SlideShare a Scribd company logo

[Devconf.cz][2017] Understanding OpenShift Security Context Constraints

Alessandro Arrichiello
Alessandro Arrichiello

The document discusses OpenShift security context constraints (SCCs) and how to configure them to allow running a WordPress container. It begins with an overview of SCCs and their purpose in OpenShift for controlling permissions for pods. It then describes issues running the WordPress container under the default "restricted" SCC due to permission errors. The document explores editing the "restricted" SCC and removing capabilities and user restrictions to address the errors. Alternatively, it notes the "anyuid" SCC can be used which is more permissive and standard for allowing the WordPress container to run successfully.

Technology
1 of 37
Understanding OpenShift Security Context Constraints A practical walkthrough Alessandro Arrichiello - alezzandro@gmail.com Federico Nebiolo - fnebiolo@gmail.com
OpenShift
What is OpenShift? ● Platform as a Service ● Open Source ● Container based ● Kubernetes based ● Development oriented ● Multitenant ● Web-based interface ● Integrated Registries ● HA configurable ● Integrated metrics ● git lover ★ You care about service and its technologies ★ Github hosted code ★ Docker and more ★ Do you know Google? :) ★ Automated builds and much more ★ Many users, grants, policies and isolation ★ Who cares? :) ★ Who needs internet? Local Registries! ★ Set the replicas and Origin will care ★ Do you like graphs? ★ Yeah, we love git!
All cool but.. Where is the start button? $ oc cluster up -- Checking OpenShift client ... OK -- Checking Docker client ... OK -- Checking Docker version ... OK -- Checking for existing OpenShift container ... OK -- Checking for openshift/origin:v1.3.1 image ... OK -- Checking Docker daemon configuration ... OK -- Checking for available ports ... OK -- Checking type of volume mount ... Using nsenter mounter for OpenShift volumes -- Creating host directories ... OK -- Finding server IP ... Using public hostname IP 192.168.123.1 as the host IP Using 192.168.123.1 as the server IP -- Starting OpenShift container ... Starting OpenShift using container 'origin' Waiting for API server to start listening OpenShift server started -- Installing registry ... OK -- Installing router ... OK -- Importing image streams ... OK -- Importing templates ... OK -- Login to server ... OK -- Creating initial project "myproject" ... Now using project "myproject" on server "https://192.168.123.1:8443". -- Server Information ... OpenShift server started. The server is accessible via web console at: https://192.168.123.1:8443
What are Security Context Constraints? ● OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. ● Security context constraints allow administrators to control permissions for pods. SCCs allow an administrator: 1. Run privileged containers. 2. Set capabilities a container can request. 3. Use of host directories as volumes. 4. Set SELinux context of the container. 5. Set the user ID for the container. 6. The use of host namespaces and networking. 7. Define ‘FSGroup’ for the pod’s volumes 8. Configure allowable supplemental groups 9. Require the use of a read only file system 10. Control the usage of volume types A pod is the smallest OpenShift’s compute unit. It’s one or more containers) deployed together on one host.
Security Context Constraints: What? I want run my container!
The wordpress container https://hub.docker.com/_/wordpress/ https://github.com/docker-library/wordpress
Setting up prerequisites for the wordpress container The following environment variables are also honored for configuring your WordPress instance: -e WORDPRESS_DB_HOST=... (defaults to the IP and port of the linked mysql container) -e WORDPRESS_DB_USER=... (defaults to "root") -e WORDPRESS_DB_PASSWORD=... $ oc new-app mariadb -e MYSQL_ROOT_PASSWORD=mysecret --> Found image 1dc122b (3 weeks old) in image stream "mariadb" in project "openshift" under tag "10.1" for "mariadb" MariaDB 10.1 ------------ MariaDB is a multi-user, multi-threaded SQL database server Tags: database, mysql, mariadb, mariadb101, rh-mariadb101, galera * This image will be deployed in deployment config "mariadb" * Port 3306/tcp will be load balanced by service "mariadb" * Other containers can access this service through the hostname "mariadb" * This image declares volumes and will default to use non-persistent, host-local storage. You can add persistent volumes later by running 'volume dc/mariadb --add ...' ...
Stop talking: run my container! $ oc new-app wordpress -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=mysecret --> Found Docker image ed69ee3 (6 days old) from Docker Hub for "wordpress" * An image stream will be created as "wordpress:latest" that will track this image * This image will be deployed in deployment config "wordpress" * Port 80/tcp will be load balanced by service "wordpress" * Other containers can access this service through the hostname "wordpress" * This image declares volumes and will default to use non-persistent, host-local storage. You can add persistent volumes later by running 'volume dc/wordpress --add ...' * WARNING: Image "wordpress" runs as the 'root' user which may not be permitted by your cluster administrator --> Creating resources with label app=wordpress ... $ oc get pods NAME READY STATUS RESTARTS AGE wordpress-1-deploy 1/1 Running 0 17s wordpress-1-072ui 0/1 Error 0 14s $ oc logs wordpress-1-072ui AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.7. Set the 'ServerName' directive globally to suppress this message (13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down AH00015: Unable to open logs
Ok, fun but.. What happened to my container? $ oc describe pod/wordpress-1-072ui | head Name: wordpress-1-072ui Namespace: myproject Security Policy: restricted Node: 192.168.123.1/192.168.123.1 Start Time: Thu, 12 Jan 2017 12:47:04 +0100 Labels: app=wordpress deployment=wordpress-1 deploymentconfig=wordpress Status: Running IP: 172.17.0.7 $ oc debug wordpress-1-072ui Debugging with pod/wordpress-1-072ui-debug, original command: docker-entrypoint.sh apache2-foreground Waiting for pod to start ... Pod IP: 172.17.0.4 If you don't see a command prompt, try pressing enter. $ id uid=1000040000 gid=0(root) groups=0(root),1000040000
Solutions For your lovely container ● Edit the ‘restricted’ SCC OR ● Use the ‘anyuid’ SCC OR ● Rebuild through Dockerfile
Edit the ‘restricted’ SCC First option: the worst one
Security Context Constraints available in OpenShift $ oc login -u system:admin Logged into "https://192.168.123.1:8443" as "system:admin" using existing credentials. $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret] hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret] hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret] hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] privileged true [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*] restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
Inspecting the ‘restricted’ SCC $ oc get scc/restricted -o yaml allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: v1 defaultAddCapabilities: null fsGroup: type: MustRunAs groups: - system:authenticated kind: SecurityContextConstraints metadata: annotations: kubernetes.io/description: restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC. creationTimestamp: 2016-12-22T10:04:27Z name: restricted resourceVersion: "102" selfLink: /api/v1/securitycontextconstraints/restricted uid: 05f68498-c82e-11e6-b2bd-68f7286606f4 priority: null readOnlyRootFilesystem: false requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT - SETUID - SETGID runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
