Difficulty: intermediate
Estimated Time: 5-10 minutes

In this scenario, you will learn why it's important that containers do not run as root. You will also learn how to relax the default policy so that containers can run as any user ID, even root.

This tutorial is divided into four parts.

  1. Introduction to running containers as root or any user ID
  2. Containers don't run as root in OpenShift by default
  3. Allowing containers to run as root or any user ID
  4. Running containers with a specific user ID

In this tutorial, you learnt about how to run containers as any user or as root in OpenShift.

Please read Further information in the docs.

And more about managing security.

Don’t stop now! The next scenario will only take about 10 minutes to complete.

Running pods as root

Step 1 of 4

Topic 1 - Introduction to running containers as any user ID or root

Just like with any normal Linux machine, it is important that applications do not run as root, simply because, if they do, they have full access and control over the Operating System.

The same is true for Linux Containers.

However, sometimes it is still necessary to run containers as specific user IDs or even as root, possibly because of a legacy application that demands it.

To allow containers to run as any user or as root in OpenShift a policy needs to be set on the service account your container is running under.

Later on, we will change the security policy for the default service account of the project.

Take a look at the Dockerfile we will be using:

clear; cat build-root/Dockerfile

The Dockerfile simply builds an image, copies a file into the image and when the image is launched it starts a long-running process sleep 999999 and does nothing.

First, we will see what happens if we try to run a container as root on OpenShift, using the default policy.

Before we get started, you need to log in and create a project in OpenShift to work in.

To log in to the OpenShift cluster used for this course from the Terminal,

run:

oc login -u developer -p developer

This will log you in using the credentials:

  • Username: developer

  • Password: developer

You should see the output:

Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

To create a new project called myproject run the command:

oc new-project myproject

You should see output similar to:


Now using project "myproject" on server "https://172.17.0.41:8443".
...

Show that containers running on OpenShift cannot run as root (by default).

Build a new example container in OpenShift using the above example Dockerfile.

Note that the Dockerfile contains "USER 0", i.e. the container should run as root.

Create a new build configuration:

oc new-build --name mypod --binary

Start the build and view the output (this can take a minute before you see the "Push successful" message):

oc start-build mypod --from-dir=build-root --follow --wait

So, now we have a fresh image called mypod, let's launch a container from it:

oc new-app mypod

Fetch the pod ID:

POD_ID=$(sh ~/get-pod-id mypod); echo $POD_ID

Exec into the container and you will see it is running as non-root (not 0).

oc exec $POD_ID id

You can see that the container is running as uid=1000050000 (or similar). The uid is a value pre-allocate by OpenShift. The container is not running as root because OpenShift does not allow containers to run as root, by default.

Remote shell into the container and see who owns the file:

oc rsh $POD_ID

ls -l /tmp/somefile

See which UID is used to run the processes.

ps -ef

You can see the processes are running as the UID 1000050000 (or similar).

Exit from the container:

exit

This is not entirely related to the topic of this scenario but you can see the file belongs to root, but the process is not running as root (UID!=0). Note that when creating container images using Dockerfiles, commands can run as root to do things like install packages and files as root or even install malicious content.

Next, we'll try the same with plain Docker.