ibm-messaging / mq-container

Container images for IBM® MQ
Apache License 2.0

Extending the MQ v9.1.5.0 image with additional user #445

Closed OmBabosa closed 3 years ago

OmBabosa commented 3 years ago

Hi Arthur,

We are trying to add an additional user to the image 'cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64'. Say, we use the below docker file to do this:

```dockerfile
FROM cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64
USER root
RUN useradd xxxuser
USER mqm
```

But that results in the container crashing at start-up and reporting that the user 'mqm' does not exist, or a similar error. We had earlier been doing the same with 'cp.icr.io/cp/ibm-mqadvanced-server:9.1.4.0-r1-amd64' and did not run into issues. We now understand that from v9.1.5.0 onwards the server image does not contain the user 'mqm', and hence the container crashes due to the last, conflicting instruction 'USER mqm' in our Dockerfile. So we removed this last instruction, and the Dockerfile now looks like below:

```dockerfile
FROM cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64
USER root
RUN useradd xxxuser
```

With the above, the container crashes, but this time with a different error: 'Error 119 starting queue manager: AMQ7077E: You are not authorized to perform the requested operation'. I understand that this could be due to the second instruction 'USER root' in the above Dockerfile, which causes the container to run as the 'root' user (we are running our container on OpenShift)? I am pasting the complete logs from the container start-up below for you to see and validate my understanding, please.


```
2021-03-05T15:53:32.064Z Using queue manager name: ACESWITCHQM
2021-03-05T15:53:32.065Z CPU architecture: amd64
2021-03-05T15:53:32.065Z Linux kernel version: 4.18.0-193.41.1.el8_2.x86_64
2021-03-05T15:53:32.065Z Container runtime: kube
2021-03-05T15:53:32.066Z Base image: Red Hat Enterprise Linux 8.1 (Ootpa)
2021-03-05T15:53:32.066Z Running as user ID 0 with primary group 0
2021-03-05T15:53:32.066Z Capabilities (bounding set): chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
2021-03-05T15:53:32.066Z Capabilities (ambient set): chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
2021-03-05T15:53:32.066Z seccomp enforcing mode: disabled
2021-03-05T15:53:32.066Z Process security attributes: system_u:system_r:spc_t:s0
2021-03-05T15:53:32.066Z Detected 'ext4' volume mounted to /mnt/mqm
2021-03-05T15:53:32.077Z Created directory structure under /var/mqm
2021-03-05T15:53:32.077Z Image created: 2020-03-31T07:00:04+00:00
2021-03-05T15:53:32.077Z Image tag: ibm-mqadvanced-server:9.1.5.0-r1-amd64
2021-03-05T15:53:32.098Z MQ version: 9.1.5.0
2021-03-05T15:53:32.098Z MQ level: p915-L200316
2021-03-05T15:53:32.098Z MQ license: Production
2021-03-05T15:53:33.361Z Creating queue manager ACESWITCHQM
2021-03-05T15:53:33.375Z Detected existing queue manager ACESWITCHQM
2021-03-05T15:53:33.388Z Starting queue manager
2021-03-05T15:53:33.402Z Error 119 starting queue manager: AMQ7077E: You are not authorized to perform the requested operation.
```

Our requirement is still to use MQ v9.1.5.0 and extend the base image 'cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64' with the additional user 'xxxuser'. Could you please suggest an approach for us to extend the image and get a running container without breaking any of the functionality/processes of the base MQ?

Thanks in advance for your response and guidance on this.
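The startup log above already contains the facts a reviewer needs: the process runs as UID 0, holds the full bounding and ambient capability sets, and has seccomp disabled. The following is an added example, not code from the issue or from the mq-container project, that parses records of that shape and turns them into findings. The log lines it embeds are constructed samples modelled on the post (capability lists shortened; the "hardened" values are assumed), and the set of capabilities it treats as high-risk is this example's own choice.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the startup records posted in the issue
# (same record types, one per line, capability lists shortened). Not verbatim.
SAMPLE_LOG = """\
2021-03-05T15:53:32.066Z Running as user ID 0 with primary group 0
2021-03-05T15:53:32.066Z Capabilities (bounding set): chown,dac_override,sys_admin,sys_module,sys_ptrace,net_admin
2021-03-05T15:53:32.066Z Capabilities (ambient set): chown,dac_override,sys_admin,sys_module,sys_ptrace,net_admin
2021-03-05T15:53:32.066Z seccomp enforcing mode: disabled
2021-03-05T15:53:33.402Z Error 119 starting queue manager: AMQ7077E: You are not authorized to perform the requested operation.
"""

# Constructed sample of a non-root, restricted run (UID, caps and seccomp mode assumed).
HARDENED_LOG = """\
2021-03-05T16:00:00.000Z Running as user ID 1000680000 with primary group 0
2021-03-05T16:00:00.000Z Capabilities (bounding set): chown,setgid,setuid
2021-03-05T16:00:00.000Z Capabilities (ambient set):
2021-03-05T16:00:00.000Z seccomp enforcing mode: filtering
2021-03-05T16:00:01.000Z Starting queue manager
"""

# Capabilities this example flags because they let a process alter the host,
# other processes, or file permission checks. Assumed list, not from the page.
HIGH_RISK_CAPS: Set[str] = {
    "sys_admin", "sys_module", "sys_ptrace", "sys_rawio", "sys_boot",
    "dac_override", "dac_read_search", "net_admin", "mknod", "setfcap",
}

RECORD_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<msg>.*)$")
UID_RE = re.compile(r"^Running as user ID (\d+) with primary group (\d+)")
CAPS_RE = re.compile(r"^Capabilities \((bounding|ambient) set\):\s*(.*)$")
SECCOMP_RE = re.compile(r"^seccomp enforcing mode: (\S+)")
ERROR_RE = re.compile(r"^Error (\d+) starting queue manager: (AMQ\d{4}[A-Z])")


def parse_startup_log(text: str) -> Dict[str, object]:
    """Extract UID/GID, capability sets, seccomp mode and start errors from timestamped records."""
    uid = gid = None
    caps: Dict[str, Set[str]] = {}
    seccomp = None
    errors: List[str] = []
    for raw in text.splitlines():
        rec = RECORD_RE.match(raw.rstrip())
        if not rec:
            continue  # not a timestamped MQ record; ignore
        msg = rec.group("msg")
        if m := UID_RE.match(msg):
            uid, gid = int(m.group(1)), int(m.group(2))
        elif m := CAPS_RE.match(msg):
            caps[m.group(1)] = {c for c in m.group(2).split(",") if c}
        elif m := SECCOMP_RE.match(msg):
            seccomp = m.group(1)
        elif m := ERROR_RE.match(msg):
            errors.append(m.group(2))
    return {"uid": uid, "gid": gid, "caps": caps, "seccomp": seccomp, "errors": errors}


def assess(facts: Dict[str, object]) -> List[str]:
    """Turn parsed facts into human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    if facts["uid"] == 0:
        findings.append("runs as UID 0 (root); the MQ image expects an arbitrary non-root UID in GID 0")
    caps = facts["caps"]  # type: ignore[assignment]
    for which in ("bounding", "ambient"):
        risky = sorted(HIGH_RISK_CAPS & caps.get(which, set()))
        if risky:
            findings.append(f"{which} capability set includes {','.join(risky)}")
    if facts["seccomp"] == "disabled":
        findings.append("seccomp enforcing mode is disabled")
    for code in facts["errors"]:  # type: ignore[attr-defined]
        findings.append(f"queue manager failed to start with {code}")
    return findings


if __name__ == "__main__":
    for name, log in (("posted run", SAMPLE_LOG), ("hardened run", HARDENED_LOG)):
        print(f"== {name}")
        for finding in assess(parse_startup_log(log)) or ["no findings"]:
            print(" -", finding)
```

Run against the posted log the checker reports the root UID, the risky capabilities in both sets, the disabled seccomp filter and the AMQ7077E start failure; against the constructed hardened log it reports nothing. Pointing it at `kubectl logs` output of a real pod works the same way, because only the timestamped records are parsed.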

arthurbarr commented 3 years ago

First of all, cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64 is an IBM certified container, and the certified containers are only supported using LDAP, and not with OS users.

Secondly, you should be advised that MQ 9.1.5 goes out of support in the next few weeks; support for CD releases only lasts for one year.

From MQ 9.1.5 onwards, MQ uses the new "no install" package to install MQ, instead of the usual RPM packages. This new way of installing MQ was created to allow MQ to work within Red Hat OpenShift's security model, which is optimized for secure containers. In this model, containers are run with a random UID, which is always part of the "root" group (GID 0). This gets rid of the "mqm" user and group, and moves to a security model where multiple queue managers can run on a single multi-tenanted machine, without any fear of security clashes. The UID 1001 is used at container build time, and is part of the root group, but it is not normally used at run time. So in your top Dockerfile example, you could set USER 1001 instead of USER mqm.

Another change which was made as part of adopting this security model was to remove any use of "privilege escalation". Normally, MQ has some processes with a "setuid" bit set, to allow MQ to act as the "root" super-user to check operating system (OS) passwords. When installed with the "no install" package, MQ doesn't have any special privileges, and so cannot authenticate OS users.

As part of this change, group permissions are no longer possible, so everything must be authorized based on user IDs.

I'd recommend the use of LDAP for authentication. If however you need to pursue the use of OS users, then you can build your own container image from the samples in this repository, using the MQ RPM installers, using an older code branch from 9.1.4 (which should still be compatible with the latest MQ, but will be missing some of the latest enhancements in the sample). That will allow you to run a newer version of MQ with RPMs, and OS users. Note however that the sample code itself will not be supported in this case (it's a sample), but the queue manager itself will still be supported.
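The two failure modes in this thread (a `USER mqm` against an image that no longer has that user, and a `USER root` left in effect so the container runs as UID 0 instead of an arbitrary UID in GID 0) are both visible in the Dockerfile before anything is built. The following is an added example, not code from the issue or the mq-container project, that lints a Dockerfile for exactly those two conditions. It assumes the version threshold stated in the reply above (no mqm user from 9.1.5 onwards) and that an MQ-style tag carries the version as its leading dotted number; the three Dockerfiles it embeds are constructed samples, the third being the corrected form the reply suggests.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Constructed samples. LEGACY and BROKEN mirror the two Dockerfiles in the issue;
# FIXED keeps the useradd but ends with the build-time UID the reply suggests.
LEGACY = """\
FROM cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64
USER root
RUN useradd xxxuser
USER mqm
"""

BROKEN = """\
FROM cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64
USER root
RUN useradd xxxuser
"""

FIXED = """\
FROM cp.icr.io/cp/ibm-mqadvanced-server:9.1.5.0-r1-amd64
USER root
RUN useradd xxxuser
USER 1001
"""

# From the reply in this thread: images from 9.1.5 have no mqm user or group.
NO_MQM_USER_FROM: Tuple[int, ...] = (9, 1, 5, 0)
TAG_VERSION_RE = re.compile(r":(\d+(?:\.\d+)+)")


def instructions(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (KEYWORD, args) per instruction, joining backslash continuations and skipping comments."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        buf += stripped
        parts = buf.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        buf = ""


def image_version(from_args: str) -> Optional[Tuple[int, ...]]:
    """Version tuple from the tag of a FROM reference, e.g. '...:9.1.5.0-r1-amd64' -> (9, 1, 5, 0)."""
    ref = from_args.split()[0]  # drop any 'AS stage' alias
    m = TAG_VERSION_RE.search(ref)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def lint_dockerfile(text: str) -> List[str]:
    """Report a USER mqm on a 9.1.5+ base and a final USER that leaves the container as root."""
    findings: List[str] = []
    version: Optional[Tuple[int, ...]] = None
    final_user: Optional[str] = None  # None: the base image's own USER is inherited
    for keyword, args in instructions(text):
        if keyword == "FROM":
            version = image_version(args)
            final_user = None  # each stage starts from its base image's user
        elif keyword == "USER":
            user = args.split(":")[0]  # 'user:group' form; only the user matters here
            final_user = user
            if user == "mqm" and version is not None and version >= NO_MQM_USER_FROM:
                findings.append("USER mqm: MQ images from 9.1.5 have no mqm user; use USER 1001 (build-time UID in GID 0)")
    if final_user in ("root", "0"):
        findings.append("final USER is root: the container will run as UID 0 instead of an unprivileged UID in GID 0")
    return findings


if __name__ == "__main__":
    for name, df in (("legacy", LEGACY), ("broken", BROKEN), ("fixed", FIXED)):
        print(f"== {name}: {lint_dockerfile(df) or ['ok']}")
```

Wiring `lint_dockerfile` into the image build pipeline catches both mistakes before a pod is scheduled; the last-`USER` check is the one that matters most on OpenShift, since a `USER root` left at the end of the file is what produced the "Running as user ID 0" line in the posted log.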

arthurbarr commented 3 years ago

Note that from MQ 9.2.1 onwards, there's a new option on crtmqm to specify -oa UserExternal. This is turned on by default in the container samples, and prevents MQ from requiring users to be in either LDAP or the OS. This means that you also have the option of using mutual TLS instead of LDAP. See Permitting non-operating system users in the Object Authority Manager