
Susan Mustafa

05/25/2023, 7:19 PM
Hello everyone, I joined recently, so my apologies if this question has been asked previously. I am currently trying to deploy opal-server on OpenShift and getting permission denied errors. Could someone kindly point me in the right direction on how to solve those? OpenShift won't allow running as root. What I have tried:
• If I do docker run -it opal-server sh, then inside the container I can do mkdir /opal/jwks_dir; whoami is opal and mkdir still succeeds, so why does it fail on OpenShift?
• chmod and chown on the /opal directory
• Mounted a volume at /opal, but that won't work because there are other important files in the original directory.
• I thought that maybe /usr/local, where the Python files are, was running as root, so I changed ownership to the opal user; it still fails.
I am almost out of ideas.

Or Weis

05/25/2023, 7:37 PM
Hi @Susan Mustafa, I’m not sure what the issue would be; it might be some limitation on using volumes set in your OpenShift. The Dockerfile is already configured not to run the server as root, so there shouldn’t be an issue in that regard. I’ll check with the rest of the team.

Raz Co

05/25/2023, 8:19 PM
Hey @Susan Mustafa, as part of OpenShift's security tweaks, each Docker image will be deployed with a random UID, which means the user mentioned in the image itself (the opal user) will be overridden by a random UID. To fix this, I suggest following the guide that Or sent, but basically you’ll need to create an SCC for the deployment that will allow it to use any UID.

Susan Mustafa

05/25/2023, 8:55 PM
The problem is that, reading on Stack Overflow, almost everyone was saying oc adm policy add-scc-to-user anyuid -z nginx-sa is a hack and is very insecure, which is why I disregarded it as a solution. However, if Red Hat itself is mentioning it in their documentation, then at least I have some way of defending it. Thank you for answering @Or Weis and @Raz Co

Raz Co

05/25/2023, 9:05 PM
It is a bit risky in theory, as anyuid means that an image that runs with a root user can be deployed on your cluster. The other option is to set the “nonroot” SCC, but it only works with images that set the user as an integer and not a string, which in that case won’t work with the current Opal image. But… you can obviously change the Dockerfile to have an integer UID and build it yourself :)

Susan Mustafa

05/25/2023, 9:07 PM
Thanks, I have modified the Dockerfile many times to try to get it to work. I can look into the second article tomorrow.
Just to update you guys, I resolved it by modifying the Dockerfile and adding RUN chgrp. It seems this is required by OpenShift in order to run: https://docs.openshift.com/container-platform/4.11/openshift_images/create-images.html#use-uid_create-images
# Give the root group (GID 0) the same permissions as the owner on /opal,
# so the arbitrary UID OpenShift assigns (which is always in group 0) can write there
RUN chgrp -R 0 /opal && \
    chmod -R g=u /opal

WORKDIR /opal
This is needed for OpenShift specifically. I re-created the server image: docker build -t permitio/opal-server --target server -f docker/Dockerfile . Thank you @Raz Co @Or Weis