On Wed, Oct 2, 2019 at 3:01 PM Weiqiang Zhuang <wzhu...@us.ibm.com> wrote:

> According to this doc
> https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core
> `privileged` seems to be in both pod and container securityContext. Also
> have seen people use it in pod.spec... But anyway...

I don't see "privileged" listed here:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#podsecuritycontext-v1-core

I do see it here:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#securitycontext-v1-core

> Adrian
>
> ----- Original message -----
> From: Ben Parees <bpar...@redhat.com>
> To: Weiqiang Zhuang <wzhu...@us.ibm.com>
> Cc: users <users@lists.openshift.redhat.com>
> Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
> Date: Wed, Oct 2, 2019 11:48 AM
>
> On Wed, Oct 2, 2019 at 2:44 PM Weiqiang Zhuang <wzhu...@us.ibm.com> wrote:
>
> > Thanks Ben. Yes, the pod is running as root.
> >
> > BTW, now I moved the privileged into the containers section and suddenly
> > this works. Not sure why the securityContext behaves this way though.
>
> Looks like privileged isn't a valid field for the securityContext within
> the pod.spec, so your value was being ignored.
>
> > ```
> > apiVersion: v1
> > kind: Pod
> > metadata:
> >   name: dood
> > spec:
> >   containers:
> >   - securityContext:
> >       privileged: true
> >     name: docker-cmds
> >     image: argoproj/argoexec:v2.3.0
> >     command: ['sh', '-c', 'sleep 1d']
> >     ....
> > ```
> >
> > Adrian
> >
> > ----- Original message -----
> > From: Ben Parees <bpar...@redhat.com>
> > To: Weiqiang Zhuang <wzhu...@us.ibm.com>
> > Cc: users <users@lists.openshift.redhat.com>
> > Subject: [EXTERNAL] Re: docker command run from containers got permission denied on /var/run/docker.sock
> > Date: Wed, Oct 2, 2019 11:27 AM
> >
> > On Wed, Oct 2, 2019 at 1:38 PM Weiqiang Zhuang <wzhu...@us.ibm.com> wrote:
> >
> > > On an Openshift 3.11 cluster, we tried to run docker commands but all
> > > returned the following error:
> > >
> > > ```
> > > Got permission denied while trying to connect to the Docker daemon socket
> > > at unix:///var/run/docker.sock: Get
> > > http://%2Fvar%2Frun%2Fdocker.sock/v1.39/version: dial unix
> > > /var/run/docker.sock: connect: permission denied
> > > ```
> > >
> > > Has anyone run into a similar situation and come up with a solution? I have
> > > searched past posts and googled and tried, but so far without luck making
> > > it work.
> > >
> > > Detailed info:
> > >
> > > An example Pod yaml file is
> > >
> > > ```
> > > apiVersion: v1
> > > kind: Pod
> > > metadata:
> > >   name: dood
> > > spec:
> > >   securityContext:
> > >     privileged: true
> > >   containers:
> > >   - name: docker-cmds
> > >     image: argoproj/argoexec:v2.3.0
> > >     command: ['sh', '-c', 'sleep 1d']
> > >     resources:
> > >       requests:
> > >         cpu: 10m
> > >         memory: 256Mi
> > >     volumeMounts:
> > >     - mountPath: /var/run
> > >       name: docker-sock
> > >   volumes:
> > >   - name: docker-sock
> > >     hostPath:
> > >       path: /var/run
> > > ```
> > >
> > > On the host (compute nodes) machine, the socket looks like
> > >
> > > # ls -l /var/run/docker.sock
> > > srw-rw----. 1 root docker 0 Sep 15 11:55 /var/run/docker.sock
> > >
> > > Inside the container, the mounted path looks like
> > >
> > > # ls -l /var/run/docker.sock
> > > srw-rw----. 1 root 1001 0 Sep 15 18:55 /var/run/docker.sock
> > >
> > > The serviceaccount running the container has been added to the `anyuid`
> > > and `hostmount-anyuid` scc.
> >
> > can you confirm the pod container is running as uid 0/root?
> >
> > > Thanks.
> > >
> > > Adrian
> > >
> > > _______________________________________________
> > > users mailing list
> > > users@lists.openshift.redhat.com
> > > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> >
> > --
> > Ben Parees | OpenShift
>
> --
> Ben Parees | OpenShift

--
Ben Parees | OpenShift

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
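A small manifest linter for the mistake this thread turns on, added here as an example (not OpenShift or Kubernetes code): it flags container-only securityContext keys placed under `spec.securityContext`, which the API server silently drops, and reports what actually grants node access (a privileged container, a hostPath mount of the docker socket). The two manifests are constructed from the ones in the thread, and the field names come from the v1.16 API reference linked above.

```python
# Added example (not OpenShift or Kubernetes code): a small linter for the
# pod-level vs container-level securityContext mix-up in this thread. It
# flags container-only keys under spec.securityContext, which the API server
# silently drops, and reports what really grants host access.

# Container-only SecurityContext fields in the v1.16 API. PodSecurityContext
# has none of these keys, so setting them at pod level has no effect.
CONTAINER_ONLY = {"privileged", "capabilities", "readOnlyRootFilesystem",
                  "allowPrivilegeEscalation", "procMount"}

def exposes_docker_socket(volume):
    """True if a hostPath volume hands the container the docker socket."""
    path = volume.get("hostPath", {}).get("path", "")
    return path in ("/var/run", "/run") or path.endswith("docker.sock")

def lint_pod(manifest):
    """Return findings (list of str) for a pod manifest given as a dict."""
    findings = []
    spec = manifest.get("spec", {})
    for key in sorted(set(spec.get("securityContext", {})) & CONTAINER_ONLY):
        findings.append(f"spec.securityContext.{key}: not a PodSecurityContext "
                        "field, silently dropped; set it on the container")
    socket_vols = {v["name"] for v in spec.get("volumes", [])
                   if exposes_docker_socket(v)}
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(f"container {c['name']}: privileged=true")
        for m in c.get("volumeMounts", []):
            if m["name"] in socket_vols:
                findings.append(f"container {c['name']}: host docker socket "
                                f"mounted via volume {m['name']} (root on node)")
    return findings

# Constructed from the thread's two manifests (the volume section is
# repeated in the fixed one, since the original post elided it).
_CONTAINER = {"name": "docker-cmds", "image": "argoproj/argoexec:v2.3.0",
              "command": ["sh", "-c", "sleep 1d"],
              "volumeMounts": [{"mountPath": "/var/run", "name": "docker-sock"}]}
_VOLUMES = [{"name": "docker-sock", "hostPath": {"path": "/var/run"}}]
BROKEN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dood"},
              "spec": {"securityContext": {"privileged": True},
                       "containers": [_CONTAINER], "volumes": _VOLUMES}}
FIXED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "dood"},
             "spec": {"containers": [dict(_CONTAINER,
                                          securityContext={"privileged": True})],
                      "volumes": _VOLUMES}}

if __name__ == "__main__":
    for name, pod in (("broken", BROKEN_POD), ("fixed", FIXED_POD)):
        print(name, *lint_pod(pod), sep="\n  ")
```

Both manifests produce two findings: the first because the pod-level key does nothing, the second because the container is now genuinely privileged; the docker socket mount is reported either way, since it is root-equivalent on the node regardless of where `privileged` sits.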