Just like with any normal Linux machine, it is important that applications do not run as root, simply because, if they do, they have full access and control over the Operating System.
The same is true for Linux Containers.
However, sometimes it is still necessary to run containers as specific user IDs or even as root, possibly because of a legacy application that demands it.
To allow containers to run as any user or as root in OpenShift a policy needs to be set on the service account your container is running under.
Later on, we will change the security policy for the default service account of the project.
Take a look at the Dockerfile we will be using:
clear; cat build-root/Dockerfile
The Dockerfile simply builds an image, copies a file into the image and when the image is launched it starts a long-running process
sleep 999999 and does nothing.
First, we will see what happens if we try to run a container as root on OpenShift, using the default policy.
Before we get started, you need to log in and create a project in OpenShift to work in.
To log in to the OpenShift cluster used for this course from the Terminal,
oc login -u developer -p developer
This will log you in using the credentials:
You should see the output:
Login successful. You don't have any projects. You can try to create a new project, by running oc new-project <projectname>
To create a new project called
myproject run the command:
oc new-project myproject
You should see output similar to:
Now using project "myproject" on server "https://172.17.0.41:8443". ...
Show that containers running on OpenShift cannot run as root (by default).
Build a new example container in OpenShift using the above example Dockerfile.
Note that the Dockerfile contains "USER 0", i.e. the container should run as root.
Create a new build configuration:
oc new-build --name mypod --binary
Start the build and view the output (this can take a minute before you see the "Push successful" message):
oc start-build mypod --from-dir=build-root --follow --wait
So, now we have a fresh image called mypod, let's launch a container from it:
oc new-app mypod
Fetch the pod ID:
POD_ID=$(sh ~/get-pod-id mypod); echo $POD_ID
Exec into the container and you will see it is running as non-root (not 0).
oc exec $POD_ID id
You can see that the container is running as uid=1000050000 (or similar). The uid is a value pre-allocate by OpenShift. The container is not running as root because OpenShift does not allow containers to run as root, by default.
Remote shell into the container and see who owns the file:
oc rsh $POD_ID
ls -l /tmp/somefile
See which UID is used to run the processes.
You can see the processes are running as the UID 1000050000 (or similar).
Exit from the container:
This is not entirely related to the topic of this scenario but you can see the file belongs to root, but the process is not running as root (UID!=0). Note that when creating container images using Dockerfiles, commands can run as root to do things like install packages and files as root or even install malicious content.
Next, we'll try the same with plain Docker.