Image Filesystem permission issues when deploying on Openshift #194
-
It runs fine for me:
It's likely that your runtime environment is imposing additional security restrictions. Do you know if it is running the image in a completely read-only container? Liberty does require some write access, but it should be configured to work out-of-the-box in most environments.
-
Like, usually when building an image to deploy on OpenShift, it is required to do this on the dirs where your app is located:
-
@rafaeltuelho Try using
-
We actually have an open issue on our end that I had forgotten. I can't reference it here because it's on a private repo, but I'll paste the content:

Expected Behavior
Deploying a Liberty image built with CNB to OpenShift should work without any extra configuration.

Actual Behavior
Deploying a Liberty image built with CNB to OpenShift fails because of permission issues. To get the image to run, a special service account needs to be set up that can run as any user ID (extra configuration provided below). Note that this is only an issue when using the default stack. Using a Liberty stack does not have this issue because the GID used by the Liberty images matches the GID the containers run with in OpenShift (i.e.

Steps to Reproduce the Problem
```yaml
apiVersion: apps.openliberty.io/v1beta2
kind: OpenLibertyApplication
metadata:
  name: packaged-server-test
spec:
  manageTLS: false
  license:
    accept: true
  applicationImage: hwibell/packaged-server-demo:latest
  service:
    port: 9080
  expose: true
  env:
    - name: WLP_LOGGING_MESSAGE_FORMAT
      value: "json"
    - name: WLP_LOGGING_MESSAGE_SOURCE
      value: "message,trace,accessLog,ffdc,audit"
```

Specifications

Workaround
```shell
# Service account name must match the serviceAccountName used below
$ oc create sa runasanyuid
$ oc adm policy add-scc-to-user anyuid -z runasanyuid --as system:admin
```
```yaml
apiVersion: apps.openliberty.io/v1beta2
kind: OpenLibertyApplication
metadata:
  name: packaged-server-test
spec:
  manageTLS: false
  license:
    accept: true
  applicationImage: hwibell/packaged-server-demo:latest
  serviceAccountName: "runasanyuid"
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
  service:
    port: 9080
  expose: true
  env:
    - name: WLP_LOGGING_MESSAGE_FORMAT
      value: "json"
    - name: WLP_LOGGING_MESSAGE_SOURCE
      value: "message,trace,accessLog,ffdc,audit"
```

Resources
-
In the meantime, as an alternative, I tried to fix the image filesystem permissions using the buildpacks inline builder, like here: https://github.com/rafaeltuelho/openliberty-starter-app/blob/master/project.toml#L30-L35. But no success :( @dmikusa or @kevin-ortega, do you know if this approach should work?
-
Trying to deploy an Open Liberty container image built with the Liberty buildpacks on OpenShift, but getting the following error during pod runtime:
Command line used to build the image:
For security reasons, OpenShift runs the container using a random user. So, I think the main question is how to instruct the buildpack to make the (app) filesystem writable by the root group and executable by any user? Is that even possible using buildpacks?
I'm using the Openliberty Operator for Kubernetes/Openshift to deploy this container app.
The image is publicly available here:
quay.io/rafaeltuelho/openliberty-starter-app:19-ec7ecea59c8ae57fcfe64f3c1e0eb9e358738190
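As an added example (not code from this discussion, from the Liberty buildpacks, or from OpenShift's documentation), here is the Dockerfile-level version of the fix that the "do this on the dirs your app is located" comment and the original question both refer to. OpenShift starts the container as a random UID but always with GID 0, so the standard recipe is `chgrp -R 0` plus `chmod -R g=u` on the application directories, and that is what `fix_perms` does. `check_perms` is the pre-push check a practitioner would run in the image to catch any file a random UID could not read, write or traverse. The function names, the constructed `wlp/usr/servers/defaultServer` sample tree and the optional GID argument (so the script can be exercised by an unprivileged user who cannot chgrp to 0) are all assumptions of this example. Whether a buildpack can be made to apply the same change is the open question in the thread; this does not answer it.

```shell
#!/bin/sh
# Make a directory tree usable under OpenShift's arbitrary-UID model.
# OpenShift runs the container as a random UID but with GID 0 (root group),
# so: give the files to the group and let the group do what the owner can.

# fix_perms DIR [GID]: apply the chgrp/chmod recipe. GID defaults to 0 as in
# OpenShift; the override exists only so this can be tested unprivileged.
fix_perms() {
  dir=$1
  gid=${2:-0}
  chgrp -R "$gid" "$dir" || return 1
  chmod -R g=u "$dir" || return 1
  # g=u copies whatever the owner has; make sure directories stay traversable
  find "$dir" -type d -exec chmod g+rwx {} + || return 1
}

# check_perms DIR [GID]: list entries that would still break for a random UID
# in group GID (wrong group, directory not rwx for group, file not rw for
# group). Prints the offending paths and returns 1; returns 0 when clean.
check_perms() {
  dir=$1
  gid=${2:-0}
  bad=$( {
    find "$dir" ! -group "$gid"
    find "$dir" -type d ! -perm -g+rwx
    find "$dir" -type f ! -perm -g+rw
  } )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# make_demo_tree ROOT: constructed sample layout resembling a packaged Liberty
# server, left with owner-only permissions as a careless build step would.
make_demo_tree() {
  root=$1
  mkdir -p "$root/wlp/usr/servers/defaultServer/logs"
  printf '<server/>\n' > "$root/wlp/usr/servers/defaultServer/server.xml"
  chmod -R go-rwx "$root/wlp"
}

# Usage: run with "demo" to exercise the functions on a temp dir using the
# caller's own GID. In a Dockerfile the call would be: fix_perms /opt/app 0
if [ "${1:-}" = "demo" ]; then
  demo=$(mktemp -d)
  make_demo_tree "$demo"
  fix_perms "$demo/wlp" "$(id -g)" && check_perms "$demo/wlp" "$(id -g)" \
    && echo "ok: $demo/wlp is usable by any UID in group $(id -g)"
fi
```

In an image build this runs as root after the application is copied in, followed by a `USER` instruction with a non-zero UID so the image does not depend on root; `check_perms` is the thing to run before pushing, because a single root-owned, group-unwritable file under the server directory is enough to reproduce the pod-start failure described in the question.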