linuxserver / docker-heimdall

GNU General Public License v3.0

Heimdall doesn't run rootless (Kubernetes) #115

Closed ArthurVardevanyan closed 1 year ago

ArthurVardevanyan commented 1 year ago

Desired Behavior

Heimdall should be able to run rootless with random UIDs.

Current Behavior

Heimdall requires root.

Alternatives Considered

Currently running as root.

Details:

Heimdall doesn't run rootless on Kubernetes with proper SecurityContexts. When providing root, the container works just fine.

Error

s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
s6-mkdir: warning: unable to mkdir /run/s6: Permission denied
s6-mkdir: warning: unable to mkdir /run/service: Permission denied
s6-overlay-suexec: fatal: child failed with exit code 11

Yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: heimdall
  namespace: heimdall
  labels:
    app: heimdall
    app.kubernetes.io/instance: heimdall
spec:
  replicas: 1
  serviceName: heimdall-service
  selector:
    matchLabels:
      app: heimdall
  revisionHistoryLimit: 0
  template:
    metadata:
      labels:
        app: heimdall
      annotations:
        enable.version-checker.io/heimdall: "true"
        pin-major.version-checker.io/heimdall: "2"
    spec:
      automountServiceAccountToken: false
      containers:
        - image: linuxserver/heimdall:2.4.13
          imagePullPolicy: IfNotPresent
          name: heimdall
          env:
            - name: PUID
              value: "1001"
            - name: PGID
              value: "1001"
          securityContext:
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 80
              name: http-80
              protocol: TCP
            - containerPort: 443
              name: https-443
              protocol: TCP
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "256Mi"
              cpu: "300m"
          # volumeMounts:
          #   - mountPath: /config
          #     name: heimdall-pvc
      hostname: heimdall
      restartPolicy: Always
      # volumes:
      #   - name: heimdall-pvc
      #     persistentVolumeClaim:
      #       claimName: heimdall-pvc

Previous Discussion: https://github.com/linuxserver/Heimdall/issues/926
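An added example (not code from the issue or the linuxserver project) that turns the failure above into checks a platform team can run: it parses the s6-overlay lines quoted in the issue and lints the container spec for the settings that together keep a PUID/PGID-style init from ever obtaining root. The dict and log text are constructed copies of the manifest and error above; the findings wording is an interpretation, not project documentation.

```python
import re

# Constructed: the container entry from the issue's StatefulSet, as a dict.
HEIMDALL_CONTAINER = {
    "image": "linuxserver/heimdall:2.4.13",
    "env": [{"name": "PUID", "value": "1001"}, {"name": "PGID", "value": "1001"}],
    "securityContext": {
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "allowPrivilegeEscalation": False,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}
# Constructed copy of the s6-overlay lines quoted in the issue.
S6_LOG = """\
s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
s6-mkdir: warning: unable to mkdir /run/s6: Permission denied
s6-mkdir: warning: unable to mkdir /run/service: Permission denied
s6-overlay-suexec: fatal: child failed with exit code 11
"""
_ROOT_NEEDED = re.compile(r"s6-overlay-suexec: warning: unable to gain root privileges")
_RUN_DENIED = re.compile(r"s6-mkdir: warning: unable to mkdir (/run/\S+): Permission denied")
_FATAL = re.compile(r"s6-overlay-suexec: fatal: child failed with exit code (\d+)")


def diagnose_s6_log(log: str) -> dict:
    """Classify s6-overlay init output: did it need root, which paths failed, exit code."""
    result = {"needs_root": False, "denied_paths": [], "fatal_exit": None}
    for line in log.splitlines():
        if _ROOT_NEEDED.search(line):
            result["needs_root"] = True
        if m := _RUN_DENIED.search(line):
            result["denied_paths"].append(m.group(1))
        if m := _FATAL.search(line):
            result["fatal_exit"] = int(m.group(1))
    return result


def rootless_findings(container: dict) -> list:
    """Spec-level reasons a PUID/PGID image cannot satisfy this securityContext."""
    sc = container.get("securityContext", {})
    env = {e["name"] for e in container.get("env", [])}
    findings = []
    if sc.get("runAsNonRoot") and "runAsUser" not in sc:
        findings.append("runAsNonRoot without runAsUser: the UID is decided by the image or the platform")
    if env & {"PUID", "PGID"}:
        findings.append("PUID/PGID set: s6 init starts as root and drops to that UID, so it cannot start non-root")
    if sc.get("allowPrivilegeEscalation") is False:
        findings.append("allowPrivilegeEscalation=false: a setuid s6-overlay-suexec cannot regain root either")
    return findings
```

The second function is a review aid, not an admission policy: a manifest with runAsUser set, no PUID/PGID, and an image whose entrypoint never needs root produces no findings.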

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

aptalca commented 1 year ago

We don't support rootless containers

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.