
Gateway userID needs to be hardcoded in OpenShift #77

@plagerweij


In OpenShift, we are forced to pass a hardcoded userID and groupID to a Gateway:

```yaml
spec:
  app:
    podSecurityContext:
      runAsUser: 1001620000
      runAsGroup: 1001620000
      runAsNonRoot: true
```

Why is this needed? We are running a standard on-prem version of OpenShift v4.14 with restricted-v2 SCC.

Hardcoding these values makes operations difficult, because the allowed UID ranges differ per namespace and are managed by OpenShift.

If we leave out runAsUser and runAsGroup, the Gateway fails to start:

```text
SSG_GC_ARGS will be -Xlog:gc*:/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log
The system property 'com.l7tech.security.fips.enabled' has not been set to true in either the EXTRA_JAVA_ARGS environment variable or the system.properties file.
Disabling FIPS mode.
SSG_JVM_HEAP has been deprecated! Please use SSG_JVM_MIN_HEAP and SSG_JVM_MAX_HEAP going forward.
SSG_JVM_MIN_HEAP will be 2048m
SSG_JVM_MAX_HEAP will be 2048m
Using Derby database
SSG_CLUSTER_HOST will be gateway.brcmlabs.com
/opt/docker/entrypoint.sh: line 338: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/001_update_admin_user.xml.req.bundle: Permission denied
/opt/docker/entrypoint.sh: line 354: /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/010_update_cluster_host.xml.req.bundle: Permission denied
Running script /opt/docker/rc.d/003-parse-custom-files.sh
***************************************************************************
scanning for graphman bundles in /opt/docker/graphman
***************************************************************************
du: cannot access '/opt/docker/graphman': No such file or directory
***************************************************************************
scanning for restman bundles in /opt/docker/custom/bundle
***************************************************************************
cp: cannot create regular file '/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/helloworld.bundle': Permission denied
helloworld.bundle written to /opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/helloworld.bundle
***************************************************************************
scanning for graphman bundles in /opt/docker/custom/bundle
***************************************************************************
***************************************************************************
scanning for custom assertions in /opt/docker/custom/custom-assertions
***************************************************************************
***************************************************************************
scanning for modular assertions in /opt/docker/custom/modular-assertions
***************************************************************************
***************************************************************************
scanning for external libraries in /opt/docker/custom/external-libraries
***************************************************************************
du: cannot access '/opt/docker/custom/external-libraries': No such file or directory
***************************************************************************
scanning for custom properties in /opt/docker/custom/custom-properties
***************************************************************************
du: cannot access '/opt/docker/custom/custom-properties': No such file or directory
***************************************************************************
scanning for custom health checks in /opt/docker/custom/health-checks
***************************************************************************
du: cannot access '/opt/docker/custom/health-checks': No such file or directory
***************************************************************************
scanning for custom shell scripts in /opt/docker/custom/scripts
***************************************************************************
running preparesomething.sh
---------------------------------
---------------------------------
--- Doing something important ---
---------------------------------
---------------------------------
Starting gateway in foreground
touch: cannot touch '/opt/SecureSpan/Gateway/node/default/var/preboot': Permission denied
[0.000s][error][logging] Error opening log file '/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log': Permission denied
[0.000s][error][logging] Initialization of output 'file=/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log' using options '(null)' failed.
Invalid -Xlog option '-Xlog:gc*:/opt/SecureSpan/Gateway/node/default/var/logs/ssg_gc.log', see error log for details.
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.
```
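The log above is the classic symptom of an image whose writable paths are owned by one fixed user: under restricted-v2 the pod gets an arbitrary UID from the namespace range, but it always carries GID 0 (the root group) as a supplementary group, so a path is usable only if it is owned by group 0 and group-writable. The script below is an added example, not code from the Gateway project or from the issue author; it checks a directory tree for that property, applies the fix OpenShift documents for images (`chgrp -R 0` plus `chmod -R g=u`), and exercises both on a constructed copy of the paths named in the log. It assumes GNU coreutils (`stat -c`) and, for the stand-alone demo, uses the caller's own primary group instead of 0 so it needs no root privileges.

```shell
#!/usr/bin/env bash
# Added example (not the Gateway project's code). Assumes GNU coreutils stat.
#
# arbitrary_uid_ok PATH [GID]
#   0 -> an arbitrary UID whose supplementary group is GID can read/write PATH
#   1 -> it cannot (wrong owning group, or group lacks rw / rwx for a directory)
#   2 -> PATH does not exist
arbitrary_uid_ok() {
  local path="$1" gid="${2:-0}" owner_gid perms grp
  owner_gid="$(stat -c '%g' "$path" 2>/dev/null)" || return 2
  perms="$(stat -c '%A' "$path")"            # e.g. drwxr-xr-x
  [ "$owner_gid" = "$gid" ] || return 1
  grp="$(printf '%s' "$perms" | cut -c5-7)"   # the group triplet
  case "$grp" in
    rw*) ;;
    *) return 1 ;;
  esac
  if [ -d "$path" ]; then                     # directories must also be searchable
    case "$grp" in
      *x|*s) ;;
      *) return 1 ;;
    esac
  fi
  return 0
}

# list_bad_paths ROOT [GID]: print every path under ROOT that fails the check.
# (Paths containing newlines are not expected in an image layout.)
list_bad_paths() {
  local root="$1" gid="${2:-0}" p
  find "$root" | while IFS= read -r p; do
    arbitrary_uid_ok "$p" "$gid" || printf '%s\n' "$p"
  done
}

# make_arbitrary_uid_ok ROOT [GID]: the fix OpenShift documents for images,
# normally run as root in the Dockerfile: hand the tree to the group and give
# the group the same permission bits as the owner.
make_arbitrary_uid_ok() {
  local root="$1" gid="${2:-0}"
  chgrp -R "$gid" "$root" && chmod -R g=u "$root"
}

# demo_fixture: constructed copy of the paths from the issue's log, left
# owner-writable only (the state that produced "Permission denied"); prints root.
demo_fixture() {
  local t
  t="$(mktemp -d)"
  mkdir -p "$t/node/default/etc/bootstrap/bundle" "$t/node/default/var/logs"
  : > "$t/node/default/var/logs/ssg_gc.log"
  chmod -R u=rwX,go=rX "$t"                   # 755 dirs / 644 files: group cannot write
  printf '%s\n' "$t"
}

# Stand-alone run. Uses the caller's primary group so no root is needed;
# in a real image build the GID argument is 0.
demo_gid="$(id -g)"
demo_root="$(demo_fixture)"
echo "before fix, paths an arbitrary UID cannot write:"
list_bad_paths "$demo_root" "$demo_gid"
make_arbitrary_uid_ok "$demo_root" "$demo_gid"
echo "after fix, paths still failing (expected: none):"
list_bad_paths "$demo_root" "$demo_gid"
rm -rf "$demo_root"
```

Running `list_bad_paths /opt/SecureSpan/Gateway/node/default 0` inside the image (as any user) reports exactly the directories the log complains about; after `make_arbitrary_uid_ok` on those trees the `runAsUser`/`runAsGroup` pins become unnecessary and the SCC's per-namespace UID can be used as is.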
