Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1445856

Summary: [starter][paid] Users can't build docker images that contain VOLUME statements on OpenShift Online even if they have access
Product: OpenShift Container Platform
Reporter: Clayton Coleman <ccoleman>
Component: Containers
Assignee: Antonio Murdaca <amurdaca>
Status: CLOSED WONTFIX
QA Contact: Xiaoli Tian <xtian>
Severity: medium
Priority: medium
Version: 3.11.0
CC: abhgupta, aos-bugs, bparees, ccoleman, dwalsh, erich, hgomes, jfiala, jhonce, jokerman, mmccomas, mpatel, nagrawal, pweil, rhowe, xtian
Keywords: OnlinePro, UpcomingRelease
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-05-19 17:39:45 UTC
Type: Bug

Description Clayton Coleman 2017-04-26 16:03:29 UTC
Our plan is to enable user namespaces in OpenShift Online to allow end users to do Docker builds.  However, our current VOLUME protection on nodes (implemented in docker by rejecting VOLUME statements) prevents Docker builds from running, because in order to docker build an image with a VOLUME docker needs to create a container that has a volume in it.

We've had other discussions that the current approach of rejecting VOLUME statements that aren't mapped to volumes causes other problems for end users, and that the ideal outcome would be for VOLUME statements to be silently ignored by docker.

Desired outcome: Docker builds of Dockerfiles that contain VOLUME statements on OpenShift Online work, but rogue VOLUME protection still needs to work.

Blocks: enabling docker builds in OpenShift Online with user namespaces

Comment 1 Antonio Murdaca 2017-05-21 13:41:42 UTC
How about images like gcr.io/k8s-testimages/redis:e2e which has a "/data" volume in the image Config (built with VOLUME /data)? If we ignore that volume the redis-server in the image is expecting a /data workdir, thus failing if that doesn't exist in the container. Do we just _mock_ the directory in the container (mkdir /data)?

Comment 2 Ryan Howe 2017-09-06 18:27:09 UTC
@Antonio That scenario was lo
(In reply to Antonio Murdaca from comment #1)
> How about images like gcr.io/k8s-testimages/redis:e2e which has a "/data"
> volume in the image Config (built with VOLUME /data)? If we ignore that
> volume the redis-server in the image is expecting a /data workdir, thus
> failing if that doesn't exist in the container. Do we just _mock_ the
> directory in the container (mkdir /data)?

That scenario describes bug 1471256: 
https://bugzilla.redhat.com/show_bug.cgi?id=1471256

Comment 6 Abhishek Gupta 2018-06-11 18:16:09 UTC
Antonio: A while back Clayton and I had discussed that the data written to the directory (/data) in case of redis would simply be written to the container's top r/w layer. I am not sure if that requires "mocking" the volume mapping or not.

Comment 9 Red Hat Bugzilla 2023-09-14 03:57:01 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
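
A model of the two node policies discussed in this report, as an added example that is not code from the bug report, Docker or OpenShift: it extracts the paths declared by VOLUME statements in a Dockerfile and compares them with a list of mounted paths, once rejecting unmapped volumes and once ignoring them. The function names, the policy names, the mount list and the sample Dockerfile are assumptions made for illustration; volumes inherited from a base image's Config (the case raised in comment 1) do not appear in the Dockerfile and are not covered.

```python
import json
import posixpath
import shlex

# Constructed sample Dockerfile; not taken from the bug report.
SAMPLE = r"""FROM scratch
# shell form, JSON form (lower-case keyword), and a continued line
VOLUME /data
volume ["/var/log", "/var/lib/app data"]
VOLUME /cache \
       /tmp/work
"""

def dockerfile_volumes(text):
    """Return every path declared by a VOLUME instruction in Dockerfile text."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # comment lines are dropped
            continue
        if line.endswith("\\"):           # backslash continues the instruction
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    logical.append(pending)               # unterminated continuation at EOF
    paths = []
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "VOLUME":
            continue
        arg = parts[1].strip()
        try:                              # JSON array form: VOLUME ["/a", "/b"]
            parsed = json.loads(arg) if arg.startswith("[") else None
        except ValueError:
            parsed = None
        if isinstance(parsed, list) and all(isinstance(p, str) for p in parsed):
            paths.extend(parsed)
        else:                             # shell form: VOLUME /a /b
            paths.extend(shlex.split(arg))
    return paths

def unmapped_volumes(text, mounted):
    """VOLUME paths that no entry in `mounted` (hypothetical mount list) backs."""
    backed = {posixpath.normpath(m) for m in mounted}
    return [v for v in dockerfile_volumes(text) if posixpath.normpath(v) not in backed]

def admit(text, mounted, policy):
    """policy 'reject' = fail on unmapped VOLUMEs; 'ignore' = allow, report them."""
    missing = unmapped_volumes(text, mounted)
    return (policy == "ignore" or not missing), missing
```

Under the "ignore" policy the returned list is the set of paths whose data would end up in the container's top read/write layer, as described in comment 6.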