datadog-agent
Set fix-attrs ownership to 100:0 for dd-agent user
What does this PR do?
Change the owner root in /etc/s6/init/init-stage2-fixattrs.txt to 100:0 (UID:GID) to eliminate error logs when starting the container with the dd-agent (UID:100) user.
Motivation
When running the datadog-agent container as the regular user dd-agent, the error messages below will be thrown:
```
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/50-ci.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/01-check-apikey.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/50-ecs.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/50-eks.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/50-kubernetes.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/50-mesos.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/51-docker.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/59-defaults.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/60-sysprobe-check.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/60-network-check.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/cont-init.d/89-copy-customfiles.sh: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/agent/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/process/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/security/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/sysprobe/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/trace/run: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/agent/finish: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/process/finish: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/security/finish: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/sysprobe/finish: Operation not permitted
s6-chown: fatal: unable to chown /var/run/s6/etc/services.d/trace/finish: Operation not permitted
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
```
The reason is that the regular user dd-agent doesn't have permission to change the owner of files to root as specified in /etc/s6/init/init-stage2-fixattrs.txt, which is from s6-overlay. The errors and the failure to change the ownership don't have negative effects on starting the container. But adding this line in the Dockerfile can make it work for both the root and dd-agent users, eliminating the error logs.
Possible Drawbacks / Trade-offs
The owner of the directories and files under /var/run/s6/etc/* becomes dd-agent instead of root. That should not matter because the permissions of those directories and files stay unchanged and both dd-agent and root can read, write and execute them.
Describe how to test/QA your changes
Build a new docker image and configure it to run as the regular user dd-agent (UID:100).
Reviewer's Checklist
- [ ] If known, an appropriate milestone has been selected; otherwise the `Triage` milestone is set.
- [ ] Use the `major_change` label if your change either has a major impact on the code base, is impacting multiple teams or is changing important well-established internals of the Agent. This label will be used during QA to make sure each team pays extra attention to the changed behavior. For any customer facing change use a releasenote.
- [ ] A release note has been added or the `changelog/no-changelog` label has been applied.
- [ ] Changed code has automated tests for its functionality.
- [ ] Adequate QA/testing plan information is provided. Except if the `qa/skip-qa` label, with required either `qa/done` or `qa/no-code-change` labels, are applied.
- [ ] At least one `team/..` label has been applied, indicating the team(s) that should QA this change.
- [ ] If applicable, docs team has been notified or an issue has been opened on the documentation repo.
- [ ] If applicable, the `need-change/operator` and `need-change/helm` labels have been applied.
- [ ] If applicable, the `k8s/<min-version>` label, indicating the lowest Kubernetes version compatible with this feature.
- [ ] If applicable, the config template has been updated.
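
The owner change described in the PR above, as an added example (not code from the PR or the datadog-agent repository): it lists fix-attrs entries whose owner a non-root UID cannot set, then rewrites `root` to `100:0` and re-checks. The sample file contents, the `path recurse account fmode dmode` line layout and the function names `write_sample`, `rewrite_owner` and `unchownable` are assumptions; only the paths and the `100:0` value come from the page.

```shell
#!/bin/sh
# Added example. Assumed fix-attrs layout: path recurse account fmode dmode
# The sample below is constructed; only the paths appear in the log above.
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample
/var/run/s6/etc/cont-init.d true root 0755 0755
/var/run/s6/etc/services.d true root 0755 0755
EOF
}

# Print file $1 with every entry owned by $2 re-owned to $3.
rewrite_owner() {
  awk -v old="$2" -v new="$3" '
    /^[ \t]*(#|$)/ { print; next }   # keep comments and blank lines
    $3 == old { $3 = new }
    { print }' "$1"
}

# List paths in file $1 whose owner a process with numeric UID $2 cannot set.
# Assumption: the owner is the part before ":", "root" means UID 0, and other
# account names are not resolved (they are reported as a different owner).
unchownable() {
  awk -v uid="$2" '
    /^[ \t]*(#|$)/ { next }
    { split($3, a, ":"); owner = (a[1] == "root") ? 0 : a[1]
      if (uid != 0 && owner != uid) print $1 }' "$1"
}

f=$(mktemp)
write_sample "$f"
echo "before, as UID 100:"; unchownable "$f" 100    # both paths listed
rewrite_owner "$f" root 100:0 > "$f.new"
echo "after, as UID 100:";  unchownable "$f.new" 100 # nothing listed
rm -f "$f" "$f.new"
```
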
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 45.41%. Comparing base (680baa2) to head (8d13c30). Report is 1 commits behind head on main.
:exclamation: Current head 8d13c30 differs from pull request most recent head a24f66a
Please upload reports for the commit a24f66a to get more accurate results.
Additional details and impacted files
@@ Coverage Diff @@
## main #22715 +/- ##
==========================================
+ Coverage 36.95% 45.41% +8.46%
==========================================
Files 3073 2108 -965
Lines 342187 251334 -90853
==========================================
- Hits 126459 114150 -12309
+ Misses 205895 128004 -77891
+ Partials 9833 9180 -653
| Flag | Coverage Δ | |
|---|---|---|
| amzn_aarch64 | ? | |
| centos_x86_64 | ? | |
| ubuntu_aarch64 | ? | |
| ubuntu_x86_64 | 45.41% <ø> (+8.48%) | :arrow_up: |
Flags with carried forward coverage won't be shown.