Closed jbnjohnathan closed 10 months ago
This prevents starting the image also when user namespace remapping is on:
ms@expertbookms:~$ id
uid=1000(ms) gid=1000(ms) gruppi=1000(ms),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),137(wireshark),999(docker)
ms@expertbookms:~$ cat /etc/docker/daemon.json
{
"userns-remap": "ms"
}
ms@expertbookms:~$ docker run -it --rm opensearchproject/opensearch:2.11.0
/bin/bash: ./opensearch-docker-entrypoint.sh: Permission denied
ms@expertbookms:~$ docker run -it --rm --entrypoint bash opensearchproject/opensearch:2.11.0
bash: /usr/share/opensearch/.bashrc: Permission denied
bash-5.2$ id
uid=1000(opensearch) gid=1000(opensearch) groups=1000(opensearch)
bash-5.2$ ls -al /usr/share/
total 192
drwxr-xr-x 1 root root 4096 Oct 13 03:45 .
drwxr-xr-x 1 root root 4096 Oct 10 22:51 ..
drwxr-xr-x 2 root root 4096 Jan 30 2023 X11
drwxr-xr-x 2 root root 4096 Jan 30 2023 aclocal
drwxr-xr-x 2 root root 4096 Jan 30 2023 appdata
drwxr-xr-x 2 root root 4096 Jan 30 2023 applications
drwxr-xr-x 3 root root 4096 Oct 10 22:51 augeas
drwxr-xr-x 2 root root 4096 Oct 10 22:51 awk
drwxr-xr-x 2 root root 4096 Jan 30 2023 backgrounds
drwxr-xr-x 4 root root 4096 Jan 31 2023 bash-completion
drwxr-xr-x 11 root root 4096 Oct 10 22:51 crypto-policies
drwxr-xr-x 2 root root 4096 Jan 30 2023 desktop-directories
drwxr-xr-x 2 root root 4096 Jan 30 2023 dict
drwxr-xr-x 1 root root 4096 Oct 13 03:45 doc
dr-xr-xr-x 2 root root 4096 Jan 30 2023 empty
drwxr-xr-x 2 root root 4096 Oct 10 22:51 file
drwxr-xr-x 2 root root 4096 Jan 30 2023 games
lrwxrwxrwx 1 root root 14 Aug 14 20:55 gawk -> /usr/share/awk
drwxr-xr-x 3 root root 4096 Oct 10 22:51 gcc-11
drwxr-xr-x 3 root root 4096 Oct 10 22:51 gdb
drwxr-xr-x 3 root root 4096 Oct 10 22:51 glib-2.0
drwxr-xr-x 2 root root 4096 Jan 30 2023 gnome
drwxr-xr-x 2 root root 4096 Jan 30 2023 help
drwxr-xr-x 4 root root 4096 Oct 10 22:51 i18n
drwxr-xr-x 2 root root 4096 Jan 30 2023 icons
drwxr-xr-x 2 root root 4096 Jan 30 2023 idl
drwxr-xr-x 1 root root 4096 Oct 13 03:45 info
drwxr-xr-x 2 root root 4096 Oct 10 22:51 libgpg-error
drwxr-xr-x 5 root root 4096 Oct 10 22:51 libreport
drwxr-xr-x 1 root root 4096 Oct 13 03:45 licenses
drwxr-xr-x 1 root root 4096 Oct 13 03:45 locale
drwxr-xr-x 4 root root 4096 Oct 10 22:51 lua
lrwxrwxrwx 1 root root 10 Aug 30 20:17 magic -> misc/magic
drwxr-xr-x 1 root root 4096 Oct 13 03:45 man
drwxr-xr-x 2 root root 4096 Jan 30 2023 metainfo
drwxr-xr-x 2 root root 4096 Jan 30 2023 mime-info
drwxr-xr-x 2 root root 4096 Oct 10 22:51 misc
drwxr-xr-x 2 root root 4096 Jan 30 2023 omf
drwx------ 1 root opensearch 4096 Oct 13 03:45 opensearch
drwxr-xr-x 3 root root 4096 Oct 10 22:51 p11-kit
drwxr-xr-x 2 root root 4096 Jan 30 2023 pixmaps
drwxr-xr-x 4 root root 4096 Oct 10 22:51 pki
lrwxrwxrwx 1 root root 25 Jan 29 2023 python-wheels -> /usr/share/python3-wheels
drwxr-xr-x 2 root root 4096 Oct 10 22:51 python3-wheels
drwxr-xr-x 2 root root 4096 Jan 30 2023 sounds
drwxr-xr-x 2 root root 4096 Oct 10 22:51 tabset
drwxr-xr-x 23 root root 4096 Oct 10 22:51 terminfo
drwxr-xr-x 2 root root 4096 Jan 30 2023 themes
drwxr-xr-x 2 root root 4096 Jan 30 2023 wayland-sessions
drwxr-xr-x 2 root root 4096 Jan 30 2023 xsessions
drwxr-xr-x 20 root root 4096 Oct 10 22:51 zoneinfo
bash-5.2$ ls -al /usr/share/opensearch/
ls: cannot open directory '/usr/share/opensearch/': Permission denied
Hi,
We are currently not using this repo for Docker images.
Here is the latest setup on Docker for OpenSearch/Dashboards: https://github.com/opensearch-project/opensearch-build/tree/main/docker
Also, if you are using Kubernetes, use init containers to change the folder permission or ownership and then start the containers.
Or you can rebuild the opensearch image with your desired user uid.
Thanks.
Hi Peter, how could you use init containers to set folder permissions in a following opensearch container? Can you please scheme how that would work? Thanks and Regards.
What is the bug?
In the docker image opensearchproject/opensearch:2.9.0 the permission for the opensearch folder is causing issues:
[opensearch@dc433e3d119d ~]$ ls -ld /usr/share/opensearch/
drwx------ 1 opensearch opensearch 4096 Jul 18 22:43 /usr/share/opensearch/
How can one reproduce the bug?
Run the image in a Kubernetes pod where the securityContext assigns a random UID for the user, for example 1000800000. Since the opensearch folder is only accessible for the opensearch user with UID 1000, the entrypoint script /usr/share/opensearch/opensearch-docker-entrypoint.sh cannot be run.
What is the expected behavior?
Since the script itself is set with these permissions: -rwxr-xr-x (allow other to read and execute), it would be logical for the previous directories to have the same permissions.
What is your host/environment?
Kubernetes OpenSearch cluster
Do you have any screenshots?
N/A
Do you have any additional context?
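Added example, not part of the original issue or of the OpenSearch project's code: a small checker that walks every path component the way the kernel's owner/group/other rule does and reports the first one a given UID cannot pass, which shows why a `-rwxr-xr-x` entrypoint is still unreachable under a `drwx------` parent. The function names and the temporary directory layout are constructed for illustration; supplementary group 0 is an assumption, and root capabilities and ACLs are not modelled.

```python
import os, shutil, stat, tempfile

ARBITRARY_UID = 1000800000  # example UID quoted in the issue

def class_bits(st, uid, gids):
    """Select the rwx triplet that applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids, base="/"):
    """Return the first component below `base` that `uid` cannot use, or None."""
    current = os.path.abspath(base)
    for part in os.path.relpath(path, current).split(os.sep):
        current = os.path.join(current, part)
        st = os.stat(current)
        # Directories need search (x); a script needs read + execute (r-x).
        need = 1 if stat.S_ISDIR(st.st_mode) else 5
        if (class_bits(st, uid, gids) & need) != need:
            return current
    return None

def demo():
    """Rebuild the reported layout in a temp dir (constructed sample, not the image)."""
    root = tempfile.mkdtemp()
    try:
        home = os.path.join(root, "usr", "share", "opensearch")
        os.makedirs(home)
        for d in (os.path.join(root, "usr"), os.path.join(root, "usr", "share")):
            os.chmod(d, 0o755)           # independent of the caller's umask
        script = os.path.join(home, "opensearch-docker-entrypoint.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(script, 0o755)          # -rwxr-xr-x, as in the issue
        os.chmod(home, 0o700)            # drwx------, as in the issue
        before = first_blocker(script, ARBITRARY_UID, {0}, base=root)
        os.chmod(home, 0o755)            # the behaviour the issue asks for
        after = first_blocker(script, ARBITRARY_UID, {0}, base=root)
        return os.path.relpath(before, root), after
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

Inside a running container, calling `first_blocker("/usr/share/opensearch/opensearch-docker-entrypoint.sh", os.getuid(), set(os.getgroups()))` gives the same answer for the real filesystem.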