Editing the ‘restricted’ SCC $ oc get scc restricted -o yaml | grep runAsUser -A1 runAsUser: type: MustRunAsRange $ oc edit scc restricted securitycontextconstraints "restricted" edited $ oc get scc restricted -o yaml | grep runAsUser -A1 runAsUser: type: RunAsAny $ oc get pod NAME READY STATUSRESTARTS AGE mariadb-1-l4ycb 1/1 Running 0 2h wordpress-1-ai3gj 1/1 Running 0 52s
Take a look to container’s logs $ oc logs wordpress-1-ai3gj WordPress not found in /var/www/html - copying now... Complete! WordPress has been successfully copied to /var/www/html AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message [Thu Jan 12 13:47:46.849951 2017] [unixd:alert] [pid 170] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.850406 2017] [unixd:alert] [pid 171] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.850735 2017] [unixd:alert] [pid 172] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.851119 2017] [unixd:alert] [pid 173] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.851398 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations [Thu Jan 12 13:47:46.851458 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND' [Thu Jan 12 13:47:46.851500 2017] [unixd:alert] [pid 174] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
A step back to the ‘restricted’ SCC $ oc get scc/restricted -o yaml allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: v1 defaultAddCapabilities: null fsGroup: type: MustRunAs groups: - system:authenticated kind: SecurityContextConstraints metadata: annotations: kubernetes.io/description: restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC. creationTimestamp: 2016-12-22T10:04:27Z name: restricted resourceVersion: "102" selfLink: /api/v1/securitycontextconstraints/restricted uid: 05f68498-c82e-11e6-b2bd-68f7286606f4 priority: null readOnlyRootFilesystem: false requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT - SETUID - SETGID runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret Dropped Capabilities
Editing *AGAIN* the ‘restricted’ SCC $ oc edit scc restricted securitycontextconstraints "restricted" edited $ oc get scc restricted -o yaml | grep DropCap -A5 requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT runAsUser: type: RunAsAny $ oc logs wordpress-1-0kz6o WordPress not found in /var/www/html - copying now... Complete! WordPress has been successfully copied to /var/www/html AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message [Thu Jan 12 14:13:12.437336 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations [Thu Jan 12 14:13:12.437365 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
Add a route and test it! $ cat wordpress-route.yaml apiVersion: v1 kind: Route metadata: labels: app: wordpress name: wordpress spec: host: wordpress.192.168.123.1.xip.io port: targetPort: 80-tcp to: kind: Service name: wordpress weight: 100 $ oc create -f wordpress-route.yaml route "wordpress" created $ curl -L http://wordpress.192.168.123.1.xip.io 2>/dev/null | head <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> <head> <meta name="viewport" content="width=device-width" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="robots" content="noindex,nofollow" /> <title>WordPress &rsaquo; Installation</title> <link rel='stylesheet' id='buttons-css' href='http://wordpress.192.168.123.1.xip.io/wp-includ es/css/buttons.min.css?ver=4.7' type='text/css' media='all' /> <link rel='stylesheet' id='install-css' href='http://wordpress.192.168.123.1.xip.io/wp-admin/ css/install.min.css?ver=4.7' type='text/css' media='all' />
Use the ‘anyuid’ SCC Second option: the standard one
Security Context Constraints available in OpenShift $ oc login -u system:admin Logged into "https://192.168.123.1:8443" as "system:admin" using existing credentials. $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret] hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret] hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret] hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] privileged true [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*] restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
Inspecting the ‘anyuid’ SCC $ oc get scc/anyuid -o yaml allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: v1 defaultAddCapabilities: null fsGroup: type: RunAsAny groups: - system:cluster-admins kind: SecurityContextConstraints metadata: annotations: kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. This is the default SCC for authenticated users. creationTimestamp: 2016-12-22T10:04:27Z name: anyuid resourceVersion: "103" selfLink: /api/v1/securitycontextconstraints/anyuid uid: 05f6bbdb-c82e-11e6-b2bd-68f7286606f4 priority: 10 readOnlyRootFilesystem: false requiredDropCapabilities: - MKNOD - SYS_CHROOT runAsUser: type: RunAsAny seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
Use the ‘anyuid’ How can I do it? Using Service Accounts Service accounts provide a flexible way to control API access without sharing a regular user’s credentials. Every service account has an associated username that can be granted roles, just like a regular user. The username is derived from its project and name: system:serviceaccount:<project>:<name>
Service Account creation and configuration $ oc project wpoption2 Already on project "wpoption2" on server "https://192.168.123.1:8443". $ oc create serviceaccount wp-sa serviceaccount "wp-sa" created $ oc whoami system:admin $ oc adm policy add-scc-to-user anyuid system:serviceaccount:wpoption2:wp-sa $ oc get scc/anyuid -o yaml | tail supplementalGroups: type: RunAsAny users: - system:serviceaccount:wpoption2:wp-sa volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
Inspecting wordpress DeploymentConfig apiVersion: v1 kind: DeploymentConfig ... template: metadata: annotations: openshift.io/container.wordpress.image.entrypoint: '["docker-entrypoint.sh","apache2-foreground"]' openshift.io/generated-by: OpenShiftNewApp creationTimestamp: null labels: app: wordpress deploymentconfig: wordpress spec: containers: - env: - name: WORDPRESS_DB_HOST value: mariadb - name: WORDPRESS_DB_PASSWORD value: mysecret - name: WORDPRESS_DB_USER value: root image: wordpress@sha256:0bb659eafa22cdb9f14bc05d17be97132842 eb122eb8ff346ecafe7553f48f22 imagePullPolicy: Always name: wordpress ports: - containerPort: 80 protocol: TCP resources: {} terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /var/www/html name: wordpress-volume-1 dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: wordpress-volume-1 ...
Editing wordpress DeploymentConfig $ oc edit dc/wordpress deploymentconfig "wordpress" edited $ oc get dc/wordpress -o yaml | grep wp-sa -B15 -A1 value: root image: wordpress@sha256:0bb659eafa22cdb9f14bc05d17be97132842 eb122eb8ff346ecafe7553f48f22 imagePullPolicy: Always name: wordpress ports: - containerPort: 80 protocol: TCP resources: {} terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /var/www/html name: wordpress-volume-1 dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} serviceAccount: wp-sa serviceAccountName: wp-sa terminationGracePeriodSeconds: 30 $ oc describe dc wordpress | head -16 Name: wordpress Namespace: myproject Created: 28 hours ago Labels: app=wordpress Annotations: openshift.io/generated-by=OpenShiftNewApp Latest Version: 2 Selector: app=wordpress,deploymentconfig=wordpress Replicas: 1 Triggers: Config, Image(wordpress@latest, auto=true) Strategy: Rolling Template: Labels: app=wordpress deploymentconfig=wordpress Annotations: openshift.io/container.wordpress.image.entrypoint=["d ocker-entrypoint.sh","apache2-foreground"] openshift.io/generated-by=OpenShiftNewApp Service Account: wp-sa
