I’m trying to export a Docker format image and use it in OpenShift, but it failed.
The reason seems to be that I have to create a non-root Docker image in Habitat, but I
have no idea how.
I have tried to change the ‘pkg_svc_user’ in ‘Plan.sh’, and it makes no sense.
Are there any tips to help me do it?
I don’t have any experience with OpenShift, but this blog post from last year touched on Hab and OpenShift a bit: https://www.habitat.sh/blog/2018/02/openshift-support/
How did it fail? It’s difficult to diagnose the issue or provide help without any details. Please post any logs or diagnostics relevant to the failure.
The plan.sh variable pkg_svc_user causes that user to be created in the exported image and the supervisor to setuid to that user when executing your service. The exported image is still a “root docker image” because the supervisor itself runs as root under normal circumstances.
If I’m not mistaken, on OpenShift, the container runs as an anonymous random high uid without CAP_SETUID, CAP_SETGID, and CAP_CHOWN. The link that @mattray posted indicates that in this scenario, the Habitat supervisor cannot setuid to the user specified by pkg_svc_user and falls back to executing your service as the uid running the container instead.
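To see which of the two situations a container is in, the check below (an added example, not part of the thread and not Habitat's own code) decodes the CapEff mask from /proc/<pid>/status text and lists which of the three capabilities named above are missing. The function name report_caps, both sample status texts and the uid 1000620000 are constructed for illustration; the bit numbers are those in linux/capability.h.

```shell
#!/bin/sh
# Added example: report the effective uid and which of CAP_CHOWN, CAP_SETGID,
# CAP_SETUID are absent from a process's effective capability set.

# report_caps STATUS_TEXT
# STATUS_TEXT is the content of /proc/<pid>/status.
# Prints "euid=<effective uid> missing=<comma list or none>".
report_caps() {
    status=$1
    # CapEff is a hex bitmask; the Uid line is "real effective saved fs".
    mask=$(printf '%s\n' "$status" | awk '$1 == "CapEff:" { print $2 }')
    euid=$(printf '%s\n' "$status" | awk '$1 == "Uid:" { print $3 }')
    if [ -z "$mask" ] || [ -z "$euid" ]; then
        echo "error: no Uid/CapEff line found"
        return 0
    fi
    missing=""
    # name:bit pairs, bit numbers from <linux/capability.h>
    for pair in CAP_CHOWN:0 CAP_SETGID:6 CAP_SETUID:7; do
        name=${pair%%:*}
        bit=${pair##*:}
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 0 ]; then
            missing="${missing:+$missing,}$name"
        fi
    done
    echo "euid=$euid missing=${missing:-none}"
}

# Constructed sample: root process that still holds all three capabilities.
SAMPLE_ROOT=$(printf 'Name:\thab-sup\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n')
# Constructed sample: high arbitrary uid with an empty effective set.
SAMPLE_ARBITRARY_UID=$(printf 'Name:\thab-sup\nUid:\t1000620000\t1000620000\t1000620000\t1000620000\nCapEff:\t0000000000000000\n')

report_caps "$SAMPLE_ROOT"
report_caps "$SAMPLE_ARBITRARY_UID"

# Inside a running container, inspect the current shell's own process.
if [ -r /proc/self/status ]; then
    report_caps "$(cat /proc/self/status)"
fi
```

A result with an empty missing list means the process is able to switch to pkg_svc_user; any of the three listed as missing corresponds to the fallback case described above.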
Thank you for your answer! Does that mean I don't need to change 'pkg_svc_user' or anything on the Habitat side?
Because I created an image and it runs well in Docker, but when I put it into OpenShift, the log just shows the output below,
in which I can't see anything wrong:
hab-sup(MR): core/hab-sup (core/hab-sup/0.69.0/20181127183841)
hab-sup(MR): Supervisor Member-ID 8a14e99b39fd49ffa3653c2355f2d8fd
hab-sup(AG): The xlktest1/sample-node-app service was successfully loaded
hab-sup(MR): Starting xlktest1/sample-node-app (xlktest1/sample-node-app/1.1.1/20181205091012)
sample-node-app.default(UCW): Watching user.toml
hab-sup(MR): Starting gossip-listener on 0.0.0.0:9638
hab-sup(MR): Starting ctl-gateway on 127.0.0.1:9632
hab-sup(MR): Starting http-gateway on 0.0.0.0:9631
sample-node-app.default(HK): Modified hook content in /hab/svc/sample-node-app/hooks/run
sample-node-app.default(SR): Hooks recompiled
sample-node-app.default(CF): Created configuration file /hab/svc/sample-node-app/config/config.json
sample-node-app.default(SR): Initializing
sample-node-app.default(SV): Starting service as user=hab, group=hab
But the application just shows 'Habitat Supervisor API documentation':
Correct. From what the docs say, in OpenShift, the value of pkg_svc_user is meaningless and changing it won’t do anything.
From that log, everything looks like it’s working inside the container. I think you might be accessing the container on the wrong port.
The supervisor listens on port 9631 and shows the page in the screenshot. The sample-node-app (https://github.com/habitat-sh/sample-node-app) listens on port 8000. How are you trying to access the app? I’m more familiar with plain Kubernetes than OpenShift, but my first guess is that your Service/Ingress is set up to hit port 9631 instead of 8000.
Thank you soooooo much! I changed the port in OpenShift from 9631 to 8000 just now, and it works!
How smart you are!
Thank you for your reply! It’s really helpful!
No problem! Glad to help