A common issue when porting Docker images to OpenShift is that the image might be engineered to run as the root user. Let’s see how to deal with Security Context Constraints (SCC) on OpenShift.
So let’s say you want to try deploying a Docker image like tomcat:latest to OpenShift.
As you can see from the above warning, the image runs as the root user. In practice, when the Pod is created and started with a non-root user (that is, with a UID other than 0), it crashes with:
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Unable to load server configuration from [/usr/local/tomcat/conf/server.xml]
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina load
WARNING: Permissions incorrect, read permission is not allowed on the file.
Jan 26, 2017 8:05:34 AM org.apache.catalina.startup.Catalina start
SEVERE: Cannot start server. Server instance is not configured.
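The "read permission is not allowed" error above comes down to file mode bits, so the following added example (not part of the original post) lists the paths in an unpacked image tree that a non-root process could not read. It assumes the container runs with an arbitrary non-zero UID and GID 0, which is how OpenShift's default restricted SCC starts Pods; the function names and the sample tree are constructed for illustration.

```bash
#!/bin/sh
# Added example: find paths a non-root UID in group 0 cannot read.
# Assumption: the process never matches the file owner, so only the
# group bits (when the file's group is 0) and the "other" bits count.

unreadable_paths() {
    root_dir=$1
    # Regular files need the read bit: other (004), or group (040) with gid 0.
    find "$root_dir" -type f ! -perm -004 \
        \( ! -group 0 -o ! -perm -040 \) -print
    # Directories need read + search: other (005), or group (050) with gid 0.
    find "$root_dir" -type d ! -perm -005 \
        \( ! -group 0 -o ! -perm -050 \) -print
}

# Constructed sample tree that mimics the failure in the log above:
# conf/server.xml is readable by its owner only.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/conf" "$sample/webapps"
    chmod 755 "$sample" "$sample/conf" "$sample/webapps"
    echo '<Server/>' > "$sample/conf/server.xml"
    echo 'ok' > "$sample/webapps/index.html"
    chmod 600 "$sample/conf/server.xml"    # owner-only, like the failing file
    chmod 644 "$sample/webapps/index.html" # world-readable, passes the check
    echo "$sample"
}

# Demo run: prints only the path of the owner-only server.xml.
tree=$(make_sample_tree)
unreadable_paths "$tree"
rm -rf "$tree"
```

Run against an extracted copy of the image's /usr/local/tomcat, any path it prints is a candidate for `chgrp -R 0` plus `chmod -R g=u` in the Dockerfile, which lets the image start without the anyuid SCC.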
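To relax security in your cluster so that images are allowed to run as the root UID when no USER is specified in the Dockerfile, execute the following command, which adds the anyuid SCC to the system:authenticated group (that is, to every authenticated user):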
$ oadm policy add-scc-to-group anyuid system:authenticated
Once done, you will be able to deploy your Tomcat image like a charm:
Finish off by creating a route to expose your Service:
Your Tomcat web server can now be accessed through the OpenShift router:
Thanks to Slava Semushin for providing a tip on how to solve this issue.