Openshift container as root user

Question

Hi Iam working on CICD implementation on openshift 3.9. I have a jenkins pod running in openshift. Iam running selenium scripts in jenkins and below is the error which iam getting like missing a package

   Running TestSuite
/var/lib/jenkins/jobs/Pipeline/workspace/src/test/resources/chromedriver: error while loading shared libraries: libgconf-2.so.4: cannot open shared object file: No such file or directory
Nov 21, 2018 8:25:36 AM org.openqa.selenium.os.OsProcess checkForError
SEVERE: org.apache.commons.exec.ExecuteException: Process exited with an error: 127 (Exit value: 127)
Tests run: 8, Failures: 1, Errors: 0, Skipped: 7, Time elapsed: 21.9 sec <<< FAILURE! - in TestSuite
BrowserSettings(SecurityCheckList)  Time elapsed: 21.273 sec  <<< FAILURE!
org.openqa.selenium.WebDriverException: Timed out waiting for driver server to start.
Build info: version: '3.9.1', revision: '63f7b50', time: '2018-02-07T22:25:02.294Z'
System info: host: 'jenkins-1-7zgld', ip: '10.131.0.32', os.name: 'Linux', os.arch: 'i386', os.version: '3.10.0-957.el7.x86_64', java.version: '1.8.0_181'
Driver info: driver.version: ChromeDriver
    at java.util.concurrent.FutureTask.get(FutureTask.java:205)
    at com.google.common.util.concurrent.SimpleTimeLimiter.callWithTimeout(SimpleTimeLimiter.java:148)
    at org.openqa.selenium.net.UrlChecker.waitUntilAvailable(UrlChecker.java:75)
    at org.openqa.selenium.remote.service.DriverService.waitUntilAvailable(DriverService.java:187)
    at org.openqa.selenium.remote.service.DriverService.start(DriverService.java:178)
    at org.openqa.selenium.remote.service.DriverCommandExecutor.execute(DriverCommandExecutor.java:79)
    at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:601)
    at org.openqa.selenium.remote.RemoteWebDriver.startSession(RemoteWebDriver.java:219)

For that i want to install libgconf-2-4 in my jenkins container through the below command

yum install libgconf-2-4

When i try to install the below error is coming in my jenkins container

    sh-4.2$ yum install libgconf2-4
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager
[Errno 13] Permission denied: '/etc/pki/entitlement-host'
ovl: Error while doing RPMdb copy-up:
[Errno 13] Permission denied: '/var/lib/rpm/.dbenv.lock'
You need to be root to perform this command.

When i goto specified location and try to change the permissions as chmod 777 .dbenv.lock

    sh-4.2$ cd /var/lib/rpm/
sh-4.2$ ls -latr
total 19560
-rw-r--r--. 1 root root        0 Aug  9 18:21 .dbenv.lock

it is throwing error as

sh-4.2$ chmod 777 .dbenv.lock
chmod: changing permissions of ‘.dbenv.lock’: Operation not permitted

My question is how to enter into jenkins pod as root user and install the rpm package libgconf-2-4 through yum install libgconf-2-4 in openshift?

score 1 · Answer 1 · answered Nov 21 '18 at 12:41

1

It seems you should customize the jenkins images as follows.[0]

Create the Dockerfile.

FROM registry.access.redhat.com/openshift3/jenkins-2-rhel7
USER 0
RUN yum -y install libgconf2-4 && yum clean all -y
USER 1001

Build the image using the Dockerfile.
```
docker build .
```

Login the internal registry of OpenShift for pushing image.

docker login -u admin -p  docker-registry.default.svc:5000

Retag as OpenShift image format and your tag policy.

docker tag  docker-registry.default.svc:5000/openshift/jenkins-2-rhel7-custom

Push the image.

docker push docker-registry.default.svc:5000/openshift/jenkins-2-rhel7-custom

Edit your deploymentConfig

oc edit dc/jenkins
...
containers:
   ...
   image: "openshift/jenkins-2-rhel7-custom"
   ...

I hope it help you. :^)

[0]General Container Image Guidelines

answered Nov 21 '18 at 12:41

Daein Park

3,601
2
7
16

Hi I have already setup jenkins and configurations are made on same pod. Could you let me know if i can have root access to my present pod instead of repeating the above steps. Is there a posiibility to get root access to the current running pod? – sudhir Nov 22 '18 at 15:40
@sudbir Yes, you can get root permission as granting anyuid to jenkins service account. “oc adm policy add-scc-to-user anyuid -z jenkins”, refer [Enable Container Images that Require Root](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html#enable-dockerhub-images-that-require-root) for more details. – Daein Park Nov 22 '18 at 22:58
Hi I have used that command “oc adm policy add-scc-to-user anyuid -z jenkins” and logged in through putty with "oc rsh . but still when i install a package "yum install libgconf2-4" it gives below error. sh-4.2$ yum install libgconf2-4 Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager [Errno 13] Permission denied: '/etc/pki/entitlement-host' ovl: Error while doing RPMdb copy-up: [Errno 13] Permission denied: '/var/lib/rpm/.dbenv.lock' You need to be root to perform this command. What am i missing here to enter the container as root user? – sudhir Nov 23 '18 at 06:54
Would you check the uid using `id` cmd after `oc rsh ` ? You should restart the pod after `oc adm policy` cmd for changes. And `libgconf2-4` package is not existing in RHEL repositories, is it correct name ? – Daein Park Nov 23 '18 at 13:02
when i do oc rsh it gives sh-4.2$ id uid=1000130000(default) gid=0(root) groups=0(root),2001,1000130000 Iam looking on how to restart pod as well. Could u let me the command where i can restart that particularpod only. – sudhir Nov 27 '18 at 06:12
stop: `oc scale --replicas=0 dc/jenkins`, start: `oc scale --replicas=1 dc/jenkins`, or `oc delete pod `. – Daein Park Nov 27 '18 at 07:46
when i used oc scale --replicas=1 dc/jenkins nothing happened with no root access. then i used oc delete pod the pod became down. – sudhir Nov 28 '18 at 08:52
how did you start the pod ? It seems the deploymentConfig/replicationController is not using for deployment of the pods. – Daein Park Nov 28 '18 at 10:06

score -1 · Answer 2 · answered Jun 09 '20 at 15:35

-1

you can use USER root in your dockerfile that will solve your problem

answered Jun 09 '20 at 15:35

Saurabh Chandra Patel

9,983
3
77
72

This will not work because OpenShift uses a random UID at start of a container (see https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html#openshift-container-platform-specific-guidelines): "By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node." – Konrad Kleine Nov 17 '20 at 14:30

Openshift container as root user

2 Answers2