powerapi-ng / hwpc-sensor

Hardware Performance Counters monitoring agent for containers.
BSD 3-Clause "New" or "Revised" License

Running the sensor without root #10

Closed PierreRustOrange closed 2 years ago

PierreRustOrange commented 2 years ago

The sensor container must currently run as a privileged container and the user inside the container is root. This is generally an issue when running on production systems as ops often require (and rightly so!) that we use a non-root user inside our containers and that containers are not privileged.

The sensor can however run perfectly fine in a non-root container, provided it has been granted the correct capabilities.

For example, I use in my Dockerfile:

# Create an unprivileged user and group for the sensor process.
RUN groupadd sensorgrp && \
    useradd -u 1001 -g sensorgrp --home-dir /home/powerapi powerapi && \
    mkdir /home/powerapi

# Grant the binary CAP_SYS_ADMIN as a file capability, then verify it was applied.
RUN setcap "cap_sys_admin=ep" /usr/bin/hwpc-sensor && \
    setcap -v "cap_sys_admin=ep" /usr/bin/hwpc-sensor

And at the end of the Dockerfile:

USER powerapi
ENTRYPOINT ["/usr/bin/run.sh"]

Then, when running the container, I add the capability:

docker run --name sensortest -it --rm --cap-add SYS_ADMIN noroot-sensor:latest

Would you consider changing the sensor image so that it runs without root by default? It also requires disabling the check in sensor.c (https://github.com/powerapi-ng/hwpc-sensor/blob/ae0b8fc3894dc788460e8040aa3ae939a90e2953/src/sensor.c#L169)
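The combination described in the comment (file capability `cap_sys_admin=ep` on the binary, a non-root `USER`, and `--cap-add SYS_ADMIN` so the capability stays in the bounding set) should leave the sensor process running as uid 1001 with exactly CAP_SYS_ADMIN in its effective set. The following script is an added example, not hwpc-sensor code, that checks this from inside the container by reading `/proc/<pid>/status`; the capability number 21 for CAP_SYS_ADMIN comes from linux/capability.h, and the status file contents used in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of hwpc-sensor): classify the privileges of a process
# from its /proc/<pid>/status file so a non-root + CAP_SYS_ADMIN deployment can
# be verified, and an accidental root or --privileged run can be spotted.

# CAP_SYS_ADMIN is capability number 21 in linux/capability.h, i.e. bit 1<<21
# of the CapEff mask.
CAP_SYS_ADMIN_MASK=$(( 1 << 21 ))

# Print the real uid (first field after "Uid:") from a status file.
uid_from_status() {
    awk '$1 == "Uid:" { print $2 }' "$1"
}

# Print the effective capability mask (CapEff) as the hex string the kernel shows.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# Classify the privileges described by a status file. Prints one word:
#   root        process runs as uid 0 (what the issue wants to get rid of)
#   missing     non-root but CAP_SYS_ADMIN is not effective (sensor cannot read counters)
#   excess      non-root, CAP_SYS_ADMIN plus other capabilities (more than needed)
#   least-priv  non-root with exactly CAP_SYS_ADMIN
classify_privileges() {
    uid=$(uid_from_status "$1")
    mask=$(( 0x$(capeff_from_status "$1") ))
    if [ "$uid" -eq 0 ]; then
        echo root
    elif [ $(( mask & CAP_SYS_ADMIN_MASK )) -eq 0 ]; then
        echo missing
    elif [ $(( mask & ~CAP_SYS_ADMIN_MASK )) -ne 0 ]; then
        echo excess
    else
        echo least-priv
    fi
}

# When invoked as "sh check.sh --self", report on the current shell process,
# e.g. as the first step of the container entrypoint.
if [ "${1:-}" = "--self" ]; then
    classify_privileges /proc/self/status
fi
```

Inside the container built as above, `sh check.sh --self` is expected to print `least-priv`; `root` indicates the `USER` line is missing or the container was started with `--user 0`, and `excess` typically means the container was given a broader capability set than `--cap-add SYS_ADMIN` alone.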