Check if it’s working... $ oc logs wordpress-2-sqd8f WordPress not found in /var/www/html - copying now... Complete! WordPress has been successfully copied to /var/www/html AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.9. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.9. Set the 'ServerName' directive globally to suppress this message [Fri Jan 13 16:15:15.728548 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations [Fri Jan 13 16:15:15.728574 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND' $ oc describe pod wordpress-2-sqd8f | head Name: wordpress-2-sqd8f Namespace: myproject Security Policy: anyuid Node: 192.168.123.1/192.168.123.1 Start Time: Fri, 13 Jan 2017 17:14:58 +0100 Labels: app=wordpress deployment=wordpress-2 deploymentconfig=wordpress Status: Running IP: 172.17.0.9
Rebuild through Dockerfile Third option: the best one
Really? Why rebuild the container image? ● You may not be OpenShift cluster administrator ● All the previous solutions require admin privileges ● You should not grant root on thirdparty containers
First: Locate the Dockerfile ● Search on DockerHub/DockerStore: https://store.docker.com/search?q =wordpress&source=verified&ty pe=image ● Download the Dockerfile: https://github.com/docker-library /wordpress/blob/7d40c4237f0189 2bb6dbc67d1a82f5b15f807ca1/ph p5.6/apache/Dockerfile ● Make the edits and upload it somewhere!
Inspecting default ‘wordpress’ Dockerfile FROM php:5.6-apache # install the PHP extensions we need RUN set -ex; apt-get update; apt-get install -y libjpeg-dev libpng12-dev ; rm -rf /var/lib/apt/lists/*; docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; docker-php-ext-install gd mysqli opcache # TODO consider removing the *-dev deps and only keeping the necessary lib* packages # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php RUN { echo 'opcache.memory_consumption=128'; echo 'opcache.interned_strings_buffer=8'; echo 'opcache.max_accelerated_files=4000'; echo 'opcache.revalidate_freq=2'; echo 'opcache.fast_shutdown=1'; echo 'opcache.enable_cli=1'; } > /usr/local/etc/php/conf.d/opcache-recommended.ini RUN a2enmod rewrite expires VOLUME /var/www/html ENV WORDPRESS_VERSION 4.7.1 ENV WORDPRESS_SHA1 8e56ba56c10a3f245c616b13e46bd996f63793d6 RUN set -ex; curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar .gz"; echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; # upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress tar -xzf wordpress.tar.gz -C /usr/src/; rm wordpress.tar.gz; chown -R www-data:www-data /usr/src/wordpress COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] CMD ["apache2-foreground"]
Editing ‘wordpress’ Dockerfile FROM php:5.6-apache # install the PHP extensions we need RUN set -ex; apt-get update; apt-get install -y libjpeg-dev libpng12-dev ; rm -rf /var/lib/apt/lists/*; docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; docker-php-ext-install gd mysqli opcache # TODO consider removing the *-dev deps and only keeping the necessary lib* packages # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php RUN { echo 'opcache.memory_consumption=128'; echo 'opcache.interned_strings_buffer=8'; echo 'opcache.max_accelerated_files=4000'; echo 'opcache.revalidate_freq=2'; echo 'opcache.fast_shutdown=1'; echo 'opcache.enable_cli=1'; } > /usr/local/etc/php/conf.d/opcache-recommended.ini RUN a2enmod rewrite expires VOLUME /var/www/html RUN sed -i 's/Listen 80/Listen 8080/g' /etc/apache2/ports.conf EXPOSE 8080 RUN chmod g+w /var/log/apache2 RUN chmod g+w /var/lock/apache2 RUN chmod g+w /var/run/apache2 ENV WORDPRESS_VERSION 4.7 ENV WORDPRESS_SHA1 1e14144c4db71421dc4ed22f94c3914dfc3b7020 RUN set -ex; curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar .gz"; echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; # upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress tar -xzf wordpress.tar.gz -C /usr/src/; rm wordpress.tar.gz; chmod -R 777 /usr/src/wordpress COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] CMD ["apache2-foreground"]
Editing container’s entrypoint: docker-entrypoint.sh #!/bin/bash #set -euo pipefail # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' # (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of # "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) file_env() { local var="$1" local fileVar="${var}_FILE" local def="${2:-}" if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then echo >&2 "error: both $var and $fileVar are set (but are exclusive)" exit 1 fi local val="$def" if [ "${!var:-}" ]; then val="${!var}" elif [ "${!fileVar:-}" ]; then val="$(< "${!fileVar}")" fi export "$var"="$val" unset "$fileVar" } Bash strict run
Creating a new-app with Dockerfile source $ oc new-app https://github.com/alezzandro/wordpress-in-userspace -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=mysecret --> Found Docker image 01b23de (18 hours old) from Docker Hub for "php:5.6-apache" * An image stream will be created as "php:5.6-apache" that will track the source image * A Docker build using source code from https://github.com/alezzandro/wordpress-in-userspace will be created * The resulting image will be pushed to image stream "wordpress-in-userspace:latest" * Every time "php:5.6-apache" changes a new build will be triggered * This image will be deployed in deployment config "wordpress-in-userspace" * Port 8080/tcp will be load balanced by service "wordpress-in-userspace" * Other containers can access this service through the hostname "wordpress-in-userspace" * WARNING: Image "php:5.6-apache" runs as the 'root' user which may not be permitted by your cluster administrator --> Creating resources with label app=wordpress-in-userspace ... imagestream "php" created imagestream "wordpress-in-userspace" created buildconfig "wordpress-in-userspace" created deploymentconfig "wordpress-in-userspace" created service "wordpress-in-userspace" created --> Success Build scheduled, use 'oc logs -f bc/wordpress-in-userspace' to track its progress. Run 'oc status' to view your app.
Adding ‘emptyDir’ volume and the supplementalGroup $ oc volume dc/wordpress-in-userspace --add --name=wordpress-volume-1 -t emptyDir --mount-path=/var/www/html deploymentconfigs/wordpress-in-userspace $ oc edit dc/wordpress-in-userspace deploymentconfigs/wordpress-in-userspace $ oc get dc wordpress-in-userspace -o yaml|grep -A2 security securityContext: supplementalGroups: - 33 $ oc get pods NAME READY STATUS RESTARTS AGE mariadb-1-sscl5 1/1 Running 0 40m wordpress-in-userspace-1-build 0/1 Completed 0 34m wordpress-in-userspace-3-isov6 1/1 Running 0 15m $ oc rsh wordpress-in-userspace-3-isov6 $ id uid=1000140000 gid=0(root) groups=0(root),33(www-data),1000140000 $ ls -ld /var/run/apache2 drwxrwxr-x. 2 www-data www-data 4096 Jan 23 17:27 /var/run/apache2
Create a route and check the result $ oc create -f wp-route.yml route/wordpress-in-userspace $ curl http://wpoption3.192.168.123.1.xip.io 2>/dev/null|head <!DOCTYPE html> <html lang="en-US" class="no-js no-svg"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="http://gmpg.org/xfn/11"> <script>(function(html){html.className = html.className.replace(/bno-jsb/,'js')})(document.documentElement);</script> <title>Test website &#8211; Just another WordPress site</title> <meta name='robots' content='noindex,follow' />
Thank You! Questions?

