Error: Capset failed: Operation not permitted - not privileged AWX in OpenShift

Hello Folks,

In my team we have been working to install AWX in the OpenShift instance, and now that we were able to install it, we are getting the following error when executing a playbook (for example the SCM update):

    Identity added: /tmp/awx_15_c3yztD/credential_2 (/tmp/awx_15_c3yztD/credential_2)
    bwrap: capset failed: Operation not permitted

As we are not allowed to add a privileged user or to run processes as root in the containers, we had to make 2 modifications to the installation playbook:

  1. Remove this task from “awx/installer/roles/kubernetes/tasks/openshift.yml”:

      - name: Add privileged SCC to service account
        shell: |
          {{ openshift_oc_bin }} adm policy add-scc-to-user privileged system:serviceaccount:{{ openshift_project }}:awx

  2. Put privileged: false in the security context of the deployment template “awx/installer/roles/kubernetes/templates/deployment.yml.j2”:

      - name: {{ kubernetes_deployment_name }}-celery
        securityContext:
          privileged: false
        image: "{{ kubernetes_task_image }}:{{ kubernetes_task_version }}"
        command:…

If we do a ps -aux inside the celery container, we can see that all the processes are started by the user “awx” that belongs to the group 0 (root). Attached are the logs of awx-celery and an image of ps -aux.

Do you know if this error is related to the modifications that were done?
Is there a way to have it working without root?

Thanks a lot for your help!
