[Devtools] openshift is way too permissive in the CDK/ADB

Lalatendu Mohanty lmohanty at redhat.com
Wed May 18 12:34:34 UTC 2016


On 05/18/2016 05:58 PM, Dusty Mabe wrote:
>
> On 05/18/2016 07:10 AM, Clayton Coleman wrote:
>> It was a deliberate choice, predicated on other changes coming to
>> Docker (user namespaces) plus the desire to ensure demos run.
>>
> I guess this was surprising to me. To me part of the "promise" of
> the CDK is that you are running in an Environment that more closely
> resembles production. I know there are many places where this promise
> falls apart, but this seems like a fundamental one since this is the
> one huge learning gap when going from running in kube to running in
> openshift.

Would documentation in the CDK/ADB about how to migrate an application to 
production OpenShift help? Till we have "oc debug".

> I would almost prefer for this to be a question asked on startup of
> the cdk (that can be overriden). The question could explain the
> limitation and why it will exist in production and then the user can
> choose if they want to ignore and run without restrictions.

I am conservative about asking questions during setup as it reduces the 
user experience and we are not sure if the user has enough knowledge 
about it.

> As a side note, how far off are user namespaces? From my understanding
> that's not really coming soon.
>
>> Ultimately, the CDK is a playground.  Putting up chain link fences
>> around the playground sends the wrong message.
>>
>> I'd prefer to have it easier to go between the levels in the short
>> term than to ratchet it back.
>>
>
>>> On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
>>>
>>>
>>> Currently we are configuring openshift in the CDK/ADB to be more
>>> permissive than it should be when running containers.
>>>
>>> At [1] we are setting:
>>>
>>>     oadm policy add-scc-to-group anyuid system:authenticated
>>>
>>> From my experiments this means that containers run as anyuid and thus
>>> can be root, cc clayton for confirmation.
>>>
>>> What this means is that we are misleading users to thinking things
>>> will run in production OpenShift, when the production OpenShift most
>>> likely won't have things configured this way.
>>>
>>> We should probably not be doing this. Reverting this change will also
>>> mean that proposed demos, etc. should be retested on the newer version
>>> meticulously.
>>>
>>> Dusty
>>>
>>> [1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
> _______________________________________________
> Devtools mailing list
> Devtools at redhat.com
> https://www.redhat.com/mailman/listinfo/devtools
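The line from openshift_provision quoted above, next to the command that reverts it and a check for whether a cluster is still in the permissive state. This is an added example, not code from the adb-utils repository or from anyone in the thread. It assumes an OpenShift 3.x client (`oadm` / `oc`) that is logged in as cluster admin; the sample group lists are constructed to look like what `oc get scc anyuid` reports, and the pod-based UID check is a hypothetical usage whose `oc run` flags should be confirmed against the installed client.

```shell
#!/bin/sh
# Added example (not from adb-utils): the permissive SCC grant from the CDK
# provisioning script, its revert, and a check that works offline on sample
# data as well as against a live cluster.

# What the provisioning script does: hand the 'anyuid' SCC to every
# authenticated user, so any pod may keep the image's own UID, including 0.
grant_anyuid_to_all() {
    oadm policy add-scc-to-group anyuid system:authenticated
}

# Revert: drop the group from the SCC. Pods then fall back to the
# 'restricted' SCC, which assigns a non-root UID from the project's range,
# which is the behaviour a production OpenShift cluster normally has.
revoke_anyuid_from_all() {
    oadm policy remove-scc-from-group anyuid system:authenticated
}

# Pure check, runnable offline: stdin is the SCC's 'groups' list, one entry
# per line; $1 is the group to look for. Exit 0 if granted, 1 if not.
scc_group_granted() {
    grep -qx "$1"
}

# Live check (needs a logged-in 'oc' with cluster-admin): print the groups
# that hold anyuid and report whether system:authenticated is among them.
audit_anyuid() {
    oc get scc anyuid -o jsonpath='{range .groups[*]}{@}{"\n"}{end}' \
      | scc_group_granted system:authenticated \
      && echo "anyuid is granted to system:authenticated (permissive)" \
      || echo "anyuid is not granted to system:authenticated"
}

# Constructed sample data: the groups list on a CDK/ADB box after
# openshift_provision has run, and on a default install where only the
# built-in grants are present.
CDK_GROUPS="system:cluster-admins
system:nodes
system:authenticated"
DEFAULT_GROUPS="system:cluster-admins
system:nodes"

# End-to-end check inside the cluster (hypothetical usage; confirm the 'oc
# run' flags on your client version): start a throwaway pod that prints its
# UID. Under anyuid an image that runs as root prints 0; under restricted
# you get a high UID from the project's allocated range.
uid_in_pod() {
    oc run uid-check --image=busybox --restart=Never --command -- id -u \
      && sleep 5 && oc logs uid-check && oc delete pod uid-check
}
```

The offline check is the part worth keeping in a CDK test suite: feed it the real `oc get scc anyuid` output and fail the build if `system:authenticated` shows up, so a demo that only works because of the grant is caught before it is shipped as "runs on OpenShift".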