docker-apache-atlas

Non-Root user

Open ghost opened this issue 4 years ago • 1 comments

Are you able to ensure this runs as a non-root user (e.g. 'atlas') so that it can be deployed to services such as Openshift?

Thanks

ghost, Apr 27 '21 14:04

While the suggestion above would certainly be the ideal solution, just wanted to point out a (less secure) workaround that you could use in the meantime that will at least technically work:

  1. Create a service account specific for Atlas, e.g. oc create sa apache-atlas
  2. Grant the anyuid security context constraint (SCC) to this service account, e.g. oc adm policy add-scc-to-user anyuid -z apache-atlas
  3. Ensure that your deployment mechanism for the Atlas container uses this service account created in (1), e.g.
    kind: Deployment
    apiVersion: apps/v1
    metadata: ...
    spec:
      template:
        spec:
          # use name of service account created in (1) below
          serviceAccountName: apache-atlas
          containers:
            - name: atlas
              image: sburn/apache-atlas
    ...
    

The container should then at least be runnable inside OpenShift. (You'll need to confirm for yourself that it's OK running with the anyuid SCC in your specific cluster and situation.)

cmgrote, May 19 '21 08:05
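A check to go with the caveat in the comment above, added here as an example and not part of the thread or the project's own code: it reads the JSON produced by `oc get pods -o json` and lists every container admitted under the anyuid SCC, flagging those that use a service account other than apache-atlas or that set no non-zero runAsUser. The function name `audit_anyuid` and the sample pods are constructed for illustration.

```python
import json

# Constructed sample of `oc get pods -n <namespace> -o json` output (not real cluster data).
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"name": "atlas-1", "annotations": {"openshift.io/scc": "anyuid"}},
   "spec": {"serviceAccountName": "apache-atlas",
            "containers": [{"name": "atlas", "image": "sburn/apache-atlas"}]}},
  {"metadata": {"name": "web-1", "annotations": {"openshift.io/scc": "restricted"}},
   "spec": {"serviceAccountName": "default",
            "containers": [{"name": "web", "securityContext": {"runAsUser": 1000650000}}]}},
  {"metadata": {"name": "batch-1", "annotations": {"openshift.io/scc": "anyuid"}},
   "spec": {"serviceAccountName": "default",
            "securityContext": {"runAsUser": 1001},
            "containers": [{"name": "job"}]}}
]}
""")


def audit_anyuid(pod_list, allowed_sa="apache-atlas"):
    """Return one finding per container in pods admitted under the anyuid SCC."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # OpenShift records the SCC that admitted the pod in this annotation.
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        if scc != "anyuid":
            continue
        sa = spec.get("serviceAccountName", "default")
        pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
        for c in spec.get("containers", []):
            # A container-level runAsUser overrides the pod-level value.
            uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
            findings.append({
                "pod": meta.get("name"),
                "container": c.get("name"),
                "service_account": sa,
                # No runAsUser set: the image's USER applies, which may be root.
                "may_run_as_root": uid is None or uid == 0,
                # anyuid was meant for the Atlas service account only.
                "unexpected_sa": sa != allowed_sa,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_anyuid(SAMPLE_PODS):
        print(finding)
```
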