Testcontainer inside Openshift - Docker Non-root

[quentingosset]

Hello everyone,

I am facing a problem that is bothering me quite a bit, and I am not keen on the alternative of using an external database.
My problem is as follows:
I have a CICD under GitLab via GitLab runners (https://docs.gitlab.com/runner/configuration/configuring_runner_operator/), all installed on OpenShift. As you can see, GitLab Runner Operator and GitLab Runner pod run as non-root users. So I'm facing a problem because when I try to launch testcontainer on my pipeline, I get the error “could not find a valid Docker environment.” This is normal because after running a few tests, I have absolutely no Docker created. Is there a way to work around this problem with a “non-root” mode of Docker in TestContainer? I found this docker:dind-rootless while trying to add it as a complement to TestContainer, but it doesn't seem to work.

Does anyone have any ideas?
Thanks

[rameshreddy-adutla]

I've dealt with this exact issue running TestContainers in OpenShift CI pipelines. The core problem is that OpenShift runs containers as non-root with a random UID, which conflicts with how Docker/Podman expects to operate.

Solutions (pick one)

Option 1: Use Podman as the container runtime (Recommended for OpenShift)

TestContainers 2.x supports Podman natively. In your OpenShift pipeline:

# testcontainers.properties or environment variables
docker.host=unix:///run/podman/podman.sock
testcontainers.ryuk.disabled=true
ryuk.container.privileged=false

And in your GitLab CI config, use a Podman-enabled image:

image: quay.io/podman/stable
script:
  - podman system service -t 0 unix:///run/podman/podman.sock &
  - ./gradlew test

Option 2: Docker-in-Docker (DinD) with privileged SCC

If you must use Docker, you need the Docker socket or a DinD sidecar:

# OpenShift - grant the anyuid SCC to the service account
oc adm policy add-scc-to-user anyuid -z gitlab-runner -n your-namespace

Then mount the Docker socket or run DinD as a sidecar.

Option 3: Disable Ryuk + use pre-started containers

Ryuk (the cleanup container) often fails in restricted environments:

TESTCONTAINERS_RYUK_DISABLED=true
DOCKER_HOST=tcp://docker-in-docker-service:2375

Option 4: Skip TestContainers in CI, use real services

In OpenShift, you often already have PostgreSQL/Redis/Kafka as services. Use a test profile that connects to those instead:

# application-ci.properties
quarkus.datasource.jdbc.url=jdbc:postgresql://postgresql:5432/testdb

What I'd recommend

For OpenShift specifically, Option 1 (Podman) is the cleanest. Podman is rootless by design and is the default container runtime in OpenShift 4.x anyway. TestContainers 2.x has much better Podman support than 1.x.