I have a Jenkins pod running in OpenShift.
I have enabled anyuid for my project as per http://appagile.io/2017/03/29/how-to-run-a-pod-as-root/.
However, I'm unable to get the initial admin password due to the following issue
<html><head><meta http-equiv='refresh' content='1;url=/login?from=%2F' /><script>window.location.replace('/login?from=%2F');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
As per the solution mentioned in this - https://stackoverflow.com/a/41055670
I tried adding jenkins user as part of root.
sudo usermod -a -G root jenkins
But sudo package was not installed in the Jenkins pod.
I tried su -i but it's asking for root password which I don't know.
In Docker, I use docker exec -u root option to log in as root.
But I don't see any such option in oc. Are there any other option we can try to resolve this issue?
Related
I was trying to download a project file from Google cloud sdk environment and got a docker command from Google cloud support.
I fallowed these instructions:
[![enter image description here][1]][1]
I was able to run almost all the commands, but the docker cp command encountered an error "A required privilege is not held by the client." Here's what I did:
C:\Users\*\AppData\Local\Google\Cloud SDK>gcloud auth login
Your browser has been opened to visit:
https://accounts.google.com/o/oauth2/auth---
You are now logged in as [*#gmail.com].
Your current project is [nodejs-301100]. You can change this setting by running:
$ gcloud config set project PROJECT_ID
C:\Users\*\AppData\Local\Google\Cloud SDK>gcloud auth configure-docker
WARNING: Your config file at [C:\Users\*\.docker\config.json] contains these credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud",
"us.gcr.io": "gcloud",
"eu.gcr.io": "gcloud",
"asia.gcr.io": "gcloud",
"staging-k8s.gcr.io": "gcloud",
"marketplace.gcr.io": "gcloud"
}
}
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using.
gcloud credential helpers already registered correctly.
C:\Users\*\AppData\Local\Google\Cloud SDK>docker pull asia.gcr.io/nodejs 301100/appengine/default.20210108t204554:latest
latest: Pulling from nodejs-301100/appengine/default.20210108t204554
Digest: sha256:a1bf8c73e54a357b9aa3d251e73deb0f8ffba4eecef9c6767efa666f3781c600
Status: Image is up to date for asia.gcr.io/nodejs-301100/appengine/default.20210108t204554:latest
asia.gcr.io/nodejs-301100/appengine/default.20210108t204554:latest
C:\Users\*\AppData\Local\Google\Cloud SDK>docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
asia.gcr.io/nodejs-301100/appengine/default.20210108t204554 latest b0c9100e95b4 4 weeks ago 741MB
C:\Users\*\AppData\Local\Google\Cloud SDK>docker run -d b0c9100e95b4
34600f7b8b20238c816a53c8dd08e19fcc0496628139d9c9251e7ad5683ef837
C:\Users\*\AppData\Local\Google\Cloud SDK>docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
34600f7b8b20 b0c9100e95b4 "/bin/sh -c 'npm sta…" 41 seconds ago Up 40 seconds angry_einstein
77bcc0536ac9 b0c9100e95b4 "/bin/sh -c 'npm sta…" 20 minutes ago Up 20 minutes goofy_feistel
C:\Users\*\AppData\Local\Google\Cloud SDK>docker exec -it goofy_feistel pwd
/app
C:\Users\*\AppData\Local\Google\Cloud SDK>docker cp goofy_feistel:app/ google-cloud-sdk
symlink ..\ejs\bin\cli.js C:\Users\*\AppData\Local\Google\Cloud SDK\google-cloud sdk\app\node_modules\.bin\ejs: A required privilege is not held by the client.
What should I do?
This is OS permissions issue - Docker can't access some files;
Fix A Required Privilege Is Not Held By The Client Error: The Error 0x80070522 means that you are trying to copy or create a file inside a directory where you don’t have the required permission or privilege. Generally, you get this error when you try to copy, paste, or modify something inside Windows folders and Microsoft doesn’t allow unauthorized access to the Windows installation. Even the users are prompted with the error “A Required Privilege Is Not Held By The Client Error” because these files are strictly accessible to the only System.
Quick way is to open the command prompt as "administrator" and run the commands again.
Some clues can be found in similar questions:
Robocopy Error - "a required privilege is not held by the client"
Can I change the date and time in a Windows Docker Container?
and in the "workaround" github discussion #Mahboob linked in the comments.
And here's a proper way to do this as John Hanley suggested:
Running the command in an Administrators prompt is not a good solution and has security implications. The correct solution is to add the user to the correct group removing the requirement for administrator rights
Here's how to do this; here's another example.
I Want to setup Rancher to manage my Kubernetes Cluster.
I installed rancher on the Ubuntu and when try to connect I got the error.
Steps that I ran:
curl --insecure -sfL https://localhost/v3/import/zkzmqg5kjpcqmw9qplrskzwwvwhgbbzdk2z9dn579rhpp66wt65wgj.yaml | kubectl apply -f -
I got this error:
curl --insecure -sfL https://localhost/v3/import/zkzmqg5kjpcqmw9qplrskzwwvwhgbbzdk2z9dn579rhpp66wt65wgj.yaml | kubectl apply -f -
Error from server (Forbidden): <html><head><meta http-equiv='refresh' content='1;url=/login?from=%2Fswagger-2.0.0.pb-v1%3Ftimeout%3D32s'/><script>window.location.replace('/login?from=%2Fswagger-2.0.0.pb-v1%3Ftimeout%3D32s');</script></head><body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
Any idea how I can To fix the problem?
