use privileged scc for openshift user

sshd as configured in the gitlab ce image uses UsePrivilegeSeparation, which requires SYS_CHROOT permissions. The anyuid scc does not allow this.

    $ oc describe scc anyuid
    Name:                           anyuid
    Priority:                       10
    Access:
      Users:                        system:serviceaccount:gitlab-ce:gitlab-ce-user
      Groups:                       system:cluster-admins
    Settings:
      Allow Privileged:             false
      Default Add Capabilities:     <none>
      Required Drop Capabilities:   MKNOD,SYS_CHROOT <--
      ...

However, privileged does. This PR updates the docs and unifies the method for updating the scc.

As an alternative to this PR, UsePrivilegeSeparation could be set to no in the sshd_config.
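The capability check described above can be run against `oc get scc -o json` output before binding a service account to an SCC. This is an added example, not part of the merge request or the project's code: the `anyuid` values mirror the output quoted above, the `privileged` entry is constructed, and the runtime default set is assumed to be Docker's (other runtimes differ).

```python
import json

# Assumption: Docker's default capability set; pass another set for other runtimes.
RUNTIME_DEFAULTS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})

# Constructed sample shaped like `oc get scc -o json`; unset lists are null there.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "anyuid"}, "allowPrivilegedContainer": false,
   "defaultAddCapabilities": null, "allowedCapabilities": null,
   "requiredDropCapabilities": ["MKNOD", "SYS_CHROOT"]},
  {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": true,
   "defaultAddCapabilities": null, "allowedCapabilities": ["*"],
   "requiredDropCapabilities": null}
]}
""")


def capability_verdict(scc, cap, runtime_defaults=RUNTIME_DEFAULTS):
    """Classify what an SCC does to one capability for a non-privileged container."""
    drops = set(scc.get("requiredDropCapabilities") or [])
    adds = set(scc.get("defaultAddCapabilities") or [])
    allowed = set(scc.get("allowedCapabilities") or [])
    if cap in drops or "ALL" in drops:
        return "dropped"       # removed even though the runtime would grant it
    if cap in adds or cap in runtime_defaults:
        return "present"       # the container starts with it
    if cap in allowed or "*" in allowed:
        return "requestable"   # the pod spec may add it explicitly
    return "unavailable"


def report(scc_list, cap):
    """Map each SCC name in an `oc get scc -o json` document to its verdict."""
    return {item["metadata"]["name"]: capability_verdict(item, cap)
            for item in scc_list["items"]}


if __name__ == "__main__":
    for cap in ("SYS_CHROOT", "SYS_ADMIN"):
        for name, verdict in report(SAMPLE, cap).items():
            print(f"{cap:<12}{name:<12}{verdict}")
```

The `SYS_ADMIN` rows show what else changes with the switch: `privileged` also makes capabilities requestable that `anyuid` never offers.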