Sorry, forgot to put blog link

http://developers.redhat.com/blog/2016/10/21/understanding-openshift-security-context-constraints/

--
Srinivas Kotaru

From: Srinivas Naga Kotaru <skot...@cisco.com>
Date: Friday, December 2, 2016 at 2:27 PM
To: Akshaya Khare <khare...@husky.neu.edu>, Ben Parees <bpar...@redhat.com>
Cc: users <users@lists.openshift.redhat.com>, Jordan Liggitt 
<jligg...@redhat.com>
Subject: Re: oc new-app with root privileges

This is the blog post I am using to refer to the steps mentioned here. I haven't tested it yet, but this article talks about how to run a container using anyuid SCC privileges.

--
Srinivas Kotaru

From: Akshaya Khare <khare...@husky.neu.edu>
Date: Friday, December 2, 2016 at 1:59 PM
To: Ben Parees <bpar...@redhat.com>
Cc: users <users@lists.openshift.redhat.com>, Srinivas Naga Kotaru 
<skot...@cisco.com>, Jordan Liggitt <jligg...@redhat.com>
Subject: Re: oc new-app with root privileges

Thanks Ben,

I'll check this reference.
Our developers in the team will need to start a service once the container is up.
But systemd is only accessible for my image if it is run as root.

Maybe I can try adding this startup script into the docker file as well.
I'll check both and let you know...

Regards,
AK

On Fri, Dec 2, 2016 at 4:47 PM, Ben Parees <bpar...@redhat.com> wrote:


On Fri, Dec 2, 2016 at 4:35 PM, Akshaya Khare <khare...@husky.neu.edu> wrote:
Hi again,

I tried using the suggestions you guys gave, but somehow it's still failing.
On further analysis I understood that this is not actually the image which I 
created.

Since I'm using source2image, the github source is being mapped on to my image 
which has root privileges.
Now my image creates a build and then a new pod is spawned up using that build.

Is there some other configuration within these steps which allows me to run the pod as a root user?
Or do these steps have nothing to do with the user issue I'm facing?

You can control the user the pod runs as by setting the pod's security context:
http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_podsecuritycontext
But it would be better to try to understand why your image needs to run as root and change file/etc. permissions so that it does not require that.



Thanks,
AK

On Thu, Dec 1, 2016 at 6:31 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com> wrote:
I was thinking the below are the right steps, as per my knowledge:


1. Create a service account
2. Grant the anyuid SCC to this service account
3. Add the service account details to the dc object


I might be wrong, but the above steps are what I have in mind. I would also like to get clarity on this topic: what is the right approach to run a container using anyuid privileges?


--
Srinivas Kotaru

From: <users-boun...@lists.openshift.redhat.com> on behalf of Ben Parees <bpar...@redhat.com>
Date: Thursday, December 1, 2016 at 1:37 PM
To: Akshaya Khare <khare...@husky.neu.edu>, Jordan Liggitt <jligg...@redhat.com>
Cc: users <users@lists.openshift.redhat.com>
Subject: Re: oc new-app with root privileges



On Thu, Dec 1, 2016 at 4:18 PM, Akshaya Khare <khare...@husky.neu.edu> wrote:
Hi,

I created my own image which can use s2i to use Git URLs for my internal projects.

The image has been created such that the systemd services will be working, and 
in order to do that the image had to be created with root user.

Now the container spawned from this image only works properly if I spawn it with the below command:

docker run -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -d my-image-name

The container works fine.

Unfortunately, whenever I try to create the container from the OpenShift UI, it creates the pod successfully, but it doesn't have access to run it since it doesn't run it as a root user.

I tried to provide this command:

oadm policy add-scc-to-user anyuid -z project-name

But still the pod is created without the root user.

Is there any way to run the pod as the root user via both the CLI and the UI?

Assuming your built image defaults to running as root, adding the anyuid SCC should be all you need to do for the image to run as that user, as far as I know.



--
Thanks & Regards,
Akshaya Khare
312-785-3508

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



--
Ben Parees | OpenShift









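The three steps Srinivas lists (service account, anyuid grant, dc wiring), put into a runnable script as an added example that is not from anyone in the thread. It uses a dedicated service account rather than the project's `default` SA, and finishes by reading back which SCC actually admitted the pod; project, service-account and dc names are constructed placeholders, and it assumes an `oc` login with rights to edit SCC membership.

```shell
#!/usr/bin/env bash
# Added example, not code from anyone in the thread. Runs the three steps
# against a dedicated service account instead of the project's `default`
# SA, so the anyuid grant stays scoped to the one workload that needs it.
# Assumes `oc` is logged in as a user allowed to edit SCC membership and
# that the DeploymentConfig already exists.
set -euo pipefail

# Constructed placeholder names; override via the environment.
PROJECT="${PROJECT:-myproject}"
SA="${SA:-anyuid-runner}"
DC="${DC:-my-app}"

# Strategic-merge patch that points the dc's pod template at the service
# account. Kept as a pure function so it can be checked without a cluster.
dc_patch() {
  printf '{"spec":{"template":{"spec":{"serviceAccountName":"%s"}}}}' "$1"
}

grant_anyuid() {
  # 1. Dedicated service account for this workload.
  oc -n "$PROJECT" create serviceaccount "$SA"
  # 2. SCC membership is cluster-scoped; -z names a service account
  #    (not a project) in the namespace given by -n.
  oc adm policy add-scc-to-user anyuid -n "$PROJECT" -z "$SA"
  # 3. Make the dc's pods run under that SA; this triggers a new rollout.
  oc -n "$PROJECT" patch dc "$DC" -p "$(dc_patch "$SA")"
}

# Verification: OpenShift records the admitting SCC on each pod in the
# openshift.io/scc annotation. A pod still admitted by `restricted` means
# the grant or the dc wiring did not take effect.
admitted_scc() {
  oc -n "$PROJECT" get pod -l "deploymentconfig=$DC" \
    -o 'jsonpath={.items[0].metadata.annotations.openshift\.io/scc}'
}

# Only touch the cluster when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
  grant_anyuid
  echo "pod admitted by SCC: $(admitted_scc)"
fi
```

Run with `--apply` to make the changes; without it the script only defines the functions so they can be sourced and called one step at a time.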