Introduction

Users can run JS7 containers from specific user accounts:

...

Jira (SOS JIRA): JS-2044

Specifying User Accounts

Names of user accounts and groups are not relevant for the operating system of the container. Instead, the User ID and Group ID assigned to the user account are specified.

  • Examples for OS commands which return names and IDs of user accounts and groups:
    • User Account: id -u -n
    • Group Name: id -g -n
    • User ID: id -u
    • Group ID: id -g
  • Syntactically user accounts are specified as <user-id>:<group-id>, for example 1000:1000.
  • The name of the user account in any JS7 container is jobscheduler.
    • By default the jobscheduler user account is assigned the User ID 1000 and Group ID 0 (Group Name: root).
    • The name of the user account remains unchanged on start-up of a container. Instead, the container's user account is assigned the User ID and Group ID as specified on container start-up.

Accessing Volume Mounts

JS7 containers expose volumes

...

  • If containers are operated for the root account then directories and files in exposed volumes are accessible to the root account only.
  • If containers are operated for a specific account then directories and files in exposed volumes are accessible to the given account.

Starting Containers from the root Account

The default behavior for container management systems such as Kubernetes® is to start containers from the root account. However, this can be changed by security contexts (policies).

...

  • Users are free to specify any user account for which the container will be operated.
  • On start-up the container will actively assign ownership of relevant directories and files to the user account specified.
  • If a non-root Group ID is specified then group permissions will be handed over to this group.

Using Run-time Accounts

Using Run-time Accounts for Docker

Find examples for user account settings using the Docker run command:

...

Operate container for the root account (not recommended)

# specify the root account's User ID and Group ID
docker run --user="0:0"

Using Run-time Accounts for Kubernetes

Find examples for user account settings with Kubernetes® deployment files:

...

Operate container for the root account (not recommended)

- name: RUN_JS_USER_ID
  value: "0:0"

Starting Containers from non-root Accounts

The default behavior for container management systems such as OpenShift® is to start containers from a non-root user account that is assigned the root group.

...

Using Run-time Accounts for Docker

Find examples for user account settings using the Docker run command:

...

Operate container for a specific user account which is assigned the root group

# specify the account's User ID and the Group ID of the root account
docker run --user="100000:0"
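
The account specifications shown so far can be checked before deployment. The script below is an added example, not part of the JS7 documentation or product: it extracts <user-id>:<group-id> values from docker run --user options and RUN_JS_USER_ID entries and flags the root account. The function names and the SAMPLE input are constructed for illustration.

```shell
# Added example: function names and SAMPLE are constructed for illustration.

# Classify one "<user-id>:<group-id>" spec. Only numeric IDs are accepted.
classify_run_user() {
    case "$1" in
        ""|*[!0-9:]*|*:*:*|:*|*:) echo "invalid"; return 0 ;;
        *:*) ;;
        *) echo "invalid"; return 0 ;;
    esac
    uid=${1%%:*}
    gid=${1#*:}
    if [ "$uid" -eq 0 ]; then
        echo "root"                  # not recommended
    elif [ "$gid" -eq 0 ]; then
        echo "non-root-root-group"   # e.g. 100000:0
    else
        echo "non-root"              # e.g. 1000:1000
    fi
}

# Extract specs from stdin: docker --user options and RUN_JS_USER_ID values.
extract_run_users() {
    awk '
        match($0, /--user[= ]"?[^" ]+/) {
            s = substr($0, RSTART, RLENGTH); sub(/--user[= ]"?/, "", s); print s
        }
        want && /value:/ {
            s = $0; sub(/.*value:[ ]*/, "", s); gsub(/"/, "", s); print s; want = 0
        }
        /name:[ ]*RUN_JS_USER_ID/ { want = 1 }
    '
}

# Print "<spec> <class>" per finding; status 1 if any spec is root or invalid.
audit_run_users() {
    rc=0
    for spec in $(extract_run_users); do
        class=$(classify_run_user "$spec")
        echo "$spec $class"
        case "$class" in root|invalid) rc=1 ;; esac
    done
    return "$rc"
}

SAMPLE='docker run --user="0:0"
docker run --user="100000:0"
- name: RUN_JS_USER_ID
  value: "1000:1000"'
printf '%s\n' "$SAMPLE" | audit_run_users || true
```
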

Using Run-time Accounts for Kubernetes, OpenShift

Find examples for user account settings with Kubernetes® and OpenShift® deployment files:

...