
Permission denied in /opt/oracle/product/ folder

Open sflepp opened this issue 3 years ago • 2 comments

Hello everyone,

I am having trouble running an Oracle 19.3 Standard Edition 2 in OpenShift.

I built the image with:

```sh
./buildContainerImage.sh -v 19.3.0 -t oracle-db-standard:19.3.0 -s
```

On my local machine (MacOS and Windows) with the Docker Desktop the container works as expected with the following command:

```sh
docker run --name oracle-db -p 1521:1521 -p 5500:5500 -v /some-path/db/oradata:/opt/oracle/oradata -e ORACLE_PWD=<pw> oracle-db-standard:19.3.0
```

However, I'm getting an error when I run the image in an OpenShift environment with the following deployment config:

```yaml
...
    containers:
        - env:
            - name: ORACLE_PWD
              value: <some-pw>
          image: >-
            docker-registry.default.svc:5000/some-env/oracle-db-standard@sha256:ab3ab8ecb1a5cf609a21d23528b97085c57b72deeec6e49e7141df7c69dfd216
          imagePullPolicy: Always
          name: oracle
          ports:
            - containerPort: 1521
              protocol: TCP
            - containerPort: 5500
              protocol: TCP
          resources:
            limits:
              cpu: 1
              memory: 2Gi
            requests:
              cpu: 30m
              memory: 1Gi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /opt/oracle/oradata
              name: volume-1y2b9
...
```

The following error is displayed:

```text
ORACLE EDITION: STANDARD
touch: cannot touch '/opt/oracle/product/19c/dbhome_1/install/.docker_standard': Permission denied
ORACLE PASSWORD FOR SYS, SYSTEM AND PDBADMIN: <PASSWORD>
opt/oracle/createDB.sh: line 58: /opt/oracle/product/19c/dbhome_1/network/admin/sqlnet.ora: Permission denied
```

sflepp · Jun 09 '21 10:06

As you already identified, the container user does not have any permission to write in the file system when running on OpenShift. This appears to be more of an OpenShift configuration or similar issue than with the image. Are there any security settings on OpenShift that may prevent the container user from having permissions to write files?

gvenzl · Jun 10 '21 00:06

Okay, the problem seems to be that the image wants to run with user id 54321. One way around the problem seems to be to disable all security measures on OpenShift and allow the container to run with any user id. That's no solution.

"By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node."

Is there any way to remove the constraint that the image needs to run with user id 54321?

sflepp · Jun 14 '21 14:06
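The constraint the thread is circling is not the UID itself but the fact that the paths the entrypoint writes (`$ORACLE_HOME/install`, `network/admin/sqlnet.ora`) are writable only by their owner, UID 54321. OpenShift's restricted policy runs the process as a random UID that is a member of the root group (GID 0), so the usual fix that keeps that policy in place is to hand those paths to group 0 at build time and give the group the owner's permissions (`g=u`). The script below is an added example illustrating that pattern and a check for it; it is not code from the oracle/docker-images project, and the function names, the scratch directory layout and the group parameter are assumptions modelled on the error output in the issue.

```shell
#!/bin/sh
# Added example (not from oracle/docker-images): the OpenShift "arbitrary UID"
# pattern. The process runs as a random UID in group 0, so every path the
# entrypoint must write at runtime is given to group 0 with the owner's
# permission bits copied to the group. Paths and names here are assumptions.

# prepare_runtime_dirs GROUP DIR...
#   Build-time step. In a Dockerfile RUN line this executes as root with
#   GROUP=0; GROUP is a parameter so the script can also run unprivileged.
prepare_runtime_dirs() {
  group=$1
  shift
  for d in "$@"; do
    mkdir -p "$d" || return 1
    chgrp -R "$group" "$d" || return 1   # hand the tree to the shared group
    chmod -R g=u "$d" || return 1        # group gets exactly what the owner has
  done
}

# audit_runtime_dir GROUP DIR
#   Returns 0 if every entry under DIR belongs to GROUP and is group-writable,
#   otherwise prints the offending paths and returns 1. Run before shipping an
#   image, this predicts the "touch: ... Permission denied" line in the issue.
audit_runtime_dir() {
  group=$1
  dir=$2
  offenders=$(find "$dir" ! -group "$group" -o ! -perm -g+w)
  if [ -n "$offenders" ]; then
    printf 'not writable by group %s:\n%s\n' "$group" "$offenders"
    return 1
  fi
}

# Stand-alone demo on a constructed scratch tree shaped like the issue's paths.
demo() {
  root=$(mktemp -d)
  home="$root/opt/oracle/product/19c/dbhome_1"   # assumed ORACLE_HOME layout
  mkdir -p "$home/install" "$home/network/admin"
  : > "$home/network/admin/sqlnet.ora"
  chmod -R u=rwX,go=rX "$home"    # typical image state: owner-writable only

  group=$(id -g)                  # 0 during a Dockerfile build; own gid here
  echo "before fix:"
  audit_runtime_dir "$group" "$home" || true

  prepare_runtime_dirs "$group" "$home/install" "$home/network/admin"
  echo "after fix:"
  audit_runtime_dir "$group" "$home/install" &&
    audit_runtime_dir "$group" "$home/network/admin" && echo "ok"
  rm -rf "$root"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Run with `sh script.sh demo` to see the audit fail on the owner-only tree and pass after the fix. In an image this corresponds to a `RUN chgrp -R 0 <dir> && chmod -R g=u <dir>` step over the ORACLE_HOME subdirectories the scripts write to; the `/opt/oracle/oradata` volume mount is a separate matter, since the platform sets the group on mounted volumes itself. The point of the pattern is that the image stops depending on a specific UID without the cluster having to grant `anyuid`.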