Running as keystone

To run the various Keystone containers as the keystone user, rather than the arbitrary UID that OpenShift's default restricted SCC assigns from the project's range, we can use the modification described here.

First, add a keystone service account and a security context constraint (SCC) that lets pods using it run as the keystone user. The anyuid SCC is probably more power than we really want to give it, since it allows a pod to run as any UID, root included, but it will force things to work. Then update the deployment config to use this new service account.

$ oc create serviceaccount keystone
serviceaccount/keystone created
$ oc adm policy add-scc-to-user anyuid -z keystone --as system:admin
securitycontextconstraints.security.openshift.io/anyuid added to: ["system:serviceaccount:keystondev:keystone"]
$ oc patch deploymentconfig.apps.openshift.io/keystone-db-init --patch '{"spec":{"template":{"spec":{"serviceAccountName": "keystone"}}}}'
deploymentconfig.apps.openshift.io/keystone-db-init patched
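A tighter alternative to anyuid, added here as an example and not part of the original post: a custom SCC that pins the pod to the keystone UID and grants nothing else. It assumes the keystone user inside the container image is UID 42425 (check with `id keystone` in the image and adjust the number if it differs); the SCC name keystone-uid is also an invented one.

```yaml
# Custom SCC (example, not from the original post) that forces pods to run
# as one fixed UID instead of opening the cluster's anyuid constraint to them.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: keystone-uid
# Nothing host-related: no privileged mode, no host namespaces, no host paths.
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
# Drop every Linux capability; add one back only if the image demonstrably needs it.
requiredDropCapabilities:
- ALL
# The whole point: the container may run as this UID and no other.
# 42425 is an assumption about the image's keystone user; verify it with `id keystone`.
runAsUser:
  type: MustRunAs
  uid: 42425
# Keep the project's SELinux level, as the default restricted SCC does.
seLinuxContext:
  type: MustRunAs
# Pin the group side too, so mounted volumes end up owned by the same ID.
fsGroup:
  type: MustRunAs
  ranges:
  - min: 42425
    max: 42425
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 42425
    max: 42425
# Only ordinary volume types; hostPath is deliberately absent.
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
```

Create it as a cluster admin with `oc create -f keystone-uid-scc.yaml`, then `oc adm policy add-scc-to-user keystone-uid -z keystone --as system:admin` takes the place of the anyuid grant above. Once a pod has been redeployed, `oc rsh <pod> id` shows which UID the container actually received; with anyuid it is whatever the image's USER directive says, with this SCC it can only be 42425.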

Now looking at the log (the lines starting with `+` are the shell's `set -x` trace on stderr, interleaved with the `echo -n` progress messages on stdout, which is why the first line looks mangled):

$ oc logs pod/keystone-db-init-2-nwg8g
Databasedb-sync+ echo -n Database
+ echo -n db-sync
+ keystone-manage db_sync
 [COMPLETE]
bootstrap + echo ' [COMPLETE]'
+ echo -n 'bootstrap '
+ keystone-manage bootstrap --bootstrap-password=FreeIPA4All
/etc/keystone/fernet-keys/ does not exist
 [COMPLETE]
+ echo ' [COMPLETE]'

We see that the application ran without throwing an error. Two things in that log are worth acting on, though. The shell trace echoes the full `keystone-manage bootstrap` command line, so the bootstrap password ends up in the pod log for anyone with `oc logs` access; disabling tracing around that command, or passing the password through an environment variable instead of an argument, keeps it out. And bootstrap reports that `/etc/keystone/fernet-keys/` does not exist, so a Fernet key repository still has to be created (`keystone-manage fernet_setup`) and mounted into the service containers before Keystone can issue tokens.
