How to change uid in CodeExecutor pod in OpenShift

Hi, I launched Retool in OpenShift, but the CodeExecutor pod has this error: Code executor container is specified to run in unprivileged mode (CONTAINER_UNPRIVILEGED_MODE=true) but the user running container is not the expected user, retool_user (uid 1001) in retool_user_group (gid 1001)
How to solve it?

I am facing the same issue when deploying Retool on a GKE Autopilot cluster with unprivileged mode. How to solve this? Please help!

Thanks for reaching out! You'll need to set up the container to run the startup command as retool_user (uid 1001) in retool_user_group (gid 1001)

For OpenShift, I would try setting the securityContext at the pod level, with runAsUser, runAsGroup settings as such:

securityContext:
    privileged: false
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001

Similarly for GKE Autopilot, I believe there is also a securityContext.runAsUser setting

For other folks that may be running into this error, in the case of ECS / Fargate, see "user"

Let me know if you run into any issues!

I set the config below, but still get the error above. I used the Helm chart for k8s. What is the problem?

securityContext:
    privileged: false
    runAsUser: MY_UID
    fsGroup: MY_UID

Thanks, @Epic555 :disappointed:

What is the version of the helm chart you're using?

6.2.5

@Tess help pls

Hey @Epic555, apologies for the delay! That helm chart version sounds like it isn't an issue; thanks for confirming. I chatted with my team internally & it sounds like some folks have seen errors after getting the setup corrected, but the code executor still works despite the errors. Are you able to move past it/use the code executor?

@Gangeshwar_Krishnamurthy were you able to solve this?

Hey @Tess No, I can't use the code executor, because the pod is always restarted.

Hi @Epic555 thanks for letting me know :disappointed: Could you share more context on why your team needs to run in unprivileged mode? Is it a security requirement?

Unfortunately, I don't have the same exact setup on my side to test, but I'm curious if you could try the "must run as user" approach as described in the OpenShift docs? :crossed_fingers:

@Tess Yes, it is a security requirement to run in unprivileged mode. I tried to use "MustRunAs", it didn't help.

Darn :thinking: It seems related to OpenShift security context constraints, but if you send me screenshots of your full configuration on the Retool side, I can review that to see if anything else jumps out

It might be worth checking with the OpenShift community as well :handshake: Maybe some of the troubleshooting tips here will help? I'm not sure if OpenShift is expecting other context like SupplementalGroups to be set. It looks like you can run a command to see the list of SCCs: Managing security context constraints | Authentication and authorization | OpenShift Container Platform 4.16
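Added example, not part of the thread and not Retool's or OpenShift's own code: a small Python check that reads a pod object (as returned by `kubectl get pod <name> -o json`) and reports, per container, whether the effective runAsUser/runAsGroup match the 1001:1001 pair named in the error message. The sample pod, its container names and the non-1001 uid are constructed for illustration; run it against the live pod rather than the Helm values, since admission (for example an SCC) can change these fields.

```python
import json

EXPECTED_UID = 1001  # retool_user, from the error message in this thread
EXPECTED_GID = 1001  # retool_user_group

# Constructed sample: trimmed output of `kubectl get pod <name> -o json`.
# Container names and the non-1001 uid are made up for illustration.
SAMPLE_POD = json.loads("""
{"spec": {
  "securityContext": {"runAsUser": 1001, "fsGroup": 1001},
  "containers": [
    {"name": "code-executor", "securityContext": {"privileged": false}},
    {"name": "sidecar",
     "securityContext": {"runAsUser": 1000650000, "runAsGroup": 1001}}
  ]}}
""")

def effective_identity(pod, container):
    """Container-level securityContext fields override pod-level ones."""
    pod_sc = pod["spec"].get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    gid = ctr_sc.get("runAsGroup", pod_sc.get("runAsGroup"))
    return uid, gid

def audit(pod):
    """Return {container: [problems]} for containers not pinned to 1001:1001."""
    findings = {}
    for ctr in pod["spec"].get("containers", []):
        uid, gid = effective_identity(pod, ctr)
        problems = []
        for field, got, want in (("runAsUser", uid, EXPECTED_UID),
                                 ("runAsGroup", gid, EXPECTED_GID)):
            if got is None:
                # Unset in the spec: the image decides. fsGroup does not
                # set the primary gid, it only affects volume ownership.
                problems.append(f"{field} unset (want {want})")
            elif got != want:
                problems.append(f"{field}={got} (want {want})")
        if (ctr.get("securityContext") or {}).get("privileged"):
            problems.append("privileged=true")
        if problems:
            findings[ctr["name"]] = problems
    return findings

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_POD).items():
        print(f"{name}: {'; '.join(problems)}")
```
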