Deployment fails on Openshift #175

Closed
cyril-dussert opened this Issue Mar 15, 2017 · 11 comments

cyril-dussert commented Mar 15, 2017

Hi, I'm trying to deploy cachet using the DeploymentConfig provided

But I'm facing an issue, the deployment fails each time with the following error message :

Error creating: pods "cachet-1-" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 0: UID on container cachet does not match required range. Found 0, required min: 1000250000 max: 1000259999]

So the pod can't be created...

I tried with both OpenShift 3.3 & 3.4

Hope you can help me

Regards,
Cyril D.
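
The rejection reported above can be reproduced offline before a deployment is attempted. The following is an added example, not code from the Cachet project or from anyone in this thread: it parses the error text and checks a pod template against the project's UID block. It assumes the range comes from the project annotation `openshift.io/sa.scc.uid-range` in `<start>/<size>` form; the value `1000250000/10000` and the pod template are constructed to match the min and max shown in the error.

```python
import re

# Error text as reported in the issue above.
SCC_ERROR = ('securityContext.runAsUser: Invalid value: 0: UID on container cachet '
             'does not match required range. Found 0, required min: 1000250000 '
             'max: 1000259999')

def parse_scc_error(message):
    """Extract (container, found_uid, min_uid, max_uid) from the rejection text."""
    m = re.search(r'UID on container (\S+) does not match required range\.\s*'
                  r'Found (\d+), required min: (\d+) max: (\d+)', message)
    if not m:
        return None
    return (m.group(1),) + tuple(int(g) for g in m.group(2, 3, 4))

def uid_range(annotation):
    """Turn a '<start>/<size>' project UID block into an inclusive (min, max)."""
    start, size = (int(p) for p in annotation.split('/'))
    return start, start + size - 1

def violations(pod_spec, annotation):
    """List (container, uid) pairs whose effective runAsUser is outside the range."""
    lo, hi = uid_range(annotation)
    pod_uid = pod_spec.get('securityContext', {}).get('runAsUser')
    bad = []
    for c in pod_spec.get('containers', []):
        # A container-level runAsUser overrides the pod-level value.
        uid = c.get('securityContext', {}).get('runAsUser', pod_uid)
        if uid is None:
            continue  # unset: the SCC assigns a UID from the range at admission
        if not lo <= uid <= hi:
            bad.append((c['name'], uid))
    return bad

# Constructed pod template: one container pinned to root, one left unset.
SAMPLE_SPEC = {'containers': [
    {'name': 'cachet', 'securityContext': {'runAsUser': 0}},
    {'name': 'sidecar'},
]}

if __name__ == '__main__':
    print(parse_scc_error(SCC_ERROR))
    print(violations(SAMPLE_SPEC, '1000250000/10000'))
```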

djdefi commented Mar 16, 2017

gamkiller77 commented Mar 16, 2017

You have to have a less restrictive SCC set up for this to work. It's best to ask OpenShift support for those docs.

Another way is to run it priv, but that is not recommended.

cyril-dussert commented Mar 16, 2017

I am on a production platform which prevents containers running as root, for security reasons.

Is there any way to have dockerized cachet running as non-root?

gamkiller77 commented Mar 16, 2017

So this less restrictive lets a pod start as root then switch, so in production it's OK. We do this at my company as most containers out in the wild do have root set up.

On the other hand @djdefi you guys should look at removing the need to run the container as root.

cyril-dussert commented Mar 17, 2017

Ok guys,

I made it work using source to image with official cachet (and some dirty manipulations)

gamkiller77 commented Mar 17, 2017

@cyril-dussert yah we do not use S2I where I work. I still think @djdefi that container needs to not run in root. This is going to be a bigger problem as more people use Kubernetes.

prestonvanloon commented Mar 20, 2017

cyril-dussert commented Mar 20, 2017

It is pretty easy, but not usable for production deployment. If you want to share a full template of Cachet, fully automated, you will have to automate these steps:

  • First, fork the CachetHQ repository: https://github.com/CachetHQ/Cachet

  • Then, add the following line to the bootstrap/autoload.php file:
    ini_set('xdebug.max_nesting_level', 300);
    just before: define('LARAVEL_START', microtime(true));
    This will increase the performance of the original Red Hat PHP image.

  • Deploy a PostgreSQL (ephemeral or persistent) inside your OpenShift project

  • Then: oc new-app php~http://your-forked-repo.com -e DOCUMENTROOT=/public

  • oc rsh to your deployed cachet pod, and copy .env.example to a .env, with database credentials, your app URL and so on...

And enjoy then ;)

It is not really comfortable, but it works.

You can also pass your database credentials through environment variables, but don't forget to remove them from your .env file; otherwise, the file has priority over environment variables.

djdefi commented Mar 21, 2017

I shipped #178 which should run everything as a non-root user. I don't have an environment to reproduce your issue in, so let me know if there is anything else we can do here.

gamkiller77 commented Mar 21, 2017

Thanks @djdefi Rayn, I will test this out later this week and remove the less restrictive from my DC config.

djdefi commented Apr 17, 2017

Please open a new issue if you are still having trouble with the latest v2.3.11 release.
