openshift跑app許可權報錯解決
理解scc sa
dc(sa)--pod,即定義dc時候指定使用哪個sa, 而sa可以加入到某個scc
https://blog.openshift.com/understanding-service-accounts-sccs/
簡單講就是授權的. 系統有一大堆許可權,包含訪問project的許可權,訪
問api的許可權等.新建個使用者後,酌情把這些許可權授權他們.在我新建的
project ,demo-project裡新建了個nginx. 報錯.
如果對openshift scc不太熟,還一時半會真不好解決.
報錯如下
參考:
https://docs.openshift.com/enterprise/3.2/admin_guide/manage_scc.html
解決:
Grant a Service Account Access to the Privileged SCC
First, create a service account. For
example, to create service account mysvcacct
in
project myproject
:
$ oc create serviceaccount mysvcacct -n myproject
Then, add the service account to the privileged
$ oadm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct
Enable Images to Run with USER in the Dockerfile
To relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:
-
Grant all authenticated users access to the anyuid SCC:
$ oadm policy add-scc-to-group anyuid system:authenticated
This allows images to run as the root UID if no USER is specified in the Dockerfile. |
openshift不能跑nginx
the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2016/09/23 15:58:10 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
I solved this last issue by doing this:
$ oc edit scc anyuid
and add:
users:
- system:serviceaccount:default:default