[K8S-266] Don't require root permissions to run the Couchbase container on openshift - Couchbase database

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.0.0
Component/s: openshift
Labels:
None

Description

I think we should be able to create a container that doesn't require root to run.

Attachments

Issue Links

relates to

MB-29366 Couchbase containers do not start on OpenShift without giving them extra uneeded permissions

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

Ascending order - Click to sort in descending order

Simon Murray added a comment - 10/Apr/18 7:36 AM

Just a note, being able to 'docker exec' into a couchbase-server container and install packages as root (e.g. tcpdump and iputils) is quite a good thing. I'd rather we not lose this debug functionality if at all possible.

Simon Murray added a comment - 10/Apr/18 7:36 AM Just a note, being able to 'docker exec' into a couchbase-server container and install packages as root (e.g. tcpdump and iputils) is quite a good thing. I'd rather we not lose this debug functionality if at all possible.

Mike Wiederhold [X] (Inactive) added a comment - 10/Apr/18 8:54 AM

Simon,

This is specifically for openshift. I haven't looked into the details yet so I'm not sure exactly what we should do, but right now we need to add extra privileges (oc adm policy add-scc-to-user anyuid system:serviceaccount:myproject:default) for a user to run our containers. This isn't usually required by default and some users are uncomfortable needing to do this. We have separate openshift containers and I think using those would solve this issue, but I haven't had a chance to test it out yet.

Mike Wiederhold [X] (Inactive) added a comment - 10/Apr/18 8:54 AM Simon, This is specifically for openshift. I haven't looked into the details yet so I'm not sure exactly what we should do, but right now we need to add extra privileges (oc adm policy add-scc-to-user anyuid system:serviceaccount:myproject:default) for a user to run our containers. This isn't usually required by default and some users are uncomfortable needing to do this. We have separate openshift containers and I think using those would solve this issue, but I haven't had a chance to test it out yet.

People

Assignee:: Mike Wiederhold [X] (Inactive)

Reporter:: Mike Wiederhold [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 06/Apr/18 8:55 AM

Updated:: 19/Jul/18 1:50 PM

Resolved:: 19/Jul/18 1:50 PM

Gerrit Reviews

There are no open Gerrit changes

Show There are 4 closed Gerrit changes

Hide There are 4 closed Gerrit changes

K8S-266: Add ability to set a SecurityContext for all pods: Gerrit Review:

K8S-266: Add ability to set a SecurityContext for all pods: Gerrit Review:

K8S-266: Don't set a security context by default: Gerrit Review:

Revert "K8S-266: Don't set a security context by default": Gerrit Review:

PagerDuty

Couchbase Kubernetes

Details

Description

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty