Adding user ID and group ID in Dockerfile
When you deploy runtime data collectors on OpenShift 4.2 or higher and the SCC strategy is MustRunAsRange, you must create the Docker user and group with IDs that fall inside the allowed range.
For more information about OpenShift SCC strategy, see Managing Security Context Constraints.
- Check the SCC strategy for the namespace of the pod where you deploy runtime data collectors. For example, if the namespace is icam, run the following command:

    kubectl describe namespace icam

  You can get the following output:

    Name:         icam
    Labels:       <none>
    Annotations:  mcm.ibm.com/accountID: id-mycluster-account
                  mcm.ibm.com/type: System
                  openshift.io/sa.scc.mcs: s0:c25,c5
                  openshift.io/sa.scc.supplemental-groups: 1000610000/10000
                  openshift.io/sa.scc.uid-range: 1000610000/10000
    Status:       Active

    No resource quota.

    No resource limits.
- Update your Dockerfile by adding the user and group with uid and gid in the range. You can get the range by referring to the SCC annotations in step 1.

    USER root
    RUN groupadd -g 1000610000 appgrp && \
        useradd -l -r -d /home/appuser -u 1000610000 -g appgrp appuser && \
        chown -R appuser:appgrp /opt/ibm && \
        chown -R appuser:appgrp /logs
    USER appuser

  Note: Add -l to not add the user to the faillog databases. Otherwise, docker image build hangs. See the Git issue for details.
- Update your application yaml file by adding the following lines in the Containers section:

    securityContext:
      runAsUser: 1000610000
      runAsGroup: 1000610000
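
The range check behind the steps above, as an added example that is not part of the original documentation: it parses the `<start>/<size>` annotations from step 1 and confirms that the IDs you plan to put in the Dockerfile and the YAML file fall inside them. The function names and the embedded sample output are constructed for illustration, and checking the GID against `supplemental-groups` is this example's assumption.

```shell
#!/bin/sh
# Added example: confirm a UID/GID pair falls inside the namespace's SCC ranges.

# Constructed sample, shaped like the `kubectl describe namespace icam` output.
SAMPLE_DESCRIBE='Name:         icam
Annotations:  openshift.io/sa.scc.mcs: s0:c25,c5
              openshift.io/sa.scc.supplemental-groups: 1000610000/10000
              openshift.io/sa.scc.uid-range: 1000610000/10000
Status:       Active'

# scc_range KEY: read describe output on stdin, print KEY's "<start>/<size>".
scc_range() {
  awk -v key="$1:" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# id_in_range RANGE ID: 0 if start <= ID < start+size, 1 if outside,
# 2 if RANGE or ID is not in the expected numeric form.
id_in_range() {
  case $1 in */*) ;; *) return 2 ;; esac
  start=${1%%/*}
  size=${1#*/}
  for n in "$start" "$size" "$2"; do
    case $n in ''|*[!0-9]*) return 2 ;; esac
  done
  [ "$2" -ge "$start" ] && [ "$2" -lt $((start + size)) ]
}

# check_ids UID GID: validate the IDs planned for the Dockerfile and YAML.
# Assumption of this example: the GID is checked against supplemental-groups.
# On a live cluster, pipe `kubectl describe namespace icam` in place of printf.
check_ids() {
  uid_range=$(printf '%s\n' "$SAMPLE_DESCRIBE" | scc_range openshift.io/sa.scc.uid-range)
  gid_range=$(printf '%s\n' "$SAMPLE_DESCRIBE" | scc_range openshift.io/sa.scc.supplemental-groups)
  id_in_range "$uid_range" "$1" || { echo "uid $1 is outside $uid_range"; return 1; }
  id_in_range "$gid_range" "$2" || { echo "gid $2 is outside $gid_range"; return 1; }
  echo "uid $1 and gid $2 are inside the namespace ranges"
}

check_ids 1000610000 1000610000
```

Running the check before the image build catches an out-of-range ID, which a namespace using MustRunAsRange would otherwise reject only when the pod is admitted.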