How do you run an Openshift Docker container as something besides root?
I'm currently running Openshift, but I am running into a problem when I try to build/deploy my custom Docker container. The container works properly on my local machine, but once it gets built in openshift and I try to deploy it, I get the error message. I believe the problem is because I am trying to run commands inside of the container as root.

(13)Permission denied: AH00058: Error retrieving pid file /run/httpd/httpd.pid

My Dockerfile that I am deploying looks like this -

FROM centos:7
MAINTAINER me<me@me>
RUN yum update -y
RUN yum install -y git https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

RUN yum install -y ansible && yum clean all -y
RUN git clone https://github.com/dockerFileBootstrap.git
RUN ansible-playbook "-e edit_url=andrewgarfield edit_alias=emmastone site_url=testing.com" dockerAnsible/dockerFileBootstrap.yml
# Strip the systemd unit wiring that is not usable inside a container
RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
    rm -f /lib/systemd/system/multi-user.target.wants/*; \
    rm -f /etc/systemd/system/*.wants/*; \
    rm -f /lib/systemd/system/local-fs.target.wants/*; \
    rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
    rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
    rm -f /lib/systemd/system/basic.target.wants/*; \
    rm -f /lib/systemd/system/anaconda.target.wants/*
COPY supervisord.conf /usr/etc/supervisord.conf
RUN rm -rf supervisord.conf
VOLUME [ "/sys/fs/cgroup" ]
EXPOSE 80 443
#CMD ["/usr/bin/supervisord"]
CMD ["/usr/sbin/httpd", "-D", "FOREGROUND"]

I've run into a similar problem multiple times where it will say things like Permission Denied on file /supervisord.log or something similar.

How can I set it up so that my container doesn't run all of the commands as root? It seems to be causing all of the problems that I am having.

Izaguirre answered 9/6, 2016 at 10:29 Comment(0)
OpenShift has a strict security policy regarding custom Docker builds.

Have a look at this OpenShift Application Platform

In particular at point 4 in the FAQ section, quoted here.

4. Why doesn't my Docker image run on OpenShift?

Security! Origin runs with the following security policy by default:

- Containers run as a non-root unique user that is separate from other system users
- They cannot access host resources, run privileged, or become root
- They are given CPU and memory limits defined by the system administrator
- Any persistent storage they access will be under a unique SELinux label, which prevents others from seeing their content
- These settings are per project, so containers in different projects cannot see each other by default
- Regular users can run Docker, source, and custom builds
- By default, Docker builds can (and often do) run as root. You can control who can create Docker builds through the builds/docker and builds/custom policy resource.
- Regular users and project admins cannot change their security quotas.

Many Docker containers expect to run as root (and therefore edit all the contents of the filesystem). The Image Author's guide gives recommendations on making your image more secure by default:

- Don't run as root
- Make directories you want to write to group-writable and owned by group id 0
- Set the net-bind capability on your executables if they need to bind to ports <1024

Otherwise, you can see the security documentation for descriptions on how to relax these restrictions.

I hope it helps.

Grammar answered 9/6, 2016 at 10:48 Comment(4)
Thanks, I'll be sure to look into it. Appreciate the reference. (Izaguirre)
You can relax the restriction with oc adm add-scc-to-user anyuid -z default (give the default service account in the current namespace the ability to use the "anyuid" SCC). (Ivanna)
@Ivanna I get an "Error from server (Forbidden): User "xxx" cannot get securitycontextconstraints at the cluster scope" (Kev)
Changing security context constraints requires cluster admin rights. It cannot be done as a project admin or normal user. (Acarology)
Although you don't have access to root, your OpenShift container, by default, is a member of the root group. You can change some dir/file permissions to avoid the Permission Denied errors.

If you're using a Dockerfile to deploy an image to OpenShift, you can add the following RUN command to your Dockerfile:

RUN chgrp -R 0 /run && chmod -R g=u /run

This will change the group for everything in the /run directory to the root group and then set the group permission on all files to be equivalent to the owner (group equals user) of the file. Essentially, any user in the root group has the same permissions as the owner for every file.

Psittacine answered 5/6, 2019 at 13:25 Comment(1)
I wish I could give you +100 points for this. Thanks. (Valletta)
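The group-0 approach in this answer, and the "group-writable and owned by group id 0" recommendation quoted in the earlier answer, can be checked before an image is deployed. The following is an added example, not part of either answer: a POSIX shell audit that flags every path an arbitrary-UID, root-group process could not use, i.e. anything whose group is not gid 0 or whose group bits differ from its owner bits. It assumes GNU stat (Linux); the directory argument and the optional gid argument are hypothetical parameters for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): audit a directory tree for
# paths that would still fail for an OpenShift container process that runs as
# an arbitrary non-root UID but is a member of the root group (gid 0).
# A path passes when its group is WANT_GID and its group permission bits equal
# its owner bits, the state that "chgrp -R 0 DIR && chmod -R g=u DIR" produces.
#
# Usage: audit_gid0_perms DIR [WANT_GID]
#   stdout: number of offending paths; stderr: one line per offender
#   return: 0 when clean, 1 when any offender was found
#   WANT_GID defaults to 0; passing the current gid lets the check itself be
#   exercised without root (assumption for testing only).
audit_gid0_perms() {
  dir=$1
  want_gid=${2:-0}
  offenders=$(
    # -mindepth 1 skips the directory itself; one path per line.
    find "$dir" -mindepth 1 -print | while IFS= read -r path; do
      gid=$(stat -c '%g' "$path")
      mode=$(stat -c '%a' "$path")   # e.g. 640, or 2755 with setgid
      perm=${mode#"${mode%???}"}     # keep the last three digits: u g o
      owner=${perm%??}               # first digit
      group=${perm#?}; group=${group%?}   # middle digit
      if [ "$gid" != "$want_gid" ] || [ "$owner" != "$group" ]; then
        printf '%s (gid %s, mode %s)\n' "$path" "$gid" "$mode"
      fi
    done
  )
  [ -n "$offenders" ] && printf '%s\n' "$offenders" >&2
  count=$(printf '%s\n' "$offenders" | grep -c . || true)
  echo "$count"
  [ "$count" -eq 0 ]
}

# Apply the fix from the answer to a tree; only meaningful at image build time
# (RUN steps run as root), so it is not exercised by the audit above.
fix_gid0_perms() {
  chgrp -R 0 "$1" && chmod -R g=u "$1"
}
```

In a Dockerfile this pairs naturally with the answer's RUN line: apply fix_gid0_perms to /run (or whatever httpd and supervisord write to), then run audit_gid0_perms on the same path so the build fails early instead of the pod failing with Permission denied at start.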
You can run docker as any user, also root (and not the OpenShift default built-in account UID 1000030000), when issuing these two commands in sequence on the command line with the oc CLI tools: oc login -u system:admin -n default followed by oc adm policy add-scc-to-user anyuid -z default -n projectname, where projectname is the name of the project inside which your docker is assigned.

Glossary answered 29/4, 2018 at 22:57 Comment(0)