Enabling Images to Run with the USER Specified in the Dockerfile

By default, programs in OpenShift containers run as a user whose uid is automatically pre-allocated by the cluster. Because the EMS server must run with the specific uid required by NFS, we must create a new Security Context Constraint (SCC) that allows it. We will export the existing restricted SCC and use it as the basis for the new SCC.

Procedure

  1. As system:admin, export the restricted SCC into a file:
    > oc get -o yaml scc/restricted > nfs-scc.yaml
  2. Edit this file: give the SCC a new name by changing restricted to nfs-scc, and give it a higher priority so that it takes precedence over restricted.
  3. Add uidRangeMin and uidRangeMax fields to the runAsUser entry. These define the range of allowed uid values and must include the uid your pods use for accessing NFS. For example:
    …
    metadata:
    …
      name: nfs-scc (1)
    priority: 9 (2)
    …
    runAsUser:
      type: MustRunAsRange
      uidRangeMax: 13000 (3)
      uidRangeMin: 12000 (3)

    (1): Name of this new SCC.

    (2): Larger values mean greater priority.

    (3): The range of allowed uid values will be 12000-13000, which includes the 12500 uid set in Creating the Base Docker Image.

  4. Create the new SCC using the following command:
    > oc create -f nfs-scc.yaml
  5. Check the result:
    > oc get -o yaml scc/nfs-scc
    Note: To change the new SCC later, edit it with the command:
    > oc edit scc/nfs-scc
    Note: You create the SCC once for the lifetime of the cluster.
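The following is an added example, not part of the original procedure or of OpenShift itself. It models the edits of steps 2 and 3 on a constructed stand-in for the exported restricted SCC and then checks which SCC would admit a pod with a given uid, so that the 12000-13000 range and the priority of 9 can be sanity-checked before running oc create. The SCC field names (metadata.name, priority, runAsUser.type, uidRangeMin, uidRangeMax, users, groups) are the real ones; the export contents, the namespace uid range, the service account names and the simplified ordering rule (priority first, then name; the real admission order also ranks equal-priority SCCs by restrictiveness) are assumptions. Two points the example makes explicit: a real export carries server-populated metadata (resourceVersion, uid) that oc create rejects, and the exported restricted SCC grants itself to the system:authenticated group, so an unchanged copy with a higher priority would apply to every authenticated user's pods; customize_scc therefore replaces the inherited grants with the users and groups you pass in.

```python
# Added example (not from the OpenShift docs): models the SCC edits of
# steps 2-3 and simulates SCC admission for a pod uid.  Everything marked
# "constructed" is made up for the example.
import copy

# Constructed stand-in for `oc get -o yaml scc/restricted`, reduced to the
# fields that matter here.
RESTRICTED_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {
        "name": "restricted",
        "resourceVersion": "4711",                      # constructed, server-populated
        "uid": "11111111-2222-3333-4444-555555555555",  # constructed, server-populated
    },
    "priority": None,                    # nil priority is treated as 0
    "users": [],
    "groups": ["system:authenticated"],  # usable by every authenticated user
    # No explicit range: the namespace's pre-allocated uid range applies.
    "runAsUser": {"type": "MustRunAsRange"},
}

# Constructed namespace annotation openshift.io/sa.scc.uid-range=1000600000/10000
NAMESPACE_UID_RANGE = (1000600000, 1000600000 + 10000 - 1)

# Server-populated metadata that `oc create -f` refuses on a new object.
SERVER_FIELDS = ("resourceVersion", "uid", "creationTimestamp", "generation", "selfLink")


def customize_scc(exported, name, priority, uid_min, uid_max, users=None, groups=None):
    """Copy of the exported SCC renamed, reprioritised and pinned to an explicit
    uid range (steps 2-3).  users/groups replace the inherited grants so the
    copy is not silently usable by system:authenticated."""
    if uid_min > uid_max:
        raise ValueError("uidRangeMin must not exceed uidRangeMax")
    scc = copy.deepcopy(exported)
    for field in SERVER_FIELDS:
        scc["metadata"].pop(field, None)
    scc["metadata"]["name"] = name
    scc["priority"] = priority
    scc["runAsUser"] = {"type": "MustRunAsRange",
                        "uidRangeMin": uid_min, "uidRangeMax": uid_max}
    scc["users"] = list(users or [])
    scc["groups"] = list(groups or [])
    return scc


def usable_by(scc, user, groups):
    """True if the pod's user or one of its groups is granted this SCC."""
    return user in scc["users"] or any(g in scc["groups"] for g in groups)


def effective_uid(scc, requested_uid, namespace_range):
    """uid the pod would run with under this SCC, or None if it is rejected.
    Only the MustRunAsRange strategy used in the procedure is modelled."""
    strategy = scc["runAsUser"]
    if strategy["type"] != "MustRunAsRange":
        raise ValueError("strategy not modelled: %s" % strategy["type"])
    if "uidRangeMin" in strategy:
        low, high = strategy["uidRangeMin"], strategy["uidRangeMax"]
    else:
        low, high = namespace_range
    if requested_uid is None:
        return low  # an unspecified uid defaults to the range minimum
    return requested_uid if low <= requested_uid <= high else None


def select_scc(sccs, requested_uid, namespace_range, user, groups):
    """First SCC granted to the pod, in priority order (highest first, then by
    name), that admits it; returns (scc name, effective uid) or None."""
    ordered = sorted(sccs, key=lambda s: (-(s["priority"] or 0), s["metadata"]["name"]))
    for scc in ordered:
        if not usable_by(scc, user, groups):
            continue
        uid = effective_uid(scc, requested_uid, namespace_range)
        if uid is not None:
            return scc["metadata"]["name"], uid
    return None


if __name__ == "__main__":
    ems_sa = "system:serviceaccount:ems:default"  # constructed service account
    nfs_scc = customize_scc(RESTRICTED_SCC, "nfs-scc", 9, 12000, 13000, users=[ems_sa])
    auth = ["system:authenticated"]
    print(select_scc([RESTRICTED_SCC], 12500, NAMESPACE_UID_RANGE, ems_sa, auth))
    print(select_scc([RESTRICTED_SCC, nfs_scc], 12500, NAMESPACE_UID_RANGE, ems_sa, auth))
    print(select_scc([RESTRICTED_SCC, nfs_scc], None, NAMESPACE_UID_RANGE,
                     "system:serviceaccount:other:default", auth))
```

Run as a script, it shows that restricted alone rejects uid 12500 (it lies outside the namespace's pre-allocated range), that the ems service account gets nfs-scc with uid 12500 once the new SCC exists, and that a service account not listed in nfs-scc still falls back to restricted and its namespace range.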