Recommended

Intro to AWS Developer Tools, featuring AWS CodeStar
Intro to AWS Developer Tools, featuring AWS CodeStarIntro to AWS Developer Tools, featuring AWS CodeStar
Intro to AWS Developer Tools, featuring AWS CodeStar
Amazon Web Services
 
Life as a SRE at Instana
Life as a SRE at InstanaLife as a SRE at Instana
Life as a SRE at Instana
Marcel Birkner
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
apidays
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and Fargate
Amazon Web Services
 
Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
Amazon Web Services
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
Kangaroot
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKS
Amazon Web Services
 

Recommended

Intro to AWS Developer Tools, featuring AWS CodeStar
Intro to AWS Developer Tools, featuring AWS CodeStarIntro to AWS Developer Tools, featuring AWS CodeStar
Intro to AWS Developer Tools, featuring AWS CodeStar
Amazon Web Services
 
Life as a SRE at Instana
Life as a SRE at InstanaLife as a SRE at Instana
Life as a SRE at Instana
Marcel Birkner
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
apidays
 
CI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and FargateCI/CD with AWS Developer Tools and Fargate
CI/CD with AWS Developer Tools and Fargate
Amazon Web Services
 
Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
Amazon Web Services
 
Kubernetes Security
Kubernetes SecurityKubernetes Security
Kubernetes Security
Karthik Gaekwad
 
Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)Elastic SIEM (Endpoint Security)
Elastic SIEM (Endpoint Security)
Kangaroot
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKS
Amazon Web Services
 
Openshift presentation
Openshift presentationOpenshift presentation
Openshift presentation
Armağan Ersöz
 
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
Amazon Web Services
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices Architecture
Izzet Mustafaiev
 
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
InfluxData
 
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Amazon Web Services
 
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Carlos Santana
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
Amazon Web Services
 
Developer Experience on AWS
Developer Experience on AWSDeveloper Experience on AWS
Developer Experience on AWS
Amazon Web Services
 
Build CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation SlidesBuild CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation Slides
Amazon Web Services
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
Azure Riyadh User Group
 
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar SeriesImproving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Amazon Web Services
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as Code
Robert Greiner
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsServerless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Amazon Web Services
 
AMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandAMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 Portland
Kynetics
 
Red Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform OverviewRed Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform Overview
James Falkner
 
How to contribute to OpenStack
How to contribute to OpenStackHow to contribute to OpenStack
How to contribute to OpenStack
Opsta
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
Kubernetes API code-base tour
Kubernetes API code-base tourKubernetes API code-base tour
Kubernetes API code-base tour
Stefan Schimanski
 
Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized Storage
Greg Hoelzer
 
Minishift (Run OpenShift locally)
Minishift (Run OpenShift locally)Minishift (Run OpenShift locally)
Minishift (Run OpenShift locally)
Praveen Kumar
 

More Related Content

What's hot

Openshift presentation
Openshift presentationOpenshift presentation
Openshift presentation
Armağan Ersöz
 
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
Amazon Web Services
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices Architecture
Izzet Mustafaiev
 
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
InfluxData
 
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Amazon Web Services
 
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Carlos Santana
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
Amazon Web Services
 
Developer Experience on AWS
Developer Experience on AWSDeveloper Experience on AWS
Developer Experience on AWS
Amazon Web Services
 
Build CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation SlidesBuild CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation Slides
Amazon Web Services
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
Azure Riyadh User Group
 
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar SeriesImproving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Amazon Web Services
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as Code
Robert Greiner
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
Sonatype
 
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsServerless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Amazon Web Services
 
AMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandAMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 Portland
Kynetics
 
Red Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform OverviewRed Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform Overview
James Falkner
 
How to contribute to OpenStack
How to contribute to OpenStackHow to contribute to OpenStack
How to contribute to OpenStack
Opsta
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
Kubernetes API code-base tour
Kubernetes API code-base tourKubernetes API code-base tour
Kubernetes API code-base tour
Stefan Schimanski
 

What's hot (20)

Openshift presentation
Openshift presentationOpenshift presentation
Openshift presentation
 
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Securit...
 
Microservices Architecture
Microservices ArchitectureMicroservices Architecture
Microservices Architecture
 
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ...
 
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018
 
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Introduction to Amazon EKS
Introduction to Amazon EKSIntroduction to Amazon EKS
Introduction to Amazon EKS
 
Developer Experience on AWS
Developer Experience on AWSDeveloper Experience on AWS
Developer Experience on AWS
 
Build CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation SlidesBuild CICD Pipeline for Container Presentation Slides
Build CICD Pipeline for Container Presentation Slides
 
Power of Azure Devops
Power of Azure DevopsPower of Azure Devops
Power of Azure Devops
 
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar SeriesImproving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series
 
Infrastructure as Code
Infrastructure as CodeInfrastructure as Code
Infrastructure as Code
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
Serverless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis AnalyticsServerless Streaming Data Processing using Amazon Kinesis Analytics
Serverless Streaming Data Processing using Amazon Kinesis Analytics
 
AMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 PortlandAMP Kynetics - ELC 2018 Portland
AMP Kynetics - ELC 2018 Portland
 
Red Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform OverviewRed Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform Overview
 
How to contribute to OpenStack
How to contribute to OpenStackHow to contribute to OpenStack
How to contribute to OpenStack
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
 
Kubernetes API code-base tour
Kubernetes API code-base tourKubernetes API code-base tour
Kubernetes API code-base tour
 

Viewers also liked

Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized Storage
Greg Hoelzer
 
Minishift (Run OpenShift locally)
Minishift (Run OpenShift locally)Minishift (Run OpenShift locally)
Minishift (Run OpenShift locally)
Praveen Kumar
 
OpenShift v3 Internal networking details
OpenShift v3 Internal networking detailsOpenShift v3 Internal networking details
OpenShift v3 Internal networking details
Etsuji Nakai
 
OpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesOpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetes
Samuel Terburg
 
Red Hat OpenShift V3 Overview and Deep Dive
Red Hat OpenShift V3 Overview and Deep DiveRed Hat OpenShift V3 Overview and Deep Dive
Red Hat OpenShift V3 Overview and Deep Dive
Greg Hoelzer
 
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...
Stephen Gordon
 
Openshift/Kubernetes integration with Apache YARN
Openshift/Kubernetes integration with Apache YARNOpenshift/Kubernetes integration with Apache YARN
Openshift/Kubernetes integration with Apache YARN
verbal1714
 
OpenShift meetup Bangalore
OpenShift meetup BangaloreOpenShift meetup Bangalore
OpenShift meetup Bangalore
Suraj Deshmukh
 
Workshop-Build e deploy avançado com Openshift e Kubernetes
Workshop-Build e deploy avançado com Openshift e KubernetesWorkshop-Build e deploy avançado com Openshift e Kubernetes
Workshop-Build e deploy avançado com Openshift e Kubernetes
juniorjbn
 
米聊服务器技术选型与架构
米聊服务器技术选型与架构米聊服务器技术选型与架构
米聊服务器技术选型与架构
Jinping Qu
 
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShift
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShiftUltimate DevOps - Jenkins Enterprise & Red Hat OpenShift
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShift
Andy Pemberton
 
OpenShift In a Nutshell - Episode 03 - Infrastructure part I
OpenShift In a Nutshell - Episode 03 - Infrastructure part IOpenShift In a Nutshell - Episode 03 - Infrastructure part I
OpenShift In a Nutshell - Episode 03 - Infrastructure part I
Behnam Loghmani
 
OpenShift In a Nutshell - Episode 04 - Infrastructure part II
OpenShift In a Nutshell - Episode 04 - Infrastructure part IIOpenShift In a Nutshell - Episode 04 - Infrastructure part II
OpenShift In a Nutshell - Episode 04 - Infrastructure part II
Behnam Loghmani
 
OpenShift In a Nutshell - Episode 05 - Core Concepts Part I
OpenShift In a Nutshell - Episode 05 - Core Concepts Part IOpenShift In a Nutshell - Episode 05 - Core Concepts Part I
OpenShift In a Nutshell - Episode 05 - Core Concepts Part I
Behnam Loghmani
 
OpenShift In a Nutshell - Episode 06 - Core Concepts Part II
OpenShift In a Nutshell - Episode 06 - Core Concepts Part IIOpenShift In a Nutshell - Episode 06 - Core Concepts Part II
OpenShift In a Nutshell - Episode 06 - Core Concepts Part II
Behnam Loghmani
 
