
Re: Issue with running a docker container in OKD



Images run on OKD by default are assigned a random UID at runtime. Images which assume the container is running as root tend to fail. Can the binaries listed only be run by the root user?

You can either update your Dockerfile to `chmod +x` those binaries (anyone can execute), or you can do the more dangerous thing and create a security context constraint that allows the container to run as root [1].

[1] https://docs.okd.io/3.11/admin_guide/manage_scc.html#enable-dockerhub-images-that-require-root

On Fri, Jan 31, 2020 at 1:34 PM Nishant Trivedi <nishant paravision ai> wrote:
Hi folks,

I'm trying out OKD to install and manage a suite of microservices and running into a weird problem while trying to create a container from a docker image.

To provide some details about the docker image I'm using, this image creates a user and a group in the beginning and does all operations as this user instead of root. So something like:

FROM ubuntu:18.04
RUN groupadd shire && \
      useradd --create-home -g shire frodo
...
USER frodo
RUN pip3 install -U --user --no-cache-dir Pyro4 supervisor==4.0.3

It then uses a utility called "supervisor" to start and maintain multiple processes. So for the docker container the last few lines look like:

COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ENTRYPOINT ["/bin/bash", "-c"]
CMD ["supervisord -c /etc/supervisor/conf.d/supervisord.conf"]

I've run this image manually on a cloud instance and it runs without problems.

Now when I run it on OKD, the container is started with a user that is different from the one defined by the docker image (as far as I can tell because when I log into the pod, the user is reported as "1000280000"). The "supervisor" process is started by this user and hence it is not able to execute the "pyro4-ns" command which is installed in the path "/home/frodo/.local/bin/". In the docker container logs I see the following lines:
2020-01-31 17:00:06,883 INFO supervisord started with pid 1
2020-01-31 17:00:07,885 INFO spawnerr: no permission to run command '/home/frodo/.local/bin/pyro4-ns'
2020-01-31 17:00:08,886 INFO spawnerr: no permission to run command '/home/frodo/.local/bin/pyro4-ns'
2020-01-31 17:00:13,894 INFO gave up: pyro-ns entered FATAL state, too many start retries too quickly

Is there a way to instruct OKD to start the container as a different user? Or is my understanding incorrect? I'm running the image by pulling the image through the deployment flow on OKD web console. I'm attaching the full sample Dockerfile and the supervisord.conf with the message.

Appreciate any help on this issue.

Best,
--
Nishant.


--

Adam Kaplan

He/Him

Senior Software Engineer - OpenShift

Red Hat

100 E. Davie St. Raleigh, NC 27601 USA

adam kaplan redhat com    T: +1-919-754-4843     IM: adambkaplan
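
Added example, not part of the thread: a POSIX shell check for the failure discussed above, which walks every component of a path and reports the first directory or file whose mode bits deny search/execute to a given UID:GID. The function names and the pod running with GID 0 are assumptions; it needs a `stat` that supports `-L` and `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the thread). Mode bits only: ACLs, SELinux and
# capabilities are ignored, and the UID being checked is assumed to be non-root.

# x_ok UID GID PATH: succeed if PATH's mode grants execute/search to UID:GID.
x_ok() {
    info=$(stat -L -c '%u %g %a' "$3") || return 1
    set -- "$1" "$2" $info          # now $3=owner uid, $4=owner gid, $5=octal mode
    mode=$((0$5))                   # leading 0 makes the shell read it as octal
    if   [ "$1" -eq "$3" ]; then bit=$(( (mode >> 6) & 1 ))   # owner class
    elif [ "$2" -eq "$4" ]; then bit=$(( (mode >> 3) & 1 ))   # group class
    else                         bit=$((  mode       & 1 ))   # other class
    fi
    [ "$bit" -eq 1 ]
}

# can_exec_as UID GID ROOT RELPATH: check every component of RELPATH below ROOT
# (ROOT is "" for the live filesystem, or the directory of an unpacked image
# rootfs; ROOT itself is not checked). Prints the first blocking component.
can_exec_as() {
    ce_uid=$1 ce_gid=$2 cur=$3 rest=${4#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue          # skip empty components ("//")
        cur=$cur/$part
        if ! x_ok "$ce_uid" "$ce_gid" "$cur"; then
            echo "blocked at $cur" >&2
            return 1
        fi
    done
    return 0
}

# Inside the pod from the thread, using the UID it reported and assuming GID 0:
#   can_exec_as 1000280000 0 "" /home/frodo/.local/bin/pyro4-ns
```

Running it at image build time against the final layer shows whether a `chmod` in the Dockerfile actually opened every directory on the way to the binary, not just the binary itself.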

