Fix Openshift permission issues (#721)

* Fix Openshift permission issues * Minor review
vmware-archive · Apr 30, 2018 · 44c2cba · 44c2cba
1 parent 552a11c
commit 44c2cba
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 6 deletions.
diff --git a/docker/runtime/golang/Dockerfile.init b/docker/runtime/golang/Dockerfile.init
@@ -3,17 +3,20 @@ FROM golang:1.10
 # Install dep
 RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
 RUN go get golang.org/x/net/context
-RUN mkdir -p /go/pkg/dep && chown 1000:1000 /go/pkg/dep
+RUN mkdir -p /go/pkg/dep
 
 # Prepare function environment
 RUN ln -s /kubeless $GOPATH/src/kubeless 
 
 # Install controller
-USER 1000
 RUN mkdir -p $GOPATH/src/github.com/kubeless/kubeless/pkg/functions
 ADD pkg/functions/* $GOPATH/src/github.com/kubeless/kubeless/pkg/functions
 RUN mkdir -p $GOPATH/src/controller
 ADD docker/runtime/golang/Gopkg.toml $GOPATH/src/controller/
 WORKDIR $GOPATH/src/controller/
 ADD docker/runtime/golang/kubeless.tpl.go $GOPATH/src/controller/
 RUN dep ensure
+RUN chmod -R a+w $GOPATH
+RUN chmod -R a+w /go/pkg/dep
+
+USER 1000
diff --git a/docker/runtime/php/Dockerfile b/docker/runtime/php/Dockerfile
@@ -48,8 +48,7 @@ COPY config/default.conf /etc/nginx/conf.d/default.conf
 RUN rm /etc/nginx/sites-available/default && \
     mkdir -p /app && \
     touch /run/nginx.pid && \
-    chown 1000:1000 -R /run/nginx.pid /app /var/lib/nginx /var/log/nginx
+    chmod -R a+w /run/nginx.pid /app /var/lib/nginx /var/log/nginx
 USER 1000
 
-ENTRYPOINT [ "" ]
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/kubeless-non-rbac.jsonnet b/kubeless-non-rbac.jsonnet
@@ -140,7 +140,7 @@ local runtime_images ='[
       {
         "name": "php72",
         "version": "7.2",
-        "runtimeImage": "kubeless/php@sha256:82b94c691302bc82f3900444255cabb8f230487764eafeba7866ac49d90ddc3b",
+        "runtimeImage": "kubeless/php@sha256:4e44ab60f597e93097bf9f5ea91d58bd9c308bf206043db2a9809ec16a8ff2f4",
         "initImage": "composer:1.6"
       }
     ],
@@ -155,7 +155,7 @@ local runtime_images ='[
         "name": "go1.10",
         "version": "1.10",
         "runtimeImage": "kubeless/go@sha256:bf72622344a54e4360f31d3fea5eb9dca2c96fbedc6f0ad7c54f3eb8fb7bd353",
-        "initImage": "kubeless/go-init@sha256:ce6ef4fafe518ed78b3a68b03947c064fec1cf8c667cd109e9331f227877b3a9"
+        "initImage": "kubeless/go-init@sha256:e262f70639594b3a9e3481843171ecbbe82e84b786825ebe28bc1a3ae89310d3"
       }
     ],
     "depName": "Gopkg.toml",

diff --git a/kubeless-openshift.jsonnet b/kubeless-openshift.jsonnet
@@ -1,10 +1,14 @@
 # Builds on kubeless.ksonnet to produce a deployable manifest on OpenShift 1.5
 # Modifies apiVersion for kubeless-controller Deployment to extensions/v1beta1
 # Modifies ClusterRole and ClusterRoleBinding apiVersions to v1
+local k = import "ksonnet.beta.1/k.libsonnet";
 local kubeless = import "kubeless.jsonnet";
 
+local config = kubeless.cfg + k.core.v1.configMap.data({"deployment":'{"spec":{"template":{"spec":{"securityContext":{}}}}}'});
+
 kubeless + {
   controller: kubeless.controller + { apiVersion: "extensions/v1beta1" },
   controllerClusterRole: kubeless.controllerClusterRole + { apiVersion: "v1" },
   controllerClusterRoleBinding: kubeless.controllerClusterRoleBinding + { apiVersion: "v1" },
+  cfg: config,
 }
diff --git a/pkg/langruntime/langruntime.go b/pkg/langruntime/langruntime.go
@@ -210,6 +210,8 @@ func (l *Langruntimes) GetBuildContainer(runtime, depsChecksum string, env []v1.
 	case strings.Contains(runtime, "nodejs"):
 		registry := "https://registry.npmjs.org"
 		scope := ""
+		// Force HOME to a folder with permissions to avoid issues in OpenShift #694
+		env = append(env, v1.EnvVar{Name: "HOME", Value: "/tmp"})
 		for _, v := range env {
 			if v.Name == "NPM_REGISTRY" {
 				registry = v.Value

diff --git a/pkg/langruntime/langruntime_test.go b/pkg/langruntime/langruntime_test.go
@@ -137,6 +137,15 @@ func TestGetBuildContainer(t *testing.T) {
 	if !strings.Contains(c.Args[0], "npm config set myorg:registry http://reg.com && npm install") {
 		t.Errorf("Unexpected command %s", c.Args[0])
 	}
+	home := v1.EnvVar{Name: "HOME"}
+	for _, v := range c.Env {
+		if v.Name == "HOME" {
+			home = v
+		}
+	}
+	if home.Value != "/tmp" {
+		t.Error("It should set /tmp as home")
+	}
 
 	// It should return the proper build image for ruby
 	c, err = lr.GetBuildContainer("ruby2.4", "abc123", env, vol1)