[4pt] Change the way you use USER instruction in Dockerfile #481

Closed
vanyarock01 opened this issue Feb 26, 2021 · 0 comments · Fixed by #514
@vanyarock01
Contributor

What is meant? Now the default runtime container user is set like this:

```dockerfile
USER tarantool:tarantool
```

What is the problem with this method? The problem occurs when trying to install a built image in an unprivileged Kubernetes container. The problem is described here.

The error occurs because it is important for Kubernetes how the user was assigned (by name or UID). If you set a user by name, then Kubernetes cannot check the user's privileges. This happens because the container runtime interface of Kubernetes has either a UID or a username. The UID and the user name are mutually exclusive. It's just how the container runtime interface standard got designed.

The problem can be solved by installing the user (and his group) by UID (assuming tarantool UID and GID are 1200):

```dockerfile
USER 1200:1200
```
@dokshina changed the title from "Change the way you use USER instruction in Dockerfile" to "[4pt] Change the way you use USER instruction in Dockerfile" on Mar 11, 2021
@dokshina assigned mRrvz and unassigned dokshina on Mar 11, 2021
mRrvz added a commit that referenced this issue Mar 26, 2021
 It is possible to run an image generated with the ``cartridge pack docker`` command in an unprivileged Kubernetes container. It became possible, because tarantool user now always has ``UID = 1200`` and ``GID = 1200``. Closes #481
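
A pre-build check for the condition this issue describes, as an added example (not code from this project): it finds the `USER` in effect at the end of a Dockerfile and reports whether a non-root policy could verify it. The function names, the base image name and both sample Dockerfiles are constructed for illustration; the check reads only the Dockerfile text and does not inspect the base image.

```python
import re

# Constructed samples: the by-name form from the issue and the numeric form.
BEFORE = """\
FROM example/base:latest
RUN groupadd -r tarantool && useradd -r -g tarantool tarantool
USER tarantool:tarantool
"""
AFTER = """\
FROM example/base:latest
RUN groupadd -r -g 1200 tarantool && useradd -r -u 1200 -g tarantool tarantool
USER 1200:1200
"""

def effective_user(dockerfile: str):
    """Return the USER value in effect at the end of the final stage, or None."""
    user = None
    # Join backslash line continuations so each instruction is on one line.
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        if instr == "FROM":
            user = None  # a new stage inherits the base image's user
        elif instr == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def check_run_as_non_root(dockerfile: str) -> str:
    """Classify the final USER the way a numeric-UID-only verifier would."""
    user = effective_user(dockerfile)
    if user is None:
        return "unknown: no USER in final stage, base image user applies"
    uid = user.split(":", 1)[0]  # drop the optional :group part
    if not uid.isdecimal():
        return f"unverifiable: non-numeric user {uid!r}"
    if int(uid) == 0:
        return "rejected: runs as root"
    return f"ok: uid {int(uid)}"

if __name__ == "__main__":
    for name, df in (("before", BEFORE), ("after", AFTER)):
        print(name, "->", check_run_as_non_root(df))
```

A `USER` given through a build variable (for example `USER ${APP_UID}`) is reported as non-numeric, because its value is not known from the Dockerfile text alone.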