mssql-docker icon indicating copy to clipboard operation
mssql-docker copied to clipboard

Published 20 hours ago verified publisher icon microsoft

mcr.microsoft.com/mssql/rhel/server:2019-latest: permission issue

Open ebattat opened this issue 2 years ago • 1 comments

When running mcr.microsoft.com/mssql/rhel/server:2019-latest inside pod on kubernetes with

        securityContext:
          capabilities:
            drop: 
              - all

Got the following permission issue:

/opt/mssql/bin/permissions_check.sh: line 59: /opt/mssql/bin/sqlservr: Operation not permitted
/opt/mssql/bin/permissions_check.sh: line 59: /opt/mssql/bin/sqlservr: Success

Can you please let me know the right securityContext for running mssql image mcr.microsoft.com/mssql/rhel/server:2019-latest ?

ebattat avatar Jul 11 '22 08:07 ebattat

Hi, @amvin87 / @jamesongithub do you have any estimated date for the issue resolution?

pjgg avatar Sep 22 '22 12:09 pjgg

The first line in the log This container is running as user 1000880000. should be 'running as user mssql'

As a workaround allow the used service account (default) anyuid for your namespace (mssql). oc adm policy add-scc-to-user anyuid system:serviceaccount:mssql:default

rbaumgar avatar Oct 03 '22 11:10 rbaumgar

@ebattat the issue is, sqlservr is not able to boot up due to restricted-v2 dropping ALL, which also drops NET_BIND_SERVICE, which sqlservr uses to bind the default MSDTC RPC on port 135 (unfortunately the message you see above is very vague Operation not permitted, but it's because the capability is not present to the Container but the sqlservr binary has it set via setcap - you can validate via getcap - so Kubelet is throwing):

# Go into the SQL Server container and run this
getcap /opt/mssql/bin/sqlservr
/opt/mssql/bin/sqlservr = cap_net_bind_service+ep # <---- NET_BIND_SERVICE

If you're using a StatefulSet to host your SQL Server pod, you can add the following, without any new SCCs besides restricted-v2 (accessible to any Pod as default service account), it will work on OCP 4.11 (I've tested):

# Inside StatefulSet, add this all the way in the container spec (not the Pod spec, but the individual container spec)
securityContext:
 capabilities:
  add:
   - NET_BIND_SERVICE

There's a bigger issue that I'm discussing with @camilamacedo86 and @taylorjordanNC here: https://github.com/redhat-openshift-ecosystem/community-operators-prod/discussions/1417

Because NET_BIND_SERVICE disqualifies you from OCP 4.10 restricted SCC (so this solution is not backwards compatible). OCP 4.10 used to blanket offer NET_BIND_SERVICE to all Containers via CRI-O.

So basically:

  • For OCP 4.11, you need to explicitly ask for the capability. If you don't ask OCP 4.11, it will complain.
  • For OCP 4.10, don't ask, it's already there via CRI-O (which is why sqlservr worked as is). If you ask OCP 4.10, it will complain.

mdrakiburrahman avatar Jan 03 '23 23:01 mdrakiburrahman