Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Support for OpenShift #2327

Open
hishamanver opened this issue Sep 13, 2024 · 2 comments
Open

[Feature Request] Support for OpenShift #2327

hishamanver opened this issue Sep 13, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@hishamanver
Copy link

hishamanver commented Sep 13, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

I attempted to deploy temporal via helm (https://github.com/temporalio/helm-charts/tree/main) onto an openshift cluster.

Ran into issues running the temporal server and temporal ui containers on openshift due to security constraints (running on openshift - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids)

Identified the root cause to be the following sections:

Essentially what we are observing is openshift enforces specific UID and GID for the running containers that do not match the predefined values in the image definition and therefore fail with the following error:

2024/09/13 06:29:11 unable to create open ./config/docker.yaml: permission denied

Describe the solution you'd like

Dockerfile definition should not pin specific UIDs for non root user enforcement, but instead ensure that all directories that are required for functionality have sufficient privileges.

Describe alternatives you've considered

To get around this issue the following Dockerfile was used and confirmed to work

FROM temporalio/ui:2.30.3

RUN chmod o+w /home/ui-server/config
@hishamanver hishamanver added the enhancement New feature or request label Sep 13, 2024
This was referenced Sep 13, 2024
Open
Closed
@naaa760
Copy link

naaa760 commented Sep 23, 2024

Hello @hishamanver

I suggest you to improving Temporal deployment on OpenShift by adding user-customizable UID and GID fields in the Helm chart. startup script in the Dockerfile should change permissions on necessary directories based on the provided UID and GID. and i think the community feedback is welcome to refine this idea.

@mohan-alpheya
Copy link

@naaa760 ,

OpenShift uses arbitrary, or randomly assigned, user IDs (UIDs) to increase access security. This means that the IDs of the users accessing the pods and containers and running the application processes are unspecified and unpredictable. Using predefined UID and GID violates OpenShift uses arbitrary, or randomly assigned, user IDs (UIDs) to increase access security.

The solution to the issue is documented here to ensure that a single Dockerfile can be used to create an image that functions correctly, both on OpenShift and on Kubernetes.

https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#group_ownership_and_file_permission

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hishamanver @mohan-alpheya @naaa760