jfrog / jfrog-openshift

A repository for storing integrations of JFrog products with Open Source Products.
Apache License 2.0

Your installation method requires *way* too many privileges #1

Open gregswift opened 7 years ago

gregswift commented 7 years ago

I am a cluster-admin, and so I did not create a special user with cluster-admin privileges, or anyuid, or scc, etc. A normal app that we deploy in our environment should not have these privileges.

From your new-app command:

* WARNING: Image "jfrog-int-docker-open-docker.bintray.io/artifactory-pro/openshift:5.2.1.pro" runs as the 'root' user which may not be permitted by your cluster administrator

If this is intended to run on openshift, you really should make a few changes.

In os.sh one of the steps is oc adm policy add-scc-to-group anyuid system:authenticated, which grants anyuid to any user that has authenticated on the system.

So the container starting account (the service account) has now been granted the “anyuid” capability which means it can start as root and therefore perform chown/chmod and other root level commands. Of course, I would much rather that the container was changed to be able to run without requiring root permissions, but I am trying to run a pre-packaged image here. source

Whether I add the rest of the permissions or not this is what I get when I start the app:

=====================================
2017-05-11 21:07:46   [41 entrypoint-artifactory.sh] Checking open files and processes limits
2017-05-11 21:07:46   [44 entrypoint-artifactory.sh] Current max open files is 1048576
2017-05-11 21:07:46   [56 entrypoint-artifactory.sh] Current max open processes is 1048576
2017-05-11 21:07:46   [66 entrypoint-artifactory.sh] Checking if /var/opt/jfrog/artifactory is mounted
2017-05-11 21:07:46   [71 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory is mounted
2017-05-11 21:07:46   [77 entrypoint-artifactory.sh] Setting up data directories if missing
2017-05-11 21:07:46   [87 entrypoint-artifactory.sh] Create artifactory user if missing
2017-05-11 21:07:46   [90 entrypoint-artifactory.sh] User does not exist. Creating it...
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.
2017-05-11 21:07:46   [31 entrypoint-artifactory.sh] ERROR: Failed creating user artifactory
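
The difference between the grant os.sh performs and a least-privilege grant, plus a check for the broad one, as an added example (this is not code from jfrog/jfrog-openshift or from either commenter; the namespace "artifactory" and service account "artifactory-sa" are hypothetical placeholders, and the two SCC documents are constructed samples, not captured from a cluster). add-scc-to-group on system:authenticated lets every authenticated user in the cluster run pods as root; binding anyuid to one service account in one project limits that to the pod that actually needs it. The audit function reads the YAML of `oc get scc anyuid -o yaml` and reports whether system:authenticated is in its groups list. Note that this only narrows who gets anyuid; without it the pod is assigned a random UID and the entrypoint's useradd fails exactly as in the log above, so the durable fix is still an image that does not need root.

```shell
#!/bin/sh
# Added example for this issue; not code from jfrog/jfrog-openshift or from
# either commenter. Namespace "artifactory" and service account
# "artifactory-sa" are hypothetical placeholders.

# The grant os.sh performs (per the issue): anyuid for every authenticated user.
broad_grant_cmd() {
  echo "oc adm policy add-scc-to-group anyuid system:authenticated"
}

# Least-privilege alternative: one service account in one project, and the
# anyuid SCC bound to that account only (the pod then runs with that SA).
scoped_grant_cmds() {
  ns="$1"
  sa="$2"
  echo "oc create serviceaccount $sa -n $ns"
  echo "oc adm policy add-scc-to-user anyuid -z $sa -n $ns"
}

# Print the entries of the top-level "groups:" list of an SCC, one per line.
# Input is the YAML text of `oc get scc <name> -o yaml`.
scc_groups() {
  printf '%s\n' "$1" | awk '
    /^groups:/         { in_groups = 1; next }
    /^[A-Za-z]/        { in_groups = 0 }
    in_groups && /^- / { sub(/^- /, ""); print }
  '
}

# Exit 0 if the SCC is handed to every authenticated user, 1 otherwise.
scc_open_to_all_authenticated() {
  scc_groups "$1" | grep -qx 'system:authenticated'
}

# Constructed sample of the anyuid SCC after os.sh has run (relevant fields
# only; not captured from a real cluster).
SCC_AFTER_OS_SH='kind: SecurityContextConstraints
metadata:
  name: anyuid
groups:
- system:cluster-admins
- system:authenticated
users: []'

# Constructed sample after the scoped grant instead.
SCC_SCOPED='kind: SecurityContextConstraints
metadata:
  name: anyuid
groups:
- system:cluster-admins
users:
- system:serviceaccount:artifactory:artifactory-sa'

echo "# what os.sh runs:"
broad_grant_cmd
echo "# scoped alternative:"
scoped_grant_cmds artifactory artifactory-sa

for sample in "$SCC_AFTER_OS_SH" "$SCC_SCOPED"; do
  if scc_open_to_all_authenticated "$sample"; then
    echo "FAIL: anyuid granted to system:authenticated (any user can run pods as root)"
  else
    echo "ok: anyuid not granted to system:authenticated"
  fi
done

# Against a live cluster (not run here): sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
  scc_open_to_all_authenticated "$(oc get scc anyuid -o yaml)" && exit 2
fi
```

Run with --live against a cluster where os.sh has been applied and the script exits 2; the corresponding cleanup is `oc adm policy remove-scc-from-group anyuid system:authenticated`, after which only the explicitly bound service account keeps the privilege.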

lpshikhar commented 7 years ago

This is an ephemeral demo which requires these dependencies as there are a lot of variants of RedHat Openshift like OCP, Openshift dedicated and other offerings. The idea is to just give a glimpse into how artifactory runs inside openshift and not to be used for production environment openshift installations.