Openshift Container Platform on Azure
Openshift Container Platform on AzureOpenshift Container Platform on Azure
Openshift Container Platform on Azure
Glenn West
 
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
ManageIQ
 
Understanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous DeliveryUnderstanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous Delivery
Swapnil Jain
 
OpenShift In a Nutshell - Episode 02 - Architecture
OpenShift In a Nutshell - Episode 02 - ArchitectureOpenShift In a Nutshell - Episode 02 - Architecture
OpenShift In a Nutshell - Episode 02 - Architecture
Behnam Loghmani
 
Developing microservices with wildfly swarm and deploying on openshift
Developing microservices with wildfly swarm and deploying on openshiftDeveloping microservices with wildfly swarm and deploying on openshift
Developing microservices with wildfly swarm and deploying on openshift
andreas kuncoro
 

Viewers also liked (20)

Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized Storage
 
Minishift (Run OpenShift locally)
Minishift (Run OpenShift locally)Minishift (Run OpenShift locally)
Minishift (Run OpenShift locally)
 
OpenShift v3 Internal networking details
OpenShift v3 Internal networking detailsOpenShift v3 Internal networking details
OpenShift v3 Internal networking details
 
OpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetesOpenShift Enterprise 3.1 vs kubernetes
OpenShift Enterprise 3.1 vs kubernetes
 
Red Hat OpenShift V3 Overview and Deep Dive
Red Hat OpenShift V3 Overview and Deep DiveRed Hat OpenShift V3 Overview and Deep Dive
Red Hat OpenShift V3 Overview and Deep Dive
 
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...
 
Openshift/Kubernetes integration with Apache YARN
Openshift/Kubernetes integration with Apache YARNOpenshift/Kubernetes integration with Apache YARN
Openshift/Kubernetes integration with Apache YARN
 
OpenShift meetup Bangalore
OpenShift meetup BangaloreOpenShift meetup Bangalore
OpenShift meetup Bangalore
 
Workshop-Build e deploy avançado com Openshift e Kubernetes
Workshop-Build e deploy avançado com Openshift e KubernetesWorkshop-Build e deploy avançado com Openshift e Kubernetes
Workshop-Build e deploy avançado com Openshift e Kubernetes
 
米聊服务器技术选型与架构
米聊服务器技术选型与架构米聊服务器技术选型与架构
米聊服务器技术选型与架构
 
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShift
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShiftUltimate DevOps - Jenkins Enterprise & Red Hat OpenShift
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShift
 
OpenShift In a Nutshell - Episode 03 - Infrastructure part I
OpenShift In a Nutshell - Episode 03 - Infrastructure part IOpenShift In a Nutshell - Episode 03 - Infrastructure part I
OpenShift In a Nutshell - Episode 03 - Infrastructure part I
 
OpenShift In a Nutshell - Episode 04 - Infrastructure part II
OpenShift In a Nutshell - Episode 04 - Infrastructure part IIOpenShift In a Nutshell - Episode 04 - Infrastructure part II
OpenShift In a Nutshell - Episode 04 - Infrastructure part II
 
OpenShift In a Nutshell - Episode 05 - Core Concepts Part I
OpenShift In a Nutshell - Episode 05 - Core Concepts Part IOpenShift In a Nutshell - Episode 05 - Core Concepts Part I
OpenShift In a Nutshell - Episode 05 - Core Concepts Part I
 
OpenShift In a Nutshell - Episode 06 - Core Concepts Part II
OpenShift In a Nutshell - Episode 06 - Core Concepts Part IIOpenShift In a Nutshell - Episode 06 - Core Concepts Part II
OpenShift In a Nutshell - Episode 06 - Core Concepts Part II
 
Openshift Container Platform on Azure
Openshift Container Platform on AzureOpenshift Container Platform on Azure
Openshift Container Platform on Azure
 
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
DevOps with OpenShift - Fabien Dupont - ManageIQ Design Summit 2016
 
Understanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous DeliveryUnderstanding DevOps in simpler way with Continuous Delivery
Understanding DevOps in simpler way with Continuous Delivery
 
OpenShift In a Nutshell - Episode 02 - Architecture
OpenShift In a Nutshell - Episode 02 - ArchitectureOpenShift In a Nutshell - Episode 02 - Architecture
OpenShift In a Nutshell - Episode 02 - Architecture
 
Developing microservices with wildfly swarm and deploying on openshift
Developing microservices with wildfly swarm and deploying on openshiftDeveloping microservices with wildfly swarm and deploying on openshift
Developing microservices with wildfly swarm and deploying on openshift
 

Similar to [Devconf.cz][2017] Understanding OpenShift Security Context Constraints

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
Docker, Inc.
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Mihai Criveti
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
Velocidex Enterprises
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
Ben Hall
 
Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016
Ben Hall
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
Ricardo Amaro
 
containerD
containerDcontainerD
containerD
strikr .
 
Docker workshop
Docker workshopDocker workshop
Docker workshop
Evans Ye
 
桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作
Philip Zheng
 
How Reconnix Is Using Docker
How Reconnix Is Using DockerHow Reconnix Is Using Docker
How Reconnix Is Using Docker
Russ Mckendrick
 
Wordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionWordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccion
Sysdig
 
Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016
XP Conference India
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017
Paul Chao
 
Тарас Кирилюк — Docker basics. How-to for Drupal developers
Тарас Кирилюк — Docker basics. How-to for Drupal developersТарас Кирилюк — Docker basics. How-to for Drupal developers
Тарас Кирилюк — Docker basics. How-to for Drupal developers
LEDC 2016
 
Dockerizing WordPress
Dockerizing WordPressDockerizing WordPress
Dockerizing WordPress
Docker, Inc.
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
Bo-Yi Wu
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
Sreenivas Makam
 
Docker container management
Docker container managementDocker container management
Docker container management
Karol Kreft
 
Developing and Deploying PHP with Docker
Developing and Deploying PHP with DockerDeveloping and Deploying PHP with Docker
Developing and Deploying PHP with Docker
Patrick Mizer
 
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Mihai Criveti
 

Similar to [Devconf.cz][2017] Understanding OpenShift Security Context Constraints (20)

Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Kubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with PodmanKubernetes Story - Day 1: Build and Manage Containers with Podman
Kubernetes Story - Day 1: Build and Manage Containers with Podman
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)Running Docker in Development & Production (#ndcoslo 2015)
Running Docker in Development & Production (#ndcoslo 2015)
 
Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016Deploying Windows Containers on Windows Server 2016
Deploying Windows Containers on Windows Server 2016
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 
containerD
containerDcontainerD
containerD
 
Docker workshop
Docker workshopDocker workshop
Docker workshop
 
桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作桃園市教育局Docker技術入門與實作
桃園市教育局Docker技術入門與實作
 
How Reconnix Is Using Docker
How Reconnix Is Using DockerHow Reconnix Is Using Docker
How Reconnix Is Using Docker
 
Wordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccionWordpress y Docker, de desarrollo a produccion
Wordpress y Docker, de desarrollo a produccion
 
Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016Introduction to Docker - Learning containerization XP conference 2016
Introduction to Docker - Learning containerization XP conference 2016
 
手把手帶你學Docker 03042017
手把手帶你學Docker 03042017手把手帶你學Docker 03042017
手把手帶你學Docker 03042017
 
