PermissionDenied in pod running on OpenShift

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. Example: 100068000

This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

What it looks like from inside your running pod:

If the application running on the pod attempts to write a file, or make a directory, you will receive a PermissionDenied error.

To allow an image that is running as an arbitrary user to write to or access files in the image file system, the files and directories must be owned by the root group and be readable and writable by that group.

Files to be executed must also have group execute permissions.

Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image.

RUN chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory


If you are using a public image, you will most likely need to rebuild it from its Dockerfile, because the prebuilt images will generally not work as they are on OpenShift.

Trying to run OPAL Server in OpenShift required that we modify the Dockerfile and rebuild the server image.

This allows the application to read from and write to the /opal folder:

# Add non-root user (with home dir at /opal)
RUN useradd -m -b / -s /bin/bash opal

RUN chgrp -R 0 /opal && \
    chmod -R g=u /opal

WORKDIR /opal

User@SEGOTW4PXY2J3 /cygdrive/c/Project/github/opal

$ docker build -t permitio/opal-server --target server -f docker/Dockerfile .

Creating images | Images | OpenShift Container Platform 4.11
