opensearch-project / helm-charts

A community repository for Helm Charts of OpenSearch Project.
https://opensearch.org/docs/latest/opensearch/install/helm/
Apache License 2.0

When trying to create opensearch container in OpenShift the issue with privileged is appeared #512

Open thtarstar opened 9 months ago

thtarstar commented 9 months ago

Describe the bug

After trying to create an opensearch container in OpenShift (OKD cluster), I had an error:

Warning Failed 95m (x1075 over 5h38m) kubelet (combined from similar events): Error: container create failed: time="2023-12-20T15:56:36+02:00" level=error msg="runc create failed: unable to start container process: exec: \"./opensearch-docker-entrypoint.sh\": stat ./opensearch-docker-entrypoint.sh: permission denied

Looks like OpenShift is crying for OpenSearch running as privileged container in cluster.


tdominguezm commented 8 months ago

Interested to know if there are any updates to this, as I'm having the same issue trying to deploy OpenSearch in an OpenShift cluster without privileged access and I'm facing the same error "runc create failed: unable to start container process: exec: "./opensearch-docker-entrypoint.sh": stat ./opensearch-docker-entrypoint.sh: permission denied".

If someone has managed to make it work, I would appreciate more insight.

prudhvigodithi commented 8 months ago

There are some open issues with respect to OpenShift cluster running the OpenSearch Helm chart. ~https://github.com/opensearch-project/helm-charts/issues/369~ https://github.com/opensearch-project/helm-charts/issues/384 https://github.com/opensearch-project/helm-charts/issues/480 https://github.com/opensearch-project/helm-charts/issues/512

It would be great if someone can refactor the chart to make it work with OpenShift.

gsmith-sas commented 8 months ago

@prudhvigodithi The first 2 issues (#369 and #384) are NOT OpenShift-specific; they are related to Kubernetes security best practices. Even the 3rd issue (#480) is more a K8s security best practices issue than an OpenShift issue (although OpenShift is mentioned). These issues may crop up on OpenShift because it enforces/requires some of these best practices but the underlying issue is that the OpenSearch container image is not configured securely. This is surprising since I suspect the AWS OpenSearch service has resolved these same issues. Unfortunately, some of these cannot be fixed via Helm chart changes and must be addressed in the container image itself.

prudhvigodithi commented 8 months ago

Thanks @gsmith-sas, what I was trying to say was it would be great if we can refactor the chart/docker-image or show us some pointers on how to still make it work with OpenShift enforcements. @gsmith-sas can you please elaborate more, or are you open to contributing, to make sure there are no issues with OpenShift and it works the same as on other clusters?

We can ignore this issue https://github.com/opensearch-project/helm-charts/issues/369 as it's more related to the PA plugin writing logs to the read-only filesystem.

Adding @bbarani @peterzhuamazon @TheAlgo