elastic / elasticsearch-docker

Official Elasticsearch Docker image
Apache License 2.0

The user of docker.elastic.co/elasticsearch/elasticsearch:6.4.2 is root #204

Closed hiroshi closed 5 years ago

hiroshi commented 5 years ago

Bug Description

Feature Description

hiroshi commented 5 years ago

As a workaround for "can not run elasticsearch as root" on a Kubernetes cluster:

      containers:
      - image: docker.elastic.co/elasticsearch/elasticsearch:6.4.2
        securityContext:
          runAsUser: 1000
        ...
xeraa commented 5 years ago

Thanks for opening the issue. But what's the expected outcome? This should be changed, better documented,...?

I think the commit that changed the behavior was https://github.com/elastic/elasticsearch-docker/commit/0abc1f8ca2e43062646e733d3c3d920f719a1aa7 when we switched from CMD to ENTRYPOINT (you have a good description in the commit why). And we are pretty explicit about it in the docs (without mentioning Kubernetes setups specifically for now): https://www.elastic.co/guide/en/elasticsearch/reference/6.4/docker.html#_b_bind_mounted_configuration

hiroshi commented 5 years ago

The commit, 0abc1f8, seems to affect 6.4.0 or later, but 6.3.0 gives the same result. (I'm sorry if the GitHub tags don't match the Docker image tags...)

$ docker run --rm -ti docker.elastic.co/elasticsearch/elasticsearch:6.3.0 whoami 
root

The commit message doesn't mention the change of the effective user of the Docker image.

Also, in the document you mentioned: https://www.elastic.co/guide/en/elasticsearch/reference/6.4/docker.html#_b_bind_mounted_configuration

The container runs Elasticsearch as user elasticsearch using uid:gid 1000:1000.

I think this means that the container will run the elasticsearch process in a container as the user elasticsearch.

But what's the expected outcome? This should be changed, better documented,...?

As a user of elasticsearch Docker images, of course not a developer of them, I expected that elasticsearch Docker images run as user elasticsearch by default. Sorry, I thought it must be obvious...

dliappis commented 5 years ago

@hiroshi The reason for the confusion is that the entrypoint script implements some conditional logic on what gets executed as 1000:0 and your whoami command just happens to run as 0:0.

In short, if the user runs the image as is, it will execute elasticsearch as uid:gid 1000:0.

Additionally, it will make an effort to ensure elasticsearch runs as 1000:0 even if the image's default CMD gets overridden.

In all other cases though, like specifying /bin/bash as CMD, which is what you are doing with docker run -ti docker.elastic.co/elasticsearch/elasticsearch:6.4.2 /bin/bash, the entrypoint will just execute things as the default user, i.e. 0:0.

If you really want to exec /bin/bash using the same uid:gid used by Elasticsearch, just use docker exec -u 1000:0 -ti docker.elastic.co/elasticsearch/elasticsearch:6.4.2.

If you just want to verify that the Elasticsearch process runs with the right uid:gid, just try:

$ docker run -d --name estest --rm docker.elastic.co/elasticsearch/elasticsearch:6.4.2
43bd7436830cda3d4722976472afa2f1fec5236e7568e51159c6ced0e8a0ce5e
$ docker exec -ti estest /bin/bash -c 'ps -o uid,gid 1'
  UID   GID
 1000     0
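A simplified model of the conditional logic described above, written as an added example rather than the image's real docker-entrypoint.sh: it decides which uid:gid a given command ends up with, and parses the ps output used for verification. It assumes the intended service identity is 1000:0 and that the real image has a privilege-dropping tool available when it starts as root.

```shell
#!/bin/sh
# Added example; not the image's own entrypoint. Models the decision:
# root + default/elasticsearch command -> drop to 1000:0, anything else -> unchanged.
ES_UID=1000
ES_GID=0

# decide_user CURRENT_UID CURRENT_GID CMD
# Prints the uid:gid the command would run as under this model.
decide_user() {
  cur_uid="$1"
  cur_gid="$2"
  cmd="$3"
  if [ "$cur_uid" != "0" ]; then
    # Not root (e.g. Kubernetes runAsUser: 1000): there is nothing to drop,
    # so the command keeps the caller's identity.
    printf '%s:%s\n' "$cur_uid" "$cur_gid"
    return 0
  fi
  case "$cmd" in
    ""|elasticsearch|*/elasticsearch)
      # Default CMD, or an explicit elasticsearch command: drop to 1000:0.
      printf '%s:%s\n' "$ES_UID" "$ES_GID"
      ;;
    *)
      # Any other command (whoami, /bin/bash, ...) keeps the container's
      # default user, which is why the whoami test in the thread prints root.
      printf '0:0\n'
      ;;
  esac
}

# uid_from_ps PS_OUTPUT
# Given the two-line output of `ps -o uid,gid 1`, prints the UID of PID 1.
uid_from_ps() {
  printf '%s\n' "$1" | awk 'NR==2 { print $1 }'
}

# pid1_is_nonroot PS_OUTPUT -> exit 0 when PID 1 is not uid 0.
pid1_is_nonroot() {
  [ "$(uid_from_ps "$1")" != "0" ]
}

decide_user 0 0 whoami   # prints 0:0
decide_user 0 0 ""       # prints 1000:0
```

Note that a Kubernetes `command:` replaces the image's ENTRYPOINT (while `args:` replaces CMD), so a pod spec that sets `command:` bypasses this logic entirely and the process starts as the container's default user.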
hiroshi commented 5 years ago

@dliappis Thanks for your reply.

My bad, I posted an oversimplified symptom. I see the entrypoint script does the trick.

I posted this issue because I observed a launch failure: can not run elasticsearch as root.

$ kubectl logs kibana-es-0
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
OpenJDK 64-Bit Server VM warning: UseAVX=2 is not supported on this CPU, setting it to UseAVX=1
[2018-10-06T08:14:45,806][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [kibana-es-0] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:140) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:127) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.4.2.jar:6.4.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.4.2.jar:6.4.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:93) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:86) ~[elasticsearch-6.4.2.jar:6.4.2]
Caused by: java.lang.RuntimeException: can not run elasticsearch as root
    at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:104) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:171) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.2.jar:6.4.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.2.jar:6.4.2]
    ... 6 more

It seems the cause is my command spec. It works with the elasticsearch Docker image 5.4.1.

        command:
        - 'elasticsearch'
        - '-Ediscovery.zen.ping.unicast.hosts=kibana-es'
        - '-Ediscovery.zen.minimum_master_nodes=2'

I'll remove command and specify those arguments as environment variables.