Deployment fails on Openshift #175

Closed
Aokrip opened this issue Mar 15, 2017 · 11 comments

@Aokrip

Aokrip commented Mar 15, 2017

Hi, I'm trying to deploy cachet using the DeploymentConfig provided

But I'm facing an issue, the deployment fails each time with the following error message :

Error creating: pods "cachet-1-" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 0: UID on container cachet does not match required range. Found 0, required min: 1000250000 max: 1000259999]

So the pod can't be created...

I tried with both OpenShift 3.3 & 3.4

Hope you can help me

Regards,
Cyril D.
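
The admission check behind the error above can be modelled offline. This is an added example, not part of the original issue or the Cachet project's code; it assumes the project's UID block is published in the `openshift.io/sa.scc.uid-range` namespace annotation in `<start>/<size>` form, and the namespace, pod spec and `sidecar` container are constructed sample data.

```python
import re

# Annotation OpenShift sets on each project; assumed form "<first UID>/<block size>".
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


def uid_range(namespace):
    """Return the inclusive (min, max) UID range allotted to a project."""
    value = namespace["metadata"]["annotations"][UID_RANGE_ANNOTATION]
    match = re.fullmatch(r"(\d+)/(\d+)", value)
    if not match:
        raise ValueError(f"unexpected uid-range format: {value!r}")
    start, size = int(match.group(1)), int(match.group(2))
    return start, start + size - 1


def rejected_containers(pod_spec, namespace):
    """List (container, uid) pairs whose requested UID falls outside the range."""
    low, high = uid_range(namespace)
    # A pod-level runAsUser applies to containers that do not set their own.
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    rejected = []
    for container in pod_spec["containers"]:
        uid = container.get("securityContext", {}).get("runAsUser", pod_uid)
        # No explicit UID: a range-based SCC assigns one from the range itself.
        if uid is not None and not low <= uid <= high:
            rejected.append((container["name"], uid))
    return rejected


# Constructed sample input matching the range in the error message above.
NAMESPACE = {"metadata": {"annotations": {UID_RANGE_ANNOTATION: "1000250000/10000"}}}
POD_SPEC = {
    "containers": [
        {"name": "cachet", "securityContext": {"runAsUser": 0}},
        {"name": "sidecar"},  # hypothetical container with no UID requested
    ]
}

if __name__ == "__main__":
    low, high = uid_range(NAMESPACE)
    for name, uid in rejected_containers(POD_SPEC, NAMESPACE):
        print(f"{name}: UID {uid} outside required range {low}-{high}")
```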

@djdefi
Contributor

djdefi commented Mar 16, 2017

cc: @gamkiller77

@gamkiller77

You have to have an SCC set up to be less restrictive for this to work. It's best to ask OpenShift support for those docs.

Another way is to run it privileged, but that is not recommended.

@Aokrip
Author

Aokrip commented Mar 16, 2017

I am on a production platform which prevents containers running as root, for security reasons.

Is there any way to have dockerized cachet running as non-root?

@gamkiller77

So this less restrictive SCC lets a pod start as root and then switch, so in production it's OK. We do this at my company, as most containers out in the wild do have root set up.

On the other hand @djdefi you guys should look at removing the need to run the container as root.

@Aokrip
Author

Aokrip commented Mar 17, 2017

Ok guys,

I made it work using source to image with official cachet (and some dirty manipulations)

@gamkiller77

@cyril-dussert Yeah, we do not use S2I where I work. I still think, @djdefi, that the container needs to not run as root. This is going to be a bigger problem as more people use Kubernetes.

@prestonvanloon

How, @cyril-dussert?

@Aokrip
Author

Aokrip commented Mar 20, 2017

It is pretty easy, but not usable for production deployment. If you want to share a full template of cachet, fully automated, you will have to automate these steps:

  • First, fork the CachetHQ repository: https://github.com/CachetHQ/Cachet

  • Then, add the following line to the bootstrap/autoload.php file:
    ini_set('xdebug.max_nesting_level', 300);
    just before: define('LARAVEL_START', microtime(true));
    This will increase the performance of the original RedHat php image

  • Deploy a PostgreSQL (ephemeral or persistent) inside your OpenShift project

  • Then: oc new-app php~http://your-forked-repo.com -e DOCUMENTROOT=/public

  • oc rsh to your deployed cachet pod, and copy .env.example to a .env, with database credentials, your app URL and so on...

And enjoy then ;)

It is not really comfortable, but it works.

You can also pass your database credentials through environment variables, but don't forget to remove them from your .env file, otherwise the file has priority over environment variables.

@djdefi
Contributor

djdefi commented Mar 21, 2017

I shipped #178 which should run everything as a non-root user. I don't have an environment to reproduce your issue in, so let me know if there is anything else we can do here.

@gamkiller77

Thanks @djdefi Rayn, I will test this out later this week and remove the less restrictive from my DC config.

@djdefi
Contributor

djdefi commented Apr 17, 2017

Please open a new issue if you are still having trouble with the latest v2.3.11 release.