Тарас Кирилюк — Docker basics. How-to for Drupal developers
Тарас Кирилюк — Docker basics. How-to for Drupal developersТарас Кирилюк — Docker basics. How-to for Drupal developers
Тарас Кирилюк — Docker basics. How-to for Drupal developers
 
Dockerizing WordPress
Dockerizing WordPressDockerizing WordPress
Dockerizing WordPress
 
Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署Drone CI/CD 自動化測試及部署
Drone CI/CD 自動化測試及部署
 
Docker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting TechniquesDocker Networking - Common Issues and Troubleshooting Techniques
Docker Networking - Common Issues and Troubleshooting Techniques
 
Docker container management
Docker container managementDocker container management
Docker container management
 
Developing and Deploying PHP with Docker
Developing and Deploying PHP with DockerDeveloping and Deploying PHP with Docker
Developing and Deploying PHP with Docker
 
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 

[Devconf.cz][2017] Understanding OpenShift Security Context Constraints

  • 1. Understanding OpenShift Security Context Constraints A practical walkthrough Alessandro Arrichiello - alezzandro@gmail.com Federico Nebiolo - fnebiolo@gmail.com
  • 3. What is OpenShift? ● Platform as a Service ● Open Source ● Container based ● Kubernetes based ● Development oriented ● Multitenant ● Web-based interface ● Integrated Registries ● HA configurable ● Integrated metrics ● git lover ★ You care about service and its technologies ★ Github hosted code ★ Docker and more ★ Do you know Google? :) ★ Automated builds and much more ★ Many users, grants, policies and isolation ★ Who cares? :) ★ Who needs internet? Local Registries! ★ Set the replicas and Origin will care ★ Do you like graphs? ★ Yeah, we love git!
  • 4. All cool but.. Where is the start button? $ oc cluster up -- Checking OpenShift client ... OK -- Checking Docker client ... OK -- Checking Docker version ... OK -- Checking for existing OpenShift container ... OK -- Checking for openshift/origin:v1.3.1 image ... OK -- Checking Docker daemon configuration ... OK -- Checking for available ports ... OK -- Checking type of volume mount ... Using nsenter mounter for OpenShift volumes -- Creating host directories ... OK -- Finding server IP ... Using public hostname IP 192.168.123.1 as the host IP Using 192.168.123.1 as the server IP -- Starting OpenShift container ... Starting OpenShift using container 'origin' Waiting for API server to start listening OpenShift server started -- Installing registry ... OK -- Installing router ... OK -- Importing image streams ... OK -- Importing templates ... OK -- Login to server ... OK -- Creating initial project "myproject" ... Now using project "myproject" on server "https://192.168.123.1:8443". -- Server Information ... OpenShift server started. The server is accessible via web console at: https://192.168.123.1:8443
  • 5. What are Security Context Constraints? ● OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. ● Security context constraints allow administrators to control permissions for pods. SCCs allow an administrator: 1. Run privileged containers. 2. Set capabilities a container can request. 3. Use of host directories as volumes. 4. Set SELinux context of the container. 5. Set the user ID for the container. 6. The use of host namespaces and networking. 7. Define ‘FSGroup’ for the pod’s volumes 8. Configure allowable supplemental groups 9. Require the use of a read only file system 10. Control the usage of volume types A pod is the smallest OpenShift’s compute unit. It’s one or more containers) deployed together on one host.
  • 6. Security Context Constraints: What? I want run my container!
  • 8. Setting up prerequisites for the wordpress container The following environment variables are also honored for configuring your WordPress instance: -e WORDPRESS_DB_HOST=... (defaults to the IP and port of the linked mysql container) -e WORDPRESS_DB_USER=... (defaults to "root") -e WORDPRESS_DB_PASSWORD=... $ oc new-app mariadb -e MYSQL_ROOT_PASSWORD=mysecret --> Found image 1dc122b (3 weeks old) in image stream "mariadb" in project "openshift" under tag "10.1" for "mariadb" MariaDB 10.1 ------------ MariaDB is a multi-user, multi-threaded SQL database server Tags: database, mysql, mariadb, mariadb101, rh-mariadb101, galera * This image will be deployed in deployment config "mariadb" * Port 3306/tcp will be load balanced by service "mariadb" * Other containers can access this service through the hostname "mariadb" * This image declares volumes and will default to use non-persistent, host-local storage. You can add persistent volumes later by running 'volume dc/mariadb --add ...' ...
  • 9. Stop talking: run my container! $ oc new-app wordpress -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=mysecret --> Found Docker image ed69ee3 (6 days old) from Docker Hub for "wordpress" * An image stream will be created as "wordpress:latest" that will track this image * This image will be deployed in deployment config "wordpress" * Port 80/tcp will be load balanced by service "wordpress" * Other containers can access this service through the hostname "wordpress" * This image declares volumes and will default to use non-persistent, host-local storage. You can add persistent volumes later by running 'volume dc/wordpress --add ...' * WARNING: Image "wordpress" runs as the 'root' user which may not be permitted by your cluster administrator --> Creating resources with label app=wordpress ... $ oc get pods NAME READY STATUS RESTARTS AGE wordpress-1-deploy 1/1 Running 0 17s wordpress-1-072ui 0/1 Error 0 14s $ oc logs wordpress-1-072ui AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.7. Set the 'ServerName' directive globally to suppress this message (13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80 no listening sockets available, shutting down AH00015: Unable to open logs
  • 10. Ok, fun but.. What happened to my container? $ oc describe pod/wordpress-1-072ui | head Name: wordpress-1-072ui Namespace: myproject Security Policy: restricted Node: 192.168.123.1/192.168.123.1 Start Time: Thu, 12 Jan 2017 12:47:04 +0100 Labels: app=wordpress deployment=wordpress-1 deploymentconfig=wordpress Status: Running IP: 172.17.0.7 $ oc debug wordpress-1-072ui Debugging with pod/wordpress-1-072ui-debug, original command: docker-entrypoint.sh apache2-foreground Waiting for pod to start ... Pod IP: 172.17.0.4 If you don't see a command prompt, try pressing enter. $ id uid=1000040000 gid=0(root) groups=0(root),1000040000
  • 11. Solutions For your lovely container ● Edit the ‘restricted’ SCC OR ● Use the ‘anyuid’ SCC OR ● Rebuild through Dockerfile
  • 12. Edit the ‘restricted’ SCC First option: the worst one
  • 13. Security Context Constraints available in OpenShift $ oc login -u system:admin Logged into "https://192.168.123.1:8443" as "system:admin" using existing credentials. $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret] hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret] hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret] hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] privileged true [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*] restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
  • 14. Inspecting the ‘restricted’ SCC $ oc get scc/restricted -o yaml allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: v1 defaultAddCapabilities: null fsGroup: type: MustRunAs groups: - system:authenticated kind: SecurityContextConstraints metadata: annotations: kubernetes.io/description: restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC. creationTimestamp: 2016-12-22T10:04:27Z name: restricted resourceVersion: "102" selfLink: /api/v1/securitycontextconstraints/restricted uid: 05f68498-c82e-11e6-b2bd-68f7286606f4 priority: null readOnlyRootFilesystem: false requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT - SETUID - SETGID runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
