Origin: Can not run a container as root

Created on 17 Aug 2016 · 6 Comments · Source: openshift/origin

openshift-version: v1.3.0-alpha.2

I am trying to deploy eclipse-che (codenvy/che:4.5.1) to openshift. But I met some issues.
Here are my operations:

login first

oc login
username:test
password:

create a new project

oc new-project test
logout
oc login -u system:admin

Because eclipse-che needs to run as root (the first time I got an error: "unknown userid 1000030000"):

oadm policy add-scc-to-group anyuid system:authenticated
oc edit scc restricted (changed the runAsUser.Type strategy to RunAsAny)

But I still get the error

sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
sudo: unable to initialize policy plugin

What configuration is missing?

Labels: kind/question, priority/P2

All 6 comments

Don't change the restricted scc, adding to the anyuid scc is sufficient. I think you are missing capabilities required to run sudo commands. Do you see dropped capabilities in your pod spec?

@liggitt Thanks for your answer. I am basing this on this document here. I don't know why it's not working properly.

I tried only adding to the anyuid scc with the command:
oadm policy add-scc-to-group anyuid system:authenticated

But it still throws an error: "whoami: unknown uid 1000030000"

How do I check the dropped capabilities in my pod spec?

@qeesung did you delete and recreate the pod? That output from whoami looks like it still validated under the restricted SCC and is running with an allocated UID.

To see dropped capabilities you may check the pod with oc get pod <name> -o json, look for the capabilities section which can contain an add and drop subsection.
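As an added illustration of that check (this is not code from the thread or from OpenShift), the script below reads a pod object of the shape `oc get pod <name> -o json` returns and pulls out the fields that decide whether sudo/root can work: the `openshift.io/scc` annotation OpenShift stamps on an admitted pod, the container's `runAsUser`, the `capabilities.add`/`capabilities.drop` lists, and any `hostPath` volumes. The pod JSON is a constructed sample (name, UID and volume are made up); the drop list shown is the one the restricted SCC applies by default.

```python
import json

# Constructed sample shaped like `oc get pod <name> -o json` output for a pod
# admitted under the restricted SCC; name, UID and volume are made up.
SAMPLE_POD_JSON = """
{
  "metadata": {"name": "che-1-abcde", "annotations": {"openshift.io/scc": "restricted"}},
  "spec": {
    "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{
      "name": "che",
      "securityContext": {
        "runAsUser": 1000030000,
        "capabilities": {"add": [], "drop": ["KILL", "MKNOD", "SETUID", "SETGID"]}
      }
    }]
  }
}
"""


def inspect_pod(pod_json: str) -> dict:
    """Summarise the parts of a pod object that decide whether sudo/root works.

    Reports the SCC the pod was admitted under, any hostPath volumes (restricted
    and anyuid do not allow them), and per container its runAsUser, added and
    dropped capabilities, and whether SETUID/SETGID were dropped, which is what
    makes sudo's setresuid() fail with "Operation not permitted".
    """
    pod = json.loads(pod_json)
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.get("spec", {})
    host_paths = [v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v]
    containers = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        dropped = set(caps.get("drop") or [])
        containers.append({
            "name": c.get("name"),
            "runAsUser": sc.get("runAsUser"),
            "add": sorted(caps.get("add") or []),
            "drop": sorted(dropped),
            "setuid_caps_dropped": bool({"SETUID", "SETGID"} & dropped),
        })
    return {"scc": annotations.get("openshift.io/scc"), "hostPath": host_paths, "containers": containers}


if __name__ == "__main__":
    print(json.dumps(inspect_pod(SAMPLE_POD_JSON), indent=2))
```

On a live cluster, pipe `oc get pod <name> -o json` into `inspect_pod` instead of the sample; a pod still showing `restricted` in the SCC annotation was not recreated after the SCC grant.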

@pweil I deleted the project with the command oc delete project test, then I removed the related docker container with the docker command docker rm -f $(docker ps | grep k8s | awk '{print $1}'). Then I created a new project test with the command oc new-project test.

Is this the correct operation to remove the pods?

Recreating the pods is what I was getting at. You can just oc delete pod <name> and get rid of the pod. If you are using a deployment config then deleting the deployment config would delete the pods.

If you did that and had the correct grants on the SCC then you should've been able to validate under the anyuid SCC. However, I did a quick test of this and found that you will also need a host mount as the image requires access to the docker socket. There is a built-in SCC that allows this called hostmount-anyuid.

Also, Che requires specific privs on the docker socket, you may have to run a sudo chmod 666 /var/run/docker.sock on your host. If so, the image will tell you that the permissions are not correct.

# you don't want to give this scc to the world unless this is a dev system.
# Normally you'd grant it to a specific service account
oadm policy add-scc-to-group hostmount-anyuid system:authenticated

oc login -u test -p test
oc new-project test
oc create -f che.json

Deployment Config I used. Please note the host mounts that were added to the pod.

After this I was able to point my browser to the pod IP and see the Che dashboard.


@pweil awesome! The deployment config file fixed my issue!!! I think my previous configuration files have problems.

Thanks a lot.
