Cognigy / cognigy-live-agent-helm-chart

Kubernetes Helm Chart to deploy Cognigy Live Agent into modern cloud environments.

getting permission denied issues when running as non root #6

Open spielkind opened 2 years ago

spielkind commented 2 years ago

When running the containers with this securityContext:

podSecurityContext:
  fsGroup: 2000

securityContext:
  capabilities:
    drop:
    - ALL
  runAsNonRoot: true
  runAsUser: 1000

we get these issues:

app-deployment:

+ BUNDLE='bundle check'
+ bundle check
The Gemfile's dependencies are satisfied
+ exec bundle exec rails s -p 3000 -b 0.0.0.0
docker/entrypoints/rails.sh: line 34: can't create ./log/prometheus_exporter.log: Permission denied
=> Booting Puma
=> Rails 6.1.5.1 application starting in production 
=> Run `bin/rails server --help` for more startup options
Exiting
/usr/local/lib/ruby/3.0.0/fileutils.rb:253:in `mkdir': Permission denied @ dir_s_mkdir - /app/tmp/cache (Errno::EACCES)
    from /usr/local/lib/ruby/3.0.0/fileutils.rb:253:in `fu_mkdir'
    from /usr/local/lib/ruby/3.0.0/fileutils.rb:231:in `block (2 levels) in mkdir_p'
    from /usr/local/lib/ruby/3.0.0/fileutils.rb:229:in `reverse_each'
    from /usr/local/lib/ruby/3.0.0/fileutils.rb:229:in `block in mkdir_p'
    from /usr/local/lib/ruby/3.0.0/fileutils.rb:211:in `each'
    from /usr/local/lib/ruby/3.0.0/fileutils.rb:211:in `mkdir_p'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands/server/server_command.rb:72:in `block in create_tmp_directories'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands/server/server_command.rb:71:in `each'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands/server/server_command.rb:71:in `create_tmp_directories'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands/server/server_command.rb:35:in `start'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands/server/server_command.rb:144:in `block in perform'
    from <internal:kernel>:90:in `tap'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands/server/server_command.rb:135:in `perform'
    from /gems/ruby/3.0.0/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
    from /gems/ruby/3.0.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
    from /gems/ruby/3.0.0/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/command/base.rb:69:in `perform'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/command.rb:48:in `invoke'
    from /gems/ruby/3.0.0/gems/railties-6.1.5.1/lib/rails/commands.rb:18:in `<main>'
    from /gems/ruby/3.0.0/gems/bootsnap-1.10.3/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:30:in `require'
    from /gems/ruby/3.0.0/gems/bootsnap-1.10.3/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:30:in `require'
    from bin/rails:4:in `<main>'

worker-deployment:

+ exec bundle exec sidekiq -C config/sidekiq.yml
docker/entrypoints/sidekiq.sh: line 6: can't create ./log/prometheus_exporter.log: Permission denied
E, [2022-06-21T16:04:17.209340 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
W, [2022-06-21T16:04:17.237576 #1]  WARN -- : [PlatformAppToken] COGNIGY_PLATFORM_APP_TOKEN not present
2022-06-21T16:04:17.241Z pid=1 tid=5wt INFO: Booting Sidekiq 6.4.1 with redis options {:url=>"redis://:REDACTED@cognigy-live-agent-redis-master:6379", :password=>"REDACTED", :reconnect_attempts=>2, :network_timeout=>5}
E, [2022-06-21T16:04:17.719756 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
E, [2022-06-21T16:04:18.223671 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
2022-06-21T16:04:18.273Z pid=1 tid=5wt INFO: Cron Jobs - added job with name: internal_check_new_versions_job
2022-06-21T16:04:18.285Z pid=1 tid=5wt INFO: Cron Jobs - added job with name: trigger_scheduled_items_job
2022-06-21T16:04:18.291Z pid=1 tid=5wt INFO: Cron Jobs - added job with name: trigger_imap_email_inboxes_job
E, [2022-06-21T16:04:18.886629 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
E, [2022-06-21T16:04:19.387823 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
W, [2022-06-21T16:04:19.436823 #1]  WARN -- : Creating scope :open. Overwriting existing method Conversation.open.
E, [2022-06-21T16:04:19.888763 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
E, [2022-06-21T16:04:20.390536 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
E, [2022-06-21T16:04:20.894459 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
E, [2022-06-21T16:04:21.577239 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002
2022-06-21T16:04:21.661Z pid=1 tid=5wt INFO: Booted Rails 6.1.5.1 application in production environment
2022-06-21T16:04:21.661Z pid=1 tid=5wt INFO: Running in ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-musl]
2022-06-21T16:04:21.661Z pid=1 tid=5wt INFO: See LICENSE and the LGPL-3.0 for licensing details.
2022-06-21T16:04:21.661Z pid=1 tid=5wt INFO: Upgrade to Sidekiq Pro for more features and support: https://sidekiq.org
E, [2022-06-21T16:04:22.077904 #1] ERROR -- : Prometheus Exporter, failed to send message Address not available - connect(2) for "localhost" port 8002

Nachox07 commented 2 years ago

Thanks for reporting this issue. It will be fixed in the upcoming releases of the Cognigy Live Agent Helm Chart. I will update the ticket then.

spielkind commented 2 years ago

Also, when running the migration job as nonroot, the "init-posgres" fails because no user is set:

cognigy-live-agent-postgresql:5432 - no attempt
cognigy-live-agent-postgresql:5432 - no attempt
cognigy-live-agent-postgresql:5432 - no attempt
cognigy-live-agent-postgresql:5432 - no attempt
cognigy-live-agent-postgresql:5432 - no attempt

Either support an appuser in all images, or add the -U flag to pg_isready.
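
One way to keep the restricted securityContext from this thread while giving the process writable paths, shown as an added example that is not part of the issue thread or the chart's own templates. It assumes `./log` resolves to `/app/log` (the stack trace shows the app under `/app`); the resource names, images, the `PG_USER` variable and its value are hypothetical placeholders.

```yaml
# Added example: plain Kubernetes Deployment, not the chart's templates.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: live-agent-app                    # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels: {app: live-agent-app}
  template:
    metadata:
      labels: {app: live-agent-app}
    spec:
      securityContext:
        fsGroup: 2000                     # emptyDir volumes below become writable for GID 2000
      initContainers:
        - name: wait-for-postgres         # hypothetical name
          image: postgres:14-alpine       # hypothetical choice; any image that ships pg_isready
          securityContext: &restricted    # YAML anchor, reused by the app container
            capabilities: {drop: [ALL]}
            runAsNonRoot: true
            runAsUser: 1000
          env:
            - name: PG_USER               # hypothetical variable
              value: postgres             # hypothetical role name
          command:
            - sh
            - -c
            # -U passes the user name explicitly, as suggested in the last comment
            - until pg_isready -h cognigy-live-agent-postgresql -p 5432 -U "$PG_USER"; do sleep 2; done
      containers:
        - name: app
          image: example.invalid/live-agent:placeholder   # placeholder image reference
          securityContext: *restricted
          volumeMounts:
            - {name: app-log, mountPath: /app/log}   # assumed target of ./log/prometheus_exporter.log
            - {name: app-tmp, mountPath: /app/tmp}   # Rails creates /app/tmp/cache here
      volumes:
        - {name: app-log, emptyDir: {}}
        - {name: app-tmp, emptyDir: {}}
```

An emptyDir mounted over `/app/log` or `/app/tmp` hides whatever the image ships at those paths, and its contents are lost when the pod is removed.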