search

opendistro-for-elasticsearch / opendistro-build

🧰 Open Distro Build Scripts
https://opendistro.github.io/
Apache License 2.0
345 stars 176 forks source link

Could not run Elastic Search conatiner as non-root #790

Open vijeswari opened 2 years ago

vijeswari commented 2 years ago

Describe the bug A clear and concise description of what the bug is. As mentioned in the enhancement https://github.com/opendistro-for-elasticsearch/opendistro-build/pull/703, we tried creating ODFE pods running as non-root user using ODFE 1.13.2 docker image and helm chart. The pod creation fails with the following error:

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch OpenDistro for Elasticsearch Security Demo Installer Warning: Do not use on production or public reachable systems Basedir: /usr/share/elasticsearch Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core) Elasticsearch config dir: /usr/share/elasticsearch/config Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml Elasticsearch bin dir: /usr/share/elasticsearch/bin Elasticsearch plugins dir: /usr/share/elasticsearch/plugins Elasticsearch lib dir: /usr/share/elasticsearch/lib Detected Elasticsearch Version: x-content-7.10.2 Detected Open Distro Security Version: 1.13.1.0 Success Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

To Reproduce Steps to reproduce the behavior:

  1. Download ODFE helm 1.13.2
  2. Run 'helm install test . -f values-nonroot.yaml'
  3. Pod creation fails

Expected behavior A clear and concise description of what you expected to happen. ES container should be up and running as non root

Configuration (please complete the following information):

Relevant information Please include any relevant log snippets or files here.

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch OpenDistro for Elasticsearch Security Demo Installer Warning: Do not use on production or public reachable systems Basedir: /usr/share/elasticsearch Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core) Elasticsearch config dir: /usr/share/elasticsearch/config Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml Elasticsearch bin dir: /usr/share/elasticsearch/bin Elasticsearch plugins dir: /usr/share/elasticsearch/plugins Elasticsearch lib dir: /usr/share/elasticsearch/lib Detected Elasticsearch Version: x-content-7.10.2 Detected Open Distro Security Version: 1.13.1.0 Success Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

oomichi commented 2 years ago

@vijeswari Hello, I am facing the same issue. Do you find some solution for this issue?

/cc @oomichi

oomichi commented 2 years ago

@vijeswari Hello, I am facing the same issue. Do you find some solution for this issue?

/cc @oomichi

I found a solution for this issue. By specifying

  extraEnvs:
    - name: DISABLE_INSTALL_DEMO_CONFIG
      value: "true"

in values.yaml, the demo mode is disabled and it solves this issue on my side.

vijeswari commented 2 years ago

@oomichi This solution did not work for us. We are relying on demo certificates for time being so disabling the demo config scripts has impact on the internal node communication on port 9300. Have you configured certificates post disabling demo config script?

Thank you