Open iiidddaaannn102 opened 3 years ago
LibreNMS has nothing to do with s6 and will work perfectly fine despite these errors. I'm unsure if it is even used in the image. Probably can be resolved in the docker image though.
Cool.. so how do I do it? Do you have a best practice for that?
@murrant
s6 is used in this image through s6-overlay to be able to manage services.
I'm having issues when the container is on init (running /init) and there are a lot of "Operation not permitted" errors on the /var/run/s6 directory.
If you have a read-only root fs you might need to follow these steps.
Hello @crazy-max,
I have the same issue as @iiidddaaannn102 about permissions for s6.
I am trying to deploy LibreNMS into my company's EKS cluster, with the same problem regarding the non-root user restriction.
Even with the variable "S6_READ_ONLY_ROOT" set, the container encounters an error concerning s6:
s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Permission denied
Here is my deployment manifest:

```yaml
apiVersion: apps/v1  # not in the posted snippet; required for a Deployment to apply
kind: Deployment
metadata:
  name: librenms-deployment
  namespace: nms
spec:
  selector:
    matchLabels:
      app: nms_webui
  replicas: 1
  template:
    metadata:
      labels:
        app: nms_webui
    spec:
      containers:
        - name: librenms
          image: librenms/librenms:21.4.0
          ports:
            - containerPort: 8000
          env:
            - name: S6_READ_ONLY_ROOT
              value: '1'
          resources:
            requests:
              memory: "250Mi"
              cpu: "500m"
            limits:
              memory: "250Mi"
              cpu: "500m"
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
          volumeMounts:
            - name: application-volume
              mountPath: /opt/librenms
            - name: application-socket
              mountPath: /sock
            - name: application-volume
              mountPath: /var
      volumes:
        - name: application-volume
          emptyDir: {}
        - name: application-socket
          emptyDir:
            medium: Memory
```
I suspect the variable "S6_READ_ONLY_ROOT" is not being taken into account... Could you confirm that setting this variable is enough for a non-root environment, or whether something else is required?
Thank you
Hello,
Does anyone have an idea of how a docker stack can be started with no root rights?
If more information is needed, don't hesitate to ask me ;)
Thank you!
I'm running into this same issue, which, given our organizational policies, makes this a blocker for us. Can someone please advise whether this is a configuration problem, requires development, or is a won't-fix issue?
To summarize the problem: when forcing the pod to run as a non-root user using securityContext: runAsNonRoot: true
the pod crashes with: s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Read-only file system
What does runAsNonRoot do? LibreNMS always runs without root privileges. Or does that mean s6 runs without root? Not sure how that would work.
Perhaps if /run is writable (mounted as tmpfs), /var/run is linked to it, and S6_READ_ONLY_ROOT is set, that would be enough.
https://github.com/just-containers/s6-overlay#read-only-root-filesystem
Probably not though as s6 sets up the other services. Perhaps this could be distilled down to a feature request to run with a read-only file system.
Basically, it requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. This ensures the container is not running as UID 0.
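The two points made above, the suggested read-only-root setup (writable /run, S6_READ_ONLY_ROOT set) and what runAsNonRoot actually enforces, can be turned into a pre-flight check that runs against a pod spec before it is submitted. The following is an added example written for this thread; it is not code from the LibreNMS image, from s6-overlay or from Kubernetes. `run_as_non_root_verdict` follows the rule the kubelet applies for runAsNonRoot (a non-zero runAsUser, otherwise a numeric non-zero USER in the image; a missing or named USER cannot be verified and is rejected). `read_only_root_findings` is a hand-written, assumed lint for the prerequisites discussed above and does not guarantee that s6-overlay will start. The two manifests embedded in it are constructed: one mirrors the container posted earlier in this thread, the other is a variant following the suggestion above and assumes the image links /var/run to /run.

```python
"""Pre-flight checks for running an s6-overlay image (such as librenms/librenms)
as a non-root user on Kubernetes.  Added example for this thread; the manifests
below are constructed, and the read-only-root lint is an assumption, not a
statement of how s6-overlay or the LibreNMS image behaves."""


def _env(container, name):
    """Value of a plain 'value:' env entry on the container, or None."""
    for entry in container.get("env", []):
        if entry.get("name") == name:
            return entry.get("value")
    return None


def effective_run_as_user(pod_spec, container):
    """Container-level securityContext overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get("runAsUser", psc.get("runAsUser"))


def effective_run_as_non_root(pod_spec, container):
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get("runAsNonRoot", psc.get("runAsNonRoot", False))


def run_as_non_root_verdict(pod_spec, container, image_user=""):
    """Return (ok, reason) for the runAsNonRoot rule.

    image_user is the image's USER directive as a string: "" when absent,
    "1000", "1000:1000", or a name such as "librenms".  The kubelet can only
    verify a numeric UID, so a name or an absent USER is rejected."""
    if not effective_run_as_non_root(pod_spec, container):
        return True, "runAsNonRoot not requested"
    uid = effective_run_as_user(pod_spec, container)
    if uid is not None:
        if uid == 0:
            return False, "runAsUser 0 breaks the non-root policy"
        return True, "runAsUser %d is non-zero" % uid
    user = image_user.split(":")[0]
    if user == "":
        return False, "image has no USER, so it would run as root"
    if not user.isdigit():
        return False, "image USER %r is non-numeric, cannot verify non-root" % user
    if int(user) == 0:
        return False, "image USER is 0"
    return True, "image USER %s is numeric and non-zero" % user


def read_only_root_findings(pod_spec, container):
    """Assumed lint for the read-only-root prerequisites discussed in the
    thread: S6_READ_ONLY_ROOT=1, a writable /run or /var/run when the root
    filesystem is read-only, and nothing mounted over /var (a volume mounted
    there hides the image's /var/run, which s6-overlay needs)."""
    findings = []
    mounts = {m["mountPath"].rstrip("/") or "/" for m in container.get("volumeMounts", [])}
    if _env(container, "S6_READ_ONLY_ROOT") != "1":
        findings.append("S6_READ_ONLY_ROOT is not set to '1'")
    csc = container.get("securityContext") or {}
    if csc.get("readOnlyRootFilesystem") and not ({"/run", "/var/run"} & mounts):
        findings.append("readOnlyRootFilesystem without a writable /run or /var/run mount")
    if "/var" in mounts:
        findings.append("a volume mounted at /var hides the image's /var/run, which s6-overlay uses")
    return findings


# Constructed: the container section of the manifest posted earlier in the thread.
POSTED = {
    "containers": [{
        "name": "librenms",
        "image": "librenms/librenms:21.4.0",
        "env": [{"name": "S6_READ_ONLY_ROOT", "value": "1"}],
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000},
        "volumeMounts": [
            {"name": "application-volume", "mountPath": "/opt/librenms"},
            {"name": "application-socket", "mountPath": "/sock"},
            {"name": "application-volume", "mountPath": "/var"},
        ],
    }],
    "volumes": [{"name": "application-volume", "emptyDir": {}},
                {"name": "application-socket", "emptyDir": {"medium": "Memory"}}],
}

# Constructed variant following the suggestion in the thread: read-only root,
# tmpfs-backed emptyDir at /run, S6_READ_ONLY_ROOT=1.  Assumes the image links
# /var/run to /run; whether this is enough for s6-overlay is the open question.
SUGGESTED = {
    "containers": [{
        "name": "librenms",
        "image": "librenms/librenms:21.4.0",
        "env": [{"name": "S6_READ_ONLY_ROOT", "value": "1"}],
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                            "runAsGroup": 1000, "readOnlyRootFilesystem": True},
        "volumeMounts": [{"name": "run", "mountPath": "/run"},
                         {"name": "data", "mountPath": "/opt/librenms"}],
    }],
    "volumes": [{"name": "run", "emptyDir": {"medium": "Memory"}},
                {"name": "data", "emptyDir": {}}],
}


def check(pod_spec, image_user=""):
    """Verdict and lint findings for every container in the (template) pod spec."""
    return {c["name"]: (run_as_non_root_verdict(pod_spec, c, image_user),
                        read_only_root_findings(pod_spec, c))
            for c in pod_spec["containers"]}


if __name__ == "__main__":
    for label, spec in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, check(spec))
```

The image USER is passed in by hand because the kubelet reads it from the image config at pod start, not from the manifest; `docker inspect --format '{{.Config.User}}' librenms/librenms:21.4.0` shows what it would see.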
Hi, because I cannot use a root user in my company, I tried to run the docker image with other users (the librenms user and more). I'm having issues when the container is on init (running /init) and there are a lot of "Operation not permitted" errors on the /var/run/s6 directory. I tried to use the PUID and PGID env variables, and to give the user permissions on s6 recursively and to commit the image, but every time the base librenms image is on init, it runs /init and the issue happens again. The documentation mentions the feature "non-root user" - so how do I do it?
Thanks all