Changes to UBI-based Dockerfiles to support restricted SCC usage on OpenShift

Jenn Power requested to merge jpower1/CNG:feat/changes-for-openshift-ubi8 into master

What does this MR do?

This MR adds changes to the UBI-based Dockerfiles and adds an nss_wrapper script to allow the GitLab applications to run under the restricted SCC in OpenShift. The user has been changed to a UID and the expected GID is 0. An nss_wrapper solution has been used to dynamically create the passwd file with the git user and container UID.

Note: The default Gitaly socket path had to be changed to a subdirectory of /home/git because Gitaly tries to chmod that directory during startup.

How to test (acceptance criteria)

  1. Test UBI-Images with securityContext values unset to validate restricted SCC support (all workloads are healthy)
  2. Test UBI-Images with default Helm-chart configuration + anyuid SCC using GitLab operator (all workloads are healthy)
  3. Validate instances running on OCP4 using GitLab QA locally (tests pass to indicate the GitLab instance is fully functional)

Related issues

Related to gitlab-org/charts/gitlab#1069

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Integration tests added to GitLab QA
  • The impact any change in container size has should be evaluated
Edited by Jenn Power
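
An example of the nss_wrapper approach the description refers to, added here for illustration and not the script from this merge request: it builds a passwd file that maps the arbitrary UID assigned by the restricted SCC to the git user, then points nss_wrapper at it. `NSS_WRAPPER_PASSWD`, `NSS_WRAPPER_GROUP` and `LD_PRELOAD` are nss_wrapper's own interface; the function names, `APP_USER`, `APP_HOME`, `NSS_WRAPPER_LIB` and the library path are assumptions.

```shell
#!/bin/sh
# Added example, not the MR's script. APP_USER, APP_HOME, NSS_WRAPPER_LIB and
# both function names are assumptions made for this illustration.
APP_USER="${APP_USER:-git}"
APP_HOME="${APP_HOME:-/home/git}"

# Write a passwd file that maps the runtime UID to APP_USER and print its path.
# $1 = uid, $2 = gid, $3 = source passwd file, $4 = private output directory
build_nss_passwd() {
    uid="$1"; gid="$2"; src="$3"; out="$4/passwd"
    # Drop entries that already use this name or UID so lookups are unambiguous.
    awk -F: -v u="$APP_USER" -v id="$uid" '$1 != u && $3 != id' "$src" > "$out" || return 1
    printf '%s:x:%s:%s:GitLab:%s:/sbin/nologin\n' \
        "$APP_USER" "$uid" "$gid" "$APP_HOME" >> "$out"
    printf '%s\n' "$out"
}

# Enable nss_wrapper only when the assigned UID has no passwd entry, which is
# the case under the restricted SCC (arbitrary UID, GID 0).
setup_nss_wrapper() {
    run_uid="$(id -u)"
    if ! getent passwd "$run_uid" >/dev/null 2>&1; then
        dir="$(mktemp -d)" || return 1
        NSS_WRAPPER_PASSWD="$(build_nss_passwd "$run_uid" "$(id -g)" /etc/passwd "$dir")" || return 1
        NSS_WRAPPER_GROUP=/etc/group
        LD_PRELOAD="${NSS_WRAPPER_LIB:-/usr/lib64/libnss_wrapper.so}"
        export NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP LD_PRELOAD
    fi
}

# An entrypoint would finish with:  setup_nss_wrapper && exec "$@"
```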
