
Re: error running application using customized image stream



A typical OpenShift environment isn't going to let you run 'sudo' anyway even if you resolve the error.

As to the error, it is because the /etc/passwd file lacks a user entry for that user ID.

See section 'Support Arbitrary User IDs' in:

https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html

If you use the method described of making the passwd file writable and adding an entry from the entry point, only use the image with OpenShift. If you want to use the image outside of OpenShift with docker and when using docker the environment is not dropping capabilities for running setuid, you need to take extra steps to secure the image properly so people can't become root.

As to why you don't see the issue with docker as is: you will if you supply the '-u 1000110000' option to docker run.

Graham
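An added example, not part of Graham's reply and not code from the OpenShift docs or the openmeetings image: a POSIX sh entrypoint fragment that applies the "Support Arbitrary User IDs" pattern he points to, i.e. append a passwd entry for the arbitrary UID at start-up, which only works if the image made /etc/passwd group-writable at build time (the Dockerfile lines quoted in the comments are the assumed prerequisites). The PASSWD_FILE override, the --run flag and the refusal to mint a uid-0 entry are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the thread's "Support Arbitrary User IDs" problem; not the
# thread's or the OpenShift docs' code. OpenShift starts the container with a
# UID from the project's range (1000110000 above) that has no /etc/passwd
# entry, so anything that looks the UID up (sudo, whoami) fails. The pattern
# from the guidelines is to append an entry at start-up, which needs these
# build-time steps in the Dockerfile (assumed here, not shown in the thread):
#     RUN chgrp -R 0 /data/om && chmod -R g=u /data/om   # app dir, group root
#     RUN chmod g=u /etc/passwd                          # let gid 0 append
#     USER 1001                                          # any non-zero uid
# PASSWD_FILE is a hypothetical override so the functions can be exercised
# against a scratch file instead of the live /etc/passwd.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# ensure_passwd_entry UID GID HOME [NAME]
# Prints "present" if UID already has an entry, "added" after appending one,
# "refused" (exit 1) for a new uid-0 entry, "readonly" (exit 1) if the file
# is not writable by this process (image built without chmod g=u /etc/passwd).
ensure_passwd_entry() {
    uid="$1"; gid="$2"; home="$3"; name="${4:-default}"
    if grep -q "^[^:]*:[^:]*:${uid}:" "$PASSWD_FILE"; then
        echo present
        return 0
    fi
    # A writable passwd file must never be used to mint a second root account;
    # that is the kind of risk Graham's caveat about running the image outside
    # OpenShift (setuid still available) points at.
    if [ "$uid" -eq 0 ]; then
        echo refused
        return 1
    fi
    if [ ! -w "$PASSWD_FILE" ]; then
        echo readonly
        return 1
    fi
    printf '%s:x:%s:%s:%s user:%s:/bin/sh\n' \
        "$name" "$uid" "$gid" "$name" "$home" >> "$PASSWD_FILE"
    echo added
}

# passwd_entry_count UID: number of entries claiming UID; exactly 1 after a
# successful ensure_passwd_entry, never more.
passwd_entry_count() {
    grep -c "^[^:]*:[^:]*:$1:" "$PASSWD_FILE"
}

# Real entrypoint use (assumed form): entrypoint.sh --run <command...>
# Sourcing the file for tests does not reach this branch.
if [ "${1:-}" = "--run" ]; then
    shift
    ensure_passwd_entry "$(id -u)" "$(id -g)" "${HOME:-/tmp}" "${USER_NAME:-default}" \
        || exit 1
    exec "$@"
fi
```

With `docker run -u 1000110000 ...` (Graham's test) the "readonly" branch is what you hit when the image never ran `chmod g=u /etc/passwd`; on OpenShift the same branch is the symptom behind the `sudo: unknown uid` message, because the entry is never written and the lookup fails.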

On 17 Aug 2018, at 6:40 pm, dhanashree kulkarni brown-iposs eu wrote:

Hello,
I am again having a problem running my application using the image stream I created. As discussed last time, I had changed the Dockerfile to use a non-root user. I have set the uid of this non-root user to 1001. But when I deploy the application, the pod crashes frequently. In the logs I can see the following:

sudo: unknown uid 1000110000: who are you?

This uid is the uid of the project in which I am running the application.
If I run the following, I get this:

$oc rsh <container id> id
sh-4.2$ id
uid=1000110000 gid=0(root) groups=0(root),1000110000

Although, if I do $docker ps and then run the following, I get this:

$docker exec -it 1fe3bbf19cb0 bash
bash-4.2$ id
uid=1001 gid=0(root) groups=0(root),1000110000

I am now confused why openshift isn't recognizing the uid set from its own uid range.
Here is some more information:

oc describe project mec
Name:                   mec
Created:                 4 weeks ago
Labels:                  <none>
Annotations:             openshift.io/description=
                        openshift.io/display-name=
                        openshift.io/requester=dhanashree
                        openshift.io/sa.scc.mcs=s0:c11,c0
                        openshift.io/sa.scc.supplemental-groups=1000110000/10000
                        openshift.io/sa.scc.uid-range=1000110000/10000
Display Name:           <none>
Description:             <none>
Status:                  Active
Node Selector:           <none>
Quota:                   <none>
Resource limits:         <none>

You can find my Dockerfile here. (https://github.com/dhanugithub/omdockerimage/blob/master/Dockerfile)
Kindly help. Thank you.

Best Regards,
Dhanashree Kulkarni

brown-iposs GmbH
Friedrich-Breuer-Straße 120
53225 Bonn
Germany

Fon   +49 (0) 228 299 799 80
Fax   +49 (0) 228 299 799 84
mailto:birgit bachmann brown-iposs eu
www.brown-iposs.eu
www.facebook.com/browniposs
www.facebook.com/wimap4g

Directors: Dr. Bernd Schröder, Karsten Schmeling
Trade register: 14385, Country court Bonn
VAT-ID: DE814670174


This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

-----Original Message-----
From: Dhanashree Kulkarni Kulkarni (dhanashree kulkarni brown-iposs eu) [mailto:dhanashree kulkarni brown-iposs eu]
Sent: Wednesday, August 08, 2018 3:04 PM
To: 'Aleksandar Lazic' <aleks me2digital eu>; 'Anton Hughes' <anton c hughes gmail com>
Cc: 'users lists openshift redhat com' <users lists openshift redhat com>
Subject: RE: error running application using customized image stream

Thank you so much. It worked. I changed the work directory in the Dockerfile and just prepended 'sudo' to chown in om_install.sh and om.sh.
I had been struggling with this for a week. Now I can move ahead. Although the application is still not working, I am happy that the permission error is gone. I will now look into why the application isn't working.
I will post again in case of further queries.
Thank you again.


Best Regards,
Dhanashree Kulkarni


-----Original Message-----
From: Aleksandar Lazic [mailto:aleks me2digital eu]
Sent: Tuesday, August 07, 2018 6:06 PM
To: dhanashree kulkarni brown-iposs eu; 'Anton Hughes' <anton c hughes gmail com>
Cc: users lists openshift redhat com
Subject: Re: error running application using customized image stream

Hi.

On 07.08.2018 at 16:23, dhanashree kulkarni brown-iposs eu wrote:

Hello thank you for taking a look. I checked the link you provided and
tried to change my Dockerfile accordingly but it didn’t seem to work.

So, I changed the Dockerfile to use a user called “ubuntu” and added
this user to sudoers of container. Still I get the permission error.

I added the following lines in the Dockerfile:

RUN apt-get install -y libreoffice --no-install-recommends

# adduser without --disabled-password prompts for a password, and a docker build has no tty;
# sudo expects files in /etc/sudoers.d to be mode 0440 and rejects ones it considers unsafe
# (4755 is setuid and world-readable)
RUN apt-get install -y sudo && adduser --disabled-password --gecos "" ubuntu && echo "ubuntu ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu && chmod 0440 /etc/sudoers.d/ubuntu

# "RUN su - ubuntu" only affects that single build step; USER is what makes the
# following steps and the running container use the ubuntu account
USER ubuntu



Is it advisable to change default setting of openshift to use anyuser?


No, it's not a good idea.
The main problem is that the https://github.com/openmeetings/openmeetings-docker
isn't prepared to run as non root user which is in general not a good idea.

You can see this in these lines:
https://github.com/openmeetings/openmeetings-docker/blob/master/Dockerfile#L30
ENV work /root/work

https://github.com/openmeetings/openmeetings-docker/blob/master/scripts/om.sh#L15-L17

I suggest changing the Dockerfile and om.sh according to Anton's suggestion from the keycloak Dockerfile.

https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16

At build time you can run some tasks as root, like yum install, but not at runtime.

You can change the work directory to, let's say, /data/om and do all the work there.
At runtime just call '${TOMCAT_PATH}/bin/catalina.sh run'.

Regards
aleks

Best Regards,

Dhanashree Kulkarni






*From:* kurrent93 gmail com [mailto:kurrent93 gmail com] *On behalf of* Anton Hughes
*Sent:* Tuesday, August 07, 2018 1:12 PM
*To:* dhanashree kulkarni brown-iposs eu
*Cc:* users lists openshift redhat com
*Subject:* Re: error running application using customized image stream



By default OpenShift doesn't allow containers to run using the root user.



Take a look at
https://github.com/jboss-dockerfiles/keycloak/blob/master/server-openshift/Dockerfile#L9-L16
for an example of giving the permissions and setting a non-root user.



On 7 August 2018 at 21:38, dhanashree kulkarni brown-iposs eu wrote:

   Hello,

   My name is Dhanashree Kulkarni. I have installed OpenShift Origin all in
   one in a Centos 7 VM running on Proxmox VE.

   I have built a Docker image using a Dockerfile, and created an image
   stream using that Docker image and tagged and pushed it in the Docker
   registry inside OpenShift. Now when I want to run the application using
   this created image stream, it gives me permission error.

   I want to run Apache Openmeetings application inside OpenShift. For that I
   have used the Dockerfile created by Maxim Solodovnik
   (https://github.com/openmeetings/openmeetings-docker). The ENTRYPOINT in
   the Dockerfile seems to create this error.

   **Steps Followed:**

   git clone https://github.com/dhanugithub/openmeetings-docker.git
   cd openmeetings-docker
   ls
   docker build -t om-server .
   docker images
   docker login -u openshift -p <TOKEN from web console> docker-registry-default.apps.x.x.x.x.nip.io
   oc create is om-server -n mec
   docker tag om-server docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest
   docker push docker-registry-default.apps.x.x.x.x.nip.io/mec/om-server:latest



   I am attaching the error log which I get after deploying the application.

   If anyone can suggest some corrections, that would be great.

   Thank you.





   Best Regards,

   Dhanashree Kulkarni







   _______________________________________________
   users mailing list
   users lists openshift redhat com <mailto:users lists openshift redhat com>
   http://lists.openshift.redhat.com/openshiftmm/listinfo/users




