Open aherkarsatish11 opened 3 years ago
@aherkarsatish11 Thanks for reaching out - we're currently reviewing what we can do so the collector image can run on OpenShift.
For context, the collector image today already drops privileges to run as an unprivileged user for the collector process (see https://github.com/pganalyze/collector/blob/master/contrib/docker-entrypoint.sh#L13), but it doesn't correctly interact with systems that don't give root to the container initially (such as OpenShift). We're reviewing the steps needed to get this to run directly as the user specified by Docker in these scenarios.
@lfittl : I've shared you the updated docker file and entrypoint script ( To support email ), could you please verify and confirm - if we can utilize that image for production env
@lfittl Any update ??
Since this issue is still open, I'll share some tips based on my experience creating applications that can run on OpenShift, in the hope that they'll be useful to somebody. The things that trip people up the most when running containers under OpenShift are that:
restricted
security context constraint, containers will run with a namespace-specific UID range (each namespace gets a different range), so it'll be something like: uid=1206236612 gid=0
0555
, so that permissions are always the same regardless of the running user)These are useful things to do regardless of whether the image runs under OpenShift or not, because it gives operators much more flexibility to select whatever uid/gid they want to run as.
This is a useful doc that describes how OpenShift runs images and why it does that: https://docs.openshift.com/container-platform/4.13/openshift_images/create-images.html#use-uid_create-images
Hi Guys, I tried using existing image of collector ( collector:stable) into okd environment but due to RBAC policy restriction it won't let anything to run with root.. Does anyone know where can i find OKD 3.11 compatible version of collector