Why is my container getting permission denied on OpenShift but not on Kubernetes?
Welcome back, people. This time we will look at OpenShift permissions. Recently I have been working on OpenShift and found that it handles the user inside a container differently from Kubernetes: I was able to launch my application container on Kubernetes but not on OpenShift. In the container logs I saw a permission denied error, which looked strange (it is not!). After some research it turned out to be OpenShift's default behaviour: its default security context constraint (the restricted SCC) prevents the process inside the container from running as root and instead runs it under an arbitrary non-root UID from a range allocated to the project.
Let's start with Docker and then move on to OpenShift.
The Docker Containers
First of all, I want to talk briefly about Docker containers. If you take a closer look at a Docker container, it is nothing but a process with cgroup constraints and Linux namespaces. A process running in a container is therefore no different from a normal process running on the host, and the container itself is not a hard security boundary. We all know it is not recommended to run a process as root, and the same rule applies here: a process running as root (UID 0) inside the container is root on the host as well, because the kernel sees the same UID unless user namespaces are used to remap it.
To demonstrate this, I created a file, secret.txt, that only root can edit; the normal user veeru can't. Now we will try to edit secret.txt from a Docker container and see whether that is possible.
- Launch a docker container
- Now let's go inside the container (which means running /bin/bash in it with docker exec) and edit secret.txt
Notice what happened when I ran the docker exec command: I went inside the docker container as "root". I didn't specify any user while launching the container, yet I'm root. This is Docker's default behaviour: if we don't specify a UID when launching the container, it runs as root, i.e. UID 0. The same happens if you don't specify USER in the Dockerfile when creating the image: your application or process runs as root.
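As an added example that is not part of the original post, the shell script below reproduces the experiment above without needing sudo: a container started with no --user creates a file on a bind-mounted host directory, and that file comes out owned by root on the host, so neither the host user nor a container started with that user's UID can edit it, while the default (root) container overwrites it freely. The directory /tmp/uid-demo, the alpine image and the function names are my assumptions; dockerfile_user is a small check for the Dockerfile rule stated above (no USER instruction means UID 0).

```shell
#!/bin/sh
# Added example: root inside a Docker container is root on the host.
# Assumes docker is installed and usable by the current (non-root) user;
# the demo directory, the alpine image and all function names are mine.
set -eu

DEMO_DIR=${DEMO_DIR:-/tmp/uid-demo}

# Effective user of a single-stage Dockerfile: the last USER instruction
# wins; with no USER at all the image runs as root, i.e. UID 0.
dockerfile_user() {
  awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "0" : u) }' "$1"
}

# Run a command in a throwaway alpine container with DEMO_DIR mounted at
# /data. An empty first argument means "let Docker pick the user" (root).
run_in_container() {
  uid=$1; shift
  if [ -n "$uid" ]; then
    docker run --rm --user "$uid" -v "$DEMO_DIR:/data" alpine sh -c "$*"
  else
    docker run --rm -v "$DEMO_DIR:/data" alpine sh -c "$*"
  fi
}

demo() {
  mkdir -p "$DEMO_DIR"

  # 1. No --user: the process is UID 0, so the file it creates on the
  #    host is owned by root (mode 644, root-writable only).
  run_in_container "" 'id -u; echo top-secret > /data/secret.txt; chmod 644 /data/secret.txt'
  ls -l "$DEMO_DIR/secret.txt"

  # 2. The host user (veeru in the post) cannot edit it ...
  if echo changed >> "$DEMO_DIR/secret.txt" 2>/dev/null; then
    echo "host user $(id -un) could write secret.txt (are you root?)"
  else
    echo "host user $(id -un) gets permission denied, as expected"
  fi

  # 3. ... nor can a container started with that same non-root UID ...
  run_in_container "$(id -u)" 'echo changed >> /data/secret.txt' \
    || echo "container running as UID $(id -u) gets permission denied"

  # 4. ... but the default container is root and simply overwrites it.
  run_in_container "" 'echo overwritten > /data/secret.txt && cat /data/secret.txt'
}

# Run the Docker part only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "sh uid-demo.sh demo" from a non-root shell; the ls output in step 1 is the whole point, since nothing in the docker run command asked for root.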
Now let's make some observations on OpenShift and Kubernetes.
For the sake of this blog I have created a simple dummy application that runs in the Tomcat servlet container.
The Dockerfile is nothing but an Ubuntu 14.04 base image, a Java installation and Tomcat with the sample app.
run.sh runs when the container starts.
I've seen many Docker images do this, i.e. modify config files or create directories when the container starts. That works only as long as the process is root, which is exactly the assumption OpenShift breaks.
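As an added example (not the post's own run.sh), here is the kind of startup script that survives OpenShift's arbitrary UID: before touching anything it checks whether the directories it is about to modify are actually writable by the current UID and GID, and it gives the UID a passwd entry when the image has left /etc/passwd group-writable. The /opt/tomcat default for CATALINA_HOME, the passwd-file parameter and the function names are my assumptions, and the Dockerfile preparation it relies on (chgrp 0 and chmod g=u on the writable paths, so that the root group OpenShift keeps can write them) is stated in the comments.

```shell
#!/bin/sh
# Added example of a UID-agnostic startup script; not the post's run.sh.
# It assumes the Dockerfile has prepared the writable paths for the root
# group, e.g.
#   RUN chgrp -R 0 /opt/tomcat/conf /opt/tomcat/logs /opt/tomcat/temp /etc/passwd \
#    && chmod -R g=u /opt/tomcat/conf /opt/tomcat/logs /opt/tomcat/temp /etc/passwd
# so that whatever UID OpenShift assigns (the GID stays 0) can write there.
set -eu

CATALINA_HOME=${CATALINA_HOME:-/opt/tomcat}

# True if the numeric UID ($1) appears in the passwd file ($2).
uid_has_passwd_entry() {
  awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# Give an arbitrary UID ($1) with primary GID ($2) an entry in the passwd
# file ($3), so getpwuid()-based code and tools like whoami stop failing
# with "user not found". Needs the file to be writable by this process;
# returns 1 otherwise and never duplicates an existing entry.
ensure_passwd_entry() {
  uid=$1 gid=$2 passwd=$3
  if uid_has_passwd_entry "$uid" "$passwd"; then
    return 0
  fi
  if [ ! -w "$passwd" ]; then
    echo "cannot add UID $uid to $passwd: not writable" >&2
    return 1
  fi
  echo "${APP_USER:-app}:x:${uid}:${gid}:arbitrary uid:${HOME:-/tmp}:/sbin/nologin" >> "$passwd"
}

# Verify every directory the startup logic wants to modify is writable by
# the current UID/GID. Reports all failures at once instead of dying on the
# first "Permission denied" somewhere deep inside the application start.
check_writable() {
  status=0
  for dir in "$@"; do
    if [ ! -w "$dir" ]; then
      echo "UID $(id -u) (GID $(id -g)) cannot write $dir; fix the image with: chgrp 0 $dir && chmod g=u $dir" >&2
      status=1
    fi
  done
  return $status
}

start() {
  echo "starting as UID $(id -u), GID $(id -g)"
  ensure_passwd_entry "$(id -u)" "$(id -g)" /etc/passwd || true   # best effort
  check_writable "$CATALINA_HOME/conf" "$CATALINA_HOME/logs" "$CATALINA_HOME/temp"
  # The post's run.sh edits config files and creates directories at this
  # point; once the checks above pass, those steps succeed for any UID.
  exec "$CATALINA_HOME/bin/catalina.sh" run
}

if [ "${1:-}" = "start" ]; then start; fi
```

Note that test -w always reports writable for UID 0, so the script is a no-op on plain Docker or Kubernetes where the container still runs as root; it only starts complaining on the platform that actually assigns a different UID.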