I have been shifting a project from kube to OpenShift. In minikube the project was working fine, but in minishift it gives the error CrashLoopBackOff.
This is from the minishift logs:
[WARN] $TIMEZONE not set.
[INFO] Docker date set to: Tue Apr 20 17:39:02 UTC 2021
[INFO] $PHP_FPM_ENABLE not set. PHP-FPM support disabled.
[INFO] $CUSTOM_HTTPD_CONF_DIR not set. No custom include directory added.
[INFO] Starting Server version: Apache/2.2.15 (Unix)
whoami: cannot find name for user ID 1000140000
Here is the relevant deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert
    kompose.version: 1.22.0 (HEAD)
  creationTimestamp: null
  labels:
    io.kompose.service: occtool
  name: occtool
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: occtool
  strategy: {}
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert
        kompose.version: 1.22.0 (HEAD)
      creationTimestamp: null
      labels:
        io.kompose.network/backend: "true"
        io.kompose.network/frontend: "true"
        io.kompose.service: occtool
    spec:
      containers:
        - image: private.registry.com/image:tag
          imagePullPolicy: IfNotPresent
          name: occtool
          ports:
            - containerPort: 80
            - containerPort: 443
          resources: {}
      restartPolicy: Always
status: {}
Here is the Dockerfile:
FROM cytopia/apache-2.2:0.9
# lines that copy files were omitted for brevity
USER root
I haven't found much relevant information. USER root had been omitted originally, so the user was apache. Using minishift ssh and docker exec I noticed the user apache doesn't exist in the pod, but when building the image I am unable to run a command to create the user because the user does exist in the image. I believe this is the basis of the problem, but I haven't found a way to create the user in OpenShift, nor do I know why the user is removed when the pod is built.
OpenShift ignores the USER directive from Dockerfiles and instead generates a random UID for the user in the container. There are some ideas about security behind this.
From the OpenShift documentation:
Support Arbitrary User IDs
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.
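As an added example (not part of the question or the answer, and not OpenShift's own tooling), a small shell audit of a directory tree against the two rules quoted above: writable paths owned by group 0 and group-writable, executables group-executable. It assumes GNU or BSD find (the -gid test is not in POSIX find) and a tree you can point it at, such as the image's log or document root copied out for inspection.

```shell
#!/bin/sh
# Added example: audit a tree for the arbitrary-UID requirements quoted from
# the OpenShift docs, and apply the fix those requirements imply.
# Assumes GNU or BSD find (-gid is not POSIX).

# Paths whose group is not 0 (the root group). OpenShift places the random
# UID in group 0, so group permissions are the only ones it can rely on.
find_wrong_group() {
    find "$1" ! -gid 0 -print
}

# Paths that lack group write, plus user-executable files lacking group execute.
find_wrong_perms() {
    find "$1" ! -perm -g=w -print
    find "$1" -type f -perm -u=x ! -perm -g=x -print
}

# Number of distinct paths with a permission problem (0 means the tree passes).
count_wrong_perms() {
    find_wrong_perms "$1" | sort -u | wc -l | tr -d ' '
}

# The fix the docs imply, as it would be run in a Dockerfile RUN step:
# give the tree to group 0 and copy the owner's permission bits to the group.
# chgrp to group 0 needs root (true inside an image build); outside a build it
# may fail, so only the chmod is unconditional here.
fix_for_arbitrary_uid() {
    chgrp -R 0 "$1" 2>/dev/null || true
    chmod -R g=u "$1"
}
```

Run count_wrong_perms and find_wrong_group on a tree before and after fix_for_arbitrary_uid; anything still listed by find_wrong_group after a root build step is a path the random UID will not be able to write.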