[Container-tools] [Devtools] openshift is way too permissive in the CDK/ADB

Aslak Knutsen aslak at redhat.com
Wed May 18 11:41:34 UTC 2016


An index.openshift.org with proper images similar to 'index.docker.org'
would be a start :)

On Wed, May 18, 2016 at 1:31 PM, Max Rydahl Andersen <manderse at redhat.com>
wrote:

> Yeah, if CDK was running with this enabled I would not be able to run
> anything
> in any meaningful timeframe on openshift.
>
> I wish there was a better way though.
>
> i.e. that I could set a flag for a specific deployment whether
> it should be allowed to run as root or not without making this a fully
> global flag.
>
> But in short - without this permission I don't see CDK/ADB being useful to
> anyone
> trying to use it for docker based development because dockerhub just has
> too many
> containers that require it.
>
> /max
>
> I think most teams at the Brno F2F were struggling with this. It works
> locally, but there are semi-obscure failures when pushed 'live'. And out of the 30 RH
> engineers there, none knew 100% or were able to dig up a doc that explained
> why and how to fix it...
>
> This is/will be a massive pain point moving from Dev to Production. The
> very least we need some very clear, simple guides on how to make it work.
>
> -aslak-
>
> On Wed, May 18, 2016 at 1:10 PM, Clayton Coleman <ccoleman at redhat.com>
> wrote:
>
>> It was a deliberate choice, predicated on other changes coming to
>> Docker (user namespaces) plus the desire to ensure demos run.
>>
>> Ultimately, the CDK is a playground.  Putting up chain link fences
>> around the playground sends the wrong message.
>>
>> I'd prefer to have it easier to go between the levels in the short
>> term than to ratchet it back.
>>
>> > On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
>> >
>> >
>> > Currently we are configuring openshift in the CDK/ADB to be more
>> > permissive than it should be when running containers.
>> >
>> > At [1] we are setting:
>> >
>> >    oadm policy add-scc-to-group anyuid system:authenticated
>> >
>> > From my experiments this means that containers run as anyuid and thus
>> > can be root, cc clayton for confirmation.
>> >
>> > What this means is that we are misleading users to thinking things
>> > will run in production OpenShift, when the production OpenShift most
>> > likely won't have things configured this way.
>> >
>> > We should probably not be doing this. Reverting this change will also
> > mean that proposed demos, etc., should be retested on the newer version
>> > meticulously.
>> >
>> > Dusty
>> >
>> > [1]
>> https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
>>
>> _______________________________________________
>> Devtools mailing list
>> Devtools at redhat.com
>> https://www.redhat.com/mailman/listinfo/devtools
>>
>
> /max
> http://about.me/maxandersen
>
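The thread never shows how to verify the effect of the `add-scc-to-group anyuid system:authenticated` line, nor how to do what Max asks for (root for one deployment without a cluster-wide grant). The script below is an added example written for this page; it is not code from adb-utils, the CDK, or any of the posters. It assumes an OpenShift 3.x `oc` CLI (the page's `oadm policy` is `oc adm policy` in later 3.x releases), and the project name `demo`, service account `root-runner`, DeploymentConfig `web` and pod name `web-1-abcde` are hypothetical. The `OC` variable is also an assumption so that a stub can stand in for a live cluster when exercising the functions.

```shell
#!/usr/bin/env bash
# Added example (not from adb-utils or the thread): audit the anyuid SCC grant
# discussed above and scope it to one deployment instead of every authenticated user.
# Assumes an OpenShift 3.x 'oc' CLI. OC is overridable so a stub can replace a cluster.
set -eu
OC="${OC:-oc}"

# Does the anyuid SCC list system:authenticated, i.e. can every logged-in user
# run containers as root? Returns 0 (true) if so. This is exactly what the
# openshift_provision line on the page produces.
anyuid_is_global() {
  local g
  for g in $("$OC" get scc anyuid -o jsonpath='{.groups[*]}'); do
    [ "$g" = "system:authenticated" ] && return 0
  done
  return 1
}

# Which SCC did admission actually apply to a running pod? OpenShift records it
# in the openshift.io/scc annotation. "restricted" means the pod was re-mapped
# to a random non-root UID, which is where "works locally, fails live" comes from.
pod_scc() {  # pod_scc <project> <pod>
  "$OC" get pod "$2" -n "$1" -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
}

# Replace the cluster-wide grant with a per-deployment one: a dedicated service
# account holds anyuid, and only the DeploymentConfig whose pod template names
# that service account may run as root. Every other pod falls back to "restricted".
# Note: removing the group grant breaks any other pod that silently relied on it.
scope_anyuid() {  # scope_anyuid <project> <serviceaccount> <deploymentconfig>
  local project="$1" sa="$2" dc="$3"
  "$OC" adm policy remove-scc-from-group anyuid system:authenticated
  "$OC" get sa "$sa" -n "$project" >/dev/null 2>&1 \
    || "$OC" create serviceaccount "$sa" -n "$project"
  "$OC" adm policy add-scc-to-user anyuid -z "$sa" -n "$project"
  "$OC" patch dc "$dc" -n "$project" \
    -p "{\"spec\":{\"template\":{\"spec\":{\"serviceAccountName\":\"$sa\"}}}}"
}

# Typical use against the hypothetical project "demo" / DeploymentConfig "web":
#   if anyuid_is_global; then scope_anyuid demo root-runner web; fi
#   pod_scc demo web-1-abcde    # expect "anyuid" for web's pods, "restricted" elsewhere
```

After `scope_anyuid`, redeploy the DeploymentConfig so new pods pick up the service account; `pod_scc` on a pod from the old replication controller will still report the old SCC. Running `pod_scc` against a production cluster before a demo is the cheapest way to catch the Dev-to-Production mismatch Aslak describes.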