I am using Docker 1.13 community edition on a CentOS 7 x64 machine. When I was following a Docker Compose sample from Docker official tutorial, all things were OK until I added these lines to the docker-compose.yml file:
volumes:
- .:/code
After adding it, I faced the following error:
can't open file 'app.py': [Errno 13] Permission denied. It seems that the problem is due to a SELinux limit. Using this post I ran the following command:
su -c "setenforce 0"
to solve the problem temporarily, but running this command:
chcon -Rt svirt_sandbox_file_t /path/to/volume
couldn't help me.
Finally I found the correct rule to add to SELinux:
# ausearch -c 'python' --raw | audit2allow -M my-python
# semodule -i my-python.pp
I found it when I opened the SELinux Alert Browser and clicked on 'Details' button on the row related to this error. The more detailed information from SELinux:
SELinux is preventing /usr/local/bin/python3.4 from read access on the
file app.py.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python3.4 should be allowed read access on the
app.py file by default. Then you should report this as a bug. You can
generate a local policy module to allow this access. Do allow this
access for now by executing:
ausearch -c 'python' --raw | audit2allow -M my-python
semodule -i my-python.pp
I'm trying to "su" in the container deployed in IBM Containers/Bluemix.
But it fails like this.
root#ubuntu142:/tmp# cf ic exec -it mysshd bash
[root#instance-001652d1 /]# adduser ubuntu
[root#instance-001652d1 /]# su - ubuntu
su: cannot create child process: Resource temporarily unavailable
This works fine in my local docker environment.
I also tried to "su" in the startup script( user is already defined ), but it also failed with the same message( from the log ).
( Actually, I'm trying to deploy DB2-Express-C using "su db2inst1".. )
Is there any restriction that "su" is prohibited in IBM container?
Thanks in advance.
I've seen this problem in Centos 7 container instances only (it works fine for Ubuntu).
Here is the solution to fix it:
$ cf ic exec -it ads-centos bash
[root#instance-00173f1f /]# adduser ubuntu
[root#instance-00173f1f /]# su - ubuntu
su: cannot create child process: Resource temporarily unavailable
[root#instance-00173f1f /]# cd etc
[root#instance-00173f1f etc]# cd pam.d
[root#instance-00173f1f pam.d]# vi su
** change all session variables to 'optional' and save changes **
** see how file should be below **
[root#instance-00173f1f pam.d]# su - ubuntu
[ubuntu#instance-00173f1f ~]$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
[ubuntu#instance-00173f1f ~]$
Here is how the su file should be
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session optional system-auth
session optional postlogin
session optional pam_xauth.so
Im trying to get a docker-machine up and running on a Ubuntu 14.04TSL server in our network. I have installed docker+docker-machine on the server and im able to create the docker-machine on the server with this command from my computer:
docker-machine create --driver generic --generic-ip-address 10.10.3.76 --generic-ssh-key "/Users/username/Documents/keys/mysshkey.pem" --generic-ssh-user ubuntuuser dockermachinename
The command above creates the docker-machine and im able to list it with
docker-machine ls
Im able to SSH to it by running
docker-machine ssh dockermachinename
but when i try to connect the server with (-D for debug information)
docker-machine -D env dockermachinename
I get the following message
Docker Machine Version: 0.5.2 ( 0456b9f )
Found binary path at /usr/local/bin/docker-machine-driver-generic
Launching plugin server for driver generic
Plugin server listening at address 127.0.0.1:54213
() Calling .GetVersion
Using API Version 1
() Calling .SetConfigRaw
() Calling .GetMachineName
(dockermachinename) Calling .GetState
(dockermachinename) Calling .GetURL
Reading CA certificate from /Users/username/.docker/machine/certs/ca.pem
Reading server certificate from /Users/username/.docker/machine/machines/dockermachinename/server.pem
Reading server key from /Users/username/.docker/machine/machines/dockermachinename/server-key.pem
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "10.10.3.76:2376": dial tcp 10.10.3.76:2376: i/o timeout
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which will stop running containers.
I really need to solve this so all help is appreciated!
On Ubuntu you will need to do following steps:
1. Create user which don't require password
sudo visudo
at the end of file add following line (make sure to specify your username):
username ALL=(ALL:ALL) NOPASSWD: ALL
and then save and exit. And after that add your username to docker group like this (change username with your actual username):
usermod -aG docker username
2. Edit docker config to open 2375 and 2376 ports
sudo systemctl edit docker.service
add following snippet to that file:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 -H tcp://0.0.0.0:2375
then save and exit. After that reload config and restart docker deamon with:
sudo systemctl daemon-reload
sudo systemctl restart docker.service
3. Create docker-machine
Remove existing machine which is failing with:
docker-machine rm machine1
and try to create it one more time like this:
docker-machine create -d generic --generic-ip-address ip --generic-ssh-key ~/.ssh/key --generic-ssh-user username --generic-ssh-port 22 machine1
please change ip, key, username and machine1 with you actual values.
If this produce error like this:
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.0.26:2376": tls: oversized record received with length 20527
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which might stop running containers.
then SSH to your machine and cd into following directory:
cd /etc/systemd/system/docker.service.d/
list all files in it with:
ls -l
you will probably have something like this:
-rw-r--r-- 1 root root 274 Jul 2 17:47 10-machine.conf
-rw-r--r-- 1 root root 101 Jul 2 17:46 override.conf
you will need to delete all files except 10-machine.conf with sudo rm.
After that remove machine you created and create it again. It should now work. I hope this helps. Maybe you already steps 1 and 2 if so then skip them and just try to remove override.conf file or any file in that dir which is not 10-machine.conf.