
Re: User "admin" cannot get securitycontextconstraints at the cluster scope





On Thu, Aug 2, 2018 at 3:16 AM Traiano Welcome <traiano gmail com> wrote:
> Hi
>
> I was working through the O'Reilly book "OpenShift for developers" but the example on page 75, where tomcat8 is run, fails:
>
> - The container remains in crashloop backoff
> - The logs show the container is having permission issues:
>
> ----
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
> WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
> WARNING: Permissions incorrect, read permission is not allowed on the file.
> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina start
> SEVERE: Cannot start server. Server instance is not configured.
> ----
>
> - This appears to be due to openshift/minishift not allowing containers to run as root
> - I try installing the anyuid addon and running this command:
> - oc adm policy add-scc-to-user anyuid -z default -n tomcat8
> - However it fails with this error despite the anyuid addon being applied:
>
> ----
> Error from server (Forbidden): securitycontextconstraints "anyuid" is forbidden: User "admin" cannot get securitycontextconstraints at the cluster scope: User "admin" cannot get securitycontextconstraints at the cluster scope
> ----

The anyuid SCC is there to allow the container to run as root inside the container.
From the description you've provided it looks like you're trying to contact
the OpenShift API to get the list of SCCs, in which case your container's
ServiceAccount must allow doing so. I'd recommend having a look at the
docs, which explain in greater detail what SAs are [1], and what SCCs are [2].

[1] https://docs.openshift.org/latest/dev_guide/service_accounts.html
[2] https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

Maciej

 


> How do I fix this?
>
> Thanks in advance,
> Traiano
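
As an added illustration (not part of either message and not OpenShift source code), this simplified Python model shows what granting the anyuid SCC to the `default` service account in `tomcat8` changes for a pod that sets no runAsUser. The UID range start, the image user (root) and the root-owned 0600 mode of server.xml are constructed assumptions, and SCC selection is reduced to priority order.

```python
from dataclasses import dataclass, field

@dataclass
class SCC:
    name: str
    run_as_user: str                 # "MustRunAsRange" or "RunAsAny"
    priority: int = 0
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

def sa_identity(namespace, name):
    # Form in which a service account appears in an SCC's users list.
    return f"system:serviceaccount:{namespace}:{name}"

def add_scc_to_user(scc, namespace, sa):
    # Effect of `oc adm policy add-scc-to-user <scc> -z <sa> -n <namespace>`:
    # the cluster-scoped SCC object itself is updated, using the caller's rights.
    scc.users.add(sa_identity(namespace, sa))

def effective_uid(sccs, namespace, sa, image_uid, ns_uid_min):
    """(SCC name, UID) for a pod that sets no runAsUser; None if no SCC applies."""
    who = sa_identity(namespace, sa)
    usable = [s for s in sccs
              if who in s.users or "system:authenticated" in s.groups]
    if not usable:
        return None
    # Highest priority first; on a tie the more restrictive strategy is preferred.
    usable.sort(key=lambda s: (-s.priority, s.run_as_user == "RunAsAny"))
    scc = usable[0]
    return scc.name, image_uid if scc.run_as_user == "RunAsAny" else ns_uid_min

def can_read(uid, gid, owner_uid, owner_gid, mode):
    # Plain Unix permission check; UID 0 bypasses it.
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & 0o400)
    return bool(mode & (0o040 if gid == owner_gid else 0o004))

def demo():
    # Constructed values: image user 0 (root), namespace UID range starting at 1000000000.
    restricted = SCC("restricted", "MustRunAsRange", groups={"system:authenticated"})
    anyuid = SCC("anyuid", "RunAsAny", priority=10, groups={"system:cluster-admins"})
    args = ([restricted, anyuid], "tomcat8", "default", 0, 1000000000)
    before = effective_uid(*args)
    add_scc_to_user(anyuid, "tomcat8", "default")
    return before, effective_uid(*args)

if __name__ == "__main__":
    for scc_name, uid in demo():
        # server.xml modelled as root:root mode 0600 (assumption); container GID is 0.
        print(scc_name, uid, "reads server.xml:", can_read(uid, 0, 0, 0, 0o600))
```
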
