Closed hishamanver closed 3 months ago
Same issue for me. With the current image, I get the following error (the only log I get from the nats-box container):
mkdir: can't create directory '/nsc/': Permission denied
would using runAsUser be an alternative here?
```yaml
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
```
Unfortunately not, as openshift assigns a random uid from a pool allocated by cluster administrators that we have no control over.
@hishamanver interesting, thanks for clarifying. Then I guess a similar issue would happen when running the official nats-server image and other components...
Oddly not, it just works.
Is that with the nats:2.10.7-alpine image or the scratch nats:2.10.7 image?
nats:2.10.3-alpine
which is used by the helm chart here https://github.com/nats-io/k8s/blob/nats-1.1.2/helm/charts/nats/values.yaml#L310-L311
@wallyqs My error while running nats-box is due to FS access rights, see my earlier comment. I too use OpenShift as K8s distribution and its hardened environment. The main nats image may not have this problem as it's not trying to write in / directly, and uses a PVC for JetStream data. I'm new to NATS so please correct me if I'm wrong here. I can confirm nats-2.10-alpine just works for me too.
@hishamanver See PR https://github.com/nats-io/nats-box/pull/65. Couldn't test yet, but this should fix our OpenShift-specific issue.
@sboulkour Just tested on OpenShift and this does not work; I get the following log from the failed container in OpenShift:
trap true INT TERM; sleep infinity & wait: cd: line 9: can't cd to /root: Permission denied
When running the container locally using docker and emulating a random user (which is what OpenShift does) I can understand why it's failing:
```console
# normal non-root execution as default nats user
$ docker run --rm -it harbor.tools.telstra.com/public-cache/natsio/nats-box:0.14.2-nonroot
             _             _
 _ __   __ _| |_ ___      | |__   _____  __
| '_ \ / _` | __/ __|_____| '_ \ / _ \ \/ /
| | | | (_| | |_\__ \_____| |_) | (_) >  <
|_| |_|\__,_|\__|___/     |_.__/ \___/_/\_\
nats-box v0.14.2
bb267464d043:~$ id
uid=1000(nats) gid=1000(nats) groups=1000(nats)
bb267464d043:~$ echo $HOME
/home/nats
bb267464d043:~$

# custom non-root execution as arbitrary user
$ docker run --rm -it -u 100000001:100000001 harbor.tools.telstra.com/public-cache/natsio/nats-box:0.14.2-nonroot
             _             _
 _ __   __ _| |_ ___      | |__   _____  __
| '_ \ / _` | __/ __|_____| '_ \ / _ \ \/ /
| | | | (_| | |_\__ \_____| |_) | (_) >  <
|_| |_|\__,_|\__|___/     |_.__/ \___/_/\_\
nats-box v0.14.2
37a7a7106231:~$ pwd
/
37a7a7106231:~$ echo $HOME
/
37a7a7106231:~$
```
It is due to the fact that 0.14.2 is not up to date with main (https://github.com/nats-io/nats-box/compare/v0.14.2...main). We need the WORKDIR step in order to stop this from taking effect (https://github.com/nats-io/nats-box/blob/main/entrypoint.sh#L3-L5).
Once the image is rebuilt from main things should work. However, for a bit of housekeeping I have updated the MR to clean up the redundant step in the entrypoint file; feel free to close this if not required.
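The behaviour shown in the docker session above (an arbitrary UID with no /etc/passwd entry ends up with HOME=/ and then cannot cd to /root or create /nsc) is what an entrypoint has to cope with if the image is to run "as a non-root user without pinning a UID", as the PR description at the end of this page sets out to do. The fragment below is an added example written for this page; it is not nats-box's entrypoint and not the change in PR #65. The function names pick_home, uid_in_passwd and main_entrypoint, the fallback directory name, and the passwd lines used in the comments are assumptions made here:

```shell
#!/bin/sh
# Added example (not nats-box's own entrypoint): start-up logic that tolerates
# OpenShift-style arbitrary UIDs. A UID that is not in /etc/passwd gets HOME=/
# from the runtime, so hard-coded "cd /root" or "mkdir /nsc" fails with
# "Permission denied". Instead of pinning a UID in the image, pick a writable
# home directory at start-up and work from there.
set -eu

# pick_home CANDIDATE: print CANDIDATE if it is a writable directory other
# than "/", otherwise create and print a private fallback under ${TMPDIR:-/tmp}.
# /root, /nsc and / are all rejected for an arbitrary UID this way.
pick_home() {
    candidate=$1
    if [ -n "$candidate" ] && [ "$candidate" != "/" ] \
        && [ -d "$candidate" ] && [ -w "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    # mktemp -d creates a mode-0700 directory owned by the calling UID, so it
    # is writable regardless of which UID the platform assigned.
    fallback=$(mktemp -d "${TMPDIR:-/tmp}/nats-home.XXXXXX")
    printf '%s\n' "$fallback"
}

# uid_in_passwd UID [PASSWD_FILE]: succeed only if UID has a passwd entry.
# With an arbitrary UID this fails, which is why the shell reports HOME=/ and
# the prompt shows "~" resolving to "/".
uid_in_passwd() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# main_entrypoint CMD...: fix up HOME and the working directory, then exec the
# real command (what a Dockerfile WORKDIR plus an entrypoint "cd" would do).
main_entrypoint() {
    uid=$(id -u)
    if ! uid_in_passwd "$uid"; then
        echo "uid $uid has no passwd entry; HOME is '${HOME:-unset}'" >&2
    fi
    HOME=$(pick_home "${HOME:-}")
    export HOME
    cd "$HOME"
    # Create the per-user state directories the tools will write to, so the
    # "mkdir: can't create directory" failure cannot happen later under $HOME.
    mkdir -p "$HOME/.config" "$HOME/.local/share"
    exec "$@"
}

# Only act as an entrypoint when a command was given; sourcing the file for
# the functions alone does nothing.
if [ "$#" -gt 0 ]; then
    main_entrypoint "$@"
fi
```

The same idea applies to the image itself: on OpenShift the arbitrary UID runs with GID 0, so any directory the container must write to (the one named by WORKDIR included) should be group-owned by root and group-writable (chgrp 0, chmod g+rwX) rather than owned by a specific UID such as 1000. To emulate the platform locally, run the image with `docker run -u 100000001:0` as in the session above and check that `pwd` and `$HOME` no longer resolve to `/`.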
@wallyqs any chance we can get an updated release with the updates from main?
As per title.
We have issues running this container on OpenShift due to security constraints (running on OpenShift: https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids).
This converts it to use a non-root user without needing to pin a UID.
I struggled to build the image as is, so I tested with the following:
Test Dockerfile
Results (on docker):
Results (on openshift)