examples/gitserver image needs a valid non-root user #18912

Closed
phemmer opened this issue Mar 9, 2018 · 8 comments

@phemmer
Contributor

phemmer commented Mar 9, 2018

Version

oc v3.7.1+ab0f056
kubernetes v1.7.6+a08f5eeb62
features: Basic-Auth

Server https://192.168.99.100:8443
openshift v3.7.1+a8deba5-34
kubernetes v1.7.6+a08f5eeb62

Steps To Reproduce

Follow the directions in https://github.com/openshift/origin/tree/master/examples/gitserver

  1. oc create -f gitserver-ephemeral.yaml

Current Result

error: initial clone failed:
* No user exists for uid 1000270000
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

Expected Result

success

Additional Information

This is because the Dockerfile is not adding a valid user, so the container launches with a user ID in the restricted range, which doesn't exist within the container.

@phemmer
Contributor Author

phemmer commented Mar 9, 2018

See this document on how to build an image to properly work within OpenShift: https://docs.openshift.org/latest/creating_images/guidelines.html#openshift-specific-guidelines, Section "Support Arbitrary User IDs"
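
One way an image can follow the "Support Arbitrary User IDs" guideline referenced above, shown as an added example that is not part of this thread or of the openshift/origin repository: an entrypoint helper that gives the assigned UID a passwd entry before git runs. The user name `git` and home directory `/var/lib/git` are assumptions.

```shell
#!/bin/sh
# Added example: not part of the openshift/origin repository.
# Assumed image build step, from the "Support Arbitrary User IDs" guideline:
#   RUN chmod g=u /etc/passwd     (the arbitrary UID always runs with GID 0)

# uid_has_entry PASSWD_FILE UID -> exit 0 when a passwd line carries that UID.
uid_has_entry() {
    awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1"
}

# ensure_passwd_entry PASSWD_FILE UID NAME HOME
# Appends an entry for UID with primary group 0 if none exists, so that
# getpwuid()-based lookups made by git and ssh stop failing with
# "No user exists for uid ...". Returns 1 when the file cannot be written.
ensure_passwd_entry() {
    passwd_file=$1; uid=$2; name=$3; home=$4
    if uid_has_entry "$passwd_file" "$uid"; then
        return 0
    fi
    if [ ! -w "$passwd_file" ]; then
        echo "uid $uid has no entry and $passwd_file is not writable" >&2
        return 1
    fi
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' \
        "$name" "$uid" "$name" "$home" >> "$passwd_file"
}

# Entrypoint use (hypothetical name and home directory):
#   ensure_passwd_entry /etc/passwd "$(id -u)" git /var/lib/git && exec "$@"
```

A group-writable `/etc/passwd` lets any process running with GID 0 inside the container edit user entries, so the pattern suits single-purpose images.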

@smarterclayton
Contributor

@bparees we should move this into a separate repo and give it a real build process

@smarterclayton
Contributor

(and fix the issue)

@phemmer
Contributor Author

phemmer commented Mar 13, 2018

I might also request the Dockerfile use something a little lighter than the openshift/origin image. That thing is monstrous, and seems like overkill. All the image should need is the git tools and the gitserver binary (which is Go and thus no deps).

@bparees
Contributor

bparees commented Mar 13, 2018

@phemmer it's monstrous but it's also already pulled to every openshift node in most cases, so it's pretty much free.

@phemmer
Contributor Author

phemmer commented Mar 13, 2018

The one caveat with that is that we're trying to use openshift/origin-gitserver:v3.7, and it seems this tag is not the same as v3.7.1, even though v3.7.1 is the latest version. So even though we're on OpenShift 3.7.1, it still ends up downloading the whole thing.
The idea here was that the v3.7 image should be compatible with any 3.7.X cluster even if the tag is updated. Making it easier to manage. But even if the tag didn't match (e.g. using tag v3.7.1 on a 3.7.0 cluster), the app doesn't seem like it really depends on OpenShift at all, and so it shouldn't need to be built off a specific base image.

But this is mostly just a nitpick. It still works, just sucks up some disk & makes the build take longer. Or we can just have the management overhead of ensuring the tag we deploy matches the OpenShift version exactly.

@jwforres
Member

@openshift/sig-developer-experience

@wozniakjan
Contributor

wozniakjan commented May 11, 2018

Looks like this has been fixed, maybe a pleasant side-effect of #19262? Feel free to reopen if you think your use-case is still not working.

$ oc create -f gitserver-ephemeral.yaml
deploymentconfig.apps.openshift.io "git" created
service "git" created
serviceaccount "git" created
route.route.openshift.io "git" created

Also, pushing and pulling seem to work well.

oc pod & svc

$ oc get pods -o wide
NAME                       READY     STATUS      RESTARTS   AGE       IP           NODE
git-1-wjcq6                1/1       Running     0          21m       172.17.0.6   localhost
ruby-hello-world-1-6d7r5   1/1       Running     0          11m       172.17.0.7   localhost
ruby-hello-world-1-build   0/1       Completed   0          12m       172.17.0.3   localhost

$ oc get svc -o wide
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE       SELECTOR
git                ClusterIP   172.30.130.87    <none>        8080/TCP   21m       run-container=git
ruby-hello-world   ClusterIP   172.30.192.114   <none>        8080/TCP   12m       app=ruby-hello-world,deploymentconfig=ruby-hello-world

git push

$ git remote -v
openshift       http://172.30.130.87:8080/ruby-hello-world.git (fetch)
openshift       http://172.30.130.87:8080/ruby-hello-world.git (push)
origin  https://github.com/openshift/ruby-hello-world.git (fetch)
origin  https://github.com/openshift/ruby-hello-world.git (push)

$ git push openshift master                                                                                                                                                            
Counting objects: 296, done.                        
Delta compression using up to 2 threads.            
Compressing objects: 100% (187/187), done.          
Writing objects: 100% (296/296), 49.31 KiB | 0 bytes/s, done.                                            
Total 296 (delta 95), reused 296 (delta 95)         
remote: --> Found Docker image 77b9ffb (47 hours old) from Docker Hub for "centos/ruby-22-centos7"
remote:                                             
remote:     Ruby 2.2 
remote:     -------- 
remote:     Ruby 2.2 available as container is a base platform for building and running various Ruby 2.2 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
remote:                                             
remote:     Tags: builder, ruby, ruby22
remote:                                             
remote:     * An image stream will be created as "ruby-22-centos7:latest" that will track the source image
remote:     * A Docker build using source code from http://git:8080/ruby-hello-world.git will be created
remote:       * The resulting image will be pushed to image stream "ruby-hello-world:latest"
remote:       * Every time "ruby-22-centos7:latest" changes a new build will be triggered
remote:       * WARNING: this source repository may require credentials.
remote:                  Create a secret with your git credentials and use 'set build-secret' to assign it to the build config.
remote:     * This image will be deployed in deployment config "ruby-hello-world"
remote:     * Port 8080 will be load balanced by service "ruby-hello-world"
remote:       * Other containers can access this service through the hostname "ruby-hello-world"
remote:                                             
remote: --> Creating resources ...
remote:     imagestream "ruby-22-centos7" created
remote:     imagestream "ruby-hello-world" created
remote:     buildconfig "ruby-hello-world" created
remote:     deploymentconfig "ruby-hello-world" created
remote:     service "ruby-hello-world" created
remote: --> Success
remote:     Build scheduled, use 'oc logs -f bc/ruby-hello-world' to track its progress.
remote:     Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
remote:      'oc expose svc/ruby-hello-world' 
remote:     Run 'oc status' to view your app.
To http://172.30.130.87:8080/ruby-hello-world.git   
 * [new branch]      master -> master     

git pull

$ git clone http://172.30.130.87:8080/ruby-hello-world.git
Cloning into 'ruby-hello-world'...
remote: Counting objects: 296, done.
remote: Compressing objects: 100% (187/187), done.
remote: Total 296 (delta 95), reused 296 (delta 95)
Receiving objects: 100% (296/296), 49.31 KiB | 0 bytes/s, done.
Resolving deltas: 100% (95/95), done.
