Ksql: Docker container won't start in non-privileged user mode

Created on 17 Dec 2018 · 7 comments · Source: confluentinc/ksql

The KSQL-server container won't start with a non-privileged user (e.g. to start in an OpenShift cluster with the MustRunAsNonRoot setting) because the path /etc/ksql-server lacks group write permission:

docker run --user=104 --group-add=0 --rm confluentinc/cp-ksql-server:5.0.1
...
Command [/usr/local/bin/dub path /etc/ksql-server/ writable] FAILED !

All 7 comments

I think this is the first report of this issue. The examples here all work and don't require special privileges.

Those examples don't work for you when tried verbatim?

@apurvam : The examples you mention work well on my local machine but not on the OpenShift cluster of my company, because confluentinc/cp-ksql-server:5.0.1 runs by default with the root user. My company cluster has a security constraint that prevents containers from being run as root (the user _inside_ the container). I have created an issue in confluentinc/cp-helm-charts (see https://github.com/confluentinc/cp-helm-charts/issues/173#issuecomment-437449997), and @maxzheng pointed me to the relevant OpenShift doc: https://docs.openshift.com/container-platform/3.9/creating_images/guidelines.html#openshift-specific-guidelines. This doc says "For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group."

My aim is to make a PR in cp-helm-charts that fixes https://github.com/confluentinc/cp-helm-charts/issues/173, but I must ensure the cp-ksql-server image is compliant with a hardened OpenShift cluster.

You can easily reproduce this from your example with the latest 5.1.0 image by launching the container with an arbitrary user that belongs to the root group, e.g.:

docker run --user=1000 --group-add=0 -p 127.0.0.1:8088:8088 \
  -e KSQL_BOOTSTRAP_SERVERS=localhost:9092 \
  -e KSQL_LISTENERS=http://0.0.0.0:8088/ \
  -e KSQL_KSQL_SERVICE_ID=confluent_test_2 \
  confluentinc/cp-ksql-server:5.1.0

==> ENV Variables ...
COMPONENT=ksql-server
CUB_CLASSPATH="/usr/share/java/cp-base-new/*"
HOME=/
HOSTNAME=8f83365fa394
KSQL_BOOTSTRAP_SERVERS=localhost:9092
KSQL_CLASSPATH=/usr/share/java/ksql-server/*
KSQL_KSQL_SERVICE_ID=confluent_test_2
KSQL_LISTENERS=http://0.0.0.0:8088/
LANG=C.UTF-8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
SHLVL=1
_=/usr/bin/env
===> User
uid=1000 gid=0(root) groups=0(root)
===> Configuring ...
Command [/usr/local/bin/dub path /etc/ksql-server/ writable] FAILED !

@apurvam any updates on this since @francoisserra provided additional details? I am seeing the same issue in a Kubernetes environment where root user usage is prohibited. Updating the chart to run as a non-root user produces the same error.

I'm having the same problem. Any update on this?

Seems like an OpenShift-related problem, as the container runs privileged. Same issue on Minishift 3.11.

We use OpenShift 3.11 and faced the same issue.
Our solution is to wrap the image like this:

FROM confluentinc/cp-ksql-server:5.2.0
RUN mkdir -p /etc/ksql-server/ && chmod -R g+rw /etc/ksql-server/
RUN mkdir -p /usr/logs/ && chmod -R g+rw /usr/logs/

I would prefer if this were done in the main image.
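As an added example (not from this issue, and not Confluent's or OpenShift's code): a POSIX sh check for the condition behind the quoted OpenShift guideline and the failing `dub path /etc/ksql-server/ writable` step, i.e. whether a directory is usable by an arbitrary uid whose only group is gid 0, plus a build-time helper in the spirit of the wrapper image above. The directory names in the self-check are constructed temp paths, not image paths; run it inside the built image (e.g. via `docker run --rm --entrypoint sh`) against /etc/ksql-server and /usr/logs to verify an image before deploying it.

```shell
#!/bin/sh
# Added example, not from the ksql issue or from Confluent's images.
# OpenShift runs containers as an arbitrary uid with gid 0, so a directory
# is only usable if it is group-owned by root (gid 0) and group-writable
# and traversable (rwx), or if it is world-writable.
# Usage: arbitrary_uid_writable DIR  -> returns 0 if usable, 1 otherwise.
arbitrary_uid_writable() {
    dir=$1
    [ -d "$dir" ] || return 1
    # "stat -c" is GNU coreutils syntax; BusyBox stat (Alpine) accepts it too.
    gid=$(stat -c %g "$dir") || return 1
    mode=$(stat -c %a "$dir") || return 1
    perm=${mode#"${mode%???}"}              # last three digits: owner/group/other
    group_digit=${perm#?}; group_digit=${group_digit%?}
    other_digit=${perm#??}
    # A digit of 3 (-wx) or 7 (rwx) lets a process create files inside.
    case $other_digit in 3|7) return 0 ;; esac
    [ "$gid" = 0 ] || return 1
    case $group_digit in 3|7) return 0 ;; esac
    return 1
}

# Build-time fix, like the wrapper Dockerfile above but also forcing gid 0.
# Must run as root (a Dockerfile RUN step), because chgrp needs that privilege.
# "X" sets execute only on directories and already-executable files.
make_arbitrary_uid_writable() {
    mkdir -p "$1" && chgrp -R 0 "$1" && chmod -R g+rwX "$1"
}

# Self-check on constructed temp directories (assumed names, not image paths).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared" "$tmp/locked"
    chmod 777 "$tmp/shared"
    chmod 755 "$tmp/locked"
    arbitrary_uid_writable "$tmp/shared" && echo "shared: usable by arbitrary uid"
    arbitrary_uid_writable "$tmp/locked" || echo "locked: would fail like /etc/ksql-server"
    rm -rf "$tmp"
}

demo
```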

Another one here... same issue.
