When trying to create an OpenSearch container in OpenShift, an issue with privileged appears

Open • thtarstar opened this issue 1 year ago • 4 comments

Describe the bug

After trying to create an OpenSearch container in OpenShift (OKD cluster), I had an error:

Warning Failed 95m (x1075 over 5h38m) kubelet (combined from similar events): Error: container create failed: time="2023-12-20T15:56:36+02:00" level=error msg="runc create failed: unable to start container process: exec: "./opensearch-docker-entrypoint.sh": stat ./opensearch-docker-entrypoint.sh: permission denied

Looks like OpenShift is crying for OpenSearch running as a privileged container in the cluster.

Host/Environment (please complete the following information):

  • Helm Version: [e.g. 3.7.2]
  • OpenShift

thtarstar, Dec 21 '23 20:12

Interested to know if there are any updates to this, as I'm having the same issue trying to deploy OpenSearch in an OpenShift cluster without privileged access and I'm facing the same error "runc create failed: unable to start container process: exec: "./opensearch-docker-entrypoint.sh": stat ./opensearch-docker-entrypoint.sh: permission denied".

If someone has managed to make it work, I would appreciate more insight.

tdominguezm, Jan 15 '24 11:01

There are some open issues with respect to OpenShift clusters running the OpenSearch Helm chart:

  • ~https://github.com/opensearch-project/helm-charts/issues/369~
  • https://github.com/opensearch-project/helm-charts/issues/384
  • https://github.com/opensearch-project/helm-charts/issues/480
  • https://github.com/opensearch-project/helm-charts/issues/512

It would be great if someone can refactor the chart to make it work with OpenShift.

prudhvigodithi, Jan 16 '24 20:01

@prudhvigodithi The first 2 issues (#369 and #384) are NOT OpenShift-specific; they are related to Kubernetes security best practices. Even the 3rd issue (#480) is more a K8s security best practices issue than an OpenShift issue (although OpenShift is mentioned). These issues may crop up on OpenShift because it enforces/requires some of these best practices, but the underlying issue is that the OpenSearch container image is not configured securely. This is surprising since I suspect the AWS OpenSearch service has resolved these same issues. Unfortunately, some of these cannot be fixed via Helm chart changes and must be addressed in the container image itself.

gsmith-sas, Jan 16 '24 22:01

Thanks @gsmith-sas, what I was trying to say was it would be great if we can refactor the chart/docker-image or if you can show us some pointers on how to still make it work with OpenShift enforcements. @gsmith-sas can you please elaborate more, or are you open to contributing, to make sure there are no issues with OpenShift and it works the same as on other clusters?

We can ignore this issue https://github.com/opensearch-project/helm-charts/issues/369 as it's more related to the PA plugin writing logs to the read-only filesystem.

Adding @bbarani @peterzhuamazon @TheAlgo

prudhvigodithi, Jan 17 '24 16:01