
[Feature Request] Support for OpenShift

Open hishamanver opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.

I attempted to deploy temporal via helm (https://github.com/temporalio/helm-charts/tree/main) onto an openshift cluster.

Ran into issues running the temporal server and temporal ui containers on openshift due to security constraints (running on openshift - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids)

Identified the root cause to be the following sections:

  • server issue #1 - added to issue - https://github.com/temporalio/helm-charts/issues/558
  • server issue #2 - added to issue: https://github.com/temporalio/docker-builds/issues/241
  • ui - https://github.com/temporalio/ui-server/blob/main/Dockerfile#L32

Essentially what we are observing is that OpenShift enforces a specific UID and GID for the running containers that do not match the predefined values in the image definition, and the containers therefore fail with the following error:

2024/09/13 06:29:11 unable to create open ./config/docker.yaml: permission denied

Describe the solution you'd like

Dockerfile definition should not pin specific UIDs for non root user enforcement, but instead ensure that all directories that are required for functionality have sufficient privileges.

Describe alternatives you've considered

To get around this issue the following Dockerfile was used and confirmed to work:

FROM temporalio/ui:2.30.3

RUN chmod o+w /home/ui-server/config

hishamanver avatar Sep 13 '24 06:09 hishamanver

Hello @hishamanver

I suggest improving Temporal deployment on OpenShift by adding user-customizable UID and GID fields in the Helm chart. The startup script in the Dockerfile should change permissions on the necessary directories based on the provided UID and GID, and I think community feedback is welcome to refine this idea.

naaa760 avatar Sep 23 '24 07:09 naaa760

@naaa760 ,

OpenShift uses arbitrary, or randomly assigned, user IDs (UIDs) to increase access security. This means that the IDs of the users accessing the pods and containers and running the application processes are unspecified and unpredictable. Using a predefined UID and GID violates this.

The solution to the issue is documented here to ensure that a single Dockerfile can be used to create an image that functions correctly, both on OpenShift and on Kubernetes.

https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#group_ownership_and_file_permission

mohan-alpheya avatar Nov 06 '24 05:11 mohan-alpheya

This is needed by us as well. Any update on getting this released?

Platform: IBM Cloud

rohit-cohesity avatar Jan 30 '25 00:01 rohit-cohesity

Here is the modified image which worked for me:

FROM temporalio/server:1.25.1

# Give the root group, which the container will run as in OpenShift, write permissions for the config directory which it needs at runtime
USER root
RUN chgrp -R 0 /etc/temporal/config \
 && chmod -R g=u /etc/temporal/config \
 && chmod g+s /etc/temporal/config

USER temporal
# This is required by cgo at runtime to be set to something, even if the actual UID at runtime is not the same UID as the temporal user
ENV USER=temporal

guysmoilov avatar May 06 '25 08:05 guysmoilov