Failing to adapt the image to run in Openshift (k8s) as non-default (not oracle) user

[dpanassoll]

We have oracle db 19c container with some preloaded data in CI pipeline. It runs fine in VMs with docker and in AKS. But we have to migrate whole CI setup to openshift. Openshift runs all containers with random uid which must be between [1001220000, 1001229999] and, as its written here, this users group is root (gid 0).
https://docs.redhat.com/en/documentation/openshift_container_platform/3.11/html/creating_images/creating-images-guidelines#openshift-specific-guidelines

Which is a problem because default user for container is oracle with UID 54321 and the same GID. So database container fails to start.

We can replicate this problem with simple docker compose

services:
  database:
    environment:
      - DB_SERVICE_NAME=myservice
      - TZ=Europe/Warsaw
    image: myregistry/mydb:3.31.0.0.d
    container_name: oracledb19
    ports:
      - 1521:1521
    user: 1001220000:0

And error

e trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 11-JUL-2025 10:43:01

Copyright (c) 1991, 2019, Oracle.  All rights reserved.

Starting /opt/oracle/product/19c/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 19.0.0.0.0 - Production
System parameter file is /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
Log messages written to /opt/oracle/diag/tnslsnr/c1a8382da7e7/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date                11-JUL-2025 10:43:01
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
Listener Log File         /opt/oracle/diag/tnslsnr/c1a8382da7e7/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))
The listener supports no services
The command completed successfully

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Jul 11 10:43:01 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

ERROR:
ORA-12547: TNS:lost contact

Enter user-name: Enter password:
ERROR:
ORA-12547: TNS:lost contact

Enter user-name: SP2-0306: Invalid option.
Usage: CONN[ECT] [{logon|/|proxy} [AS {SYSDBA|SYSOPER|SYSASM|SYSBACKUP|SYSDG|SYSKM|SYSRAC}] [edition=value]]
where <logon> ::= <username>[/<password>][@<connect_identifier>]
      <proxy> ::= <proxyuser>[<username>][/<password>][@<connect_identifier>]
SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
The following output is now a tail of the alert.log:
2025-07-09T15:24:23.996671+00:00
PKOUR12(3):Resize operation completed for file# 11, old size 378880K, new size 384000K
2025-07-09T15:25:14.877105+00:00
Thread 1 advanced to log sequence 24 (LGWR switch)
  Current log# 3 seq# 24 mem# 0: /opt/oracle/oradata/MYPROJECT/redo03.log
2025-07-09T15:28:00.734204+00:00
Resize operation completed for file# 1, old size 921600K, new size 931840K
2025-07-09T15:30:12.421623+00:00
Thread 1 advanced to log sequence 25 (LGWR switch)
  Current log# 1 seq# 25 mem# 0: /opt/oracle/oradata/MYPROJECT/redo01.log

We tried various things, adding user to 0 guid and setting this group as /opt group, chmod 777 on /opt , but all failed the same way (as above).

The only solution which moved us a little bit further was creating oracle2 user with specific UID, adding it to the same groups as original oracle and setting it as owner of /opt

Dockerfile

# docker buildx build -t test_db:1.0 .
FROM myregistry/mydb:3.31.0.0.d

USER root
# we separated these to separate steps for debugging purposes
RUN chmod 777 -R /opt && chmod -R 777 /home/oracle && chmod -R 777 /tmp
RUN useradd -u 1001220000 -g oinstall -l -m -s /bin/bash oracle2
RUN usermod -a -G oinstall,dba,oper,backupdba,dgdba,kmdba,racdba oracle2
RUN chown -R oracle2:oinstall /opt
RUN echo 'oracle2 ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers
USER oracle2

Which still gives us some error. We need some assistance here ...

LSNRCTL for Linux: Version 19.0.0.0.0 - Production on 11-JUL-2025 13:02:11

Copyright (c) 1991, 2019, Oracle.  All rights reserved.

Starting /opt/oracle/product/19c/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 19.0.0.0.0 - Production
System parameter file is /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
Log messages written to /opt/oracle/diag/tnslsnr/b4fd48830f05/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 19.0.0.0.0 - Production
Start Date                11-JUL-2025 13:02:11
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
Listener Log File         /opt/oracle/diag/tnslsnr/b4fd48830f05/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1)))
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=0.0.0.0)(PORT=1521)))
The listener supports no services
The command completed successfully

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Jul 11 13:02:12 2025
Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> ORACLE instance started.

