[Devtools] openshift is way too permissive in the CDK/ADB

Max Rydahl Andersen manderse at redhat.com
Wed May 18 11:31:41 UTC 2016


Yeah, if CDK was running with this enabled I would not be able to run
anything in any meaningful timeframe on openshift.

I wish there was a better way though.

i.e. that I could set a flag for a specific deployment whether
it should be allowed to run as root or not without making this a fully
global flag.

But in short - without this permission I don't see CDK/ADB being useful
to anyone trying to use it for docker based development because dockerhub
just has too many containers that require it.

/max


> I think most teams at the Brno F2F were struggling with this. It works
> locally, but semi-obscure failures when pushed 'live'. And out of the
> 30 RH engineers there, none knew 100% or was able to dig up a doc that
> explained why and how to fix it...
>
> This is/will be a massive pain point moving from Dev to Production.
> The very least we need some very clear, simple guides on how to make it
> work.
>
> -aslak-
>
> On Wed, May 18, 2016 at 1:10 PM, Clayton Coleman <ccoleman at redhat.com>
> wrote:
>
>> It was a deliberate choice, predicated on other changes coming to
>> Docker (user namespaces) plus the desire to ensure demos run.
>>
>> Ultimately, the CDK is a playground.  Putting up chain link fences
>> around the playground sends the wrong message.
>>
>> I'd prefer to have it easier to go between the levels in the short
>> term than to ratchet it back.
>>
>>> On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
>>>
>>>
>>> Currently we are configuring openshift in the CDK/ADB to be more
>>> permissive than it should be when running containers.
>>>
>>> At [1] we are setting:
>>>
>>>    oadm policy add-scc-to-group anyuid system:authenticated
>>>
>>> From my experiments this means that containers run as anyuid and
>>> thus can be root, cc clayton for confirmation.
>>>
>>> What this means is that we are misleading users to thinking things
>>> will run in production OpenShift, when the production OpenShift most
>>> likely won't have things configured this way.
>>>
>>> We should probably not be doing this. Reverting this change will
>>> also mean that proposed demos, etc.. should be retested on the newer
>>> version meticulously.
>>>
>>> Dusty
>>>
>>> [1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47


/max
http://about.me/maxandersen
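The thread's complaint is the line `oadm policy add-scc-to-group anyuid system:authenticated`, which makes the anyuid SCC global. The following audit script is an added example, not code from the thread or from adb-utils: it assumes SCC objects in the JSON shape returned by `oc get scc -o json` (fields `metadata.name`, `groups`, `users`), flags privileged SCCs bound to every authenticated user, and prints the narrower per-service-account grant (`remove-scc-from-group` / `add-scc-to-user -z`) that answers Max's wish for a per-deployment switch; the sample input and the `<SERVICE_ACCOUNT>`/`<NAMESPACE>` placeholders are constructed.

```python
"""Audit OpenShift SCC grants for the over-broad anyuid binding from the thread."""
import json

# Groups that mean "everyone"; granting a privileged SCC to them is the
# global setting the thread objects to.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# SCCs whose grant to a broad group is worth a finding (anyuid is the one
# discussed; the others allow even more host access).
PRIVILEGED_SCCS = {"anyuid", "privileged", "hostaccess", "hostmount-anyuid"}


def broad_grants(scc_list_json: str) -> list:
    """Return [(scc_name, group)] for each privileged SCC bound to a broad group."""
    findings = []
    for scc in json.loads(scc_list_json).get("items", []):
        name = scc["metadata"]["name"]
        if name not in PRIVILEGED_SCCS:
            continue
        for group in scc.get("groups") or []:
            if group in BROAD_GROUPS:
                findings.append((name, group))
    return findings


def scoped_grant_commands(findings) -> list:
    """Narrower replacement per finding: drop the group grant and bind the SCC
    only to the service account of the one deployment that needs it.
    <SERVICE_ACCOUNT> and <NAMESPACE> are placeholders for the operator to fill."""
    cmds = []
    for scc, group in findings:
        cmds.append(f"oadm policy remove-scc-from-group {scc} {group}")
        cmds.append(f"oadm policy add-scc-to-user {scc} -z <SERVICE_ACCOUNT> -n <NAMESPACE>")
    return cmds


# Constructed sample resembling the CDK state described in the thread.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "anyuid"},
     "groups": ["system:cluster-admins", "system:authenticated"], "users": []},
    {"metadata": {"name": "restricted"},
     "groups": ["system:authenticated"], "users": []},
    {"metadata": {"name": "privileged"},
     "groups": ["system:cluster-admins"], "users": []},
]})

if __name__ == "__main__":
    for line in scoped_grant_commands(broad_grants(SAMPLE)):
        print(line)
```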