On 05/18/2016 05:58 PM, Dusty Mabe wrote:

On 05/18/2016 07:10 AM, Clayton Coleman wrote:
It was a deliberate choice, predicated on other changes coming to
Docker (user namespaces) plus the desire to ensure demos run.

I guess this was surprising to me. To me part of the "promise" of
the CDK is that you are running in an Environment that more closely
resembles production. I know there are many places where this promise
falls apart, but this seems like a fundamental one since this is the
one huge learning gap when going from running in kube to running in
openshift.

Will documentation in CDK/ADB about how to migrate applications to production OpenShift help, until we have "oc debug"?

I would almost prefer for this to be a question asked on startup of
the cdk (that can be overridden). The question could explain the
limitation and why it will exist in production and then the user can
choose if they want to ignore and run without restrictions.

I am conservative about asking questions during setup as it reduces the user experience and we are not sure if the user has enough knowledge about it.

As a side note, how far off are user namespaces? From my understanding
that's not really coming soon.

Ultimately, the CDK is a playground.  Putting up chain link fences
around the playground sends the wrong message.

I'd prefer to have it easier to go between the levels in the short
term than to ratchet it back.


On May 17, 2016, at 11:27 PM, Dusty Mabe <[email protected]> wrote:


Currently we are configuring openshift in the CDK/ADB to be more
permissive than it should be when running containers.

At [1] we are setting:

    oadm policy add-scc-to-group anyuid system:authenticated

From my experiments this means that containers run as anyuid and thus
can be root, cc clayton for confirmation.

What this means is that we are misleading users into thinking things
will run in production OpenShift, when the production OpenShift most
likely won't have things configured this way.

We should probably not be doing this. Reverting this change will also
mean that proposed demos, etc. should be retested on the newer version
meticulously.

Dusty

[1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
_______________________________________________
Devtools mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/devtools
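
Added example, not part of the original thread or of the adb-utils scripts: a check over `oc get scc -o json` output that reports any SCC allowing an arbitrary UID (and so root) that is granted to every authenticated user, which is the state the `add-scc-to-group` command quoted above produces. The JSON sample is constructed and trimmed to the fields read; the function name is hypothetical.

```python
import json

# Groups that match every user; an SCC granted to one applies cluster-wide.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample shaped like `oc get scc -o json`, trimmed to the fields
# read below, as it would look after the add-scc-to-group command in the thread.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "anyuid"},
     "runAsUser": {"type": "RunAsAny"},
     "groups": ["system:cluster-admins", "system:authenticated"]},
    {"metadata": {"name": "restricted"},
     "runAsUser": {"type": "MustRunAsRange"},
     "groups": ["system:authenticated"]},
    {"metadata": {"name": "privileged"},
     "runAsUser": {"type": "RunAsAny"},
     "groups": None},
]})


def root_capable_for_everyone(scc_list_json):
    """Return (scc_name, broad_groups) for SCCs that let any user pick UID 0."""
    findings = []
    for scc in json.loads(scc_list_json).get("items", []):
        run_as = (scc.get("runAsUser") or {}).get("type")
        broad = sorted(BROAD_GROUPS.intersection(scc.get("groups") or []))
        # RunAsAny places no limit on the container UID, so root is allowed.
        if run_as == "RunAsAny" and broad:
            findings.append((scc["metadata"]["name"], broad))
    return findings


if __name__ == "__main__":
    for name, groups in root_capable_for_everyone(SAMPLE):
        for group in groups:
            print(f"{name}: granted to {group}; revert with: "
                  f"oadm policy remove-scc-from-group {name} {group}")
```

The `restricted` SCC is not reported even though it is granted to `system:authenticated`, because its `MustRunAsRange` strategy confines containers to the project's UID range.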