  • 15. Editing the ‘restricted’ SCC $ oc get scc restricted -o yaml | grep runAsUser -A1 runAsUser: type: MustRunAsRange $ oc edit scc restricted securitycontextconstraints "restricted" edited $ oc get scc restricted -o yaml | grep runAsUser -A1 runAsUser: type: RunAsAny $ oc get pod NAME READY STATUSRESTARTS AGE mariadb-1-l4ycb 1/1 Running 0 2h wordpress-1-ai3gj 1/1 Running 0 52s
  • 16. Take a look to container’s logs $ oc logs wordpress-1-ai3gj WordPress not found in /var/www/html - copying now... Complete! WordPress has been successfully copied to /var/www/html AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message [Thu Jan 12 13:47:46.849951 2017] [unixd:alert] [pid 170] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.850406 2017] [unixd:alert] [pid 171] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.850735 2017] [unixd:alert] [pid 172] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.851119 2017] [unixd:alert] [pid 173] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33 [Thu Jan 12 13:47:46.851398 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations [Thu Jan 12 13:47:46.851458 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND' [Thu Jan 12 13:47:46.851500 2017] [unixd:alert] [pid 174] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
  • 17. A step back to the ‘restricted’ SCC $ oc get scc/restricted -o yaml allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: v1 defaultAddCapabilities: null fsGroup: type: MustRunAs groups: - system:authenticated kind: SecurityContextConstraints metadata: annotations: kubernetes.io/description: restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC. creationTimestamp: 2016-12-22T10:04:27Z name: restricted resourceVersion: "102" selfLink: /api/v1/securitycontextconstraints/restricted uid: 05f68498-c82e-11e6-b2bd-68f7286606f4 priority: null readOnlyRootFilesystem: false requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT - SETUID - SETGID runAsUser: type: MustRunAsRange seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret Dropped Capabilities
  • 18. Editing *AGAIN* the ‘restricted’ SCC $ oc edit scc restricted securitycontextconstraints "restricted" edited $ oc get scc restricted -o yaml | grep DropCap -A5 requiredDropCapabilities: - KILL - MKNOD - SYS_CHROOT runAsUser: type: RunAsAny $ oc logs wordpress-1-0kz6o WordPress not found in /var/www/html - copying now... Complete! WordPress has been successfully copied to /var/www/html AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message [Thu Jan 12 14:13:12.437336 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations [Thu Jan 12 14:13:12.437365 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
  • 19. Add a route and test it! $ cat wordpress-route.yaml apiVersion: v1 kind: Route metadata: labels: app: wordpress name: wordpress spec: host: wordpress.192.168.123.1.xip.io port: targetPort: 80-tcp to: kind: Service name: wordpress weight: 100 $ oc create -f wordpress-route.yaml route "wordpress" created $ curl -L http://wordpress.192.168.123.1.xip.io 2>/dev/null | head <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"> <head> <meta name="viewport" content="width=device-width" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="robots" content="noindex,nofollow" /> <title>WordPress &rsaquo; Installation</title> <link rel='stylesheet' id='buttons-css' href='http://wordpress.192.168.123.1.xip.io/wp-includ es/css/buttons.min.css?ver=4.7' type='text/css' media='all' /> <link rel='stylesheet' id='install-css' href='http://wordpress.192.168.123.1.xip.io/wp-admin/ css/install.min.css?ver=4.7' type='text/css' media='all' />
  • 20. Use the ‘anyuid’ SCC Second option: the standard one
  • 21. Security Context Constraints available in OpenShift $ oc login -u system:admin Logged into "https://192.168.123.1:8443" as "system:admin" using existing credentials. $ oc get scc NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret] hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret] hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret] hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret] privileged true [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*] restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
  • 22. Inspecting the ‘anyuid’ SCC $ oc get scc/anyuid -o yaml allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: v1 defaultAddCapabilities: null fsGroup: type: RunAsAny groups: - system:cluster-admins kind: SecurityContextConstraints metadata: annotations: kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. This is the default SCC for authenticated users. creationTimestamp: 2016-12-22T10:04:27Z name: anyuid resourceVersion: "103" selfLink: /api/v1/securitycontextconstraints/anyuid uid: 05f6bbdb-c82e-11e6-b2bd-68f7286606f4 priority: 10 readOnlyRootFilesystem: false requiredDropCapabilities: - MKNOD - SYS_CHROOT runAsUser: type: RunAsAny seLinuxContext: type: MustRunAs supplementalGroups: type: RunAsAny volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
  • 23. Use the ‘anyuid’ How can I do it? Using Service Accounts Service accounts provide a flexible way to control API access without sharing a regular user’s credentials. Every service account has an associated username that can be granted roles, just like a regular user. The username is derived from its project and name: system:serviceaccount:<project>:<name>
  • 24. Service Account creation and configuration $ oc project wpoption2 Already on project "wpoption2" on server "https://192.168.123.1:8443". $ oc create serviceaccount wp-sa serviceaccount "wp-sa" created $ oc whoami system:admin $ oc adm policy add-scc-to-user anyuid system:serviceaccount:wpoption2:wp-sa $ oc get scc/anyuid -o yaml | tail supplementalGroups: type: RunAsAny users: - system:serviceaccount:wpoption2:wp-sa volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - secret
  • 25. Inspecting wordpress DeploymentConfig apiVersion: v1 kind: DeploymentConfig ... template: metadata: annotations: openshift.io/container.wordpress.image.entrypoint: '["docker-entrypoint.sh","apache2-foreground"]' openshift.io/generated-by: OpenShiftNewApp creationTimestamp: null labels: app: wordpress deploymentconfig: wordpress spec: containers: - env: - name: WORDPRESS_DB_HOST value: mariadb - name: WORDPRESS_DB_PASSWORD value: mysecret - name: WORDPRESS_DB_USER value: root image: wordpress@sha256:0bb659eafa22cdb9f14bc05d17be97132842 eb122eb8ff346ecafe7553f48f22 imagePullPolicy: Always name: wordpress ports: - containerPort: 80 protocol: TCP resources: {} terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /var/www/html name: wordpress-volume-1 dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} terminationGracePeriodSeconds: 30 volumes: - emptyDir: {} name: wordpress-volume-1 ...
  • 26. Editing wordpress DeploymentConfig $ oc edit dc/wordpress deploymentconfig "wordpress" edited $ oc get dc/wordpress -o yaml | grep wp-sa -B15 -A1 value: root image: wordpress@sha256:0bb659eafa22cdb9f14bc05d17be97132842 eb122eb8ff346ecafe7553f48f22 imagePullPolicy: Always name: wordpress ports: - containerPort: 80 protocol: TCP resources: {} terminationMessagePath: /dev/termination-log volumeMounts: - mountPath: /var/www/html name: wordpress-volume-1 dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} serviceAccount: wp-sa serviceAccountName: wp-sa terminationGracePeriodSeconds: 30 $ oc describe dc wordpress | head -16 Name: wordpress Namespace: myproject Created: 28 hours ago Labels: app=wordpress Annotations: openshift.io/generated-by=OpenShiftNewApp Latest Version: 2 Selector: app=wordpress,deploymentconfig=wordpress Replicas: 1 Triggers: Config, Image(wordpress@latest, auto=true) Strategy: Rolling Template: Labels: app=wordpress deploymentconfig=wordpress Annotations: openshift.io/container.wordpress.image.entrypoint=["d ocker-entrypoint.sh","apache2-foreground"] openshift.io/generated-by=OpenShiftNewApp Service Account: wp-sa
