simbo1905

Reputation: 6832

OpenShift3 Pro doesn't run a simple CentOS image which runs locally on minishift

I have a simple CentOS 6 Docker image:

FROM centos:6
MAINTAINER Simon 1905 <[email protected]>
RUN yum -y update && yum -y install httpd && yum clean all
RUN sed -i "s/Listen 80/Listen 8080/" /etc/httpd/conf/httpd.conf && \
  chown apache:apache /var/log/httpd && \
  chmod ug+w,a+rx /var/log/httpd && \
  chown apache:apache /var/run/httpd
RUN mkdir -p /var/www/html && echo "hello world!" >> /var/www/html/index.html
EXPOSE 8080
USER apache
CMD /usr/sbin/httpd -D FOREGROUND

I can run this locally and push it up to hub.docker.com. If I then go into the web console of the Red Hat OpenShift Container Developer Kit (CDK) running locally and deploy the image from Docker Hub, it works fine. If I go into the OpenShift3 Pro web console, the pod goes into a crash loop. There are no logs on the console or the command line to diagnose the problem. Any help much appreciated.

To try to see if it was a problem only with CentOS 7, I changed the first line to be centos:7 and once again it works on minishift CDK but doesn't work on OpenShift3 Pro. It does show something on the logs tab of the pod:

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 10.128.2.55. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00058: Error retrieving pid file /run/httpd/httpd.pid
AH00059: Remove it before continuing if it is corrupted.

Upvotes: 0

Views: 1482

Answers (2)

simbo1905

Reputation: 6832

From the Red Hat enterprise docs at https://docs.openshift.com/container-platform/3.5/creating_images/guidelines.html#openshift-container-platform-specific-guidelines:

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node. For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.

RUN chgrp -R 0 /some/directory \
  && chmod -R g+rwX /some/directory

So in this case the modified Dockerfile which runs on OpenShift 3 Online Pro is:

FROM centos:6
MAINTAINER Simon 1905 <[email protected]>
RUN yum -y install httpd && yum clean all
RUN sed -i "s/Listen 80/Listen 8080/" /etc/httpd/conf/httpd.conf && \
  chown apache:0 /etc/httpd/conf/httpd.conf && \
  chmod g+r /etc/httpd/conf/httpd.conf && \
  chown apache:0 /var/log/httpd && \
  chmod g+rwX /var/log/httpd && \
  chown apache:0 /var/run/httpd && \
  chmod g+rwX /var/run/httpd
RUN mkdir -p /var/www/html && echo "hello world!" >> /var/www/html/index.html && \
  chown -R apache:0 /var/www/html && \
  chmod -R g+rwX /var/www/html
EXPOSE 8080
USER apache
CMD /usr/sbin/httpd -D FOREGROUND

Upvotes: 0
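
A check for the guideline quoted in the answer above, as an added example (not code from the original answer or from the OpenShift docs): it lists every path under the given writable directories that is not owned by group 0 or lacks the group permissions an arbitrarily assigned UID needs. The function names and the `EXPECTED_GID` override are assumptions of this example; pass only the paths the process must write to.

```shell
#!/bin/sh
# Added example. Audits paths against the "arbitrary UID" guideline:
# writable paths must be owned by the root group (GID 0) and be
# group read/writable; directories also need group execute (search).
#
# EXPECTED_GID is a hypothetical override so the check can be exercised
# outside a container, where files cannot be chgrp'ed to 0.

# Print every offending path, one per line. Symlinks are skipped because
# their own mode bits are not what the kernel checks on access.
audit_arbitrary_uid() {
    gid="${EXPECTED_GID:-0}"
    find "$@" ! -type l \( \
        ! -gid "$gid" \
        -o ! -perm -g=rw \
        -o \( -type d ! -perm -g=x \) \
    \) -print 2>/dev/null
}

# Return 0 when every path complies, 1 (with a report on stderr) otherwise.
# Example with the writable paths from the Dockerfile above:
#   check_arbitrary_uid /var/log/httpd /var/run/httpd /var/www/html
check_arbitrary_uid() {
    offenders=$(audit_arbitrary_uid "$@")
    if [ -n "$offenders" ]; then
        printf 'not usable by an arbitrary UID in group %s:\n%s\n' \
            "${EXPECTED_GID:-0}" "$offenders" >&2
        return 1
    fi
    return 0
}
```

Run inside the built image, a non-zero result from `check_arbitrary_uid` points at the same class of failure as the `Permission denied ... /run/httpd/httpd.pid` line in the question's pod log.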

Graham Dumpleton

Reputation: 58523

It is failing because your image expects to run as a specific user.

In Minishift this is allowed, as is being able to run images as root.

On OpenShift Online, your images will run as an arbitrarily assigned UID and can never run as a selected UID and never as root.

If you are only after a way of hosting static files, see:

This is an S2I builder for taking static files for Apache and running them up in a container.

You could use it as an S2I builder by running:

oc new-app centos/httpd-24-centos7~<repository-url> --name httpd
oc expose svc/httpd

Or you could create a derived image if you wanted to try and customise it.

Either way, look at how it is implemented if wanting to build your own.

Upvotes: 2
