[Ci-users] apps.ci SCC and oci-kvm-hook ?

Brian Stinson brian at bstinson.com
Thu Feb 1 13:43:31 UTC 2018


On Jan 31 15:51, Colin Walters wrote:
> Hi, we'd like to migrate some of our workloads into
> Kubernetes jobs; see for example:
> https://github.com/projectatomic/papr/pull/70/commits/bdaabc975b6770e2c6826aa259cfd2c7fddd0b9e
> 
> What are the available resources in apps.ci versus Duffy?
> 
> A lot of our jobs want basically a "classic Docker"
> environment with e.g. uid 0, but not CAP_SYS_ADMIN.  And with seccomp disabled, etc.
> I was trying to create the test pod below, but it fails.  It looks like our accounts
> use the default SCC.  Can we lift these restrictions?
> 
> BTW, I'd also like oci-kvm-hook installed, with this patch: https://github.com/stefwalter/oci-kvm-hook/pull/4
> 
> apiVersion: v1
> kind: DeploymentConfig
> metadata:
>   labels:
>     run: cgwalters-shell
>   name: cgwalters-shell
> spec:
>   replicas: 1
>   selector:
>     run: cgwalters-shell
>   strategy:
>     resources: {}
>   template:
>     metadata:
>       labels:
>         run: cgwalters-shell
>     spec:
>       containers:
>       - args:
>         - sleep
>         - 24h
>         image: registry.fedoraproject.org/fedora:27
>         name: cgwalters-shell
>         # Run as uid 0
>         securityContext:
>           runAsUser: 0
> _______________________________________________
> Ci-users mailing list
> Ci-users at centos.org
> https://lists.centos.org/mailman/listinfo/ci-users

We have separate SCCs per-namespace for this. I'll see if I can get
a proper one on your project. 

As far as the oci-kvm-hook thing goes, do we know a timeline for
getting that merged?

--Brian



More information about the Ci-users mailing list