Philip Durbin
@pdurbin
I'm getting /entrypoint.sh: line 101: cd: //dvinstall: No such file or directory and line 101 is here: https://github.com/nds-org/ndslabs-dataverse/blob/9ddc9efa54185ffd69e25487159a09c4bb2e56bf/dockerfiles/dataverse/entrypoint.sh#L101
Mike Lambert
@bodom0015
I think that that file should be located at /root/dvinstall... is the container running as root?
Philip Durbin
@pdurbin
I don't know. Do you expect it to be running as root?
Mike Lambert
@bodom0015
In this case, yes.. we haven't installed another user or anything so I would expect it to be running as root
Unless OpenShift has some fancy workaround there to create a user at runtime? That I don't know...
Philip Durbin
@pdurbin
My guess is that OpenShift is not running the container as root.
Mike Lambert
@bodom0015
That is currently my thinking as well :/ it may take some modifications to the Docker image to get a non-root user installed and working
Philip Durbin
@pdurbin
Ok. That makes sense.
By default, all containers that we try and launch within OpenShift, are set blocked from “RunAsAny” which basically means that they are not allowed to use a root user within the container. This prevents root actions such as chown or chmod from being run and is a sensible security precaution as, should a user be able to perform a local exploit to break out of the container, then they would not be running as root on the underlying container host. NB what about user-namespaces some of you are no doubt asking, these are definitely coming but the testing/hardening process is taking a while and whilst companies such as Red Hat are working hard in this space, there is still a way to go until they are ready for the mainstream.

That article does give a workaround though:

So we know why it failed, how do we fix this? Well ideally we fix the original docker image to not run as root. If this is not possible then we can tell OpenShift to allow this project to run as root using the below command to change the security context constraints (see manual for these here):

# oadm policy add-scc-to-user anyuid -z default
Philip Durbin
@pdurbin
hmm, oadm: command not found
And if I run oc edit scc anyuid I get Error from server (Forbidden): User "developer" cannot get securitycontextconstraints at the cluster scope.
ah, but I can see stuff if I run this: oc edit scc anyuid --as system:admin
or oc get scc anyuid --as system:admin
Mike Lambert
@bodom0015
oc adm should also work as an alias to oadm
Philip Durbin
@pdurbin
oh! interesting
Mike Lambert
@bodom0015
maybe try this?
oc adm policy add-scc-to-user anyuid -z default --as system:admin
(No idea what I'm doing here.. never used the OpenShift CLI.. sorry!)
Philip Durbin
@pdurbin
It worked! I think?!? I left a comment at IQSS/dataverse#4040
Mike Lambert
@bodom0015
Fantastic!!! glad you're seeing some success with it! :D
Philip Durbin
@pdurbin
Some. :)
Mike Lambert
@bodom0015
Better than none :grin: hehe
Philip Durbin
@pdurbin
Absolutely. Thanks for your help.
Mike Lambert
@bodom0015
Anytime! Let me know if anything else comes up :)
Philip Durbin
@pdurbin
I think my current questions have more to do with OpenShift.
Philip Durbin
@pdurbin
@craig-willis hi! Are you around? More questions for you or @bodom0015 about running Docker containers as non-root. :)
Craig Willis
@craig-willis
I am now
Philip Durbin
@pdurbin
Cool. I have to run soon but I'm looking at "Support Arbitrary User IDs"
"By default, OpenShift Origin runs containers using an arbitrarily assigned user ID."
This is different than NDS Labs Workbench, right?
Craig Willis
@craig-willis
Yes indeed. Let me read for a sec.
Philip Durbin
@pdurbin
I was hoping adding "USER glassfish" to my Dockerfile would "just work" in the sense of running the entrypoint script as the glassfish user but no such luck.
When I add whoami to the entrypoint script I'm getting something similar to whoami: cannot find name for user ID 1000040000 from openshift/origin#11046
Craig Willis
@craig-willis
OK, so it looks like they are assigning you a unique UID for your project.
Philip Durbin
@pdurbin
confirmed, I just got whoami: cannot find name for user ID 1000240000
Craig Willis
@craig-willis
OK, this is involved enough that I'll need to look later (I need to deliver something in ~20 min)
Philip Durbin
@pdurbin
No worries. I need to go pick up the kids from school anyway.
Craig Willis
@craig-willis
I'll get back to you when I've had the chance to process the OpenShift docs.
Philip Durbin
@pdurbin
Thanks for looking and feeling my pain. :)
Philip Durbin
@pdurbin
@craig-willis hi! Any more thoughts on "By default, OpenShift Origin runs containers using an arbitrarily assigned user ID"? https://gitter.im/nds-org/ndslabs?at=59c5708f32fc8b7e402e3dc8
Philip Durbin
@pdurbin
@craig-willis @bodom0015 I just got my Dataverse/Glassfish container to run as non-root (something that OpenShift Online requires).
swarnim-s
@swarnim-s
I am unable to launch my Einstein toolkit workbench. It shows an error.
Mike Lambert
@bodom0015
@swarnim-s Hello! I see that there is now a running JupterET service running for the swar user.. does this mean that you were able to get your ETK application working?
swarnim-s
@swarnim-s
Yes, I did. But once. But now if I try to run it, it returns an error.
Mike Lambert
@bodom0015
There does appear to be an error with creating new applications on this instance. I apologize for the inconvenience, and will look into this right away.
Thank you very much for reporting this issue, @swarnim-s
Philip Durbin
@pdurbin
@craig-willis hi! I thought I'd point you and others to this new discussion on integrating data repository systems with containerized analysis environments: https://groups.google.com/d/msg/dataverse-community/VG6gTMEd_Ps/Xy7jDhVoBwAJ