Adding user ID and group ID in Dockerfile

When you deploy runtime data collectors on OpenShift 4.2 or higher, and the SCC strategy of the target namespace is MustRunAsRange, the user and group that the container runs as must have a UID and GID inside the range that OpenShift assigns to that namespace. You therefore create that user and group in the Dockerfile and set the matching IDs in the pod spec.

For more information about OpenShift SCC strategy, see Managing Security Context Constraints.

  1. Check the SCC strategy for the namespace of the pod where you deploy runtime data collectors. For example, if the namespace is icam, run the following command:

    kubectl describe namespace icam
    

    The output is similar to the following:

    Name:         icam
    Labels:       <none>
    Annotations:  mcm.ibm.com/accountID: id-mycluster-account
                  mcm.ibm.com/type: System
                  openshift.io/sa.scc.mcs: s0:c25,c5
                  openshift.io/sa.scc.supplemental-groups: 1000610000/10000
                  openshift.io/sa.scc.uid-range: 1000610000/10000
    Status:       Active
    
    No resource quota.
    
    No resource limits.
    
  2. Update your Dockerfile by adding a user and a group whose UID and GID are in the range. The range is given by the `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` annotations from step 1, in the form `<start>/<size>`, so any ID from `<start>` to `<start> + <size> - 1` is valid.

    For example:

    USER root
    RUN groupadd -g 1000610000 appgrp && useradd -l -r -d /home/appuser -u 1000610000 -g appgrp appuser && chown -R appuser:appgrp /opt/ibm && chown -R appuser:appgrp /logs
    USER appuser

    Note: Add -l so that the user is not added to the lastlog and faillog databases. Otherwise, the Docker image build hangs, because these files are indexed by UID and a UID this large makes useradd create a very large sparse file that the build then has to copy into the image layer. See the Git issue for details.
  3. Update your application YAML file by adding the following lines to the container entry in the `containers` section, using the same UID and GID that you created in step 2:

    securityContext:
      runAsUser: 1000610000
      runAsGroup: 1000610000
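Before committing an ID to the Dockerfile and the pod spec, it is worth checking that it really falls inside the namespace's annotated range. The following shell script is an added example, not part of the original procedure: it parses the `<start>/<size>` annotation format from a constructed sample of `kubectl describe namespace` output, and the function names (`annotation_value`, `id_in_range`, `check_ids`) are my own.

```shell
#!/bin/sh
# Added example: validate a planned UID/GID against the OpenShift
# SCC range annotations. The annotation value is "<start>/<size>",
# so the valid IDs are start .. start+size-1.

# Constructed sample of `kubectl describe namespace icam` output.
DESCRIBE_OUTPUT='Name:         icam
Annotations:  openshift.io/sa.scc.supplemental-groups: 1000610000/10000
              openshift.io/sa.scc.uid-range: 1000610000/10000
Status:       Active'

# Print the value of annotation key $2 found in describe output $1.
annotation_value() {
  # '|' is used as the sed delimiter because the key contains '/'.
  printf '%s\n' "$1" | sed -n "s|^.*$2: *||p"
}

# Return 0 if ID $2 lies inside the "<start>/<size>" range $1, else 1.
id_in_range() {
  start=${1%/*}
  size=${1#*/}
  end=$((start + size - 1))
  [ "$2" -ge "$start" ] && [ "$2" -le "$end" ]
}

# Check UID $2 against uid-range and GID $3 against supplemental-groups.
check_ids() {
  uid_range=$(annotation_value "$1" openshift.io/sa.scc.uid-range)
  gid_range=$(annotation_value "$1" openshift.io/sa.scc.supplemental-groups)
  id_in_range "$uid_range" "$2" || { echo "uid $2 is outside $uid_range"; return 1; }
  id_in_range "$gid_range" "$3" || { echo "gid $3 is outside $gid_range"; return 1; }
  echo "uid $2 and gid $3 fit the namespace ranges"
}

# Usage: the IDs from the procedure above against the sample output.
check_ids "$DESCRIBE_OUTPUT" 1000610000 1000610000
```

Replace `DESCRIBE_OUTPUT` with the real output of `kubectl describe namespace <namespace>` to check your own values.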