opensearch-project / opensearch-devops

:smile: We welcome all the community members to help develop third party tools/automations/workflows for OpenSearch/OpenSearch-Dashboards.
https://opensearch.org/
Apache License 2.0

Permission denied - /usr/share/opensearch/ #97

Closed lindeberg25 closed 1 year ago

lindeberg25 commented 2 years ago

Hello...

I'm deploying an OpenSearch cluster on OpenShift and I'm getting the permission denied error: "./opensearch-docker-entrypoint.sh: permission denied"

I've created an opensearch-sa service account and added it to master.yaml:

     serviceAccountName: "opensearch-sa"

I've set opensearch-sa to privileged.

I believe the user created in the opensearch image doesn't have permission on /usr/share/opensearch/opensearch-docker-entrypoint.sh, which is a little weird. (I think the image user should already have permission to access that folder)

Could someone tell me what I'm missing?

Thanks in advance

bbarani commented 2 years ago

@lindeberg25 Can you please pull in the updated Docker image and let us know if you are still facing this issue? You can find more info tracked in the issues below.

Issue 1 Issue 2

bbarani commented 2 years ago

@lindeberg25 Closing this issue as we couldn't replicate it on the latest Docker image. Please feel free to re-open it if you are still facing this issue.

ElhamAhmadlou commented 2 years ago

Hi, I also have the same error. I have also changed the image version to the latest one, but it didn't help.

level=error msg="container_linux.go:367: starting container process caused: exec: \"./opensearch-docker-entrypoint.sh\": stat ./opensearch-docker-entrypoint.sh: permission denied"

dion-dodgen commented 1 year ago

+1 error persists on :latest

dblock commented 1 year ago

I'll reopen and move this to opensearch-devops.

Ismo900123213 commented 1 year ago

Had the same issue. Fix: at the container level, define the securityContext of runAsUser and runAsGroup to:

     securityContext:
       runAsUser: 1000
       runAsGroup: 1000

peterzhuamazon commented 1 year ago

Echo @Ismo900123213. In our docker the user we use to run has id 1000. And the default user should be them as well.

If you are having another user trying to access the folder then it will error out. Thanks.

marcosox commented 10 months ago

As reported by another user in opensearch-project/docker-images#35:

Since the script itself is set with these permissions: -rwxr-xr-x (allow other to read and execute) it would be logical for the previous directories to have the same permissions

I have user namespace remapping enabled, and when starting the container the opensearch-owned files become owned by root:

bash-5.2# ls -al /usr/share/opensearch/opensearch-docker-entrypoint.sh 
-rwxr-xr-x 1 root opensearch 4876 Oct 13 03:45 /usr/share/opensearch/opensearch-docker-entrypoint.sh

The parent folder (/usr/share/opensearch) is not group readable:

bash-5.2$ ls -al /usr/share/
total 192
drwxr-xr-x  1 root root       4096 Oct 13 03:45 .
drwxr-xr-x  1 root root       4096 Oct 10 22:51 ..
drwxr-xr-x  2 root root       4096 Jan 30  2023 X11
drwxr-xr-x  2 root root       4096 Jan 30  2023 aclocal
drwxr-xr-x  2 root root       4096 Jan 30  2023 appdata
drwxr-xr-x  2 root root       4096 Jan 30  2023 applications
drwxr-xr-x  3 root root       4096 Oct 10 22:51 augeas
drwxr-xr-x  2 root root       4096 Oct 10 22:51 awk
drwxr-xr-x  2 root root       4096 Jan 30  2023 backgrounds
drwxr-xr-x  4 root root       4096 Jan 31  2023 bash-completion
drwxr-xr-x 11 root root       4096 Oct 10 22:51 crypto-policies
drwxr-xr-x  2 root root       4096 Jan 30  2023 desktop-directories
drwxr-xr-x  2 root root       4096 Jan 30  2023 dict
drwxr-xr-x  1 root root       4096 Oct 13 03:45 doc
dr-xr-xr-x  2 root root       4096 Jan 30  2023 empty
drwxr-xr-x  2 root root       4096 Oct 10 22:51 file
drwxr-xr-x  2 root root       4096 Jan 30  2023 games
lrwxrwxrwx  1 root root         14 Aug 14 20:55 gawk -> /usr/share/awk
drwxr-xr-x  3 root root       4096 Oct 10 22:51 gcc-11
drwxr-xr-x  3 root root       4096 Oct 10 22:51 gdb
drwxr-xr-x  3 root root       4096 Oct 10 22:51 glib-2.0
drwxr-xr-x  2 root root       4096 Jan 30  2023 gnome
drwxr-xr-x  2 root root       4096 Jan 30  2023 help
drwxr-xr-x  4 root root       4096 Oct 10 22:51 i18n
drwxr-xr-x  2 root root       4096 Jan 30  2023 icons
drwxr-xr-x  2 root root       4096 Jan 30  2023 idl
drwxr-xr-x  1 root root       4096 Oct 13 03:45 info
drwxr-xr-x  2 root root       4096 Oct 10 22:51 libgpg-error
drwxr-xr-x  5 root root       4096 Oct 10 22:51 libreport
drwxr-xr-x  1 root root       4096 Oct 13 03:45 licenses
drwxr-xr-x  1 root root       4096 Oct 13 03:45 locale
drwxr-xr-x  4 root root       4096 Oct 10 22:51 lua
lrwxrwxrwx  1 root root         10 Aug 30 20:17 magic -> misc/magic
drwxr-xr-x  1 root root       4096 Oct 13 03:45 man
drwxr-xr-x  2 root root       4096 Jan 30  2023 metainfo
drwxr-xr-x  2 root root       4096 Jan 30  2023 mime-info
drwxr-xr-x  2 root root       4096 Oct 10 22:51 misc
drwxr-xr-x  2 root root       4096 Jan 30  2023 omf
drwx------  1 root opensearch 4096 Oct 13 03:45 opensearch
drwxr-xr-x  3 root root       4096 Oct 10 22:51 p11-kit
drwxr-xr-x  2 root root       4096 Jan 30  2023 pixmaps
drwxr-xr-x  4 root root       4096 Oct 10 22:51 pki
lrwxrwxrwx  1 root root         25 Jan 29  2023 python-wheels -> /usr/share/python3-wheels
drwxr-xr-x  2 root root       4096 Oct 10 22:51 python3-wheels
drwxr-xr-x  2 root root       4096 Jan 30  2023 sounds
drwxr-xr-x  2 root root       4096 Oct 10 22:51 tabset
drwxr-xr-x 23 root root       4096 Oct 10 22:51 terminfo
drwxr-xr-x  2 root root       4096 Jan 30  2023 themes
drwxr-xr-x  2 root root       4096 Jan 30  2023 wayland-sessions
drwxr-xr-x  2 root root       4096 Jan 30  2023 xsessions
drwxr-xr-x 20 root root       4096 Oct 10 22:51 zoneinfo

So I end up with permission denied and can't use the image.

Is the rwx------ permission crucial for /usr/share/opensearch/? Could it be rwxr-xr-x like the files it contains? This would allow the image to be compatible with the typical setup for users who have namespace remapping enabled.
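
The permission check behind the two comments above (a UID other than 1000, and a remapped owner on the `drwx------` directory), as an added example that is not code from the OpenSearch project or from any commenter. The helper names `stat_chain` and `first_denied` are hypothetical, and the numeric IDs (root = 0, opensearch = 1000) and the `AS_BUILT` ownership are assumptions drawn from the thread.

```shell
#!/bin/sh
# Added example. Mode bits only: ACLs, SELinux and capabilities are not modelled.

# stat_chain PATH: print "uid gid mode name" for each component of an absolute
# path (needs `stat -c`). Run inside the container and pipe to first_denied.
stat_chain() {
  local rest="${1#/}" cur=""
  while [ -n "$rest" ]; do
    cur="$cur/${rest%%/*}"
    case $rest in */*) rest="${rest#*/}" ;; *) rest="" ;; esac
    stat -c '%u %g %a %n' -- "$cur" || return 2
  done
}

# first_denied UID GID...: read stat_chain lines on stdin and print the first
# component on which that uid/gid set has no x bit (search for a directory,
# execute for the final file). Prints nothing when every component passes.
first_denied() {
  local uid="$1" gids owner group mode path m bits
  shift
  gids=" $* "
  while read -r owner group mode path; do
    m=$((0$mode))                            # stat prints octal, e.g. 700
    if [ "$uid" -eq "$owner" ]; then
      bits=$((m >> 6))                       # owner class, and only that class
    else
      case "$gids" in
        *" $group "*) bits=$((m >> 3)) ;;    # group class
        *)            bits=$m ;;             # other class
      esac
    fi
    if [ $((bits & 1)) -eq 0 ]; then
      printf '%s\n' "$path"
      return 0
    fi
  done
  return 0
}

# Constructed samples. REMAPPED mirrors the modes in the listing above;
# AS_BUILT assumes the same modes with uid 1000 as owner (no remapping).
REMAPPED='0 0 755 /usr/share
0 1000 700 /usr/share/opensearch
0 1000 755 /usr/share/opensearch/opensearch-docker-entrypoint.sh'
AS_BUILT='0 0 755 /usr/share
1000 1000 700 /usr/share/opensearch
1000 1000 755 /usr/share/opensearch/opensearch-docker-entrypoint.sh'

printf '%s\n' "$REMAPPED" | first_denied 1000 1000   # uid 1000, owner remapped
printf '%s\n' "$AS_BUILT" | first_denied 12345 0     # a uid other than 1000
```

Against a running container, `stat_chain /usr/share/opensearch/opensearch-docker-entrypoint.sh | first_denied "$(id -u)" $(id -G)` names the component that blocks the current user.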

midprasanta commented 2 months ago

Is there any plan to fix the issue? The error happens in OpenShift only.