Reputation: 774
I am new to OpenShift. I have deployed an application in OpenShift. When I checked the logs, there is a permission denied error for some files. Now, I want to change the permissions on the container that is already deployed in OpenShift, but I am getting an "Operation not permitted" warning. How do I fix this?
This is for Linux running the latest version of MongoDB. I have already tried executing RUN chmod 777 /path/to/directory in my Dockerfile, created the image and pulled the same image in my yaml file, which I am deploying in my OpenShift. However, when I check my docker container, it shows that the permissions are changed for that directory, but when I deploy, I get the warning in my logs as "permission denied".
FROM node:10.16.3
RUN apt update && apt install -y openjdk-8-jdk
RUN useradd -ms /bin/bash admin
# Set the workdir /var/www/myapp
WORKDIR /var/www/myapp
# Copy the package.json to workdir
COPY package.json .
# Run npm install - install the npm dependencies
RUN npm install
RUN npm install sqlite3
# Copy application source
COPY . .
RUN chown -R admin:admin /var/www/myapp
RUN chmod 775 /var/www/myapp
USER admin
# Copy .env.docker to workdir/.env - use the docker env
#COPY .env.docker ./.env
# Expose application ports - (4300 - for API and 4301 - for front end)
# EXPOSE 4300 4301
EXPOSE 52000
CMD [ "npm", "start" ]
Although the permissions have changed when I run my Dockerfile, when I try to deploy in my OpenShift, I get permission denied for some files in that directory.
Upvotes: 11
Views: 28747
Reputation: 5297
The following changes in the Dockerfile solved the issue for me
#Add user
RUN useradd -rm -d /home/ubuntu -s /bin/bash -g root -G sudo -u 1001 ubuntu
#Add permissions
RUN chown -R ubuntu:root /home/ubuntu && \
chgrp -R 0 /home/ubuntu && \
chmod -R 775 /home/ubuntu
##Specify the user with UID
USER 1001
Upvotes: 1
Reputation: 61
Adding this to my Dockerfile worked:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
Upvotes: 3
Reputation: 4693
OpenShift runs the Pod with an arbitrary UID by default. You can check what UID is used in the pod using oc rsh <pod name> id. Your pod might not be running as the admin user you specified.
The container you built requires admin permissions, so you should configure the anyuid SCC for the default service account to avoid the permission error.
Further information about SCC is here: Enable Container Images that Require Root.
e.g. the default scc is used to run the pod by default:
$ oc adm policy add-scc-to-user anyuid -z default
$ oc delete pod <your pod name>
FYI, before building your image, checking General Container Image Guidelines is helpful for building images used on OpenShift.
Upvotes: 0
Reputation: 5702
By default any container started in OpenShift gets a random user ID. Therefore images not designed to handle such a random UID will fail with permission errors.
In order to get your image working I recommend you read the following article of the latest OpenShift documentation: https://docs.openshift.com/container-platform/4.2/openshift_images/create-images.html
Here is the short version that relates to your issue:
SUPPORT ARBITRARY USER IDS
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
Because the container user is always a member of the root group, the container user can read and write these files. The root group does not have any special permissions (unlike the root user) so there are no security concerns with this arrangement. In addition, the processes running in the container must not listen on privileged ports (ports below 1024), since they are not running as a privileged user.
Upvotes: 21
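As an added example (not code from this thread or from the OpenShift docs), a small Python lint that applies the rule from the answer above to a directory tree before an image is built: every path the container may write must be group-owned by root (gid 0) and have group permission bits equal to the owner bits, which is exactly what chgrp -R 0 plus chmod -R g=u produces. The demo_tree sample directory and its file names are constructed for the example.

```python
"""Lint a directory tree for OpenShift's arbitrary-UID model."""
import os
import stat
import tempfile
from dataclasses import dataclass

ROOT_GID = 0  # the one group an arbitrary-UID container process always belongs to


@dataclass
class Finding:
    path: str
    gid: int
    mode: int   # permission bits only, e.g. 0o755
    fix: str    # the Dockerfile remedy quoted in the answer


def check_entry(path: str, st_mode: int, st_gid: int):
    """Return a Finding if (mode, gid) breaks under an arbitrary UID, else None."""
    perm = stat.S_IMODE(st_mode)
    if st_gid != ROOT_GID:
        return Finding(path, st_gid, perm, "chgrp -R 0 " + path)
    owner_bits = (perm & stat.S_IRWXU) >> 6
    group_bits = (perm & stat.S_IRWXG) >> 3
    if group_bits != owner_bits:  # g=u not applied
        return Finding(path, st_gid, perm, "chmod -R g=u " + path)
    return None


def audit_tree(root: str):
    """Walk a directory (e.g. an extracted image rootfs) and collect findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(p)
            f = check_entry(p, st.st_mode, st.st_gid)
            if f:
                findings.append(f)
    return findings


def demo_tree():
    """Constructed sample: a data dir and a 0600 file, as left by a Dockerfile
    that never ran chgrp/chmod g=u. Returns (root, findings)."""
    root = tempfile.mkdtemp(prefix="ocp-audit-")   # created mode 0700
    data = os.path.join(root, "data")
    os.mkdir(data, 0o700)
    cfg = os.path.join(data, "config.json")
    with open(cfg, "w") as fh:
        fh.write("{}")
    os.chmod(cfg, 0o600)
    return root, audit_tree(root)


if __name__ == "__main__":
    for f in demo_tree()[1]:
        print(f"{f.path}: gid={f.gid} mode={oct(f.mode)} -> {f.fix}")
```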