Total System Global Area 1610609928 bytes
Fixed Size                  9135368 bytes
Variable Size             822083584 bytes
Database Buffers          771751936 bytes
Redo Buffers                7639040 bytes
Database mounted.
Database opened.
SQL>
System altered.

SQL>
System altered.

SQL>
PL/SQL procedure successfully completed.

SQL> Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
The following output is now a tail of the alert.log:
2025-07-11T13:03:41.439665+02:00
ALTER SYSTEM SET audit_sys_operations=FALSE SCOPE=SPFILE;
2025-07-11T13:03:41.450997+02:00
ALTER SYSTEM SET audit_trail='NONE' SCOPE=SPFILE;
2025-07-11T13:03:42.067475+02:00
===========================================================
Dumping current patch information
===========================================================
No patches have been applied
===========================================================
2025-07-11T13:03:44.640935+02:00
TABLE SYS.WRP$_REPORTS: ADDED INTERVAL PARTITION SYS_P221 (5671) VALUES LESS THAN (TO_DATE(' 2025-07-12 01:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN'))
TABLE SYS.WRP$_REPORTS_DETAILS: ADDED INTERVAL PARTITION SYS_P222 (5671) VALUES LESS THAN (TO_DATE(' 2025-07-12 01:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN'))
TABLE SYS.WRP$_REPORTS_TIME_BANDS: ADDED INTERVAL PARTITION SYS_P225 (5670) VALUES LESS THAN (TO_DATE(' 2025-07-11 01:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN'))
2025-07-11T13:04:27.544971+02:00
Warning: VKTM detected a forward time drift.
Please see the VKTM trace file for more details:
/opt/oracle/diag/rdbms/MYPROJECT/MYPROJECT/trace/MYPROJECT_vktm_54.trc

[dpanassoll]

AI pointed at The listener supports no services and suggested to add these to startupDB.sh script

ALTER SYSTEM SET LOCAL_LISTENER='(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))' SCOPE=BOTH;
 ALTER SYSTEM REGISTER;

so final startDB.sh looks like this

#!/bin/bash
# LICENSE UPL 1.0
#
# Copyright (c) 1982-2016 Oracle and/or its affiliates. All rights reserved.
#
# Since: November, 2016
# Author: gerald.venzl@oracle.com
# Description: Starts the Listener and Oracle Database.
#              The ORACLE_HOME and the PATH has to be set.
#
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#

# Check that ORACLE_HOME is set
if [ "$ORACLE_HOME" == "" ]; then
  script_name=`basename "$0"`
  echo "$script_name: ERROR - ORACLE_HOME is not set. Please set ORACLE_HOME and PATH before invoking this script."
  exit 1;
fi;

# Run cron to delete traces
sudo crond -p -s
#crond -p -s

# Start Listener
lsnrctl start

# Start database and register services
sqlplus / as sysdba << EOF
   STARTUP;
   ALTER SYSTEM SET LOCAL_LISTENER='(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))' SCOPE=BOTH;
   ALTER SYSTEM REGISTER;
   ALTER SYSTEM SET audit_sys_operations=FALSE SCOPE=SPFILE;
   ALTER SYSTEM SET audit_trail=NONE SCOPE=SPFILE;
   EXEC DBMS_STATS.INIT_PACKAGE();
   EXIT;
EOF

echo "The following output is now a tail of the alert.log:"
tail -f $ORACLE_BASE/diag/rdbms/*/*/trace/alert*.log &
childPID=$!
wait $childPID

I also asked it about failing healthcheck. It suggested replacing query for DB_ROLE and few other improvements

#!/bin/bash
# LICENSE UPL 1.0
#
# Copyright (c) 1982-2022 Oracle and/or its affiliates. All rights reserved.
#
# Since: May, 2017
# Author: gerald.venzl@oracle.com
# Description: Checks the status of Oracle Database.
# Return codes: 0 = Database is healthy and ready to use
#               1 = Database role is neither PRIMARY nor STANDBY
#               2 = PDB is not open in required mode
#               3 = Sql Plus execution failed
#               4 = Observer is not running
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#

# Function to trim whitespace
trim() {
  echo "$1" | awk '{$1=$1;print}'
}

# Function to check database role: either Primary or Secondary
checkDatabaseRole() {
   # Obtain DB_ROLE using SQLPlus
   DB_ROLE=$(sqlplus -s / as sysdba << EOF
set heading off feedback off verify off pagesize 0
SELECT database_role FROM v\$database;
exit;
EOF
)
   ret=$?
   DB_ROLE=$(trim "$DB_ROLE")

   echo "DEBUG: Database role='$DB_ROLE', SQL*Plus exit code=$ret"

   if [ $ret -ne 0 ]; then
      echo "ERROR: SQL*Plus failed to get database role"
      exit 3
   fi

   if [ "$DB_ROLE" != "PRIMARY" ] && [ "$DB_ROLE" != "PHYSICAL STANDBY" ]; then
      echo "ERROR: Database role is neither PRIMARY nor PHYSICAL STANDBY"
      exit 1
   fi
}

