My campany deployed an Openshift okd4 cluster (4.7) in order to run our api's and web applications. For our build config, we use source to image (s2i) build strategy in order to generate our custom images in conjunction with gitlab to get our source code from. When the custom image is built we deploy it afterwards. During the build phase for php based project , we use the assemble script in order to install and generate our vendors with a composer install and some other installations as well.
I do face a probleme with project which use this strategy. When executing the assemble script , the openshift builder switch to user 1001 which lead to a permission denied during our build and thus a fail below are the logs from the build :
STEP 4: USER root
STEP 5: COPY upload/scripts /tmp/scripts
STEP 6: COPY upload/src /tmp/src
STEP 7: RUN chown -R 1001:0 /tmp/scripts /tmp/src
STEP 8: USER 1001
STEP 9: RUN /tmp/scripts/assemble
chown: cannot read directory '/var/lib/mysql': Permission denied
Is there any way to force the s2i builder to stay on root in step 8 ? any option to specify in the build config to do such thing ? Or is there any way to do a similar build using dockerfile strategy ?
i tried to specify in the build config this label :
labels:
app: build-app
io.openshift.s2i.assemble-user: root
The builder did not take it into account.
Any ideas might help
Best regards to all,
It's an Openshift security policy issue.
Useful links:
Openshift pod runnning with user id not matching with user in Dockerfile
https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids