Open hishamanver opened 2 months ago
The below article explains what needs to be done to use a single Dockerfile to create an image that functions correctly, both on OpenShift and on Kubernetes.
We will be removing the need for Temporal to write to the filesystem for our Docker containers, which will avoid this issue.
Relevant PR: https://github.com/temporalio/temporal/pull/6251
temporalio/ui also writes to the filesystem. Does the above PR fix the UI image also?
That would need to be handled separately, I'll look at this once we've fixed it for Temporal server. https://github.com/temporalio/ui/issues/1703
Is your feature request related to a problem? Please describe.
I attempted to deploy temporal via helm (https://github.com/temporalio/helm-charts/tree/main) onto an openshift cluster.
Ran into issues running the Temporal server and Temporal UI containers on OpenShift due to security constraints (running on OpenShift - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids).
Identified the root cause to be the following sections:
Essentially, what we are observing is that OpenShift enforces a specific UID and GID for the running containers that do not match the predefined values in the image definition, and the containers therefore fail with the following error:
Describe the solution you'd like
The Dockerfile definition should not pin specific UIDs for non-root user enforcement, but should instead ensure that all directories required for functionality have sufficient privileges.
To get around this issue, the following Dockerfile was used and confirmed to work.
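The reporter's Dockerfile is not reproduced above, so here is an added example (not the reporter's file and not Temporal project code) of the permission fix the issue describes. OpenShift runs a container as an arbitrary UID that is always a member of GID 0, so any directory the server must write to has to be owned by GID 0 and group-writable, whatever non-root `USER` the image declares. `fix_perms` is the command a Dockerfile `RUN` step would execute at build time (for a hypothetical data directory, `RUN chgrp -R 0 /srv/app && chmod -R g=u /srv/app`), and `check_perms` is a verification an entrypoint or a CI smoke test can run so a regression is caught before deployment rather than as a crash on OpenShift. The paths and file names are constructed for the demo; the GID parameter defaults to 0, and the demo passes the caller's own GID only so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not code from the issue or the Temporal project.
# Helpers for making an image's writable directories usable by an
# arbitrary UID that belongs to the root group (GID 0), as OpenShift assigns.

# Make a directory tree usable by any UID in group $2 (default 0):
# set group ownership to that GID and copy the owner's permission bits to
# the group (chmod g=u), so group read/write/search match what the owner has.
fix_perms() {
  dir="$1"
  gid="${2:-0}"
  chgrp -R "$gid" "$dir" && chmod -R g=u "$dir"
}

# Verify every entry under $1 is owned by group $2 (default 0) and is
# group-writable; directories must additionally be group-searchable (g+x),
# otherwise files inside them cannot be opened at all.
# Prints each offending path and returns 1 if any exist, 0 otherwise.
check_perms() {
  dir="$1"
  gid="${2:-0}"
  offenders=$(find "$dir" \( ! -group "$gid" -o ! -perm -g+w \
                -o \( -type d ! -perm -g+x \) \) -print)
  if [ -n "$offenders" ]; then
    printf 'not usable by an arbitrary UID in group %s:\n%s\n' "$gid" "$offenders"
    return 1
  fi
  return 0
}

# Stand-alone demo on a constructed tree (hypothetical config and log paths).
# Uses the caller's own GID so it runs without root; in a Dockerfile the GID is 0.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/data/logs"
  : > "$tmp/data/config.yaml"
  chmod -R g-w "$tmp/data"          # typical state after COPY as a pinned user
  check_perms "$tmp/data" "$(id -g)" || echo "before fix: check failed (expected)"
  fix_perms "$tmp/data" "$(id -g)"
  check_perms "$tmp/data" "$(id -g)" && echo "after fix: OK"
  rm -rf "$tmp"
}

demo
```

The check deliberately tests the group bits rather than "who owns the file", because under OpenShift the owning UID is meaningless: the process UID will never match it, and only the GID 0 membership is guaranteed.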