# Function to check if at least one PDB is open in "READ WRITE" mode for Primary database
# Or in case of Secondary Database PDBs should be opened only in "READ ONLY" mode
checkPDBOpen() {
   # Obtain OPEN_MODE for PDB using SQLPlus
   PDB_OPEN_MODE=$(sqlplus -s / as sysdba << EOF
set heading off feedback off verify off pagesize 0
SELECT DISTINCT open_mode FROM v\$pdbs;
exit;
EOF
)
   ret=$?
   PDB_OPEN_MODE=$(trim "$PDB_OPEN_MODE")

   echo "DEBUG: PDB open modes='$PDB_OPEN_MODE', SQL*Plus exit code=$ret"

   if [ $ret -ne 0 ]; then
      echo "ERROR: SQL*Plus failed to get PDB open modes"
      exit 3
   fi

   if [ "$DB_ROLE" = "PRIMARY" ] && ! echo "$PDB_OPEN_MODE" | grep -q "READ WRITE"; then
      echo "ERROR: No PDB open in READ WRITE mode on PRIMARY database"
      exit 2
   elif [ "$DB_ROLE" = "PHYSICAL STANDBY" ] && ! echo "$PDB_OPEN_MODE" | grep -q "READ ONLY"; then
      echo "ERROR: PDBs not open in READ ONLY mode on PHYSICAL STANDBY database"
      exit 2
   fi
}

# Function to check that observer is running or not
checkObserver() {
   dg_observer_status=$(dgmgrl sys@"$PRIMARY_DB_CONN_STR" "show observer" << EOF
${ORACLE_PWD}
EOF
)
   if ! echo "$dg_observer_status" | grep -q 'Observer ".*"' ; then
      echo "ERROR: Data Guard observer is not running"
      exit 4
   fi
}

#############################################
################ MAIN #######################
#############################################

# Setting up ORACLE_PWD if podman secret is passed on
if [ -e '/run/secrets/oracle_pwd' ]; then
   export ORACLE_PWD="$(cat '/run/secrets/oracle_pwd')"
fi

if [ "$DG_OBSERVER_ONLY" = "true" ]; then
   checkObserver
else
   # Set ORACLE_SID from oratab and export environment variables
   ORACLE_SID="$(grep "$ORACLE_HOME" /etc/oratab | cut -d: -f1)"
   export ORACLE_SID
   export ORAENV_ASK=NO

   # Source oraenv to set Oracle environment variables
   if [ -f /usr/local/bin/oraenv ]; then
      source /usr/local/bin/oraenv
   elif [ -f /opt/oracle/product/19c/dbhome_1/bin/oraenv ]; then
      source /opt/oracle/product/19c/dbhome_1/bin/oraenv
   else
      echo "ERROR: oraenv script not found"
      exit 3
   fi

   # Debug environment
   echo "DEBUG: ORACLE_HOME=$ORACLE_HOME"
   echo "DEBUG: ORACLE_SID=$ORACLE_SID"
   echo "DEBUG: PATH=$PATH"
   echo "DEBUG: User=$(whoami) Groups=$(groups)"

   checkDatabaseRole
   checkPDBOpen
fi

exit 0

# customised:
# "as sysdbain SQL*Plus connection" - Ensures proper privileges for queries
# "SQL*Plus output clean-up commands" - Cleaner output, easier parsing
# "trimfunction" - Removes whitespace for accurate string comparison
# "Debug and error messages" - Better troubleshooting and log clarity
# "Improved PDB mode check with grep" - Handles multiple PDB modes robustly
# "Environment variable exports" - Ensures Oracle environment is correctly set
# "Conditional sourcing oforaenv" - More portable and robust environment setup
# "Debug info on environment" - Easier diagnosis of environment issues

my Dockerfile contains this

COPY custom_startDB.sh /opt/oracle/startDB.sh
COPY custom_checkDBStatus.sh /opt/oracle/checkDBStatus.sh
RUN chown -R oracleopenshift:oinstall /opt/oracle/checkDBStatus.sh /opt/oracle/startDB.sh && \
  chmod +x /opt/oracle/checkDBStatus.sh /opt/oracle/startDB.sh

It works all fine now.