Let me explain very clearly, so you fully understand why some images work, some don’t in OpenShift ๐:
๐ฏ Big Picture: OpenShift Is Different from Vanilla Kubernetes
| Topic | Kubernetes | OpenShift |
|---|---|---|
| Can run root containers? | โ Allowed by default | โ Not allowed by default (Security!) |
| Need special non-root images? | โ No | โ Yes, or modify yourself |
| Handles normal Docker images easily? | โ Yes | ๐ก Sometimes extra care needed |
| Focus | Flexible | Secure by Design |
โ
OpenShift enforces Security Context Constraints (SCC)
โ
OpenShift forces containers to run non-root by default.
๐ Why nginx-unprivileged worked but others failed?
| Image | Why it Worked / Failed |
|---|---|
nginxinc/nginx-unprivileged | โ Built specifically to run as non-root, listens on 8080 |
registry.redhat.io/rhscl/nginx-116-rhel7 | ๐ It’s a S2I base image, not runnable directly |
nginx:latest (official) | ๐ Tries to bind port 80, needs root |
bitnami/nginx | โ Works if you map to 8080 |
| Any random DockerHub NGINX | ๐ Fails unless it listens >1024 and runs non-root |
๐ The 3 Problems You Face with Most Docker Images in OpenShift
| Issue | Why Happens | How to Solve |
|---|---|---|
| Image expects to run as root | OpenShift blocks root by default | Use non-root images (unprivileged) or modify Dockerfile |
| Image tries to bind port 80 | Only root can bind ports <1024 | Configure container to listen on 8080 or higher |
| Image is an S2I base (not normal app) | Meant for building apps, not direct run | Use oc new-app + --strategy=source or use proper image |
๐ง In simple words:
- Normal Kubernetes: You can pull almost any DockerHub image and it runs.
- OpenShift: You must care about non-root and correct ports, or your app won’t run.
๐ How to Choose Images for OpenShift:
โ
Prefer images labeled as “OpenShift Ready”, “non-root”, or “unprivileged”.
โ
If using random DockerHub images:
- Make sure they don’t require root user.
- Make sure they listen on port >1024 (like 8080, 8443).
โ For NGINX specifically:
- Use
nginxinc/nginx-unprivileged(best for OpenShift). - Or customize your own nginx Dockerfile to listen on port 8080 and remove
user nginx;line.
๐ฅ Quick Visual:
| Image Type | Works Directly in OpenShift? | Extra Work Needed? |
|---|---|---|
| nginxinc/nginx-unprivileged | โ Yes | No |
| bitnami/nginx | โ Mostly | Adjust port sometimes |
| nginx:latest | โ No | Must modify (port, user) |
| registry.redhat.io/rhscl/nginx-116-rhel7 | ๐ Not direct | Use S2I build process |
| Your own custom Docker image | ๐ If root | Modify to non-root |
๐ข Final Cheat Sheet for You
| What to Check | Why Important |
|---|---|
| Running user (root or non-root) | OpenShift only allows random high UID (non-root) |
| Listening Port | Must be >1024 (8080, 8443, etc.) |
| Image type | Is it runnable app image or just a S2I builder base? |
| OpenShift SCCs (Security Context Constraints) | Forces strict security on containers |
โจ In one line:
In OpenShift, containers must be non-root, non-privileged, and ports >1024 โ otherwise they fail!
๐ Bonus
Would you also like me to give you:
- ๐ฆ How to convert any Docker image into OpenShift-ready by adjusting Dockerfile?
- ๐ฅ Full tutorial: Best practices for building OpenShift-compliant containers?
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
