appsody / tekton-example

Example implementation of a tekton pipeline that deploys an Appsody project. This repo will be archived soon.
Apache License 2.0

docker.sock permission denied on OpenShift #16

Closed dacleyra closed 5 years ago

dacleyra commented 5 years ago

Openshift 3.11

Service account is configured as

oc apply -n kabanero -f https://raw.githubusercontent.com/appsody/tekton-example/master/appsody-service-account.yaml
oc adm policy add-cluster-role-to-user cluster-admin -z appsody-sa -n kabanero
oc adm policy add-scc-to-user hostmount-anyuid -z appsody-sa -n kabanero
oc policy add-role-to-user system:image-builder system:serviceaccount:kabanero:appsody-sa

In one case, this is enough for build-task assemble-extract-step to access /var/run/docker.sock

In another case, access to docker.sock is denied until the following is added to build-task

  steps:
    - name: assemble-extract-step
      securityContext:
        privileged: true

Related https://danwalsh.livejournal.com/78373.html

The first case is an older cluster, with some older selinux policy modules. Either there was a security hole in case #1, or scc is not applying in case #2? Not quite sure.
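
A readiness check for the race described in this comment, added here as an example (not code from the appsody/tekton-example repository): it polls the SCC's users list until the service account grant is visible before a PipelineRun is created, so the build step gets the SCC it needs instead of being admitted early and needing `privileged: true`. The names kabanero, appsody-sa and hostmount-anyuid are the ones from the issue; the jsonpath assumes OpenShift 3.11, where `add-scc-to-user` edits the SCC's `users` field.

```shell
#!/bin/sh
# Added example, not part of the appsody/tekton-example repo.
# Confirms the SA is actually listed on the SCC before the PipelineRun is
# created, so the build pod is not admitted before the grant is in place.
# Namespace/SA/SCC defaults come from the issue; override via environment.
NS="${NS:-kabanero}"
SA="${SA:-appsody-sa}"
SCC="${SCC:-hostmount-anyuid}"

# Pure check (no cluster access): $1 = space-separated user list as printed by
# `oc get scc <name> -o jsonpath='{.users[*]}'`, $2 = namespace, $3 = SA name.
# Returns 0 when system:serviceaccount:<ns>:<sa> is present, 1 otherwise.
sa_in_scc_users() {
  users="$1"; want="system:serviceaccount:$2:$3"
  for u in $users; do
    [ "$u" = "$want" ] && return 0
  done
  return 1
}

# Poll the live cluster (needs a logged-in `oc`); give up after $1 seconds.
# Run this after `oc adm policy add-scc-to-user` and before creating the
# PipelineRun, instead of adding privileged: true to the build step.
wait_for_scc_grant() {
  deadline=$(( $(date +%s) + ${1:-60} ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    users=$(oc get scc "$SCC" -o jsonpath='{.users[*]}' 2>/dev/null) || users=""
    if sa_in_scc_users "$users" "$NS" "$SA"; then
      echo "SCC $SCC grants $SA in $NS; safe to create the PipelineRun"
      return 0
    fi
    sleep 2
  done
  echo "timed out: $SA not yet in SCC $SCC users list" >&2
  return 1
}
```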

dacleyra commented 5 years ago

Appears to be a timing issue between when the SCC is created and the build task is created.

Maybe worth a troubleshooting note.

dacleyra commented 5 years ago

The root cause is this issue

https://github.com/tektoncd/pipeline/issues/1103

neeraj-laad commented 5 years ago

We would like to do this work as part of https://github.com/appsody/appsody/issues/96. Closing this issue.