Open francoisserra opened 5 years ago
I think this is the first report of this issue. The examples here all work and don't require special privileges.
Those examples don't work for you when tried verbatim?
@apurvam : The examples you mention work well on my local machine but not on the OpenShift cluster of my company, because the confluentinc/cp-ksql-server:5.0.1 image runs by default as the root user. My company's cluster has a security constraint that prevents containers from being run as root (the user inside the container). I have created an issue in confluentinc/cp-helm-charts (see https://github.com/confluentinc/cp-helm-charts/issues/173#issuecomment-437449997), and @maxzheng pointed me to the relevant OpenShift doc: https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines. This doc says "For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group."
My aim is to make a PR in cp-helm-charts that fixes https://github.com/confluentinc/cp-helm-charts/issues/173, but I must ensure the cp-ksql-server image is compliant with a hardened OpenShift cluster.
You can easily reproduce this from your example with the latest 5.1.0 image by launching the container as an arbitrary user that belongs to the root group, e.g.:
docker run --user=1000 --group-add=0 -p 127.0.0.1:8088:8088 \
  -e KSQL_BOOTSTRAP_SERVERS=localhost:9092 \
  -e KSQL_LISTENERS=http://0.0.0.0:8088/ \
  -e KSQL_KSQL_SERVICE_ID=confluent_test_2 \
  confluentinc/cp-ksql-server:5.1.0
==> ENV Variables ...
COMPONENT=ksql-server
CUB_CLASSPATH="/usr/share/java/cp-base-new/*"
HOME=/
HOSTNAME=8f83365fa394
KSQL_BOOTSTRAP_SERVERS=localhost:9092
KSQL_CLASSPATH=/usr/share/java/ksql-server/*
KSQL_KSQL_SERVICE_ID=confluent_test_2
KSQL_LISTENERS=http://0.0.0.0:8088/
LANG=C.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
_=/usr/bin/env
===> User
uid=1000 gid=0(root) groups=0(root)
===> Configuring ...
Command [/usr/local/bin/dub path /etc/ksql-server/ writable] FAILED !
@apurvam any updates on this since @francoisserra provided additional details? I am seeing the same issue in a Kubernetes environment where root user usage is prohibited. Updating the chart to run as a non-root user produces the same error.
I'm having the same problem. Any update on this?
Seems an OpenShift-related problem as the container runs privileged. Same issue on Minishift 3.11.
We use OpenShift 3.11 and faced the same issue. Our solution is to wrap the image like this:
FROM confluentinc/cp-ksql-server:5.2.0
RUN mkdir -p /etc/ksql-server/ && chmod -R g+rw /etc/ksql-server/
RUN mkdir -p /usr/logs/ && chmod -R g+rw /usr/logs/
I would prefer if it is done in the main image.
Another one here... same issue.
Still not working without root privilege, please fix.
Still facing the issue with cp-zookeeper too.
Solved it by adding a user securityContext in the deployment config:
<-- code snippet--->
spec:
  serviceAccountName: "<service account>"
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
  containers:
The ksql process runs as user appuser:
sh-4.4$ cat /etc/passwd |grep appuser
appuser:x:1000:1000::/home/appuser:/bin/bash
sh-4.4$ ls -l /etc/ksqldb-server/
total 12
-rw-r--r--. 1 appuser appuser 574 Nov 4 18:01 connect.properties
-rw-r--r--. 1 appuser appuser 811 Nov 4 18:01 ksqldb-server.properties
-rw-r--r--. 1 appuser appuser 350 Nov 4 18:01 log4j.properties
drwxr-xr-x. 2 appuser appuser 6 Nov 21 2020 secrets
sh-4.4$ ps -ef |grep ksql
appuser 1 0 1 18:01 ? 00:00:14 java -cp /usr/share/java/confluent-security/ksql/:/usr/share/java/confluent-telemetry/:/usr/share/java/confluent-common/:/usr/share/java/ksqldb-server/ -Xms512M -Xmx512M -server -XX:+UseConcMarkSweepGC -XX:+CMSClassUnloadingEnabled -XX:+CMSScavengeBeforeRemark -XX:+ExplicitGCInvokesConcurrent -XX:NewRatio=1 -Djava.awt.headless=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.port=5555 -Dksql.log.dir=/usr/logs -Dlog4j.configuration=file:/etc/ksqldb-server/log4j.properties -Dksql.server.install.dir=/usr -Xlog:gc*:file=/usr/logs/ksql-server-gc.log:time,tags:filecount=10,filesize=102400 io.confluent.ksql.rest.server.KsqlServerMain /etc/ksqldb-server/ksqldb-server.properties
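The OpenShift guideline quoted earlier (root group ownership plus group write) is what the `dub path ... writable` check trips over, and it also explains why the wrapper Dockerfile's `chmod -R g+rw` works while an image whose files belong to a fixed uid 1000 only works when the pod happens to run as that uid. The following check, an added example that is not code from this thread or from the Confluent images, evaluates `ls -ldn` output against that rule; the sample listings and the assumed root:root 0755 mode of the stock directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Confluent images): decide whether a
# directory satisfies the OpenShift arbitrary-UID rule, i.e. it is owned by the
# root group (gid 0) and group-writable, so a container started as any uid with
# --group-add=0 (or a random SCC-assigned uid) can write to it.

# Check one line of `ls -ldn` output (numeric uid and gid).
# Prints ok/fail with the reason; returns 0 on pass, 1 on fail.
check_ls_line() {
    set -- $1                      # mode links uid gid size mon day time name
    mode=$1 uid=$3 gid=$4 name=$9
    group_w=$(printf '%s' "$mode" | cut -c6)   # 6th char of drwxrwxr-x = group write
    if [ "$gid" != 0 ]; then
        echo "fail $name: owned by uid $uid gid $gid, not the root group (0)"
        return 1
    fi
    if [ "$group_w" != w ]; then
        echo "fail $name: mode $mode lacks group write (needs chmod g+w)"
        return 1
    fi
    echo "ok   $name: mode $mode, gid 0; any uid in the root group can write"
}

# Check a live path inside a running container, e.g. check_path /etc/ksql-server
check_path() {
    check_ls_line "$(ls -ldn "$1")"
}

# Constructed sample listings for the three layouts discussed in the thread.
# Stock image directory, assumed root:root 0755 (the layout dub rejects):
check_ls_line "drwxr-xr-x 2 0 0 4096 Nov 21 2020 /etc/ksql-server"
# Same directory after the wrapper Dockerfile's chmod -R g+rw:
check_ls_line "drwxrwxr-x 2 0 0 4096 Nov 21 2020 /etc/ksql-server"
# appuser-owned layout (uid/gid 1000): works under runAsUser: 1000 but fails
# the arbitrary-UID rule, so securityContext alone does not help when the
# platform picks the uid:
check_ls_line "drwxr-xr-x 2 1000 1000 6 Nov 21 2020 /etc/ksqldb-server/secrets"
```

Run `check_path /etc/ksql-server` from a shell inside the image to test a real directory rather than the constructed lines.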
Same issue here, securityContext doesn't help.
Also having the same issue with ksqldb on ROSA 4.10 OpenShift.
This is still an issue at the end of 2023. It is especially frustrating when attempting to install kSQL using the official Helm chart, which doesn't even support specifying a custom securityContext.
The KSQL-server container won't start with a non-privileged user (e.g. to start in an OpenShift cluster with the MustRunAsNonRoot setting) because the path /etc/ksql-server lacks group write permission:
docker run --user=104 --group-add=0 --rm confluentinc/cp-ksql-server:5.0.1
...Command [/usr/local/bin/dub path /etc/ksql-server/ writable] FAILED !