[bitnami/elasticsearch] fix: Unable to run the image using the root user

Open liuweiGL opened this issue 8 months ago • 3 comments

Description of the change

Use the empty-dir volume instead of the {{ template "elasticsearch.master.tlsSecretName" . }} secret to mount the tls certificate files

Benefits

You can run elasticsearch as the root user to install some elasticsearch plug-ins that require special permissions

Possible drawbacks

Applicable issues

  • fixes #25280

Additional information

When you run elasticsearch container as the root user, the following code changes the ownership of the /opt/bitnami/elasticsearch/config directory to the 'elasticsearch' user. But the files mounted by secret are read-only, which can lead to script errors:

https://github.com/bitnami/containers/blame/f9c0491bc648c894ce0a47cd5ced5c50e755ff92/bitnami/elasticsearch/8/debian-12/rootfs/opt/bitnami/scripts/libelasticsearch.sh#L380-L383

Test

Install the elasticsearch chart with the following values:

fullnameOverride: elasticsearch
global:
  elasticsearch:
    service:
      name: elasticsearch
      ports:
        restAPI: 9200
  kibanaEnabled: false
  storageClass: longhorn
image:
  tag: 8.14.0-debian-12-r0
  debug: true
coordinating:
  replicaCount: 1
  resourcesPreset: medium
  containerSecurityContext:
    allowPrivilegeEscalation: true
    capabilities:
      drop:
        - ALL
    enabled: true
    privileged: true
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
  podSecurityContext:
    enabled: true
    fsGroup: 0
data:
  replicaCount: 1
  resourcesPreset: medium
  containerSecurityContext:
    allowPrivilegeEscalation: true
    capabilities:
      drop:
        - ALL
    enabled: true
    privileged: true
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
  podSecurityContext:
    enabled: true
    fsGroup: 0
ingest:
  replicaCount: 1
  resourcesPreset: medium
  containerSecurityContext:
    allowPrivilegeEscalation: true
    capabilities:
      drop:
        - ALL
    enabled: true
    privileged: true
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
  podSecurityContext:
    enabled: true
    fsGroup: 0
master:
  masterOnly: true
  replicaCount: 1
  resourcesPreset: medium
  persistence:
    enabled: true
  containerSecurityContext:
    allowPrivilegeEscalation: true
    capabilities:
      drop:
        - ALL
    enabled: true
    privileged: true
    readOnlyRootFilesystem: false
    runAsGroup: 0
    runAsNonRoot: false
    runAsUser: 0
  podSecurityContext:
    enabled: true
    fsGroup: 0
security:
  elasticPassword: QcEFFcQ9xoFHdUu
  enabled: true
  tls:
    autoGenerated: true
plugins: https://infinilabs.eastcoal.tech/analysis-ik/stable/analysis-ik-8.14.0.zip

Checklist

  • [x] Chart version bumped in Chart.yaml according to semver. This is not necessary when the changes only affect README.md files.
  • [x] Variables are documented in the values.yaml and added to the README.md using readme-generator-for-helm
  • [x] Title of the pull request follows this pattern [bitnami/<name_of_the_chart>] Descriptive title
  • [x] All commits signed off and in agreement of Developer Certificate of Origin (DCO)

liuweiGL • Jun 21 '24 23:06
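
The description above turns on Secret-mounted files being read-only, so ownership changes on them fail; staging them into a writable emptyDir first avoids that. The shell functions below are an added example, not code from this pull request or the Bitnami chart: the function names, the directory arguments and the constructed sample layout are all assumptions.

```shell
#!/bin/sh
# Added example: stage TLS files from a read-only Secret mount into a
# writable directory (e.g. an emptyDir) so later chown/chmod calls succeed.
# Function names and paths are hypothetical, not taken from the chart.

stage_tls_files() {
    src=$1   # read-only Secret mount (path supplied by the caller)
    dst=$2   # writable emptyDir mount (path supplied by the caller)

    [ -d "$src" ] || { echo "missing source dir: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    chmod 0700 "$dst" || return 1

    # Kubernetes exposes Secret keys as symlinks through a hidden "..data"
    # directory. The glob skips dot-entries, and cp -L copies the link
    # targets, so the staged files are regular files owned by the copier.
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp -L "$f" "$dst/$name" || return 1
        chmod 0600 "$dst/$name" || return 1   # keys readable by owner only
    done

    # Fail closed if nothing was staged.
    ls -A "$dst" | grep -q . || { echo "no files staged" >&2; return 1; }
}

# Constructed sample input that mimics the layout of a Secret volume.
make_sample_secret_mount() {
    root=$1
    mkdir -p "$root/..2024_06_21"
    printf 'CERT\n' > "$root/..2024_06_21/tls.crt"
    printf 'KEY\n'  > "$root/..2024_06_21/tls.key"
    ln -s ..2024_06_21 "$root/..data"
    ln -s ..data/tls.crt "$root/tls.crt"
    ln -s ..data/tls.key "$root/tls.key"
    chmod 0444 "$root/..2024_06_21/"*   # source files are read-only
}
```

In a pod this would run in an init container that mounts both volumes, with the main container mounting only the emptyDir.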