Adding user ID and group ID in Dockerfile

When you deploy runtime data collectors on OpenShift 4.2 or higher, if the SCC strategy is MustRunAsRange, you must create the docker user and group ID in the range.

For more information about OpenShift SCC strategy, see Managing Security Context Constraints.

  1. Check the SCC strategy for the namespace of the pod where you deploy runtime data collectors. For example, if the namespace is icam, run the following command:

    kubectl describe namespace icam

    You can get the following output:

    Name:         icam
    Labels:       <none>
    Annotations: id-mycluster-account
    Status:       Active
    No resource quota.
    No resource limits.
  2. Update your Dockerfile by adding the user and group with uid and gid in the range. You can get the range by referring to the SCC annotations in step 1.
    For example,
    USER root
    RUN groupadd -g 1000610000 appgrp && useradd -l -r -d /home/appuser -u 1000610000 -g appgrp appuser && chown -R appuser:appgrp /opt/ibm && chown -R appuser:appgrp /logs
    USER appuser
    Note: Add -l to not add the user to the lastlog and faillog databases. Otherwise, docker image build hangs. See the Git issue for details.
  3. Update your application yaml file by adding the following lines in the Containers section:
      runAsUser: 1000610000
      runAsGroup: 1000610000