Let me explain very clearly, so you fully understand why some images work and some don’t in OpenShift:

Big Picture: OpenShift Is Different from Vanilla Kubernetes
Topic | Kubernetes | OpenShift |
---|---|---|
Can run root containers? | Allowed by default | Not allowed by default (Security!) |
Need special non-root images? | No | Yes, or modify yourself |
Handles normal Docker images easily? | Yes | Sometimes extra care needed |
Focus | Flexible | Secure by Design |

- OpenShift enforces Security Context Constraints (SCC).
- OpenShift forces containers to run non-root by default.

Why nginx-unprivileged worked but others failed?
Image | Why it Worked / Failed |
---|---|
nginxinc/nginx-unprivileged | Worked: built specifically to run as non-root, listens on 8080 |
registry.redhat.io/rhscl/nginx-116-rhel7 | Failed: it’s an S2I base image, not runnable directly |
nginx:latest (official) | Failed: tries to bind port 80, needs root |
bitnami/nginx | Works if you map to 8080 |
Any random DockerHub NGINX | Fails unless it listens >1024 and runs non-root |

The 3 Problems You Face with Most Docker Images in OpenShift
Issue | Why Happens | How to Solve |
---|---|---|
Image expects to run as root | OpenShift blocks root by default | Use non-root images (unprivileged) or modify the Dockerfile |
Image tries to bind port 80 | Only root can bind ports <1024 | Configure container to listen on 8080 or higher |
Image is an S2I base (not normal app) | Meant for building apps, not direct run | Use oc new-app with --strategy=source, or use a proper image |

In simple words:
- Normal Kubernetes: You can pull almost any DockerHub image and it runs.
- OpenShift: You must care about non-root and correct ports, or your app won’t run.

How to Choose Images for OpenShift:
- Prefer images labeled as “OpenShift Ready”, “non-root”, or “unprivileged”.
- If using random DockerHub images:
  - Make sure they don’t require root user.
  - Make sure they listen on port >1024 (like 8080, 8443).
- For NGINX specifically:
  - Use nginxinc/nginx-unprivileged (best for OpenShift).
  - Or customize your own nginx Dockerfile to listen on port 8080 and remove the user nginx; line.

Quick Visual:
Image Type | Works Directly in OpenShift? | Extra Work Needed? |
---|---|---|
nginxinc/nginx-unprivileged | Yes | No |
bitnami/nginx | Mostly | Adjust port sometimes |
nginx:latest | No | Must modify (port, user) |
registry.redhat.io/rhscl/nginx-116-rhel7 | Not direct | Use S2I build process |
Your own custom Docker image | Not if it runs as root | Modify to non-root |

Final Cheat Sheet for You
What to Check | Why Important |
---|---|
Running user (root or non-root) | OpenShift only allows a random high UID (non-root) |
Listening Port | Must be >1024 (8080, 8443, etc.) |
Image type | Is it a runnable app image or just an S2I builder base? |
OpenShift SCCs (Security Context Constraints) | Enforce strict security on containers |
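
The cheat sheet above can be applied to image metadata before anything is deployed. The following is an added example, not code from the original post: it assumes JSON shaped like one element of `docker image inspect` output, uses constructed sample configs rather than data captured from the real images, and treats the `io.openshift.s2i.scripts-url` label as the marker of an S2I builder image.

```python
import json

# Constructed samples shaped like one element of `docker image inspect` output.
# They are illustrative, not captured from the real images.
SAMPLES = {
    "nginx-unprivileged-like": '{"Config": {"User": "101", "ExposedPorts": {"8080/tcp": {}}, "Labels": {}}}',
    "nginx-official-like": '{"Config": {"User": "", "ExposedPorts": {"80/tcp": {}}, "Labels": null}}',
    "s2i-builder-like": '{"Config": {"User": "1001", "ExposedPorts": {"8080/tcp": {}, "8443/tcp": {}}, '
                        '"Labels": {"io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i"}}}',
}

def check_image(inspect_json):
    """Return a list of findings for the three image checks in the cheat sheet."""
    cfg = json.loads(inspect_json).get("Config") or {}
    findings = []

    # 1. Running user: an empty USER means root; "0" and "root" are root too.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    elif not user.isdigit():
        # A named user cannot be proven non-root from metadata alone.
        findings.append(f"non-numeric USER {user!r}")

    # 2. Listening ports: follow the page's rule that ports must be >1024.
    for spec in sorted(cfg.get("ExposedPorts") or {}):
        port = int(spec.split("/")[0])
        if port <= 1024:
            findings.append(f"exposes low port {port}")

    # 3. Image type: S2I builder images carry this label by convention.
    if "io.openshift.s2i.scripts-url" in (cfg.get("Labels") or {}):
        findings.append("S2I builder image")
    return findings

def report(samples=SAMPLES):
    """Run the checks over every sample and return {name: findings}."""
    return {name: check_image(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "->", findings or "no findings")
```

EXPOSE is only declared metadata, so a clean result here does not prove the process inside the container listens on a high port; the image's own server configuration still has to be checked.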

In one line:
In OpenShift, containers must be non-root, non-privileged, and listen on ports >1024; otherwise they fail!