[Container-tools] [Devtools] openshift is way too permissive in the CDK/ADB

Aslak Knutsen aslak at redhat.com
Wed May 18 11:18:58 UTC 2016


I think most teams at the Brno F2F were struggling with this. It works
locally, but semi-obscure failures when pushed 'live'. And out of the 30 RH
engineers there, none knew 100% or was able to dig up a doc that explained
why and how to fix it...

This is/will be a massive pain point moving from Dev to Production. At the
very least we need some very clear, simple guides on how to make it work.

-aslak-

On Wed, May 18, 2016 at 1:10 PM, Clayton Coleman <ccoleman at redhat.com>
wrote:

> It was a deliberate choice, predicated on other changes coming to
> Docker (user namespaces) plus the desire to ensure demos run.
>
> Ultimately, the CDK is a playground.  Putting up chain link fences
> around the playground sends the wrong message.
>
> I'd prefer to have it easier to go between the levels in the short
> term than to ratchet it back.
>
> > On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
> >
> >
> > Currently we are configuring openshift in the CDK/ADB to be more
> > permissive than it should be when running containers.
> >
> > At [1] we are setting:
> >
> >    oadm policy add-scc-to-group anyuid system:authenticated
> >
> > From my experiments this means that containers run as anyuid and thus
> > can be root, cc clayton for confirmation.
> >
> > What this means is that we are misleading users to thinking things
> > will run in production OpenShift, when the production OpenShift most
> > likely won't have things configured this way.
> >
> > We should probably not be doing this. Reverting this change will also
> > mean that proposed demos, etc. should be retested on the newer version
> > meticulously.
> >
> > Dusty
> >
> > [1]
> https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
>
> _______________________________________________
> Devtools mailing list
> Devtools at redhat.com
> https://www.redhat.com/mailman/listinfo/devtools
>
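The grant Dusty quotes binds the anyuid SCC, whose runAsUser strategy is RunAsAny, to every authenticated user, so any pod may pick uid 0. As an added audit example (not from the thread or the adb-utils project), this Python function walks the parsed output of `oc get scc -o json` (OpenShift 3.x field names) and reports any root-capable SCC bound to a cluster-wide group together with the reverting command; the sample SCC list is constructed.

```python
"""Audit OpenShift SCC bindings for the over-permissive anyuid grant."""

# Groups that cover every logged-in user; binding a root-capable SCC to
# one of these is equivalent to "everyone may run as root".
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def audit_sccs(scc_list):
    """Return findings for SCCs that let cluster-wide groups choose any uid.

    scc_list is the parsed JSON of `oc get scc -o json`
    (a SecurityContextConstraintsList with an `items` array).
    """
    findings = []
    for scc in scc_list.get("items", []):
        name = scc["metadata"]["name"]
        run_as = scc.get("runAsUser", {}).get("type", "")
        # Only RunAsAny (used by the anyuid SCC) lets a pod run as root;
        # MustRunAsRange forces a uid from the project's allocated range.
        if run_as != "RunAsAny":
            continue
        for group in sorted(BROAD_GROUPS.intersection(scc.get("groups", []))):
            findings.append({
                "scc": name,
                "group": group,
                # Undo the add-scc-to-group call from the provisioning script.
                "fix": f"oadm policy remove-scc-from-group {name} {group}",
            })
    return findings


# Constructed sample: abbreviated `oc get scc -o json` output after the CDK
# provisioning script has run `add-scc-to-group anyuid system:authenticated`.
SAMPLE = {
    "kind": "SecurityContextConstraintsList",
    "items": [
        {"metadata": {"name": "anyuid"},
         "runAsUser": {"type": "RunAsAny"},
         "groups": ["system:cluster-admins", "system:authenticated"]},
        {"metadata": {"name": "restricted"},
         "runAsUser": {"type": "MustRunAsRange"},
         "groups": ["system:authenticated"]},
    ],
}

if __name__ == "__main__":
    for f in audit_sccs(SAMPLE):
        print(f"{f['scc']} is bound to {f['group']}; revert with: {f['fix']}")
```

On a real cluster, feed it `json.load()` of the `oc get scc -o json` output instead of SAMPLE; the restricted SCC binding is expected and is not reported.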