0

I was able to run podman-rootless-no-privileged v4.2.0 in the VM:

[regular-user@localhost ~]$ podman run -u podman quay.io/podman/stable echo 'FROM busybox' > /tmp/Dockerfile && echo 'RUN echo hello' >> /tmp/Dockerfile && podman build -t test /tmp/.
STEP 1/2: FROM busybox
Resolved "busybox" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/busybox:latest...
Getting image source signatures
Copying blob 205dae5015e7 done
Copying config 66ba00ad3d done
Writing manifest to image destination
Storing signatures
STEP 2/2: RUN echo hello
hello
COMMIT test
--> 7a12054883b
Successfully tagged localhost/test:latest
7a12054883be2c956cbb243c6930bbe60d73cd78ce8a4c551682cbb1190079ca

How do I convert this in OpenShift 4.11? In OpenShift it's locked down to use the user podman, and even if you patch the UID,

oc patch ns gitlab-dev -p  '{"metadata": {"annotations": {"openshift.io/sa.scc.uid-range": "1001/10000"}}}'
oc patch ns gitlab-dev -p  '{"metadata": {"annotations": {"openshift.io/sa.scc.supplemental-groups": "1001/10000"}}}'

it still doesn't work, with the error "can't mkdir /.local".

I can't find this anywhere on the net. All solutions are only for Docker/Kubernetes, not OpenShift.

uniwinux
  • 19
  • 5
  • The only thing that runs here inside the container in "podman run -u podman quay.io/podman/stable echo 'FROM busybox' > /tmp/Dockerfile && echo 'RUN echo hello' >> /tmp/Dockerfile && podman build -t test /tmp/." is the first echo; the rest runs on the host. That's why you thought it ran unprivileged. – Ricky Vene Jan 27 '23 at 02:20
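
As an added example (not from the question or either answer), the following POSIX shell functions build the same namespace merge-patch JSON that the question applies with oc patch, check whether a UID falls inside an OpenShift SCC range annotation of the form "<start>/<size>", and show where rootless podman would place its storage for a given HOME. That last function is the reason behind the "can't mkdir /.local" failure: a UID with no /etc/passwd entry typically gets HOME set to "/", so podman tries to create "/.local/share/containers" at the filesystem root. The UID values checked are constructed for the example; oc itself is not invoked.

```shell
#!/bin/sh
# Added example, not code from the question or answers.
# Builds the namespace annotation patches used in the question and checks a UID
# against the "<start>/<size>" range format of openshift.io/sa.scc.uid-range.

# Print the JSON merge patch for one namespace annotation
# (same shape as the body passed to `oc patch ns <name> -p ...` in the question).
ns_annotation_patch() {
  key="$1"
  value="$2"
  printf '{"metadata": {"annotations": {"%s": "%s"}}}' "$key" "$value"
}

# The annotation value "<start>/<size>" allows UIDs start .. start+size-1.
# Returns 0 when uid is inside the range, 1 otherwise.
uid_in_scc_range() {
  uid="$1"
  range="$2"
  start="${range%/*}"
  size="${range#*/}"
  [ "$uid" -ge "$start" ] && [ "$uid" -lt "$((start + size))" ]
}

# Rootless podman keeps its graph root under $HOME/.local/share/containers/storage.
# With HOME="/" (what an arbitrary UID without a passwd entry usually gets) the
# path collapses to /.local/..., which a non-root user cannot create.
podman_storage_dir() {
  home="${1:-/}"
  home="${home%/}"   # drop a trailing slash so "/" becomes ""
  printf '%s/.local/share/containers/storage\n' "$home"
}

# Stand-alone demonstration with constructed values.
ns_annotation_patch openshift.io/sa.scc.uid-range 1001/10000; echo
uid_in_scc_range 1001 1001/10000 && echo "uid 1001 is inside 1001/10000"
uid_in_scc_range 11001 1001/10000 || echo "uid 11001 is outside 1001/10000"
podman_storage_dir /            # the failing case from the question
podman_storage_dir /home/build  # a writable HOME avoids it
```

Before applying the patches, run uid_in_scc_range against the UID the image actually runs as; if it is outside the range, the restricted SCC will still reassign the UID, and even when it is inside, the container needs a HOME that user can write to (an explicit HOME environment variable pointing at a writable volume, for instance) or podman will attempt the /.local path shown above.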

2 Answers

1

This works: https://github.com/containers/buildah/blob/main/docs/tutorials/05-openshift-rootless-build.md

Check my GitLab pipeline here: https://gitlab.com/publicgroup16/jvm-openshift/-/pipelines

No privileged.

Ricky Vene
  • 105
  • 1
  • 11
  • BuildConfig will also work, except that you have to store the jar in your git: https://gitlab.com/publicgroup16/jvm-openshift/-/pipelines/765615722 – Ricky Vene Feb 03 '23 at 22:31
0

I can't do it in pod.yaml, but I was able to do it in the GitLab runner, where I need it. See the /ocp settings of custom-config-toml; there's no privilege there. The only problem I have right now is Helm: it's asking for a clusterrole, so I might just be using oc later on.

https://gitlab.com/publicgroup16/jvm-openshift/-/pipelines

uniwinux
  • 19
  • 5
  • Ohh, I remember oc is blocked by default inside the container in OpenShift. – uniwinux Jan 26 '23 at 03:31
  • oc can run, it just needs the right serviceaccount, but you need to make it a UBI image and the certs are from your GitLab server. You need to put privileged true first, create the gitlab runner, run it, then turn privileged off, recreate the gitlab-runner, and it should stay like that. And ditch Helm; it's asking for clusterrole. Use it on the repo only to generate YAML. – uniwinux Jan 26 '23 at 16:55
  • Sorry, I can't turn privileged off (false) in the config.toml in gitlab-runner. – Ricky Vene Jan 26 '23 at 19:36
  • It works with this: https://stackoverflow.com/questions/75272599/behavior-of-podman4-2-0-without-privileged-create-folder-with-d/75276729#75276729 – Ricky Vene Jan 29 '23 at 19:30