google / cadvisor

Analyzes resource usage and performance characteristics of running containers.

Why root user for cAdvisor? #2452

Open stevebail opened 4 years ago

stevebail commented 4 years ago

Hi @dashpole I hope all is well.

I have inspected the docker container produced by the cAdvisor daemonset. This is what I found:

- Privileged: false --> OK
- Read access to /var/run, /sys, /var/lib/docker, /rootfs --> OK
- user: 0 (root) --> Why

Why is root needed? Is it actually required for read access to host filesystem?

carlbordum commented 4 years ago

I believe it is needed to read /var/lib/docker :-)

dashpole commented 4 years ago

Is it root in the container, or root on the host?

stevebail commented 4 years ago

It is root in the container that is running on the host. See line 215 in the attached PDF file. docker cadvisor.pdf

navidsh commented 3 years ago

Just curious about this one too. Is there any update on this issue?

vin01 commented 2 years ago

It also does not collect container metrics if you run docker with user namespace enabled (which one should in a production environment) because of the same limitation.
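The inspection from the first comment, together with the user-namespace setting raised in the last one, written as a repeatable check over `docker inspect` output. This is an added example, not part of the original thread or the cAdvisor project; the sample JSON is constructed and the helper names `runs_as_root` and `audit` are hypothetical.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a cAdvisor-style
# container. Values are illustrative, not taken from the PDF in the thread.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/cadvisor",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "UsernsMode": ""},
  "Mounts": [
    {"Source": "/", "Destination": "/rootfs", "RW": false},
    {"Source": "/var/run", "Destination": "/var/run", "RW": false},
    {"Source": "/sys", "Destination": "/sys", "RW": false},
    {"Source": "/var/lib/docker", "Destination": "/var/lib/docker", "RW": false}
  ]
}]
""")


def runs_as_root(user):
    """Config.User is '', 'uid', 'uid:gid' or a name; '' means uid 0."""
    uid = user.split(":", 1)[0]
    return uid in ("", "0", "root")


def audit(container):
    """Return a list of findings for one entry of `docker inspect` output."""
    host = container.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if runs_as_root(container.get("Config", {}).get("User", "")):
        # Without user-namespace remapping, uid 0 here is uid 0 on the host.
        findings.append("root-in-container")
    if host.get("UsernsMode") == "host":
        # This container opts out of daemon-level user-namespace remapping.
        findings.append("userns-host")
    for mount in container.get("Mounts", []):
        if mount.get("RW"):
            findings.append("writable-mount:" + mount["Destination"])
    return findings


if __name__ == "__main__":
    for entry in SAMPLE_INSPECT:
        print(entry["Name"], audit(entry))
```

Against a live host, feed it `json.loads` of the output of `docker inspect <container>`; whether the daemon itself remaps user namespaces is reported by `docker info`, not by the per-container record.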