opendistro-build icon indicating copy to clipboard operation
opendistro-build copied to clipboard

Published 20 hours ago • verified publisher icon opendistro-for-elasticsearch

Could not run Elastic Search conatiner as non-root

Open vijeswari opened this issue 3 years ago • 3 comments
trafficstars

Describe the bug A clear and concise description of what the bug is. As mentioned in the enhancement https://github.com/opendistro-for-elasticsearch/opendistro-build/pull/703, we tried creating ODFE pods running as non-root user using ODFE 1.13.2 docker image and helm chart. The pod creation fails with the following error:

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch OpenDistro for Elasticsearch Security Demo Installer ** Warning: Do not use on production or public reachable systems ** Basedir: /usr/share/elasticsearch Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core) Elasticsearch config dir: /usr/share/elasticsearch/config Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml Elasticsearch bin dir: /usr/share/elasticsearch/bin Elasticsearch plugins dir: /usr/share/elasticsearch/plugins Elasticsearch lib dir: /usr/share/elasticsearch/lib Detected Elasticsearch Version: x-content-7.10.2 Detected Open Distro Security Version: 1.13.1.0 Success Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

To Reproduce Steps to reproduce the behavior:

  1. Download ODFE helm 1.13.2
  2. Run 'helm install test . -f values-nonroot.yaml'
  3. Pod creation fails

Expected behavior A clear and concise description of what you expected to happen. ES container should be up and running as non root

Configuration (please complete the following information):

  • ODFE/Kibana version 1.13.2
  • Distribution: NA
  • Host Machine:NA

Relevant information Please include any relevant log snippets or files here.

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch OpenDistro for Elasticsearch Security Demo Installer ** Warning: Do not use on production or public reachable systems ** Basedir: /usr/share/elasticsearch Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core) Elasticsearch config dir: /usr/share/elasticsearch/config Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml Elasticsearch bin dir: /usr/share/elasticsearch/bin Elasticsearch plugins dir: /usr/share/elasticsearch/plugins Elasticsearch lib dir: /usr/share/elasticsearch/lib Detected Elasticsearch Version: x-content-7.10.2 Detected Open Distro Security Version: 1.13.1.0 Success Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

vijeswari avatar Dec 06 '21 08:12 vijeswari

@vijeswari Hello, I am facing the same issue. Do you find some solution for this issue?

/cc @oomichi

oomichi avatar Jan 27 '22 17:01 oomichi

@vijeswari Hello, I am facing the same issue. Do you find some solution for this issue?

/cc @oomichi

I found a solution for this issue. By specifying

  extraEnvs:
    - name: DISABLE_INSTALL_DEMO_CONFIG
      value: "true"

in values.yaml, the demo mode is disabled and it solves this issue on my side.

oomichi avatar Feb 01 '22 23:02 oomichi

@oomichi This solution did not work for us. We are relying on demo certificates for time being so disabling the demo config scripts has impact on the internal node communication on port 9300. Have you configured certificates post disabling demo config script?

Thank you

vijeswari avatar Feb 15 '22 09:02 vijeswari