add initContainer for running as non root user

CHANGELOG.md

@@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 
 - Field name compatibility for SCK (#258)
+- Add initContainer for file operations for running as non root user (#263)
 
 ### Changed
 

docs/advanced-configuration.md

@@ -121,6 +121,12 @@ Here is the summary of performance benchmarks run internally.
 
 The data pipelines for these test runs involved reading container logs as they are being written, then parsing filename for metadata, enriching it with kubernetes metadata, reformatting data structure, and sending them (without compression) to Splunk HEC endpoint.
 
+## Running the container in non-root user mode
+
+Collecting logs often requires reading log files that are owned by the root user. By default, the container runs with `securityContext.runAsUser = 0` which gives the `root` user permission to read those files. To run the container in `non-root` user mode, set `.Values.otelAgent.runInitForNonRoot` to `true`to cause the container to run the required file system operations as UID and GID `20000`.
+
+Note: `cri-o` container runtime did not work during internal testing.
+
 ## Additional telemetry sources
 
 Use `autodetect` config option to enable additional telemetry sources.

helm-charts/splunk-otel-collector/templates/daemonset.yaml

@@ -124,6 +124,45 @@ spec:
               mountPath: /var/log
             - name: varlibdockercontainers
               mountPath: /var/lib/docker/containers
+        {{- if .Values.otelAgent.runInitForNonRoot }}
+        - name: chown
+          image: registry.access.redhat.com/ubi8/ubi
+          command: ['sh', '-c', '
+          mkdir -p {{ .Values.logsCollection.checkpointPath }};
+          chown -Rv {{ .Values.otelAgent.securityContext.runAsUser | default 20000 }}:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} {{ .Values.logsCollection.checkpointPath }};
+          chmod -v g+rwxs {{ .Values.logsCollection.checkpointPath }};
+          {{ if .Values.logsCollection.containers.enabled -}}
+          if [ -d "/var/lib/docker/containers" ];
+          then
+              chgrp -Rv {{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} /var/lib/docker/containers;
+              chmod -R g+rxs /var/lib/docker/containers;
+              setfacl -n -Rm d:g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx /var/lib/docker/containers;
+          fi;
+          if [ -d "/var/log/crio/pods" ];
+          then
+              chgrp -Rv {{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} /var/log/crio/pods;
+              chmod -R g+rxs /var/log/crio/pods;
+              setfacl -n -Rm d:g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx /var/log/crio/pods;
+          fi;
+          if [ -d "/var/log/pods" ];
+          then
+              chgrp -Rv {{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} /var/log/pods;
+              chmod -R g+rxs /var/log/pods;
+              setfacl -n -Rm d:g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx /var/log/pods;
+          fi;
+          {{- end }}']
+          securityContext:
+            runAsUser: 0
+          volumeMounts:
+            - name: checkpoint
+              mountPath: {{ .Values.logsCollection.checkpointPath }}
+            {{- if .Values.logsCollection.containers.enabled }}
+            - name: varlog
+              mountPath: /var/log
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+            {{- end }}
+        {{- end }}
         {{- end }}
       {{- end }}
       containers:
@@ -192,14 +231,15 @@ spec:
         {{- end }}
         image: {{ template "splunk-otel-collector.image.otelcol" . }}
         imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
-        {{- if or .Values.otelAgent.securityContext (and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel")) }}
+        {{- if and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel") }}
         securityContext:
-          {{- if and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel") }}
+          {{- if not .Values.otelAgent.runInitForNonRoot }}
           runAsUser: 0
-          {{- end }}
+          {{- else }}
           {{- if .Values.otelAgent.securityContext }}
           {{ toYaml .Values.otelAgent.securityContext | nindent 10 }}
           {{- end }}
+          {{- end }}
         {{- end }}
         env:
           - name: SPLUNK_MEMORY_TOTAL_MIB

helm-charts/splunk-otel-collector/values.schema.json

@@ -319,6 +319,9 @@
             }
           }
         },
+        "runInitForNonRoot": {
+          "type": "boolean"
+        },
         "securityContext": {
           "type": "object"
         },

helm-charts/splunk-otel-collector/values.yaml

@@ -240,7 +240,14 @@ otelAgent:
       # This value is being used as a source for default memory_limiter processor configurations
       memory: 500Mi
 
-  securityContext: {}
+  # Boolean for running initContainer that will change group ownership of directories for container logs and journald logs.
+  # It is required for running the agent as a non root user. By default, it will run as UID and GID 20000.
+  # Disable it if you would rather run it as root user.
+  runInitForNonRoot: false
+
+  securityContext:
+    runAsUser: 20000
+    runAsGroup: 20000
 
   # OTel agent annotations
   annotations: {}