Meilisearch Pod fails on Openshift due to root permission denial

[NathalieNX]

We are using Openshift, and none of the pods have root access (for security reasons). This means the line in the Dockerfile CMD ["/bin/sh" "-c" "./meilisearch"] fails with message Error: Permission denied (os error 13), and the meilisearch fails with a CrashLoopBackoff error.

We were able to reproduce this behavior by creating a debug pod and running the command with the same result :

~ $ /bin/sh -c ./meilisearch
Error: Permission denied (os error 13)

Do you know why root access is needed for this operation ? Do you know of any workarounds ? Thanks in advance.

[alallema]

Hi @NathalieNX, Thanks for raising this issue but I need some details about the context:

• Which version of Meilisearch did you use?
• Which version of meilisearch-kubernetes did you use?
• Which docker file are you referring to?
• Did you check the permission of your binary file?

[NathalieNX]

Thanks for the questions :

• Meilisearch version v0.19.0 (specified in the meilisearch-kubernetes charts/meilisearch/Chart.yaml)
• meilisearch-kubernetes version 0.1.14 (latest, released march 24th), included as a dependency in my project Helm chart
• The dockerfile I am referring to is the one I found on Dockerhub for Meilisearch v0.19.0 (line 8 ; this is the command I tried to reproduce in the debug pod, see above) : https://hub.docker.com/layers/getmeili/meilisearch/v0.19.0/images/sha256-c01c7ef570667ded0ae0c930d7a0eafc1fa7222318cbc701b86816c3b8f5d96e?context=explore
• testing the configuration locally shows the following permissions :

  $ kubectl exec -it test-ms-local-meilisearch-0 -- sh                        
  / # ls -la
  total 301348
  drwxr-xr-x    1 root     root          4096 May 10 16:09 .
  drwxr-xr-x    1 root     root          4096 May 10 16:09 ..
  -rwxr-xr-x    1 root     root             0 May 10 16:09 .dockerenv
  drwxr-xr-x    2 root     root          4096 Apr 23  2020 bin
  drwxr-xr-x    4 root     root          4096 May 10 16:09 data.ms
  drwxr-xr-x    5 root     root           360 May 10 16:09 dev
  drwxr-xr-x    1 root     root          4096 May 10 16:09 etc
  drwxr-xr-x    2 root     root          4096 Apr 23  2020 home
  drwxr-xr-x    1 root     root          4096 Apr 23  2020 lib
  drwxr-xr-x    5 root     root          4096 Apr 23  2020 media
  -rwxr-xr-x    1 root     root     308505312 Feb  9 15:01 meilisearch
  drwxr-xr-x    2 root     root          4096 Apr 23  2020 mnt
  drwxr-xr-x    2 root     root          4096 Apr 23  2020 opt
  dr-xr-xr-x  218 root     root             0 May 10 16:09 proc
  drwx------    1 root     root          4096 May 11 09:59 root
  drwxr-xr-x    1 root     root          4096 May 10 16:09 run
  drwxr-xr-x    1 root     root          4096 Feb  9 15:02 sbin
  drwxr-xr-x    2 root     root          4096 Apr 23  2020 srv
  dr-xr-xr-x   13 root     root             0 May 10 16:09 sys
  drwxrwxrwt    2 root     root          4096 Apr 23  2020 tmp
  drwxr-xr-x    1 root     root          4096 Apr 23  2020 usr
  drwxr-xr-x   11 root     root          4096 Apr 23  2020 var

I hope this helps, please tell me if you need more details.

[alallema]

Hi @NathalieNX, Thanks for your info. Everything looks good to me. meilisearch will never need root rights to run just write rights. So I guess the problem came from the fact that in Openshift the image is built as root and needs to run as the root user. But I suppose recommended best practice is to avoid containers that need to run as root. Hope this will help you

[alallema]

I'm closing this issue because it is outdated. Feel free to reopen it if you need it.