Re: runAsUser.Type values

OK, thanks.

What's the recommended approach to running a specific container that cannot work with an allocated ID from the range?
I try running such an image (oc new-app repo/image) as a normal user and it fails as it doesn't run with a randomly assigned userid.

I can resolve this by editing the "restricted" SCC configuration, but that would apply to all containers which might not be what is wanted.
Instead I tried doing this with the system:admin user as I believed that would do this with the privileged SCC, but that does not seem to be the case as the container fails to start for the same reason as when running with a normal user.

So what is the recommended approach for running a specific container with a different SCC?


On 08/06/2017 18:34, Vyacheslav Semushin wrote:
2017-06-08 19:17 GMT+02:00 Tim Dudgeon <tdudgeon ml gmail com>:
I'm struggling to find a full definition of the different values for the runAsUser.Type option for Security Context Constraints.

I found mention of MustRunAsRange, RunAsAny and MustRunAsNonRoot.

Is there an option to run as the specified user unless it is root, in which case allocate an id from the range?

I think no, there is no such option.

The behavior that you are requesting could be unexpected for many users. If someone defines that his image needs to be run under the root user, then he has a reason for that. In most cases, it means that if OpenShift tries to run such an image under an unprivileged user, the container won't start or won't work.

Slava Semushin | OpenShift

users mailing list
users lists openshift redhat com
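
The three runAsUser.Type values named in this thread, modeled as a Go function that returns the UID a container ends up with under each one. This is an added example, not part of the original messages and not OpenShift's own code; the `RunAsUser` type, the `EffectiveUID` function and the UID range are hypothetical, and the behavior modeled follows the OpenShift SCC documentation.

```go
package main

import "fmt"

// RunAsUser models the runAsUser stanza of an SCC (hypothetical type for
// illustration, not OpenShift's own code).
type RunAsUser struct {
	Type     string
	Min, Max int64 // MustRunAsRange only; normally taken from the project
}

var ErrRejected = fmt.Errorf("rejected by SCC runAsUser strategy")

// EffectiveUID returns the UID the container ends up with. requested is the
// pod's securityContext.runAsUser (nil when unset); imageUID is the numeric
// USER of the image, which applies only when nothing else sets a UID.
func EffectiveUID(s RunAsUser, requested *int64, imageUID int64) (int64, error) {
	uid := imageUID
	if requested != nil {
		uid = *requested
	}
	switch s.Type {
	case "MustRunAsRange": // default is the range minimum; image USER is ignored
		if requested == nil {
			return s.Min, nil
		}
		if uid < s.Min || uid > s.Max {
			return 0, ErrRejected
		}
		return uid, nil
	case "MustRunAsNonRoot": // no default; UID 0 is refused
		if uid == 0 {
			return 0, ErrRejected
		}
		return uid, nil
	case "RunAsAny": // no default, no restriction
		return uid, nil
	}
	return 0, fmt.Errorf("unknown runAsUser.Type %q", s.Type)
}

func main() {
	restricted := RunAsUser{Type: "MustRunAsRange", Min: 1000130000, Max: 1000139999} // constructed range
	fmt.Println(EffectiveUID(restricted, nil, 0)) // image USER is root, pod sets no runAsUser
}
```

The `main` call reproduces the situation in the question: an image built to run as root is given the first UID of the range under MustRunAsRange, so it starts as an unprivileged user rather than being rejected.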