In OpenShift 3, how to run a docker image that requires root?

Question

In OpenShift 3, how can deploy a docker image that requires root?

I'm voting to close this question as off-topic because it belongs on devops SE — Jared Smith, Nov 17 '17 at 14:10

score 0 · Answer 1 · answered Nov 17 '17 at 14:24

0

You can run oc edit scc restricted and edit runAsUser.Type from MustRunAsNonRoot to RunAsAny. This is not recommended for security reasons.

answered Nov 17 '17 at 14:24

BMitch

It gives: Error from server (Forbidden): User "xxxx" cannot get securitycontextconstraints at the cluster scope: User "xxxx" cannot get securitycontextconstraints at the cluster scope (get securitycontextconstraints root) – mabg Nov 18 '17 at 17:37
Adjusting security settings of the cluster requires cluster admin access. – BMitch Nov 18 '17 at 21:23
You can login to oc tools prior by `oc login -u system:admin -n default` and then management commands work – FantomX1 Apr 29 '18 at 22:51

score 0 · Answer 2 · answered Nov 17 '17 at 20:06

0

Easier command to grant containers in specific project to run as any UID, including root, is:

oc adm policy add-scc-to-user anyuid -z default -n myproject

This would need to be run as a cluster admin. A normal user, or even a project admin, cannot run this command.

If using OpenShift Online you will not be able to do this.

answered Nov 17 '17 at 20:06

Graham Dumpleton

It gives: Error from server (Forbidden): User "xxxx" cannot get securitycontextconstraints at the cluster scope: User "xxxx" cannot get securitycontextconstraints at the cluster scope (get securitycontextconstraints root) – mabg Nov 18 '17 at 17:37
I did say it had to be run as cluster admin. If you don't have full control of the cluster you cannot do it. Now perhaps indicate why you need it. What is the image you are trying to run and why does it require root? Images built to best practices would not need to run as root. Unfortunately a lot of images out there on Docker Hub aren't built with good security practices. – Graham Dumpleton Nov 18 '17 at 19:55
I have tested some docker images from the hub, and all require root privilegies. The last one was owncloud. – mabg Nov 19 '17 at 13:26
How can I be cluster admin on my account? – mabg Nov 19 '17 at 13:36
What OpenShift cluster are you using? – Graham Dumpleton Nov 19 '17 at 19:46
You can login to oc tools prior by `oc login -u system:admin -n default` and then management commands work, without `User "xxxx" cannot get securitycontextconstraints` error messages – FantomX1 Apr 29 '18 at 22:51

2 Answers2