opensearch-project / docker-images

Apache License 2.0

[BUG] incorrect permissions on /usr/share/opensearch/ in docker container #35

Closed jbnjohnathan closed 10 months ago

jbnjohnathan commented 1 year ago

What is the bug?

In the docker image opensearchproject/opensearch:2.9.0 the permission for the opensearch folder is causing issues:

[opensearch@dc433e3d119d ~]$ ls -ld /usr/share/opensearch/
drwx------ 1 opensearch opensearch 4096 Jul 18 22:43 /usr/share/opensearch/

How can one reproduce the bug?

Run the image in a kubernetes pod where the securityContext assigns a random UID for the user, for example 1000800000. Since the opensearch folder is only accessible for the opensearch user with UID 1000, the entrypoint script /usr/share/opensearch/opensearch-docker-entrypoint.sh cannot be run.

What is the expected behavior?

Since the script itself is set with these permissions: -rwxr-xr-x (allow other to read and execute) it would be logical for the previous directories to have the same permissions

What is your host/environment?

Kubernetes OpenSearch cluster

Do you have any screenshots?

N/A

Do you have any additional context?

marcosox commented 11 months ago

This prevents starting the image also when user namespace remapping is on:

ms@expertbookms:~$ id
uid=1000(ms) gid=1000(ms) gruppi=1000(ms),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),137(wireshark),999(docker)
ms@expertbookms:~$ cat /etc/docker/daemon.json 
{
  "userns-remap": "ms"
}
ms@expertbookms:~$ docker run -it --rm opensearchproject/opensearch:2.11.0
/bin/bash: ./opensearch-docker-entrypoint.sh: Permission denied
ms@expertbookms:~$ docker run -it --rm --entrypoint bash opensearchproject/opensearch:2.11.0
bash: /usr/share/opensearch/.bashrc: Permission denied
bash-5.2$ id                
uid=1000(opensearch) gid=1000(opensearch) groups=1000(opensearch)
bash-5.2$ ls -al /usr/share/
total 192
drwxr-xr-x  1 root root       4096 Oct 13 03:45 .
drwxr-xr-x  1 root root       4096 Oct 10 22:51 ..
drwxr-xr-x  2 root root       4096 Jan 30  2023 X11
drwxr-xr-x  2 root root       4096 Jan 30  2023 aclocal
drwxr-xr-x  2 root root       4096 Jan 30  2023 appdata
drwxr-xr-x  2 root root       4096 Jan 30  2023 applications
drwxr-xr-x  3 root root       4096 Oct 10 22:51 augeas
drwxr-xr-x  2 root root       4096 Oct 10 22:51 awk
drwxr-xr-x  2 root root       4096 Jan 30  2023 backgrounds
drwxr-xr-x  4 root root       4096 Jan 31  2023 bash-completion
drwxr-xr-x 11 root root       4096 Oct 10 22:51 crypto-policies
drwxr-xr-x  2 root root       4096 Jan 30  2023 desktop-directories
drwxr-xr-x  2 root root       4096 Jan 30  2023 dict
drwxr-xr-x  1 root root       4096 Oct 13 03:45 doc
dr-xr-xr-x  2 root root       4096 Jan 30  2023 empty
drwxr-xr-x  2 root root       4096 Oct 10 22:51 file
drwxr-xr-x  2 root root       4096 Jan 30  2023 games
lrwxrwxrwx  1 root root         14 Aug 14 20:55 gawk -> /usr/share/awk
drwxr-xr-x  3 root root       4096 Oct 10 22:51 gcc-11
drwxr-xr-x  3 root root       4096 Oct 10 22:51 gdb
drwxr-xr-x  3 root root       4096 Oct 10 22:51 glib-2.0
drwxr-xr-x  2 root root       4096 Jan 30  2023 gnome
drwxr-xr-x  2 root root       4096 Jan 30  2023 help
drwxr-xr-x  4 root root       4096 Oct 10 22:51 i18n
drwxr-xr-x  2 root root       4096 Jan 30  2023 icons
drwxr-xr-x  2 root root       4096 Jan 30  2023 idl
drwxr-xr-x  1 root root       4096 Oct 13 03:45 info
drwxr-xr-x  2 root root       4096 Oct 10 22:51 libgpg-error
drwxr-xr-x  5 root root       4096 Oct 10 22:51 libreport
drwxr-xr-x  1 root root       4096 Oct 13 03:45 licenses
drwxr-xr-x  1 root root       4096 Oct 13 03:45 locale
drwxr-xr-x  4 root root       4096 Oct 10 22:51 lua
lrwxrwxrwx  1 root root         10 Aug 30 20:17 magic -> misc/magic
drwxr-xr-x  1 root root       4096 Oct 13 03:45 man
drwxr-xr-x  2 root root       4096 Jan 30  2023 metainfo
drwxr-xr-x  2 root root       4096 Jan 30  2023 mime-info
drwxr-xr-x  2 root root       4096 Oct 10 22:51 misc
drwxr-xr-x  2 root root       4096 Jan 30  2023 omf
drwx------  1 root opensearch 4096 Oct 13 03:45 opensearch
drwxr-xr-x  3 root root       4096 Oct 10 22:51 p11-kit
drwxr-xr-x  2 root root       4096 Jan 30  2023 pixmaps
drwxr-xr-x  4 root root       4096 Oct 10 22:51 pki
lrwxrwxrwx  1 root root         25 Jan 29  2023 python-wheels -> /usr/share/python3-wheels
drwxr-xr-x  2 root root       4096 Oct 10 22:51 python3-wheels
drwxr-xr-x  2 root root       4096 Jan 30  2023 sounds
drwxr-xr-x  2 root root       4096 Oct 10 22:51 tabset
drwxr-xr-x 23 root root       4096 Oct 10 22:51 terminfo
drwxr-xr-x  2 root root       4096 Jan 30  2023 themes
drwxr-xr-x  2 root root       4096 Jan 30  2023 wayland-sessions
drwxr-xr-x  2 root root       4096 Jan 30  2023 xsessions
drwxr-xr-x 20 root root       4096 Oct 10 22:51 zoneinfo
bash-5.2$ ls -al /usr/share/opensearch/
ls: cannot open directory '/usr/share/opensearch/': Permission denied

peterzhuamazon commented 10 months ago

Hi,

we are currently not using this repo for docker images.

Here is the latest setup on docker for OpenSearch/Dashboards: https://github.com/opensearch-project/opensearch-build/tree/main/docker

Also, if you are using kubernetes, use init containers to change the folder permission or ownership and then start the containers.

Or you can rebuild the opensearch image with your desired user uid.

Thanks.
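As an added example (not code from this thread or from the OpenSearch project), here is a Pod manifest that applies the init-container suggestion above. It assumes the 2.11.0 image as listed by marcosox, where /usr/share/opensearch is mode 0700 and owned by root, and the arbitrary runtime UID 1000800000 from the report. A chmod run inside an init container does not carry over to the main container, because each container gets its own writable copy of the image layers, so the init container instead copies the tree into an emptyDir volume that the main container mounts over /usr/share/opensearch. The chgrp 0 / chmod g=u step is the usual pattern for platforms that place arbitrary UIDs in the root group; that platform convention, the pod name and the runAsGroup value are assumptions.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: opensearch-arbitrary-uid   # example name, not from the thread
spec:
  securityContext:
    runAsUser: 1000800000          # random UID taken from the bug report
    runAsGroup: 0                  # assumption: arbitrary UIDs land in GID 0
  volumes:
    - name: opensearch-home
      emptyDir: {}                 # receives a fixed copy of the install tree
  initContainers:
    - name: fix-permissions
      image: opensearchproject/opensearch:2.11.0
      # Only root can read the 0700 root-owned directory inside the image,
      # so this step runs as UID 0; cluster policy must permit that.
      securityContext:
        runAsUser: 0
        runAsGroup: 0
      command:
        - sh
        - -c
        - |
          set -e
          # copy the whole install, dotfiles included, into the shared volume
          cp -a /usr/share/opensearch/. /work/
          # grant group 0 the owner's permissions without widening "other"
          chgrp -R 0 /work
          chmod -R g=u /work
          ls -ld /work /work/opensearch-docker-entrypoint.sh
      volumeMounts:
        - name: opensearch-home
          mountPath: /work
  containers:
    - name: opensearch
      image: opensearchproject/opensearch:2.11.0
      env:
        - name: discovery.type
          value: single-node       # single node only, to keep the example small
      volumeMounts:
        # shadows the unreadable image directory with the fixed copy
        - name: opensearch-home
          mountPath: /usr/share/opensearch
```

The image's entrypoint resolves ./opensearch-docker-entrypoint.sh relative to the working directory /usr/share/opensearch, so after the mount it finds the group-readable copy and runs under the random UID. The copy is repeated on every pod start and lives in emptyDir, so index data should still go to a separate persistent volume mounted at /usr/share/opensearch/data; if running the init container as root is not allowed by policy, rebuilding the image with the desired uid, as also suggested above, is the alternative.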

maikelnight commented 3 months ago

Hi,

we are currently not using this repo for docker images.

Here is the latest setup on docker for OpenSearch/Dashboards: https://github.com/opensearch-project/opensearch-build/tree/main/docker

Also, if you are using kubernetes, use init containers to change the folder permission or ownership and then start the containers.

Or you can rebuild the opensearch image with your desired user uid.

Thanks.

Hi Peter, how could you use init containers to set folder permissions in a following opensearch container? Can you please scheme how that would work? Thanks and Regards.