On average, the current CDK is move of an evaluator's tool, not a for-real dev tool. In a for-real dev scenario some super user would have configured a team server and prepopulated it with "proper" base images, not ones from Docker Hub. <div><br></div><div>If we locked down the CDK to only production ready base images then it would fail for the average evaluator who is trying their first experience with Linux containers.<span></span><br><br>On Wednesday, May 18, 2016, Aslak Knutsen <<a href="mailto:aslak@redhat.com">aslak@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">An <a href="http://index.openshift.org" target="_blank">index.openshift.org</a> with proper images similar to '<a href="http://index.docker.org" target="_blank">index.docker.org</a>' would be a start :)</div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 18, 2016 at 1:31 PM, Max Rydahl Andersen <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','manderse@redhat.com');" target="_blank">manderse@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u> <div> <div><div style="white-space:normal"> <p dir="auto">Yeah, if CDK was running with this enabled I would not be able to run anything <br> in any meaningful timeframe on openshift.</p> <p dir="auto">I wish there was a better way though.</p> <p dir="auto">i.e. that I could set a flag for a specific deployment wether<br> it should be allowed to run as root or not without making this a fully global flag.</p> <p dir="auto">But in short - without this permission I don't see CDK/ADB being useful to anyone<br> trying to use it for docker based development because dockerhub just has too many<br> containers that requires it.</p> <p dir="auto">/max</p> <blockquote style="border-left:2px solid #3983c4;color:#3983c4;margin:0 0 5px;padding-left:5px"> </blockquote></div><div><div> <blockquote style="border-left:2px solid #3983c4;color:#3983c4;margin:0 0 5px;padding-left:5px"><div dir="ltr">I think most teams at the Brno F2F were struggling with this. It works locally, but semi-obscure failures when pushed 'live'. And out of the 30 RH engineers there, none knew 100% or was able to dig up a doc that explained why and how to fix it...<div><br></div><div>This is/will be a massive pain point moving from Dev to Production. The very least we need some very clear, simple guides on how to make it work. </div><div><br></div><div>-aslak- </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 18, 2016 at 1:10 PM, Clayton Coleman <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','ccoleman@redhat.com');" target="_blank">ccoleman@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It was a deliberate choice, predicated on other changes coming to<br> Docker (user namespaces) plus the desire to ensure demos run.<br> <br> Ultimately, the CDK is a playground. Putting up chain link fences<br> around the playground sends the wrong message.<br> <br> I'd prefer to have it easier to go between the levels in the short<br> term than to ratchet it back.<br> <div><div><br> > On May 17, 2016, at 11:27 PM, Dusty Mabe <<a href="javascript:_e(%7B%7D,'cvml','dusty@dustymabe.com');" target="_blank">dusty@dustymabe.com</a>> wrote:<br> ><br> ><br> > Currently we are configuring openshift in the CDK/ADB to be more<br> > permissive than it should be when running containers.<br> ><br> > At [1] we are setting:<br> ><br> > oadm policy add-scc-to-group anyuid system:authenticated<br> ><br> > From my experiments this means that containers run as anyuid and thus<br> > can be root, cc clayton for confirmation.<br> ><br> > What this means is that we are misleading users to thinking things<br> > will run in production OpenShift, when the production OpenShift most<br> > likely won't have things configured this way.<br> ><br> > We should probably not be doing this. Reverting this change will also<br> > mean that proposed demos, etc.. should be retested on the newer version<br> > meticulously.<br> ><br> > Dusty<br> ><br> > [1] <a href="https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47" rel="noreferrer" target="_blank">https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47</a><br> <br> _______________________________________________<br> Devtools mailing list<br> <a href="javascript:_e(%7B%7D,'cvml','Devtools@redhat.com');" target="_blank">Devtools@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/devtools" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/devtools</a><br> </div></div></blockquote></div><br></div></blockquote> </div></div><div style="white-space:normal"><div><div> <blockquote style="border-left:2px solid #3983c4;color:#3983c4;margin:0 0 5px;padding-left:5px"> <hr> <p dir="auto">Devtools mailing list<br> <a href="javascript:_e(%7B%7D,'cvml','Devtools@redhat.com');" target="_blank">Devtools@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/devtools" target="_blank">https://www.redhat.com/mailman/listinfo/devtools</a></p> </blockquote> </div></div><p dir="auto">/max<br> <a href="http://about.me/maxandersen" target="_blank">http://about.me/maxandersen</a></p> </div> </div> </div> </blockquote></div><br></div> </blockquote></div>