Earlier this year I explored using Tutor to install OpenEdx onto a test OpenShift cluster. I was able to get everything running after asking our cluster admin to allow containers to run as root. Encouraging but not immediately helpful as my organization would not allow this config in a real cluster.
I recently checked back and noticed updates around k8s and root containers. I decided to give it another try and report my results. My cluster is v4.6, which is k8s v1.19.
Upon re-initializing my config, I ran `tutor k8s start`. The only pod that came up initially was caddy. Caddy’s log, however, ended with an error, which I haven’t yet looked into:
run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: permission denied
All of the replica sets that had failed to bring up a pod had a similar error:
Error creating: pods "cms-857476898f-" is forbidden: unable to validate against any security context constraint: [spec.containers.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001340000, 1001349999]]
I looked through the deployment yaml and noticed all the `securityContext` settings. I don’t have deep expertise around security context constraints but from what I can tell, Red Hat images (pre-packaged or those built on the cluster) do not alter `securityContext`. OpenShift manages the UID and it just works (the acceptable range is random and per-namespace so there is no way to specify a UID that will work for everyone).
I went through the yaml and removed these settings and upon re-initialization, Minio and mongodb were fine. Exim starts up but all I see in the log is
exim: permission denied
The pods for the OpenEdx variants made it further but the application logs were reporting trouble with read-only directories. E.g.,
PermissionError: [Errno 13] Permission denied: '/openedx/data/logs'
emptyDir mounts for the following to see if I could get further:
After making these changes, the LMS/CMS pods along with their worker pods all came up and, based on their logs, appeared to be ready to go.
That’s all I have for now. Look forward to feedback from the community and to helping with efforts to get Tutor/OpenEdx working smoothly on OpenShift.
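The two failures quoted in the post (a hard-coded `runAsUser` outside the namespace's range, and a bind to port 80) can be caught before deploying. The following is an added example, not part of the original post or of Tutor: it audits a Deployment given as JSON against the namespace's `openshift.io/sa.scc.uid-range` annotation. The sample manifest and the annotation value `1001340000/10000` are constructed to match the range in the error message above, and the function names are hypothetical.

```python
import json

# Constructed sample: a trimmed Deployment in JSON form, not Tutor's real manifest.
SAMPLE_DEPLOYMENT = json.loads("""
{"kind": "Deployment", "metadata": {"name": "cms"},
 "spec": {"template": {"spec": {
   "securityContext": {"runAsUser": 1000},
   "containers": [
     {"name": "cms", "securityContext": {"runAsUser": 1000}},
     {"name": "caddy", "ports": [{"containerPort": 80}, {"containerPort": 8443}]}
   ]}}}}
""")


def parse_uid_range(annotation):
    """Parse the '<start>/<size>' form of openshift.io/sa.scc.uid-range
    into an inclusive (low, high) pair. Other forms are not handled here."""
    start, size = (int(part) for part in annotation.split("/"))
    return start, start + size - 1


def audit_pod_spec(manifest, uid_range_annotation):
    """Return findings for settings likely to fail under a MustRunAsRange SCC."""
    low, high = parse_uid_range(uid_range_annotation)
    pod = manifest["spec"]["template"]["spec"]
    findings = []

    def check_run_as_user(where, ctx):
        uid = ctx.get("runAsUser")
        if uid is not None and not low <= uid <= high:
            findings.append(f"{where}: runAsUser={uid} outside [{low}, {high}]")

    check_run_as_user("pod", pod.get("securityContext", {}))
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        check_run_as_user(f"container {c['name']}", c.get("securityContext", {}))
        for port in c.get("ports", []):
            if port["containerPort"] < 1024:
                findings.append(
                    f"container {c['name']}: port {port['containerPort']} is below "
                    "1024; a non-root process without CAP_NET_BIND_SERVICE may fail to bind it")
    return findings


if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_DEPLOYMENT, "1001340000/10000"):
        print(finding)
```
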