source-to-image: build image fails on run ALLOWED_UIDS

moving from openshift/origin to sti - https://github.com/openshift/origin/issues/4409:

DESCRIPTION

Today I’ve been running a fresh installation of OpenShift using the Ansible cookbook and got the new OpenShift Origin 1.0.5 version. Everything seems fine (existing Docker images are getting deployed), but for the builder part the process currently does not seem to be working. It requires the specification of a UserID.

This is the oc logs build output. The same happens when initiating the build from the web console as well as from the command line using the admin credentials.

cheers, Matthias

ENV

# oc version
oc v1.0.5-4-g3eee7d2-dirty
kubernetes v1.1.0-alpha.0-1605-g44c91b1

REPRODUCE

oc new-app wildfly~http://openshift-code.domain.tld/root/some_visualizer.git --name=some3

ISSUE:

[root@oc-master ~]# oc logs some3-1-build
I0828 11:39:41.279331       1 sti.go:74] The value of ALLOWED_UIDS is [1-]
I0828 11:39:41.286395       1 docker.go:211] Image openshift/wildfly-8-centos@sha256:457764eea8327d00ebb99686bc3a22f602f3f75e57e9f953c80d0af2de4b1884 available locally
I0828 11:39:41.286471       1 sti.go:96] Creating a new S2I builder with build config: "Builder Image:\t\topenshift/wildfly-8-centos@sha256:457764eea8327d00ebb99686bc3a22f602f3f75e57e9f953c80d0af2de4b1884\nSource:\t\t\thttp://openshift-code.domain.tld/root/some_visualizer.git\nOutput Image Tag:\t172.30.155.100:5000/dry1/some3:latest\nEnvironment:\t\tOPENSHIFT_BUILD_NAMESPACE=dry1,OPENSHIFT_BUILD_SOURCE=http://openshift-code.domain.tld/root/some_visualizer.git,OPENSHIFT_BUILD_NAME=some3-1\nIncremental Build:\tdisabled\nRemove Old Build:\tdisabled\nForce Pull:\t\tdisabled\nQuiet:\t\t\tdisabled\nLayered Build:\t\tdisabled\nDocker Endpoint:\tunix:///var/run/docker.sock\n"
I0828 11:39:41.293608       1 docker.go:211] Image openshift/wildfly-8-centos@sha256:457764eea8327d00ebb99686bc3a22f602f3f75e57e9f953c80d0af2de4b1884 available locally
F0828 11:39:41.302923       1 builder.go:47] Build error: image "openshift/wildfly-8-centos@sha256:457764eea8327d00ebb99686bc3a22f602f3f75e57e9f953c80d0af2de4b1884" must specify a user that is numeric and within the range of allowed users

Reinstalled the whole environment - the same happens again. The issue does not occur when using https://github.com/openshift/nodejs-ex#master and the node.js builder image.

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 25 (14 by maintainers)
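
The two log lines in the report (`ALLOWED_UIDS is [1-]` and the `must specify a user that is numeric and within the range of allowed users` failure) describe a check on the builder image's USER value. A sketch of such a check in Go, added here as an example and not source-to-image's own code; `uidRange`, `parseRanges` and `userAllowed` are hypothetical names, and the USER values in `main` are constructed samples:

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// uidRange is a hypothetical inclusive range; "1-" is stored with to = math.MaxInt.
type uidRange struct{ from, to int }

// parseRanges parses a comma-separated spec such as "1-" or "1000-1999,5000".
func parseRanges(spec string) ([]uidRange, error) {
	var out []uidRange
	for _, part := range strings.Split(spec, ",") {
		lo, hi, isRange := strings.Cut(strings.TrimSpace(part), "-")
		from, err := strconv.Atoi(lo)
		to := from
		if isRange && hi == "" {
			to = math.MaxInt // open-ended range, no upper bound
		} else if isRange && err == nil {
			to, err = strconv.Atoi(hi)
		}
		if err != nil || from < 0 || to < from {
			return nil, fmt.Errorf("bad UID range %q", part)
		}
		out = append(out, uidRange{from, to})
	}
	return out, nil
}

// userAllowed: a USER value ("uid", "uid:gid", a name, or "") must be numeric and in range.
func userAllowed(imageUser string, allowed []uidRange) bool {
	name, _, _ := strings.Cut(imageUser, ":") // drop an optional ":group" part
	uid, err := strconv.Atoi(name)            // "jboss", "root" and "" all fail here
	for _, r := range allowed {
		if err == nil && uid >= r.from && uid <= r.to {
			return true
		}
	}
	return false
}

func main() {
	allowed, _ := parseRanges("1-") // the ALLOWED_UIDS value from the build log
	for _, u := range []string{"1001", "185:0", "jboss", "", "0"} { // constructed samples
		fmt.Printf("USER %q allowed: %v\n", u, userAllowed(u, allowed))
	}
}
```

With the range `1-`, this example rejects UID 0, an empty USER and any named user, since a name cannot be compared against a numeric range without resolving it inside the image.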

Most upvoted comments

Already logged in origin issue: workaround found on https://trello.com/c/eGlfwXcs/603-3-prevent-sti-builder-images-from-running-as-root-build-security

I had to run:

oc edit scc privileged -n default

and add the last line.

users:
- system:serviceaccount:default:router
- system:serviceaccount:default:registry
- system:serviceaccount:openshift-infra:build-controller
- system:serviceaccount:sample01:builder

while sample01 is my project name…

https://docs.okd.io/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile

Grant all authenticated users access to the anyuid SCC:

$ oc adm policy add-scc-to-group anyuid system:authenticated

Using this command works fine!