Comments (5)
Since this issue is still open, I'll share some tips based on my experience creating applications that can run on OpenShift, in the hope that they'll be useful to somebody. The things that trip people up the most when running containers under OpenShift are that:
- In the restricted security context constraint, containers will run with a namespace-specific UID range (each namespace gets a different range), so it'll be something like: uid=1206236612 gid=0
- This means that the binary should be world-readable (I usually set binaries to 0555, so that permissions are always the same regardless of the running user)
- OpenShift and RHEL run with SELinux enabled by default, and for containers it just means that containers and volumes are labelled with the same SELinux labels (I haven't seen this cause any issues in practice)
These are useful things to do regardless of whether the image runs under OpenShift or not, because it gives operators much more flexibility to select whatever uid/gid they want to run as.
This is a useful doc that describes how OpenShift runs images and why it does that: https://docs.openshift.com/container-platform/4.13/openshift_images/create-images.html#use-uid_create-images
from collector.
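The permission reasoning in the first comment above, as an added example (not part of the thread and not pganalyze code): a small audit that walks an unpacked image directory and lists paths that a process running as an arbitrary UID with gid=0 could not read or execute. The names `allowed` and `audit_tree` are hypothetical, the UID is the sample value from the comment, and the check assumes plain mode bits only (no ACLs, capabilities or SELinux).

```python
import os
import stat

# Constructed identity, modelled on the "uid=1206236612 gid=0" sample in the comment.
ARBITRARY_UID = 1206236612
ROOT_GID = 0


def allowed(mode, file_uid, file_gid, want, uid=ARBITRARY_UID, gids=(ROOT_GID,)):
    """POSIX class selection: owner bits if uid owns the file, else group bits
    if a process gid matches, else other bits. `want` is a mask of r=4, w=2, x=1.
    Exactly one class is consulted; the classes are never OR-ed together."""
    perms = stat.S_IMODE(mode)
    if uid == file_uid:
        bits = (perms >> 6) & 7
    elif file_gid in gids:
        bits = (perms >> 3) & 7
    else:
        bits = perms & 7
    return bits & want == want


def audit_tree(root, uid=ARBITRARY_UID, gids=(ROOT_GID,)):
    """Return sorted relative paths under `root` that the identity cannot use:
    directories and executables need r+x, all other files need r."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are ignored on Linux; the target matters
            is_exec = stat.S_ISDIR(st.st_mode) or st.st_mode & 0o111
            want = 5 if is_exec else 4
            if not allowed(st.st_mode, st.st_uid, st.st_gid, want, uid, gids):
                problems.append(os.path.relpath(path, root))
    return sorted(problems)


if __name__ == "__main__":
    import sys
    for p in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("not usable by uid=%d gid=%d: %s" % (ARBITRARY_UID, ROOT_GID, p))
```

A binary at 0555 passes whichever class applies, while 0750 passes only when the file's group is 0, which is why group-0 ownership or world-readable modes are the two usual fixes.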
@aherkarsatish11 Thanks for reaching out - we're currently reviewing what we can do so the collector image can run on OpenShift.
For context, the collector image today already drops privileges to run as an unprivileged user for the collector process (see https://github.com/pganalyze/collector/blob/master/contrib/docker-entrypoint.sh#L13), but it doesn't correctly interact with systems that don't give root to the container initially (such as OpenShift). We're reviewing the steps needed to get this to run directly as the user specified by Docker in these scenarios.
from collector.
@lfittl: I've shared with you the updated docker file and entrypoint script (to support email). Could you please verify and confirm whether we can utilize that image for the production env?
from collector.
@lfittl Any update?
from collector.
See #174
from collector.