Looking to run Xibo on OpenShift but am running into a permissions issue. I believe the Xibo image is trying to run with root privileges, which isn’t allowed. Does anyone have a workaround for this, or could the Dockerfile be updated to run as anyuser? As per Support Arbitrary User IDs: https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html
I just had a look at the entrypoint.sh, and there are several points that are not OpenShift compliant, and even strange for a containerized app.
- run as root: On OpenShift, containers are run with undetermined UID or fixed unprivileged UID (often 1001) unless explicitly needed. Therefore, all the “root” tasks must be done in the build phase.
- chown apache: This needs root access. It is better to do it in the “build” phase
- Logging: as OpenShift has a logging mechanism, it is better to log everything to the default console instead of logging to a file that will not be taken into account by OpenShift
- use OpenShift secret/file mapping mechanism for secrets and certificates
- rm -rf /var/www/cms/cache/*: This is strange, as this is done in entrypoint.sh, and at this point, the directory should always be empty since containerized
- Put cron outside the container. There is a specific cron mechanism in OpenShift: Job resource
- Use of file mapping instead of editing config files (i.e. /etc/apache2/conf.d/cms.conf, …)
This needs specific development, and I do not have the time right now to do it.
We aren’t aiming for OpenShift here.
The containers initially run as root, and drop privilege after that as needed.
chown on files stored outside the container can’t be done at build time - by their very nature they aren’t there at that point.
rm -rf /var/www/cms/cache/* - correct, this is inside the container, but we clear it on a container restart necessarily to reduce support overhead.
The containers as they stand are designed to give a low support overhead on a standard Docker install. We wouldn’t be interested in modifying them to require OpenShift to run them at all.
If someone wanted to make OpenShift compatible versions, with those limitations associated with that process, then they would be very welcome to develop, contribute and maintain those on an ongoing basis.
Thanks Marc, those pointers really helped, particularly the logging. I now have a basic working installation. Still a little more to do but it’s progress.
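The two positions in this thread (start as root and chown at run time, versus start as an arbitrary non-root UID) can share one entrypoint preflight. The sketch below is an added example, not Xibo's entrypoint.sh or anything posted by the participants; the function names are hypothetical, and the owner and paths in the usage comment are assumptions taken from the names mentioned above.

```shell
#!/bin/sh
# Added example, not Xibo's entrypoint.sh. Function names are hypothetical.

# startup_mode UID -> which branch the entrypoint takes for that UID.
startup_mode() {
    if [ "$1" -eq 0 ]; then
        echo root-then-drop   # plain Docker: fix ownership, then drop root
    else
        echo arbitrary-uid    # OpenShift: chown is impossible, only verify
    fi
}

# unwritable_dirs DIR... -> prints each DIR the current user cannot use as
# a writable directory; exit status 1 if any were printed.
unwritable_dirs() {
    bad=0
    for dir in "$@"; do
        if [ ! -d "$dir" ] || [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
            echo "$dir"
            bad=1
        fi
    done
    return "$bad"
}

# prepare_dirs OWNER DIR... -> run at container start, before the service.
prepare_dirs() {
    owner=$1; shift
    case "$(startup_mode "$(id -u)")" in
    root-then-drop)
        # Mounted volumes only exist at run time, so ownership is set here.
        chown -R "$owner" "$@" ;;
    arbitrary-uid)
        # Fail early with a clear message instead of a later write error.
        if ! missing=$(unwritable_dirs "$@"); then
            echo "uid $(id -u) gid $(id -g) cannot write: $missing" >&2
            echo "image build needs: chgrp -R 0 DIR && chmod -R g+rwX DIR" >&2
            return 1
        fi ;;
    esac
}

# Usage inside an entrypoint (owner and path are assumptions):
#   prepare_dirs apache /var/www/cms/cache || exit 1
```

Under OpenShift's arbitrary-UID model the process runs with GID 0, which is why the build-time fix named in the error message hands the directories to group 0.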