fail to start on openshift #251

Closed
shakenfr opened this issue Aug 10, 2020 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@shakenfr

Hello, I am trying dind-rootless because I have OpenShift security constraints.

The result is a failure 👍
The last log file is:

Signature ok
subject=CN = docker:dind client

Getting CA Private Key
/certs/client/cert.pem: OK
find: /run/secrets/rhsm: Permission denied
error: attempting to run rootless dockerd but missing necessary entries in /etc/subuid and/or /etc/subgid for 1000690000

Any idea?

Regards
bruno

@wglambert

OpenShift runs as a random non-root UID https://cookbook.openshift.org/users-and-role-based-access-control/why-do-my-applications-run-as-a-random-user-id.html

For Debian-based Docker images, nss_wrapper can be used to "fake" /etc/passwd contents; see docker-library/postgres#448 and docker-library/postgres#359.

But the Docker-in-Docker container images are exclusively Alpine Linux, which doesn't have the nss_wrapper package: https://gitlab.alpinelinux.org/alpine/aports/-/issues/6710

@yosifkit
Member

I don't think an /etc/passwd entry is necessary, but when running as a random user, entries in /etc/subuid and /etc/subgid are necessary for the user (by ID or name).

Also note that --privileged is still necessary for rootless dind.
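
The precondition named in the error message above, as an added example that is not part of this thread or of the image's own entrypoint: it tests whether a UID (by ID or name) owns a range in subuid- and subgid-format files. The function names, the constructed file contents, and the 65536 minimum are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not the image's entrypoint code): check whether a UID or user
# name owns a subordinate-ID range in subuid/subgid-format files, whose lines
# are "owner:start:count".

# subid_total FILE UID [NAME]: print the summed count of all ranges owned by
# UID or NAME in FILE (0 if the file is unreadable or has no matching entry).
subid_total() {
    file=$1; uid=$2; name=${3:-}
    [ -r "$file" ] || { echo 0; return; }
    awk -F: -v uid="$uid" -v name="$name" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        ($1 == uid || (name != "" && $1 == name)) &&
            $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { total += $3 }
        END { print total + 0 }
    ' "$file"
}

# rootless_ready UID NAME SUBUID_FILE SUBGID_FILE [MIN]: succeed only if both
# files give the user at least MIN subordinate IDs. The default of 65536 is an
# assumption taken from Docker's rootless-mode prerequisites.
rootless_ready() {
    r_uid=$1; r_name=$2; r_min=${5:-65536}
    for f in "$3" "$4"; do
        n=$(subid_total "$f" "$r_uid" "$r_name")
        if [ "$n" -lt "$r_min" ]; then
            echo "no usable range for $r_uid in $f (found $n, need $r_min)" >&2
            return 1
        fi
    done
}

# Demo on constructed files: an image that only knows a named user, then the
# same files with a line added for the random UID from the log above.
demo_dir=$(mktemp -d)
printf 'rootless:100000:65536\n' > "$demo_dir/subuid"
cp "$demo_dir/subuid" "$demo_dir/subgid"
rootless_ready 1000690000 "" "$demo_dir/subuid" "$demo_dir/subgid" \
    || echo "before: rootless dockerd precondition not met"
for f in subuid subgid; do
    printf '1000690000:100000:65536\n' >> "$demo_dir/$f"
done
rootless_ready 1000690000 "" "$demo_dir/subuid" "$demo_dir/subgid" \
    && echo "after: entries present for 1000690000"
rm -rf "$demo_dir"
```

Run inside the container as the assigned UID, the same functions can be pointed at the real /etc/subuid and /etc/subgid with `$(id -u)` as the UID argument.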

@wglambert added the question label (Usability question, not directly related to an error with the image) Aug 11, 2020
@wglambert

Because you're getting errors about /etc/subuid and /etc/subgid I think this is Podman-specific. I came across this blog post that goes into some nuance about how Podman does user mappings and those files: https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container

The /etc/subuid file is what’s used to map the user inside the container to a user outside of the container, but the user must be defined in the container image or Podman can’t start the container:
