[Container-tools] [Devtools] openshift is way too permissive in the CDK/ADB

Clayton Coleman ccoleman at redhat.com
Wed May 18 12:12:27 UTC 2016


This is a usecase "oc debug" was designed to solve.

1. Set your app up normally (as root)
2. Get it working
3. Run "oc debug dc/foo --as-user=xxx"
4. See that it works or not

I'll add that flag, although it will be a while before it makes it into an
origin release.
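To make the dev-versus-production mismatch discussed in this thread reproducible offline, here is a small model of how the anyuid and restricted SCCs treat a pod's runAsUser (added illustration, not code from the thread or from adb-utils; the uid range, SCC definitions and pod specs are constructed sample data):

```python
"""Model of the SCC runAsUser check that decides whether a pod is admitted.

Added illustration, not code from the thread or from adb-utils.  The uid
range, SCC definitions and pod specs below are constructed sample data.
"""
from typing import Optional

# Constructed: every OpenShift project carries an annotation of the form
# "<start>/<size>" that the restricted SCC draws container UIDs from.
NAMESPACE_ANNOTATIONS = {"openshift.io/sa.scc.uid-range": "1000000000/10000"}

# anyuid (what the CDK grants to system:authenticated) accepts any UID;
# restricted (the production default) forces a UID from the project range.
SCC_ANYUID = {"runAsUser": {"type": "RunAsAny"}}
SCC_RESTRICTED = {"runAsUser": {"type": "MustRunAsRange"}}

# Constructed pod specs: one pins root, one leaves the UID to the image.
POD_ROOT = {"spec": {"containers": [{"name": "app", "securityContext": {"runAsUser": 0}}]}}
POD_UNSET = {"spec": {"containers": [{"name": "app"}]}}


def uid_range(annotations: dict) -> range:
    start, size = annotations["openshift.io/sa.scc.uid-range"].split("/")
    return range(int(start), int(start) + int(size))


def admit(pod: dict, scc: dict, annotations: dict) -> dict:
    """Return admitted flag, effective UID per container, and a reject reason."""
    strategy = scc["runAsUser"]["type"]
    uids: dict = {}
    for c in pod["spec"]["containers"]:
        requested: Optional[int] = (c.get("securityContext") or {}).get("runAsUser")
        if strategy == "RunAsAny":
            # Whatever the pod (or, when unset, the image's USER) asks for, root included.
            uids[c["name"]] = requested
        elif strategy == "MustRunAsRange":
            allowed = uid_range(annotations)
            if requested is None:
                uids[c["name"]] = allowed.start  # admission fills in the first UID of the range
            elif requested in allowed:
                uids[c["name"]] = requested
            else:
                reason = f"{c['name']}: runAsUser {requested} outside {allowed.start}-{allowed[-1]}"
                return {"admitted": False, "uids": {}, "reason": reason}
        else:
            raise ValueError(f"unsupported runAsUser strategy {strategy}")
    return {"admitted": True, "uids": uids, "reason": ""}


if __name__ == "__main__":
    for name, pod in (("root", POD_ROOT), ("unset", POD_UNSET)):
        for scc_name, scc in (("anyuid", SCC_ANYUID), ("restricted", SCC_RESTRICTED)):
            print(name, scc_name, admit(pod, scc, NAMESPACE_ANNOTATIONS))
```

The same pod that sails through on a CDK with anyuid granted is rejected under restricted, which is the "works locally, fails live" behaviour described below.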

On May 18, 2016, at 7:55 AM, Burr Sutter <bsutter at redhat.com> wrote:

On average, the current CDK is more of an evaluator's tool, not a for-real
dev tool.  In a for-real dev scenario some super user would have configured
a team server and prepopulated it with "proper" base images, not ones from
Docker Hub.

If we locked down the CDK to only production ready base images then it
would fail for the average evaluator who is trying their first experience
with Linux containers.

On Wednesday, May 18, 2016, Aslak Knutsen <aslak at redhat.com> wrote:

> An index.openshift.org with proper images similar to 'index.docker.org'
> would be a start :)
>
> On Wed, May 18, 2016 at 1:31 PM, Max Rydahl Andersen <manderse at redhat.com> wrote:
>
>> Yeah, if CDK was running with this enabled I would not be able to run
>> anything in any meaningful timeframe on openshift.
>>
>> I wish there was a better way though.
>>
>> i.e. that I could set a flag for a specific deployment whether
>> it should be allowed to run as root or not without making this a fully
>> global flag.
>>
>> But in short - without this permission I don't see CDK/ADB being useful
>> to anyone trying to use it for docker based development because dockerhub
>> just has too many containers that require it.
>>
>> /max
>>
>> I think most teams at the Brno F2F were struggling with this. It works
>> locally, but semi-obscure failures when pushed 'live'. And out of the 30 RH
>> engineers there, none knew 100% or was able to dig up a doc that explained
>> why and how to fix it...
>>
>> This is/will be a massive pain point moving from Dev to Production. The
>> very least we need some very clear, simple guides on how to make it work.
>>
>> -aslak-
>>
>> On Wed, May 18, 2016 at 1:10 PM, Clayton Coleman <ccoleman at redhat.com> wrote:
>>
>>> It was a deliberate choice, predicated on other changes coming to
>>> Docker (user namespaces) plus the desire to ensure demos run.
>>>
>>> Ultimately, the CDK is a playground.  Putting up chain link fences
>>> around the playground sends the wrong message.
>>>
>>> I'd prefer to have it easier to go between the levels in the short
>>> term than to ratchet it back.
>>>
>>> > On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
>>> >
>>> >
>>> > Currently we are configuring openshift in the CDK/ADB to be more
>>> > permissive than it should be when running containers.
>>> >
>>> > At [1] we are setting:
>>> >
>>> >    oadm policy add-scc-to-group anyuid system:authenticated
>>> >
>>> > From my experiments this means that containers run as anyuid and thus
>>> > can be root, cc clayton for confirmation.
>>> >
>>> > What this means is that we are misleading users into thinking things
>>> > will run in production OpenShift, when the production OpenShift most
>>> > likely won't have things configured this way.
>>> >
>>> > We should probably not be doing this. Reverting this change will also
>>> > mean that proposed demos, etc. should be retested on the newer version
>>> > meticulously.
>>> >
>>> > Dusty
>>> >
>>> > [1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
>>>
>>> _______________________________________________
>>> Devtools mailing list
>>> Devtools at redhat.com
>>> https://www.redhat.com/mailman/listinfo/devtools
>>>
>>
>> /max
>> http://about.me/maxandersen
>>
>