nats-io / nats-box

A container with NATS utilities
Apache License 2.0

Deploying nats helm chart gives nats-box KO /root permission denied #72

Open antoinetran opened 5 months ago

antoinetran commented 5 months ago

What version were you using?

nats helm chart 1.1.10

What environment was the server running in?

Kubernetes OpenShift

Is this defect reproducible?

Yes

  1. In an OpenShift environment with a no-root policy, when deploying the nats helm chart:

    helm upgrade --install my-nats nats/nats --version 1.1.10 --namespace nats

  2. In a simpler way, with just docker:

    docker run -u 12345 --rm -ti natsio/nats-box:0.14.2 sh -c "id && pwd && cd /root"
    uid=12345 gid=0(root) groups=0(root)
    /
    sh: cd: line 0: can't cd to /root: Permission denied

Given the capability you are leveraging, describe your expectation?

The working dir set in the Dockerfile https://github.com/nats-io/nats-box/blob/main/Dockerfile#L54 should not be /root, because in production environments, images are launched as non-root. Instead, the working dir should be agnostic of that, for example by setting it to /tmp.

Given the expectation, what is the defect you are observing?

Deployment of nats-box ends in error. Logs say permission denied for /root.

antoinetran commented 5 months ago

Workaround in nats helm chart. Write a values.yaml:

    natsBox:
      container:
        merge:
          resources: {}
          # OpenShift: no root means cd /root gives permission denied
          workingDir: /tmp

Although I am using the nats helm chart, this is for me a bug in the nats-box image itself, which is why this issue is in this repository.
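
An added example (not part of the issue thread or the nats-box repository): a POSIX shell check that reproduces the reported failure from the mode bits alone, showing why an arbitrary UID with the directory's group (as in `uid=12345 gid=0`) cannot enter a directory whose group bits lack execute, but can enter one with group permissions or a `/tmp`-style `1777` mode. The names `can_enter` and `demo` and the temporary directory are assumptions made for this example; it assumes GNU or BusyBox `stat -c`.

```shell
#!/bin/sh
# Added example, not nats-box code. Hypothetical helper names.
# can_enter UID GID DIR: return 0 if a process with that UID and primary GID
# passes the owner/group/other execute (search) check on DIR.
# Ignores ACLs, supplementary groups and parent-directory permissions.
can_enter() {
    uid=$1 gid=$2 dir=$3
    # %a = octal mode, %u = owner UID, %g = owner GID
    info=$(stat -c '%a %u %g' "$dir") || return 2
    set -- $info
    mode=$1 owner=$2 group=$3
    if [ "$uid" -eq 0 ]; then return 0; fi   # root is not bound by mode bits
    perms=$((0$mode))                        # leading 0: parse as octal
    # The kernel picks exactly one class: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then bit=64      # 0100: owner execute
    elif [ "$gid" -eq "$group" ]; then bit=8     # 0010: group execute
    else bit=1                                   # 0001: other execute
    fi
    [ $((perms & bit)) -ne 0 ]
}

# Constructed sample: one temporary directory, cycled through three modes.
# The checked UID is deliberately neither the owner nor root, and the GID is
# the directory's group, mirroring "uid=12345 gid=0" against a root:root dir.
demo() {
    tmp_dir=$(mktemp -d) || return 2
    arb_uid=$(( $(stat -c %u "$tmp_dir") + 1 ))
    dir_gid=$(stat -c %g "$tmp_dir")
    for m in 0700 0770 1777; do
        chmod "$m" "$tmp_dir"
        if can_enter "$arb_uid" "$dir_gid" "$tmp_dir"; then r=ok; else r=denied; fi
        echo "mode=$m uid=$arb_uid gid=$dir_gid -> $r"
    done
    rmdir "$tmp_dir"
}

# With three arguments, check a real path (e.g. inside the container:
#   sh check.sh 12345 0 /root); with none, run the constructed demo.
if [ "$#" -eq 3 ]; then
    if can_enter "$1" "$2" "$3"; then echo "ok: $3"; else echo "denied: $3"; exit 1; fi
else
    demo
fi
```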