On Sat, May 20, 2017 at 9:41 AM, Andrew Lau <andrew andrewklau com> wrote:

> Thanks, that clarifies it a bit more.
>
> What relationship do these UIDs have to the `docker run --user` parameter?

It should be basically the same behavior.

> What confuses me still is with MustRunAsRange I can start a Docker container that has no USER (i.e. root). However, if I go to run that same image on Docker natively with something like `docker run --user=1001 redis` it'll run into permission errors.

If you oc rsh into the container on OpenShift and run "whoami", what user is it running as?
On Sat, 20 May 2017 at 23:11 Clayton Coleman <ccoleman redhat com> wrote:

Range means that the uid will be defaulted and limited to the range
specified on the namespace (scc.sa.uid). The default is the first
element in the range.

NonRoot may not apply defaulting (although technically it could), and
simply requires that the container have a non zero, numeric uid.

Defaulting is a little special here - we don't default in the API, but
instead wait until the container image is pulled. If the image has a
user > 0 (numeric) it'll be allowed through, otherwise the pod should

Now that we have the image resolver, it would certainly be possible to
do that calculation via image resolution and report it to get early
> On May 20, 2017, at 6:27 AM, Andrew Lau <andrew andrewklau com> wrote:
> I'm looking to find some clarification on the difference between MustRunAsRange vs MustRunAsNonRoot
> MustRunAsRange seems to be the cluster default; this allows containers to run even if they do not have a USER definition.
> Many pages seem to tout OpenShift does not run containers as root, and the web console also suggests it may be blocked but still lets them run.
> users mailing list
> users lists openshift redhat com
-- 
Ben Parees | OpenShift
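As an added example (not code from this thread or from OpenShift itself), here is a small Python model of the two strategies as Clayton describes them: MustRunAsRange defaults the uid to the first element of the namespace range and rejects anything outside it, while MustRunAsNonRoot does no defaulting and requires a non-zero numeric uid, taken from the pod spec or, after the image is pulled, from the image USER. The annotation name `openshift.io/sa.scc.uid-range` and its `start/size` format are assumptions, as is the sample range value.

```python
# Model of the two SCC runAsUser strategies discussed in the thread.
# Assumption: the namespace range is the annotation
# openshift.io/sa.scc.uid-range in "start/size" form (sample value constructed).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Decision:
    allowed: bool
    uid: Optional[int]   # effective uid the container would run as, if known
    reason: str

def parse_uid_range(annotation: str) -> range:
    """'1000000000/10000' -> range(1000000000, 1000010000)."""
    start, size = (int(x) for x in annotation.split("/", 1))
    if size <= 0:
        raise ValueError("uid range size must be positive")
    return range(start, start + size)

def must_run_as_range(run_as_user: Optional[int], ns_range: range) -> Decision:
    """Admission-time: default to the first uid, otherwise require uid in range.
    The image USER is irrelevant; the defaulted uid overrides it at runtime."""
    if run_as_user is None:
        return Decision(True, ns_range.start, "defaulted to first uid in namespace range")
    if run_as_user in ns_range:
        return Decision(True, run_as_user, "runAsUser within namespace range")
    return Decision(False, None, f"runAsUser {run_as_user} outside {ns_range.start}-{ns_range[-1]}")

def must_run_as_non_root(run_as_user: Optional[int], image_user: Optional[str]) -> Decision:
    """No defaulting: an explicit runAsUser must be non-zero; otherwise the
    image USER (known only after the pull) must be a non-zero numeric uid."""
    if run_as_user is not None:
        if run_as_user == 0:
            return Decision(False, None, "explicit runAsUser 0 is root")
        return Decision(True, run_as_user, "explicit non-zero runAsUser")
    if image_user is None:
        return Decision(False, None, "image has no USER, would run as root")
    if not image_user.isdigit():
        return Decision(False, None, f"image USER {image_user!r} is not numeric")
    uid = int(image_user)
    if uid == 0:
        return Decision(False, None, "image USER is 0 (root)")
    return Decision(True, uid, "image USER is a non-zero numeric uid")

if __name__ == "__main__":
    ns = parse_uid_range("1000000000/10000")   # constructed sample annotation
    # The thread's case: an image with no USER and no runAsUser in the pod spec.
    print(must_run_as_range(None, ns))        # allowed, uid 1000000000
    print(must_run_as_non_root(None, None))   # denied, would run as root
```

Running it shows why the same USER-less image is admitted under the range strategy (it is simply given the namespace's first uid) but rejected under NonRoot, which has nothing to fall back on.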