
I have set up a deployment for an image that doesn't specify any user to run as. When the image starts, it tries to create a directory at /data/cache and encounters a permission denied error.

I tried to create the directory from the terminal in the pod and encountered the same issue:

$ whoami
1000910000
$ mkdir /data/cache
mkdir: cannot create directory ‘/data/cache’: Permission denied

I found this, but it requires the image to be run as a specific user, and I can't change the Dockerfile. Is there any way to allow the image write access to /data?

Thank you

ipohfly

2 Answers


This is due to how OpenShift creates/manages the images: every time you deploy, it creates a random user ID.

You should check how to support arbitrary user ids:

https://docs.openshift.com/container-platform/4.7/openshift_images/create-images.html

Support arbitrary user ids

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.

Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:

RUN chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory

Because the container user is always a member of the root group, the container user can read and write these files.

So you should really try to bend it following these rules.

Dharman
Tomas
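As an added example (not code from either answer or from the OpenShift docs), the following POSIX sh script can be pasted into the pod terminal, like the whoami/mkdir session in the question, to report which of the three documented conditions a path fails: group owner 0, group read/write, and group execute on directories. It also wraps the two commands the quoted docs use as the build-time fix. The paths passed on the command line are assumptions; the script does not know the image's layout.

```shell
#!/bin/sh
# Added example: check whether a path is writable by an arbitrary non-root UID
# that is a member of the root group, which is the rule OpenShift's
# "support arbitrary user IDs" section describes.

# Prints every rule the path fails; returns 0 if it passes, 1 otherwise.
check_arbitrary_uid_ready() {
    path="$1"
    [ -e "$path" ] || { echo "$path: does not exist"; return 1; }

    # `ls -ldn` is POSIX: mode string, link count, numeric uid, numeric gid, ...
    # (mode string layout: type, owner rwx, group rwx, other rwx)
    set -- $(ls -ldn "$path")
    mode="$1"
    gid="$4"
    ok=0

    # Rule 1: the group owner must be the root group (gid 0).
    if [ "$gid" != "0" ]; then
        echo "$path: group owner is gid $gid, expected 0 (fix: chgrp 0)"
        ok=1
    fi

    # Rule 2: the group must have read and write (characters 5 and 6).
    case "$mode" in
        ????rw*) ;;
        *) echo "$path: group lacks read/write ($mode) (fix: chmod g=u)"; ok=1 ;;
    esac

    # Rule 3: directories need group execute (character 7) to be traversed.
    if [ -d "$path" ]; then
        case "$mode" in
            ??????[xs]*) ;;
            *) echo "$path: directory lacks group execute ($mode)"; ok=1 ;;
        esac
    fi
    return $ok
}

# The fix the docs quote, as a function. It only works at image build time
# (a Dockerfile RUN step running as root); an arbitrary UID cannot chgrp to 0.
fix_for_arbitrary_uid() {
    chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Usage inside the pod: sh check.sh /data /data/cache   (paths are assumptions)
if [ $# -gt 0 ]; then
    status=0
    for p in "$@"; do
        check_arbitrary_uid_ready "$p" && echo "$p: ok" || status=1
    done
    exit $status
fi
```

Run it against the directory the application wants to write to; a missing directory, a non-root group owner, or a 755 mode each produce a separate message naming the Dockerfile fix that would clear it. If the report says "group owner is gid N, expected 0", no permission change from inside the pod can help, and the fix has to happen in the image build or, as the other answer suggests, by mounting a volume at that path.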

If you cannot change the container itself, then mounting an emptyDir directory in this place could be an option.

Add it like so to the Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-deployment
  labels:
    app: example
spec:
...
    spec:
      containers:
      - name: example
        image: nginx:1.14.2
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /data/cache
          name: cache-volume
      volumes:
      - name: cache-volume
        emptyDir: {}
Simon
  • This should work. Another option would be to run the pods created by the container with a specific serviceaccount and add the anyuid scc to this SA – meaningqo May 19 '21 at 13:19