
AW: error running application using customized image stream



Hello,
I am again having a problem running my application using the image stream I created. As discussed last time, I changed the Dockerfile to use a non-root user. I have set the uid of this non-root user to 1001. But when I deploy the application, the pod crashes frequently. In the logs I can see the following:

sudo: unknown uid 1000110000: who are you?

This uid is the uid of the project in which I am running the application.
If I run the following, I get the following:

$oc rsh <container id> id
sh-4.2$ id
uid=1000110000 gid=0(root) groups=0(root),1000110000

Although, if I do $docker ps and run the following, I get the following:

$docker exec -it 1fe3bbf19cb0 bash
bash-4.2$ id
uid=1001 gid=0(root) groups=0(root),1000110000

I am now confused about why OpenShift isn't recognizing the uid set from its own uid-range.
Here is some more information:

oc describe project mec
Name:                  	 mec
Created:                	4 weeks ago
Labels:                 	<none>
Annotations:            	openshift.io/description=
                        		openshift.io/display-name=
                        		openshift.io/requester=dhanashree
                        		openshift.io/sa.scc.mcs=s0:c11,c0
                        		openshift.io/sa.scc.supplemental-groups=1000110000/10000
                        		openshift.io/sa.scc.uid-range=1000110000/10000
Display Name:          	 <none>
Description:            	<none>
Status:                 	Active
Node Selector:          	<none>
Quota:                  	<none>
Resource limits:        	<none>

You can find my Dockerfile here. (https://github.com/dhanugithub/omdockerimage/blob/master/Dockerfile)
Kindly help. Thank you.

Best Regards,
Dhanashree Kulkarni

brown-iposs GmbH
Friedrich-Breuer-Straße 120
53225 Bonn
Germany

Fon   +49 (0) 228 299 799 80
Fax   +49 (0) 228 299 799 84
mailto:birgit bachmann brown-iposs eu
www.brown-iposs.eu
www.facebook.com/browniposs
www.facebook.com/wimap4g

Directors: Dr. Bernd Schröder, Karsten Schmeling
Trade register: 14385, Country court Bonn
VAT-ID: DE814670174

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

-----Original Message-----
From: Dhanashree Kulkarni Kulkarni (dhanashree kulkarni brown-iposs eu) [mailto:dhanashree kulkarni brown-iposs eu]
Sent: Wednesday, August 08, 2018 3:04 PM
To: 'Aleksandar Lazic' <aleks me2digital eu>; 'Anton Hughes' <anton c hughes gmail com>
Cc: 'users lists openshift redhat com' <users lists openshift redhat com>
Subject: AW: error running application using customized image stream

Thank you so much. It worked. I changed the work directory in the Dockerfile and just appended 'sudo' before chown in om_install.sh and om.sh.
I had been struggling with this for 1 week. Now I can move ahead. Although the application is still not working, I am happy that the permission error is gone. I will now look into why the application isn't working.
I will post again in case of further queries.
Thank you again.


Best Regards,
Dhanashree Kulkarni

-----Original Message-----
From: Aleksandar Lazic [mailto:aleks me2digital eu]
Sent: Tuesday, August 07, 2018 6:06 PM
To: dhanashree kulkarni brown-iposs eu; 'Anton Hughes' <anton c hughes gmail com>
Cc: users lists openshift redhat com
Subject: Re: error running application using customized image stream

Hi.

On 07.08.2018 at 16:23, dhanashree kulkarni brown-iposs eu wrote:
>
> Hello, thank you for taking a look. I checked the link you provided and
> tried to change my Dockerfile accordingly, but it didn’t seem to work.
>
> So, I changed the Dockerfile to use a user called “ubuntu” and added
> this user to the sudoers of the container. Still I get the permission error.
>
> I added the following lines in the Dockerfile:
>
> RUN apt-get install -y libreoffice --no-install-recommends
>
> RUN apt-get install -y sudo && adduser ubuntu && echo "ubuntu ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu && chmod 4755 /etc/sudoers.d/ubuntu
>
> RUN su - ubuntu
>
> Is it advisable to change the default setting of OpenShift to use anyuser?
>

No, it's not a good idea.
The main problem is that https://github.com/openmeetings/openmeetings-docker
isn't prepared to run as a non-root user, which is in general not a good idea.

You can see this in these lines:
https://github.com/openmeetings/openmeetings-docker/blob/master/Dockerfile#L30
ENV work /root/work

https://github.com/openmeetings/openmeetings-docker/blob/master/scripts/om.sh#L15-L17

I suggest changing the Dockerfile and om.sh according to the suggestion from Anton in the keycloak Dockerfile.

https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16

At build time you can run some tasks as root, like yum install, but not at runtime.

You can change work to, let's say, /data/om and do all the work there.
At runtime just call '${TOMCAT_PATH}/bin/catalina.sh run'.

Regards
aleks

> *From:* kurrent93 gmail com [mailto:kurrent93 gmail com] *On behalf of* Anton Hughes
> *Sent:* Tuesday, August 07, 2018 1:12 PM
> *To:* dhanashree kulkarni brown-iposs eu
> *Cc:* users lists openshift redhat com
> *Subject:* Re: error running application using customized image stream
>
> By default OpenShift doesn't allow containers to run using the root user.
>
> Take a look at
> https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16
> for an example of giving the permissions and setting a non-root user.
>
> On 7 August 2018 at 21:38, <dhanashree kulkarni brown-iposs eu> wrote:
>
>     Hello,
>
>     My name is Dhanashree Kulkarni. I have installed OpenShift Origin all in
>     one in a CentOS 7 VM running on Proxmox VE.
>
>     I have built a Docker image using a Dockerfile, created an image
>     stream using that Docker image, and tagged and pushed it to the Docker
>     registry inside OpenShift. Now when I want to run the application using
>     this created image stream, it gives me a permission error.
>
>     I want to run the Apache Openmeetings application inside OpenShift. For that I
>     have used the Dockerfile created by Maxim Solodovnik
>     (https://github.com/openmeetings/openmeetings-docker). The ENTRYPOINT in
>     the Dockerfile seems to create this error.
>
>     **Steps Followed:**
>
>     git clone https://github.com/dhanugithub/openmeetings-docker.git
>     cd openmeetings-docker
>     ls
>     docker build -t om-server .
>     docker images
>     docker login -u openshift -p <TOKEN from web console> docker-registry-default.apps.x.x.x.x.nip.io
>     oc create is om-server -n mec
>     docker tag om-server docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
>     docker push docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
>
>     I am attaching the error log which I get after deploying the application.
>
>     If anyone can suggest some corrections, that would be great.
>
>     Thank you.
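Added example (not part of any post in this thread): a small shell diagnostic for the symptom in the first message, using the UID 1000110000 and the range 1000110000/10000 shown there. The function names and the sample passwd content are constructed for illustration, and the permission check looks only at mode bits, not at group ownership.

```shell
#!/bin/sh
# Diagnose why a pod started with a project-assigned UID trips over sudo
# and over directories prepared for a fixed build-time user.

# uid_in_range UID START/SIZE -> exit 0 if UID lies inside the project's uid-range
uid_in_range() {
    start=${2%/*}; size=${2#*/}
    [ "$1" -ge "$start" ] && [ "$1" -lt $((start + size)) ]
}

# has_passwd_entry UID FILE -> exit 0 if the passwd-format FILE names that UID.
# sudo's "unknown uid ...: who are you?" means this lookup failed.
has_passwd_entry() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# group_perms_match PATH -> exit 0 if the group bits equal the owner bits
# (the state "chmod g=u" leaves). The pod runs with gid 0, so group bits
# decide what the arbitrary UID may do on group-0 owned paths.
group_perms_match() {
    perms=$(ls -ld "$1" | cut -c2-7 | tr 'sS' 'x-')
    [ "$(printf %s "$perms" | cut -c1-3)" = "$(printf %s "$perms" | cut -c4-6)" ]
}

# diagnose UID RANGE PASSWD_FILE WORKDIR -> prints one finding per line
diagnose() {
    if uid_in_range "$1" "$2"; then echo "uid-assigned-by-project-range"
    else echo "uid-outside-project-range"; fi
    has_passwd_entry "$1" "$3" || echo "no-passwd-entry"
    group_perms_match "$4" || echo "workdir-group-perms-differ-from-owner"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed passwd file: the image knows uid 1001, not the runtime UID.
    printf 'root:x:0:0:root:/root:/bin/sh\napp:x:1001:0::/home/app:/bin/sh\n' > "$tmp/passwd"
    mkdir "$tmp/work"; chmod 755 "$tmp/work"   # owner rwx, group r-x
    diagnose 1000110000 1000110000/10000 "$tmp/passwd" "$tmp/work"
    rm -rf "$tmp"
}
demo
```
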