alluxio
Failed to get user in Kubernetes with helm chart
Alluxio Version: Master
Describe the bug
User 1000 does not exist in the containers in k8s. Worker is unable to find the user and log in, and thus cannot talk to master. The cluster can't start successfully.
This issue happens due to https://github.com/Alluxio/alluxio/pull/15898 being merged. That PR forces the Alluxio docker image to run as the root user.
Can we refactor the Dockerfile to create a different admin user with permission to create users/groups & assign file ownership (i.e., a sudo-er), but isn't root (uid=0, gid=0)? The rest will still be the same; after creating the alluxio user & group you run the process as that user. This is just so that the container image itself doesn't run with a root user (which is very dangerous if people can enter the container runtime somehow).
- Example blogpost: https://blog.aquasec.com/rootless-containers-boosting-container-security
The PR that caused the problem was reverted. Close this issue.
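
A preflight check for the failure reported in this issue, as an added example that is not part of the thread or of Alluxio's own code: it tests whether the UID a pod is configured to run as has an entry in the image's passwd file and is not root. The function names, return codes and sample passwd entries (including UID 1001 for `alluxio`) are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_run_as_uid UID [PASSWD_FILE]   (hypothetical helper, not from the project)
#   0: UID has a passwd entry and is not root; prints the user name
#   1: UID has no passwd entry (the "user does not exist" failure above)
#   2: UID is 0, i.e. the process would run as root
#   3: UID is not a non-negative integer
check_run_as_uid() {
    uid=$1
    passwd_file=${2:-/etc/passwd}
    case $uid in
        ''|*[!0-9]*) echo "invalid uid: '$uid'" >&2; return 3 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "uid 0 is root" >&2
        return 2
    fi
    # passwd format: name:password:uid:gid:gecos:home:shell
    name=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$passwd_file")
    if [ -z "$name" ]; then
        echo "uid $uid has no entry in $passwd_file" >&2
        return 1
    fi
    echo "$name"
}

# Constructed sample: an image whose passwd file has no entry for UID 1000.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'alluxio:x:1001:1001::/opt/alluxio:/bin/sh'
}

# Demo on the constructed sample.
demo_file=$(mktemp)
sample_passwd > "$demo_file"
check_run_as_uid 1000 "$demo_file" || echo "check failed with code $?"
rm -f "$demo_file"
```

Run against the real `/etc/passwd` inside the image, with the UID from the pod's security context, it reports the mismatch before the worker fails to log in.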