Working with Habitat and Openshift


#1

I’m trying to export a Docker format image and use it in OpenShift, but it failed.
The reason seems to be that I have to create a non-root docker in Habitat, but I
have no idea.
I have tried to change the ‘pkg_svc_user’ in ‘Plan.sh’, and it makes no sense.
Are there any tips to help me do it?


#2

I don’t have any experience with OpenShift, but this blog post from last year touched on Hab and OpenShift a bit: https://www.habitat.sh/blog/2018/02/openshift-support/


#3

How did it fail? It’s difficult to diagnose the issue or provide help without any details. Please post any logs or diagnostics relevant to the failure.

The plan.sh variable pkg_svc_user causes that user to be created in the exported image and the supervisor to setuid to that user when executing your service. The exported image is still a “root docker image” because the supervisor itself runs as root under normal circumstances.

If I’m not mistaken, on OpenShift, the container runs as an anonymous random high uid without CAP_SETUID, CAP_SETGID, and CAP_CHOWN. The link that @mattray posted indicates that in this scenario, the Habitat supervisor cannot setuid to the user specified by pkg_svc_user and falls back to executing your service as the uid running the container instead.
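
A way to check the condition described in the post above from inside a running container, as an added example that is not part of the original thread: it decodes the effective capability mask in a /proc/<pid>/status file and lists which of CAP_CHOWN, CAP_SETGID and CAP_SETUID are absent. The function names and both sample status files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): decode CapEff from a /proc/<pid>/status
# file and list which of the capabilities named in the post are missing.

# Bit numbers from <linux/capability.h>.
NEEDED="CAP_CHOWN:0 CAP_SETGID:6 CAP_SETUID:7"

# status_field FILE KEY COLUMN: print one column of the "KEY:" line.
status_field() {
    awk -v key="$2:" -v col="$3" '$1 == key { print $col; exit }' "$1"
}

# missing_caps [FILE]: print the needed capabilities absent from CapEff.
missing_caps() {
    file=${1:-/proc/self/status}
    mask=$(status_field "$file" CapEff 2)
    [ -n "$mask" ] || mask=0
    out=""
    for entry in $NEEDED; do
        name=${entry%%:*}
        bit=${entry##*:}
        if [ $(( (0x$mask >> $bit) & 1 )) -eq 0 ]; then
            out="${out:+$out }$name"
        fi
    done
    printf '%s\n' "$out"
}

# describe [FILE]: one-line summary of the effective uid and missing capabilities.
describe() {
    file=${1:-/proc/self/status}
    euid=$(status_field "$file" Uid 3)
    missing=$(missing_caps "$file")
    echo "euid=$euid missing=${missing:-none}"
}

# Constructed sample inputs (not captured from a real cluster): a root
# container with a broad capability mask, and a high-uid container with none.
sample_dir=$(mktemp -d)
printf 'Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n' > "$sample_dir/docker"
printf 'Uid:\t1000620000\t1000620000\t1000620000\t1000620000\nCapEff:\t0000000000000000\n' > "$sample_dir/openshift"
describe "$sample_dir/docker"
describe "$sample_dir/openshift"
```

Calling `describe` with no argument inspects the current shell's own /proc/self/status, which is the useful form when run in a shell inside the container.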


#4

Thank you for your answer! Does that mean I needn’t change ‘pkg_svc_user’ or anything on the Habitat side?
Because I created an image and it runs well in Docker, but when I put it into OpenShift, the log just shows what is below,
in which I can’t see anything wrong:
hab-sup(MR): core/hab-sup (core/hab-sup/0.69.0/20181127183841)
hab-sup(MR): Supervisor Member-ID 8a14e99b39fd49ffa3653c2355f2d8fd
hab-sup(AG): The xlktest1/sample-node-app service was successfully loaded
hab-sup(MR): Starting xlktest1/sample-node-app (xlktest1/sample-node-app/1.1.1/20181205091012)
sample-node-app.default(UCW): Watching user.toml
hab-sup(MR): Starting gossip-listener on 0.0.0.0:9638
hab-sup(MR): Starting ctl-gateway on 127.0.0.1:9632
hab-sup(MR): Starting http-gateway on 0.0.0.0:9631
sample-node-app.default(HK): Modified hook content in /hab/svc/sample-node-app/hooks/run
sample-node-app.default(SR): Hooks recompiled
sample-node-app.default(CF): Created configuration file /hab/svc/sample-node-app/config/config.json
sample-node-app.default(SR): Initializing
sample-node-app.default(SV): Starting service as user=hab, group=hab
But the application just shows ‘Habitat Supervisor API documentation’:


#5

Correct. From what the docs say, in OpenShift, the value of pkg_svc_user is meaningless and changing it won’t do anything.

From that log, everything looks like it’s working inside the container. I think you might be accessing the container on the wrong port.

The supervisor listens on port 9631 and shows the page in the screenshot. The sample-node-app (https://github.com/habitat-sh/sample-node-app) listens on port 8000. How are you trying to access the app? I’m more familiar with plain Kubernetes than OpenShift, but my first guess is that your Service/Ingress is set up to hit port 9631 instead of 8000.


#6

Thank you soooooo much! I changed the port in Openshift from 9631 to 8000 just now, and it works!
How smart you are!:star_struck:


#7

Thank you for your reply! It’s really helpful!


#8

No problem! Glad to help :slight_smile: