> Success
> >
> > Run 'oc status' to view your app.
> >
> >
> > oc status shows me:
> > Errors:
> > * container "image" in pod/image-1-3J24 is crash-looping
> >
> > Is it because there is no image stream for this image at the moment? I
> > already did the same steps with another image from the same registry and it
> > did not go into a loop.
> >
> > The logs of the container show:
> > $ docker logs 457deef27b1
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Unable to load server configuration from
> > [/usr/local/tomcat/conf/server.xml]
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Permissions incorrect, read permission is not allowed on the file.
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Unable to load server configuration from
> > [/usr/local/tomcat/conf/server.xml]
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina load
> > WARNING: Permissions incorrect, read permission is not allowed on the file.
> > Feb 25, 2016 9:57:27 AM org.apache.catalina.startup.Catalina start
> > SEVERE: Cannot start server. Server instance is not configured.
> >
> >
> > But when I just perform a 'docker run ec2-xxx:image:2.3' the container is
> > running fine. So it's no issue with the container.
> > 25-Feb-2016 10:16:44.047 INFO [localhost-startStop-1] xxx has finished in 41
> > ms
> > 25-Feb-2016 10:16:44.056 INFO [main] xxx
> > 25-Feb-2016 10:16:44.062 INFO [main] xxx
> > 25-Feb-2016 10:16:44.064 INFO [main]
> > org.apache.catalina.startup.Catalina.start Server startup in 13824 ms
> >
> > _______________________________________________
> > users mailing list
> > users lists openshift redhat com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> >
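
The permission question in this thread (server.xml at `-rw-------` root:root, and whether "world writable" is the right fix), worked through as an added example that is not part of any message above. It assumes GNU `stat`, and that the restricted SCC runs the container as an arbitrary non-root UID that is a member of GID 0, which is why OpenShift's image guidelines recommend `chgrp -R 0` plus `chmod -R g=u` instead of world-writable modes; `classify` and `audit_tree` are names invented for this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread. Models the process the "restricted"
# SCC starts: an arbitrary non-root UID that is a member of GID 0 (assumption).

# classify FILE_GID OCTAL_MODE -> access that process gets to the file
classify() {
    gid=$1
    m=$((0$2))                  # leading 0 makes the shell read the mode as octal
    other=$((m & 7))
    group=$(((m >> 3) & 7))
    # Writable by every UID on the system: it works, but it is the over-broad fix.
    if [ $((other & 2)) -ne 0 ]; then echo world-writable; return; fi
    # The UID never matches the owner, so the group bits apply when the file
    # belongs to GID 0 and the "other" bits apply otherwise.
    if [ "$gid" -eq 0 ]; then eff=$group; else eff=$other; fi
    if [ $((eff & 4)) -eq 0 ]; then echo unreadable
    elif [ $((eff & 2)) -ne 0 ]; then echo read-write
    else echo read-only
    fi
}

# audit_tree DIR -> one "verdict path" line per file that would either fail
# under an arbitrary UID or is open to every UID. Run it inside the image.
audit_tree() {
    find "$1" -type f -exec stat -c '%g %a %n' {} + |
    while read -r g a f; do
        v=$(classify "$g" "$a")
        case $v in unreadable|world-writable) echo "$v $f" ;; esac
    done
}

# Constructed cases matching the thread's server.xml (root:root):
classify 0 600    # unreadable      (mode from the thread; Tomcat cannot read it)
classify 0 660    # read-write      (after chgrp 0 + chmod g=u)
classify 0 666    # world-writable  (the fix questioned in the thread)
```

Running `audit_tree /usr/local/tomcat/conf` in the image before deploying lists the files that would reproduce the Tomcat failure, without granting the service account `anyuid`.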
