
The pravega zookeeper docker image runs as root by default #538

Open
patrickdung opened this issue Mar 19, 2023 · 2 comments · May be fixed by #561

@patrickdung

Description

This is the Dockerfile
https://github.com/pravega/zookeeper-operator/blob/master/docker/Dockerfile

No user is created, and the container runs as root (UID 0).

Importance

This is not a good security practice.

Location

https://github.com/pravega/zookeeper-operator/blob/master/docker/Dockerfile

Suggestions for an improvement

Create a dedicated user and specify it to run instead of root/UID 0.

janhoy added a commit to janhoy/zookeeper-operator that referenced this issue Jun 28, 2023
@janhoy

janhoy commented Jun 28, 2023

Filed a PR for the user change itself.

It would be nice to follow this up with the Operator adding a securityContext.runAsNonRoot: true to the POD container, which would silence such policy warnings by default.

@janhoy

janhoy commented Jun 28, 2023

Actually the base image of this image already creates the zookeeper user with UID=1000. So a workaround to run as non-root is to specify user 1000 in the helm chart:

pod:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000

EDIT: Note that you also need to supply fsGroup here so that the POD will have write access to the data volume. Also, if you apply this change on an existing cluster, you will need to delete the PVC for each zk pod as they are upgraded, else there will be permission errors.
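An added pre-deployment check, written for this thread and not code from the issue or from the zookeeper-operator project, that flags the two gaps discussed above: a Dockerfile that never switches away from UID 0 (no USER instruction, or USER root), and a Helm `pod.securityContext` block missing runAsNonRoot, a non-zero runAsUser, or the fsGroup that the data volume needs. The Dockerfile text and values below are constructed samples; the values shape assumed is the `pod:` block janhoy quoted.

```python
import re

def dockerfile_final_user(dockerfile: str) -> str:
    """Effective user after the last USER instruction, or 'root' when there is
    none (Docker's default). Accepts 'USER name', 'USER uid' and 'USER name:group';
    a later USER line overrides an earlier one."""
    user = "root"
    for line in dockerfile.splitlines():
        m = re.match(r"^\s*USER\s+(\S+)", line, re.IGNORECASE)
        if m:
            user = m.group(1).split(":")[0]
    return user

def dockerfile_runs_as_root(dockerfile: str) -> bool:
    """True when the image would start its process as UID 0."""
    return dockerfile_final_user(dockerfile) in ("root", "0")

def pod_security_findings(pod_values: dict) -> list:
    """Check the Helm 'pod' values block for the three settings the workaround
    in this thread relies on. Returns a list of human-readable findings;
    an empty list means the block is acceptable."""
    ctx = pod_values.get("securityContext") or {}
    findings = []
    if ctx.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true (kubelet will not refuse a UID 0 image)")
    if ctx.get("runAsUser") in (None, 0):
        findings.append("runAsUser missing or 0 (container process runs as root)")
    if ctx.get("fsGroup") is None:
        findings.append("fsGroup missing (non-root process may not be able to write the data volume)")
    return findings

# Constructed sample inputs (hypothetical image name; not the project's Dockerfile).
DOCKERFILE_ROOT = "FROM example/zookeeper-base\nCOPY bin/ /usr/local/bin/\n"
DOCKERFILE_FIXED = DOCKERFILE_ROOT + "USER zookeeper\n"
POD_VALUES_DEFAULT = {}  # no securityContext at all, as in the reported state
POD_VALUES_FIXED = {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000}}

if __name__ == "__main__":
    for name, df in (("root", DOCKERFILE_ROOT), ("fixed", DOCKERFILE_FIXED)):
        print(f"Dockerfile[{name}]: user={dockerfile_final_user(df)} root={dockerfile_runs_as_root(df)}")
    for name, pv in (("default", POD_VALUES_DEFAULT), ("fixed", POD_VALUES_FIXED)):
        print(f"pod[{name}]: {pod_security_findings(pv) or 'ok'}")
```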
