mendhak / docker-http-https-echo

Docker image that echoes request data as JSON; listens on HTTP/S, useful for debugging.
https://code.mendhak.com/docker-http-https-echo/
MIT License

Not working on Openshift. #16

Closed Sispheor closed 3 years ago

Sispheor commented 3 years ago

Hi, the last image is not working anymore on OpenShift 4.

internal/fs/utils.js:308
    throw err;
    ^

Error: EACCES: permission denied, open 'privkey.pem'
    at Object.openSync (fs.js:476:3)
    at Object.readFileSync (fs.js:377:35)
    at Object.<anonymous> (/app/index.js:73:22)
    at Module._compile (internal/modules/cjs/loader.js:1063:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
    at Module.load (internal/modules/cjs/loader.js:928:32)
    at Function.Module._load (internal/modules/cjs/loader.js:769:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
    at internal/main/run_main_module.js:17:47 {
  errno: -13,
  syscall: 'open',
  code: 'EACCES',
  path: 'privkey.pem'
}

Here is the DeploymentConfig I use (Ansible code):

- name: Create http-echo deployment
  k8s:
    kubeconfig: "{{ ocp_ignition_file_path }}/auth/kubeconfig"
    state: present
    namespace: "{{ project_name }}"
    definition:
      kind: DeploymentConfig
      apiVersion: v1
      metadata:
        labels:
          app: "{{ project_name }}"
        name: "{{ project_name }}-deployment"
        annotations:
          description: An http echo service
          template.alpha.openshift.io/wait-for-ready: 'true'
      spec:
        selector:
          name: "http-echo"
        template:
          metadata:
            labels:
              name: "http-echo"
          spec:
            containers:
              - name: "http-echo"
                image: "mendhak/http-https-echo" # https://github.com/mendhak/docker-http-https-echo
                env:
                  - name: HTTP_PORT
                    value: "8000"
                  - name: HTTPS_PORT
                    value: "9000"
                ports:
                  - containerPort: 80
                    protocol: TCP
        replicas: 1
        strategy:
          type: Recreate
        paused: false
        revisionHistoryLimit: 2
        minReadySeconds: 0
    wait: yes
    wait_condition:
      type: Available
      status: True

I tried as well with the "issue-14-non-root" tag.

mendhak commented 3 years ago

Another user ran into this, see: https://github.com/mendhak/docker-http-https-echo/issues/14#issuecomment-733965621

I am not familiar with OpenShift or k8s. Does the securityContext bit work for you?

securityContext:
  runAsUser: 1000

mendhak commented 3 years ago

Basically the way I test it is like this: https://github.com/mendhak/docker-http-https-echo#run-as-a-non-root-or-rootless-user

Sispheor commented 3 years ago

Actually, the best practice is to avoid running things as root when we can. And adding a specific security context can be complicated on a public cluster. On OpenShift it's not even possible at all to run a root container.

mendhak commented 3 years ago

Thanks for the PR, it's merged now.

Can you try it: mendhak/http-https-echo:15

Sispheor commented 3 years ago

All good, thanks.
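Added example, not part of the thread or the project's code: a sketch of the POSIX read check behind the `EACCES` on `privkey.pem`, showing why pinning `runAsUser: 1000` can succeed while a platform-assigned UID fails on the same file. It assumes OpenShift's default behaviour of running the container as an arbitrary non-root UID that is a member of group 0; the file owners, modes and UIDs are constructed, and `readAccess` and `evaluate` are hypothetical names.

```javascript
// Constructed values throughout: the thread does not show the image's real
// ownership or mode for privkey.pem.
const R_OWNER = 0o400, R_GROUP = 0o040, R_OTHER = 0o004;

// stat: {uid, gid, mode}, the same fields fs.statSync(path) returns.
// proc: {uid, gids}, e.g. {uid: process.getuid(), gids: process.getgroups()}.
function readAccess(stat, proc) {
  if (proc.uid === 0) {
    // Assumes root still holds CAP_DAC_OVERRIDE inside the container.
    return { allowed: true, cls: 'root', reason: 'uid 0 bypasses mode bits' };
  }
  // Exactly one permission class applies: owner, else group, else other.
  // A matching owner never falls through to the group or other bits.
  let cls, bit;
  if (proc.uid === stat.uid) { cls = 'owner'; bit = R_OWNER; }
  else if (proc.gids.includes(stat.gid)) { cls = 'group'; bit = R_GROUP; }
  else { cls = 'other'; bit = R_OTHER; }
  const perms = (stat.mode & 0o777).toString(8).padStart(3, '0');
  return {
    allowed: (stat.mode & bit) !== 0,
    cls,
    reason: `${cls} class, mode ${perms}, file ${stat.uid}:${stat.gid}, process uid ${proc.uid}`,
  };
}

// Constructed scenarios for a private key file.
const CASES = [
  { name: 'root-owned 0600, runAsUser 1000',
    stat: { uid: 0, gid: 0, mode: 0o100600 }, proc: { uid: 1000, gids: [1000] } },
  { name: 'owned by 1000, mode 0600, runAsUser 1000',
    stat: { uid: 1000, gid: 1000, mode: 0o100600 }, proc: { uid: 1000, gids: [1000] } },
  { name: 'owned by 1000, mode 0600, arbitrary UID in group 0',
    stat: { uid: 1000, gid: 1000, mode: 0o100600 }, proc: { uid: 1000650000, gids: [0] } },
  { name: 'owned by 1000:0, mode 0640, arbitrary UID in group 0',
    stat: { uid: 1000, gid: 0, mode: 0o100640 }, proc: { uid: 1000650000, gids: [0] } },
];

function evaluate() {
  return CASES.map((c) => ({ name: c.name, ...readAccess(c.stat, c.proc) }));
}

for (const r of evaluate()) {
  console.log(`${r.allowed ? 'OK    ' : 'EACCES'}  ${r.name}  (${r.reason})`);
}
```

The last case keeps the key unreadable to the "other" class while still working under an arbitrary UID, because access is granted through group 0 rather than by making the file world-readable.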