scylladb / scylladb

NoSQL data store using the seastar framework, compatible with Apache Cassandra
http://scylladb.com
GNU Affero General Public License v3.0

Running Scylla in Docker without root privileges #16253

Open rngcntr opened 11 months ago

rngcntr commented 11 months ago

This issue originated from #1485.

Description

Configuring containers to use unprivileged users is one of OWASP's top Docker Security rules. Especially with Kubernetes' SecurityContexts and enforcement policies, companies and users operating production environments are urged to eliminate privileges from users within Docker containers.

So far, the Scylla Docker container is unable to start successfully unless given root privileges. It instead prints the following error:

running: (['/opt/scylladb/scripts/scylla_dev_mode_setup', '--developer-mode', '1'],)
Requires root permission.

Steps to reproduce

docker run --user 107 scylladb/scylla

I chose the user scylla with UID 107 and primary GID 109 here because it is listed in the /etc/passwd that is shipped with the container.

Installation details

Scylla version: 5.2.11
OS: Docker on any OS
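As an added example (not from the issue report or the ScyllaDB project), here is the Kubernetes equivalent of the `docker run --user 107` reproduction above: a Pod that pins the container to the scylla UID/GID from the image's /etc/passwd, in a namespace whose Pod Security Admission label enforces the `restricted` profile, i.e. the kind of policy that rejects root-running containers. The namespace name, image tag and data mount path are assumptions.

```yaml
# Added example, not from the issue or the ScyllaDB project.
# Namespace with Pod Security Admission enforcing the "restricted" profile:
# a Pod that could run as root (or that omits the fields below) is rejected
# at admission time, before any image is pulled.
apiVersion: v1
kind: Namespace
metadata:
  name: scylla-test   # assumed name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
---
apiVersion: v1
kind: Pod
metadata:
  name: scylla
  namespace: scylla-test
spec:
  securityContext:
    runAsNonRoot: true   # kubelet refuses to start a container whose UID resolves to 0
    runAsUser: 107       # scylla user from the image's /etc/passwd (as in the report)
    runAsGroup: 109      # its primary group
    fsGroup: 109         # mounted volumes become group-writable by that group
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: scylla
      image: scylladb/scylla:5.2.11   # version from the report; the tag is assumed
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: data
          mountPath: /var/lib/scylla   # assumed data directory
  volumes:
    - name: data
      emptyDir: {}
```

The Pod spec itself satisfies the restricted profile, so it is admitted; with the image as reported you should then expect the container to exit with the same "Requires root permission." message, because the entrypoint's setup scripts assume UID 0. Two practical notes: `runAsNonRoot: true` without an explicit `runAsUser` only works when the image declares a numeric `USER`, otherwise the kubelet rejects it as unverifiable; and dropping all capabilities is what removes the tuning abilities (niceness, CPU pinning and similar) that the later comments in this thread mention, so any non-root mode has to tolerate their absence.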

SeanEClarke commented 9 months ago

I am surprised this hasn't come up more; not only is it (as you mentioned) OWASP's rule no. 2, but many cloud hosts/PaaS/K8s-as-a-service vendors have policy enforcement.

Are there any workarounds?

I notice that Cassandra has a '-R' option you pass in on container startup that enables the container user to be non-root.

tzach commented 8 months ago

@tnozicka are you aware of this issue? Did we hit this issue in K8s deployments?

SeanEClarke commented 8 months ago

@tnozicka if the K8s cluster has no policy, or an excessively open policy, then everything will work fine; however, many companies have a restrictive policy enforcement which mandates that containers do not run as root internally. This is also listed as a container/Docker best practice; it's in these scenarios where the deployments fail.

I understand that for the full performance potential to be realised, ScyllaDB may need elevated access/permissions, however it would be extremely useful and beneficial if there - even with the additional caveats around performance etc.

tnozicka commented 8 months ago

I am well aware, but the current ScyllaDB setup uses root and additional capabilities extensively. Some don't need it; some are by their nature needed for tuning the OS or itself (e.g. niceness). I think this would be a fairly conceptual change to how ScyllaDB is set up in containers. E.g. in the operator we have extracted some scripts and run them from "privileged" namespaces so regular users don't have to, mostly around perftune. And there is the supervisord that shouldn't be there. xref https://github.com/scylladb/scylla-operator/issues/1210 https://github.com/scylladb/scylla-operator/issues/106 https://github.com/scylladb/scylla-operator/issues/713

FYI, say OpenShift runs by default with a random UID.