# opal
Or Weis:
Hi @Susan Mustafa, I’m not sure what the issue would be; it might be some limitation on using volumes set in your OpenShift. The Dockerfile is already configured not to run the server as root, so there shouldn’t be an issue in that regard. I’ll check with the rest of the team.
Raz Co:
Hey @Susan Mustafa, as part of OpenShift’s security tweaks, each Docker image is deployed with a random UID, which means the user specified in the image itself (the Opal user) is overridden by a random UID. To fix this, I suggest following the guide that Or sent, but basically you’ll need to create an SCC for the deployment that allows it to use any UID.
Susan Mustafa:
The problem is that, reading on Stack Overflow, almost everyone was saying `oc adm policy add-scc-to-user anyuid -z nginx-sa` is a hack and is very insecure, which is why I disregarded it as a solution. However, if Red Hat itself mentions it in their documentation, then at least I have some way of defending it. Thank you for answering @Or Weis and @Raz Co.
Raz Co:
It is a bit risky in theory, as anyuid means that an image that runs as the root user can be deployed on your cluster. The other option is to use the “nonroot” SCC, but it only works with images that set the user as an integer and not a string, so it won’t work with the current Opal image. But… you can obviously change the Dockerfile to use an integer UID and build it yourself :)
Susan Mustafa:
Thanks, I have modified the Dockerfile many times trying to get it to work. I can look into the second article tomorrow.
Just to update you guys, I resolved it by modifying the Dockerfile and adding `RUN chgrp`. This is required by OpenShift, it seems, in order to run: https://docs.openshift.com/container-platform/4.11/openshift_images/create-images.html#use-uid_create-images
```dockerfile
# Give the root group (GID 0) ownership of /opal and the same permissions as
# the owner, so the arbitrary UID OpenShift assigns (always a member of GID 0)
# can still read and write the application directory.
RUN chgrp -R 0 /opal && \
    chmod -R g=u /opal

WORKDIR /opal
```
This is needed for OpenShift specifically. I re-created the server image with: `docker build -t permitio/opal-server --target server -f docker/Dockerfile .` Thank you @Raz Co @Or Weis