Installation on OpenShift

Install / Update Deployment
1

Hello,

just discovering frappe.io and it’s a very good plateform :tada:

We are attempting to install Frappe on OpenShift, which enforces strict security rules, including:

  • Strict rootless mode

  • Users not assigned UID 1000 by default

  • /home/frappe/frappe-bench mounted as read-only, causing some commands to fail (see details below)

Nginx Root Privilege Issue

Nginx is required to run as root. I resolved this by:

  • Making /etc/nginx/conf.d writable by the group (chmod -R g+wX /etc/nginx/conf.d)

  • Using a customized nginx.conf with modifications similar to the nginx:unprivileged image (see below for details).

Stateless Image Challenges

I noticed that certain commands attempt to write to /home/frappe/frappe-bench instead of a Helm-created volume:

  • When creating a new site (bench new-site ...), a lock file is generated in /home/frappe/frappe-bench/config. Since this folder is local to the pod, does this mean the lock is ineffective if multiple jobs run in parallel, as the lock file would only exist within the individual job pod?

  • I attempted to mount a volume at /home/frappe/frappe-bench/config, but the bench command failed because the folder was no longer recognized as a bench directory. I suspect this is due to UID/GID mismatches, even though the volume was writable by the user.

  • When deleting a site, the command creates temporary archives in /home/frappe/frappe-bench before moving them to /home/frappe/frappe-bench/sites.

User UID Considerations In OpenShift, pods should run as the user/group of the namespace. This appears to impact Frappe, even when the user has write permissions to the relevant folders.

Other issue with dragonfly:
at first we try to use dragonfly ( via the provided helm chart) but we faced an reported in this bug report:

so we use redis for now.

Logs

in container, it’s a good practice to send all log to sysout/syserr. It seems that frappe logs are stored in /home/frappe/frappe-bench/sites//logs. Is there a way to redirect logs to sysout ?

Current issue

currently I can create a site but cant access to it. The issue is:

File "apps/frappe/frappe/utils/jinja_globals.py", line 137, in include_style
path = bundled_asset(path)
File "apps/frappe/frappe/utils/jinja_globals.py", line 155, in bundled_asset
path = bundled_assets.get(path) or path
^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get'
</pre>

Do you have any help on this error ?

Nginx.conf Modifications The following changes were made to nginx.conf (marked as # MODIFICATION):

worker_processes auto;
# MODIFICATION PID in /tmp
pid /tmp/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
# MODIFICATION User mode
user frappe;

events {
	worker_connections 768;
	# multi_accept on;
}

http {
    # MODIFICATION paths in /tmp
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;
OpenShift - nginx not running as root, /home/frappe/frappe-bench in read only mode,...