Root Access to Docker Images
Many docker images depend on having root access. It must be possible to enable root access on a deployment basis.
Did I overlook a config option or is there none currently?
Root access is not possible on a public PaaS cloud because of many security issues. Have a look at the following resources, which describe this topic in deep detail:
In my opinion the best way to run applications on an OpenShift PaaS is to use S2I and customize it (if needed) for your application.
There are many public Docker images which require you to use the root user. With this restriction Appuio isn't 100% Docker-compatible in my opinion.
Which user does OpenShift use? Can I chown stuff directly to the user?
I originally planned to build my images using herokuish to build my PHP images. (It installs all the PHP extensions etc. for me and builds a neat Image including a Procfile like Heroku.)
Without root permissions it will fail. https://github.com/gliderlabs/herokuish/blob/c797745854679d464ece4ce4770f20f4302fffd4/include/herokuish.bash#L62
@maennchen Unfortunately many Docker images on Docker Hub don't care much about security. Since all containers run on the same host kernel running a container as root pretty much means that it has access to the whole host and all containers and data on it. On the other hand OpenShift cares very much about security and follows a secure by default philosophy. For example, and to answer your previous question, OpenShift assigns a random, unique user id to every container.
However, not all is lost. Builders (containers that build other containers) have root access for now. For the AppuIo final version we'll have to restrict builders to trusted images or find some other way to provide the best possible security for all customers.
So let us check if we can integrate Herokuish as a custom builder and whether it's a candidate for such a trusted image. After all, solving issues like this is one of the reasons for the AppuIo beta program.
For more information regarding Docker security I can also recommend this link: https://opensource.com/business/14/7/docker-security-selinux
Integrating Herokuish is not going to solve the problem. We have, for example, built our own herokuish base image (it builds a few things on top of the original image). As long as you don't want to whitelist every customer wish, the problem is going to persist.
So we know why it failed; how do we fix this? Well, ideally we fix the original Docker image to not run as root. If this is not possible, then we can tell OpenShift to allow this project to run as root, using the command below to change the security context constraints (see the manual for these here):
# oadm policy add-scc-to-user anyuid -z default
This is the official recommendation from OpenShift. I'm however not able to do that without your help. I suppose you're not interested in whitelisting projects manually.
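Added example (not from this thread or from OpenShift/Appuio): the usual way to make an image work under OpenShift's random UID without granting anyuid is to give the files to the root group (GID 0, which the random UID belongs to) and copy the owner permission bits to the group. The two functions below apply that fix to a directory and verify it; the same two commands would go in a Dockerfile RUN line with the group set to 0. The function names and the GID parameter are my own choice.

```shell
#!/bin/sh
# Make DIR usable by an arbitrary UID that is a member of group GID.
# OpenShift runs each pod as a random UID with primary group 0 (root),
# so in a Dockerfile you would call this with GID=0:
#   RUN chgrp -R 0 /app && chmod -R g=u /app
prepare_for_arbitrary_uid() {
  dir=$1
  gid=${2:-0}
  chgrp -R "$gid" "$dir"   # hand group ownership to the group the random UID has
  chmod -R g=u "$dir"      # group gets exactly the owner's bits (rwx where the owner has rwx)
}

# Succeed only if every entry under DIR is group-owned by GID and the group
# permission bits equal the owner bits, i.e. a random UID in GID can do what
# the image author's user could.
check_arbitrary_uid_ready() {
  dir=$1
  gid=${2:-0}
  bad=$(find "$dir" -print | while IFS= read -r f; do
    set -- $(ls -ldn "$f")               # $1 = mode string, $4 = numeric gid
    mode=$1
    g=$4
    own=$(printf '%s' "$mode" | cut -c2-4)
    grp=$(printf '%s' "$mode" | cut -c5-7)
    [ "$g" = "$gid" ] && [ "$own" = "$grp" ] || printf '%s\n' "$f"
  done)
  [ -z "$bad" ]
}
```

In a container image the check should pass for every directory the application writes to (cache, uploads, log directories); anything it reports is a path that will fail with "permission denied" under the random UID.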