
I have a simple Centos6 docker image:

FROM centos:6
MAINTAINER Simon 1905 <simbo@x.com>
RUN yum -y update && yum -y install httpd && yum clean all
RUN sed -i "s/Listen 80/Listen 8080/" /etc/httpd/conf/httpd.conf && \
  chown apache:apache /var/log/httpd && \
  chmod ug+w,a+rx /var/log/httpd && \
  chown apache:apache /var/run/httpd
RUN mkdir -p /var/www/html && echo "hello world!" >> /var/www/html/index.html
EXPOSE 8080
USER apache
CMD /usr/sbin/httpd -D FOREGROUND

I can run this locally and push it up to hub.docker.com. If I then go into the web console of the Redhat OpenShift Container Developer Kit (CDK) running locally and deploy the image from dockerhub it works fine. If I go into the OpenShift3 Pro web console the pod goes into a crash loop. There are no logs on the console or the command line to diagnose the problem. Any help much appreciated.

To try to see if it was a problem only with Centos7 I changed the first line to be centos:7 and once again it works on minishift CDK but doesn't work on OpenShift3 Pro. It does show something on the logs tab of the pod:

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.2.55. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00058: Error retrieving pid file /run/httpd/httpd.pid
AH00059: Remove it before continuing if it is corrupted.
simbo1905
  • I just tried changing the first line to be `FROM centos:7` and once again it works on the local CDK but fails, but the logs tab actually says something useful: – simbo1905 Jul 24 '17 at 20:27

2 Answers


It is failing because your image expects to run as a specific user.

In Minishift this is allowed, as is being able to run images as root.

On OpenShift Online your images will run as an arbitrary assigned UID and can never run as a selected UID and never as root.

If you are only after a way of hosting static files, see:

This is an S2I builder for taking static files for Apache and running them up in a container.

You could use it as an S2I builder by running:

oc new-app centos/httpd-24-centos7~<repository-url> --name httpd
oc expose svc/httpd

Or you could create a derived image if you wanted to try and customise it.

Either way, look at how it is implemented if wanting to build your own.

Graham Dumpleton
  • Thanks. A bit off topic, but I am working at a large shop where teams want to use vendor supported builder images, not s2i. So whilst I get that that is the easy path for some, it's not really going to get buy-in from folks that have their own vendor or community supported images. – simbo1905 Jul 26 '17 at 11:00
  • Aha https://docs.openshift.com/container-platform/3.5/creating_images/guidelines.html#openshift-container-platform-specific-guidelines – simbo1905 Jul 26 '17 at 11:06
  • As I understand it, that S2I image for httpd will become part of the supported image set if you are using OpenShift Container Platform with a Red Hat subscription. If that level of support is not enough, I wouldn't expect images you get elsewhere would be any better. Pretty well everything on Docker Hub comes with no support and for those that might, you still have to pay someone for that support. – Graham Dumpleton Jul 26 '17 at 11:15
  • Apache is just the simplest thing I could think of to demo the issue. The actual tech we use varies across the many agencies and many services. Microsoft's SDK Docker images would be one example where the latest vendor supported images are ahead of the s2i images, so it's likely our C# teams will pick the vendor images. A Java microservices team and a Scala team at a similar organisation didn't go with s2i. R is another language where the data science team like the community templates. Once again thanks for the pointers. – simbo1905 Jul 26 '17 at 15:47
  • For any third party images, the issue of not being able to run as root is going to be a continual problem. This is because people out there are not designing images with best practices in mind around this issue. They assume you are running a single tenant Docker service on your own machine and that you don't care that running as root is not a good idea. Those same images aren't going to work on any system that employs better security practices and prevents you from running as root, or assigns a user to you. Keep asking vendors to fix their images. – Graham Dumpleton Jul 26 '17 at 21:00

From the Red Hat enterprise docs at https://docs.openshift.com/container-platform/3.5/creating_images/guidelines.html#openshift-container-platform-specific-guidelines:

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node. For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.

RUN chgrp -R 0 /some/directory \
  && chmod -R g+rwX /some/directory

So in this case the modified Dockerfile which runs on OpenShift 3 Online Pro is:

FROM centos:6
MAINTAINER Simon 1905 <simbo@x.com>
RUN yum -y install httpd && yum clean all
# Every path httpd has to read or write (config, logs, pid file, docroot) is
# handed to group 0 with group rwX, so whatever UID OpenShift assigns can use it
RUN sed -i "s/Listen 80/Listen 8080/" /etc/httpd/conf/httpd.conf && \
  chown apache:0 /etc/httpd/conf/httpd.conf && \
  chmod g+r /etc/httpd/conf/httpd.conf && \
  chown apache:0 /var/log/httpd && \
  chmod g+rwX /var/log/httpd && \
  chown apache:0 /var/run/httpd && \
  chmod g+rwX /var/run/httpd
RUN mkdir -p /var/www/html && echo "hello world!" >> /var/www/html/index.html && \
  chown -R apache:0 /var/www/html && \
  chmod -R g+rwX /var/www/html
EXPOSE 8080
# Honoured locally; on OpenShift Online the UID is replaced by an arbitrary one
# that still carries group 0, which is why the group permissions above matter
USER apache
CMD /usr/sbin/httpd -D FOREGROUND
simbo1905
  • A key point here is that whilst the root user 0 is privileged, the root group 0 doesn't appear to be privileged under many Linux groups, as discussed at https://unix.stackexchange.com/questions/44077/what-does-it-mean-to-be-in-group-0 – simbo1905 Jul 26 '17 at 19:25
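As an added check that is not code from the question or either answer: a shell script that verifies, for the directories an image writes to, the group-0 ownership and g+rwX rule quoted above, plus a constructed fixture so it can be tried as an unprivileged user. The REQUIRED_GID variable and both function names are this example's own, not an OpenShift or httpd interface.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above. Checks that
# the paths an image process writes to follow the OpenShift arbitrary-UID rule:
# owned by the root group (GID 0), group read/write, and group-executable where
# the owner can execute (the effect of "chgrp -R 0 DIR && chmod -R g+rwX DIR").
# REQUIRED_GID (assumed by this script, default 0) lets the check run against a
# test tree as an unprivileged user who cannot chgrp to 0.

# check_group_access PATH...  -> prints one line per offending entry,
# returns 1 if anything is wrong, 0 if every path is compliant
check_group_access() {
  gid="${REQUIRED_GID:-0}"
  problems=$(
    for p in "$@"; do
      if [ ! -e "$p" ]; then echo "MISSING $p"; continue; fi
      # anything not owned by the required group
      find "$p" ! -group "$gid" | sed 's/^/WRONG-GROUP /'
      # directories: the assigned UID must list, traverse and create inside them
      find "$p" -type d ! -perm -g=rwx | sed 's/^/DIR-NOT-g+rwx /'
      # regular files (logs, pid file, config): group read and write
      find "$p" -type f ! -perm -g=rw | sed 's/^/FILE-NOT-g+rw /'
      # owner-executable files must be group-executable too (the X in g+rwX)
      find "$p" -type f -perm -u=x ! -perm -g=x | sed 's/^/FILE-NOT-g+x /'
    done
  )
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems"
    return 1
  fi
  return 0
}

# make_fixture GID -> builds a constructed tree with one compliant directory
# (like /var/www/html after the fix) and one broken one (like an unfixed
# /var/run/httpd) and prints its path
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/good/sub" "$d/bad"
  echo "hello world!" > "$d/good/index.html"
  printf '#!/bin/sh\n' > "$d/good/run.sh" && chmod u+x "$d/good/run.sh"
  chgrp -R "$1" "$d/good" && chmod -R g+rwX "$d/good"   # the documented fix
  : > "$d/bad/httpd.pid"
  chmod 700 "$d/bad" && chmod 600 "$d/bad/httpd.pid"     # group gets nothing
  echo "$d"
}

# Typical use in the image build: RUN sh check.sh /var/log/httpd /var/run/httpd /var/www/html
if [ $# -gt 0 ]; then check_group_access "$@"; fi
```

Because Minishift lets the image run as the user it names, the other useful local check is to start the built image with a numeric UID that has no passwd entry and group 0 (docker run --user 1000100000:0 ...), which reproduces the OpenShift Online condition before pushing.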