opensearch-project / opensearch-build

🧰 OpenSearch / OpenSearch-Dashboards Build Systems
Apache License 2.0

[Enhancement] Running release docker image as non-opensearch(1000) user #3625

Open Raniz85 opened 1 year ago

Raniz85 commented 1 year ago

Describe the bug
If trying to execute the docker image as someone other than UID 1000 (for example on OpenShift), startup fails with permission denied.

To Reproduce
Run docker image as an unprivileged user, e.g.

$ podman run --rm -it --user 176000 docker.io/opensearchproject/opensearch:2.7.0@sha256:55f1f67e7d3645aa838b63a589bce5645154ba275814e52d4638d371ca0f8cb5
{"msg":"exec container process `/usr/share/opensearch/./opensearch-docker-entrypoint.sh`: Permission denied","level":"error","time":"2023-06-12T06:02:50.000600385Z"}

Expected behavior
OpenSearch starts successfully.

Host/Environment (please complete the following information)
OpenSearch 2.7.0 (sha256:55f1f67e7d3645aa838b63a589bce5645154ba275814e52d4638d371ca0f8cb5)

Tested on:

Additional Information
This is due to /usr/share/opensearch having permission 0700:

$ podman run --rm -it --user 176000 docker.io/opensearchproject/opensearch:2.7.0 bash -c 'stat $(pwd)'
  File: '/usr/share/opensearch'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 68h/104d        Inode: 16810690    Links: 1
Access: (0700/drwx------)  Uid: ( 1000/opensearch)   Gid: ( 1000/opensearch)
Access: 1970-01-01 00:00:00.000000000 +0000
Modify: 2023-04-27 23:13:41.000000000 +0000
Change: 2023-06-09 12:00:31.588927632 +0000
 Birth: -

There are likely more ownership issues to iron out when running as an unprivileged user.
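To make the permission problem above concrete, here is an added example that is not part of the issue or of the opensearch-build project. It is a small POSIX shell audit that walks a directory tree and lists every entry a process running as an arbitrary UID could not traverse or read, first for the "other" permission class (any UID, any group) and then for the "group" class, which is what matters on OpenShift, where containers run as a random UID with GID 0 as a supplementary group. It also applies the widely used fix for that environment, `chgrp -R 0` plus `chmod -R g=u`, so that group permissions mirror owner permissions. The directory layout, file names and modes are constructed to mimic the 0700 home directory in the report; `make_demo_tree`, `audit_tree`, `count_denied` and `fix_for_arbitrary_uid` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the project's code): audit a tree for entries that an
# arbitrary UID could not reach, then apply the "group 0 + g=u" fix.

# Print every path under $1 that denies the permission class $2 what it needs:
# directories need r+x (search + list), regular files need r.
#   other -> bits 005 for dirs, 004 for files (any UID, any group)
#   group -> bits 050 for dirs, 040 for files (UID with the right GID)
audit_tree() {
    dir=$1
    case $2 in
        other) dmask=005 fmask=004 ;;
        group) dmask=050 fmask=040 ;;
        *) echo "usage: audit_tree DIR other|group" >&2; return 2 ;;
    esac
    # Octal masks with a leading '-' mean "all of these bits must be set".
    find "$dir" \( \( -type d ! -perm -"$dmask" \) -o \
                   \( -type f ! -perm -"$fmask" \) \) -print
}

# Number of denied entries, for scripting and assertions.
count_denied() {
    audit_tree "$1" "$2" | wc -l | tr -d ' '
}

# The OpenShift convention: hand the tree to GID $2 (0 by default, the root
# group every arbitrary-UID container belongs to) and copy the owner bits to
# the group bits, so whatever the owner may do, the group may do too.
fix_for_arbitrary_uid() {
    dir=$1
    gid=${2:-0}
    chgrp -R "$gid" "$dir" && chmod -R g=u "$dir"
}

# Constructed tree modelled on the report: a 0700 home directory and a 0700
# entrypoint script, plus a world-readable config directory for contrast.
# Prints the root of the tree so callers can audit, fix and clean it up.
make_demo_tree() {
    tmp=$(mktemp -d)
    root=$tmp/opensearch
    mkdir -p "$root/config"
    printf 'exec true\n' > "$root/opensearch-docker-entrypoint.sh"
    printf 'cluster.name: demo\n' > "$root/config/opensearch.yml"
    chmod 0700 "$root"
    chmod 0700 "$root/opensearch-docker-entrypoint.sh"
    chmod 0755 "$root/config"
    chmod 0644 "$root/config/opensearch.yml"
    echo "$root"
}

# Stand-alone walkthrough: `sh audit_uid.sh demo`. Uses the caller's own
# primary group instead of GID 0 so it works without root; in an image
# build you would pass 0 (or omit the argument).
demo() {
    root=$(make_demo_tree)
    echo "denied to 'other' before fix: $(count_denied "$root" other)"
    audit_tree "$root" other
    fix_for_arbitrary_uid "$root" "$(id -g)"
    echo "denied to 'group' after fix:  $(count_denied "$root" group)"
    rm -rf "$(dirname "$root")"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run against a real image with `podman run --rm --user 0 IMAGE sh -c '...'` to audit the installed tree before deciding which directories the entrypoint actually needs, and note that the "other" audit still reports the same entries after the fix: the fix grants access through the group, not to the world, which is the point of keeping GID 0 rather than using `chmod -R o+rX`.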

gaiksaya commented 1 year ago

@peterzhuamazon @prudhvigodithi Can you take a look at this? Looks like we had a similar issue with helm https://github.com/opensearch-project/helm-charts/issues/384

peterzhuamazon commented 1 year ago

Hi @Raniz85 we switch the user to 1000 here: https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/dockerfiles/opensearch.al2.dockerfile#L82-L84

In your command, you have --user 176000 specified, so the docker container will run as --user 176000.

Is there a reason you cannot run as 1000 user here? (Edit: I am not familiar with OpenShift usages, so not sure if they have function to override this)

Thanks.

peterzhuamazon commented 1 year ago

This is not a bug but a feature request, which we do not have at the moment. Though users can either modify the existing image or build a custom one with our docker scripts and files: https://github.com/opensearch-project/opensearch-build/tree/main/docker/release

Allowing a non-opensearch (1000) user could potentially change the structure of the docker image that we designed. More research is needed before we can proceed with such a feature.

cc: @bbarani to comment on this one.

Thanks.