  • 27. Check if it’s working... $ oc logs wordpress-2-sqd8f WordPress not found in /var/www/html - copying now... Complete! WordPress has been successfully copied to /var/www/html AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.9. Set the 'ServerName' directive globally to suppress this message AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.9. Set the 'ServerName' directive globally to suppress this message [Fri Jan 13 16:15:15.728548 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations [Fri Jan 13 16:15:15.728574 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND' $ oc describe pod wordpress-2-sqd8f | head Name: wordpress-2-sqd8f Namespace: myproject Security Policy: anyuid Node: 192.168.123.1/192.168.123.1 Start Time: Fri, 13 Jan 2017 17:14:58 +0100 Labels: app=wordpress deployment=wordpress-2 deploymentconfig=wordpress Status: Running IP: 172.17.0.9
  • 28. Rebuild through Dockerfile Third option: the best one
  • 29. Really? Why rebuild the container image? ● You may not be OpenShift cluster administrator ● All the previous solutions require admin privileges ● You should not grant root on thirdparty containers
  • 30. First: Locate the Dockerfile ● Search on DockerHub/DockerStore: https://store.docker.com/search?q =wordpress&source=verified&ty pe=image ● Download the Dockerfile: https://github.com/docker-library /wordpress/blob/7d40c4237f0189 2bb6dbc67d1a82f5b15f807ca1/ph p5.6/apache/Dockerfile ● Make the edits and upload it somewhere!
  • 31. Inspecting default ‘wordpress’ Dockerfile FROM php:5.6-apache # install the PHP extensions we need RUN set -ex; apt-get update; apt-get install -y libjpeg-dev libpng12-dev ; rm -rf /var/lib/apt/lists/*; docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; docker-php-ext-install gd mysqli opcache # TODO consider removing the *-dev deps and only keeping the necessary lib* packages # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php RUN { echo 'opcache.memory_consumption=128'; echo 'opcache.interned_strings_buffer=8'; echo 'opcache.max_accelerated_files=4000'; echo 'opcache.revalidate_freq=2'; echo 'opcache.fast_shutdown=1'; echo 'opcache.enable_cli=1'; } > /usr/local/etc/php/conf.d/opcache-recommended.ini RUN a2enmod rewrite expires VOLUME /var/www/html ENV WORDPRESS_VERSION 4.7.1 ENV WORDPRESS_SHA1 8e56ba56c10a3f245c616b13e46bd996f63793d6 RUN set -ex; curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar .gz"; echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; # upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress tar -xzf wordpress.tar.gz -C /usr/src/; rm wordpress.tar.gz; chown -R www-data:www-data /usr/src/wordpress COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] CMD ["apache2-foreground"]
  • 32. Editing ‘wordpress’ Dockerfile FROM php:5.6-apache # install the PHP extensions we need RUN set -ex; apt-get update; apt-get install -y libjpeg-dev libpng12-dev ; rm -rf /var/lib/apt/lists/*; docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; docker-php-ext-install gd mysqli opcache # TODO consider removing the *-dev deps and only keeping the necessary lib* packages # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php RUN { echo 'opcache.memory_consumption=128'; echo 'opcache.interned_strings_buffer=8'; echo 'opcache.max_accelerated_files=4000'; echo 'opcache.revalidate_freq=2'; echo 'opcache.fast_shutdown=1'; echo 'opcache.enable_cli=1'; } > /usr/local/etc/php/conf.d/opcache-recommended.ini RUN a2enmod rewrite expires VOLUME /var/www/html RUN sed -i 's/Listen 80/Listen 8080/g' /etc/apache2/ports.conf EXPOSE 8080 RUN chmod g+w /var/log/apache2 RUN chmod g+w /var/lock/apache2 RUN chmod g+w /var/run/apache2 ENV WORDPRESS_VERSION 4.7 ENV WORDPRESS_SHA1 1e14144c4db71421dc4ed22f94c3914dfc3b7020 RUN set -ex; curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar .gz"; echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; # upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress tar -xzf wordpress.tar.gz -C /usr/src/; rm wordpress.tar.gz; chmod -R 777 /usr/src/wordpress COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["docker-entrypoint.sh"] CMD ["apache2-foreground"]
  • 33. Editing container’s entrypoint: docker-entrypoint.sh #!/bin/bash #set -euo pipefail # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' # (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of # "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) file_env() { local var="$1" local fileVar="${var}_FILE" local def="${2:-}" if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then echo >&2 "error: both $var and $fileVar are set (but are exclusive)" exit 1 fi local val="$def" if [ "${!var:-}" ]; then val="${!var}" elif [ "${!fileVar:-}" ]; then val="$(< "${!fileVar}")" fi export "$var"="$val" unset "$fileVar" } Bash strict run
  • 34. Creating a new-app with Dockerfile source $ oc new-app https://github.com/alezzandro/wordpress-in-userspace -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=mysecret --> Found Docker image 01b23de (18 hours old) from Docker Hub for "php:5.6-apache" * An image stream will be created as "php:5.6-apache" that will track the source image * A Docker build using source code from https://github.com/alezzandro/wordpress-in-userspace will be created * The resulting image will be pushed to image stream "wordpress-in-userspace:latest" * Every time "php:5.6-apache" changes a new build will be triggered * This image will be deployed in deployment config "wordpress-in-userspace" * Port 8080/tcp will be load balanced by service "wordpress-in-userspace" * Other containers can access this service through the hostname "wordpress-in-userspace" * WARNING: Image "php:5.6-apache" runs as the 'root' user which may not be permitted by your cluster administrator --> Creating resources with label app=wordpress-in-userspace ... imagestream "php" created imagestream "wordpress-in-userspace" created buildconfig "wordpress-in-userspace" created deploymentconfig "wordpress-in-userspace" created service "wordpress-in-userspace" created --> Success Build scheduled, use 'oc logs -f bc/wordpress-in-userspace' to track its progress. Run 'oc status' to view your app.
  • 35. Adding ‘emptyDir’ volume and the supplementalGroup $ oc volume dc/wordpress-in-userspace --add --name=wordpress-volume-1 -t emptyDir --mount-path=/var/www/html deploymentconfigs/wordpress-in-userspace $ oc edit dc/wordpress-in-userspace deploymentconfigs/wordpress-in-userspace $ oc get dc wordpress-in-userspace -o yaml|grep -A2 security securityContext: supplementalGroups: - 33 $ oc get pods NAME READY STATUS RESTARTS AGE mariadb-1-sscl5 1/1 Running 0 40m wordpress-in-userspace-1-build 0/1 Completed 0 34m wordpress-in-userspace-3-isov6 1/1 Running 0 15m $ oc rsh wordpress-in-userspace-3-isov6 $ id uid=1000140000 gid=0(root) groups=0(root),33(www-data),1000140000 $ ls -ld /var/run/apache2 drwxrwxr-x. 2 www-data www-data 4096 Jan 23 17:27 /var/run/apache2
  • 36. Create a route and check the result $ oc create -f wp-route.yml route/wordpress-in-userspace $ curl http://wpoption3.192.168.123.1.xip.io 2>/dev/null|head <!DOCTYPE html> <html lang="en-US" class="no-js no-svg"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="profile" href="http://gmpg.org/xfn/11"> <script>(function(html){html.className = html.className.replace(/bno-jsb/,'js')})(document.documentElement);</script> <title>Test website &#8211; Just another WordPress site</title> <meta name='robots' content='noindex,follow' />