From 9df2614e8a2e62e49ca5f0b10db5e3e170f960c8 Mon Sep 17 00:00:00 2001 From: Rock Baek Date: Sun, 14 Nov 2021 12:50:13 -0800 Subject: [PATCH] add initContainer for running as non root user --- CHANGELOG.md | 1 + docs/advanced-configuration.md | 6 +++ .../templates/daemonset.yaml | 46 +++++++++++++++++-- .../splunk-otel-collector/values.schema.json | 3 ++ helm-charts/splunk-otel-collector/values.yaml | 9 +++- 5 files changed, 61 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2730f1b04..b2dbef3bd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ### Added - Field name compatibility for SCK (#258) +- Add initContainer for file operations for running as non root user (#263) ### Changed diff --git a/docs/advanced-configuration.md b/docs/advanced-configuration.md index bf6cb3e04c..e3e78509d7 100644 --- a/docs/advanced-configuration.md +++ b/docs/advanced-configuration.md @@ -121,6 +121,12 @@ Here is the summary of performance benchmarks run internally. The data pipelines for these test runs involved reading container logs as they are being written, then parsing filename for metadata, enriching it with kubernetes metadata, reformatting data structure, and sending them (without compression) to Splunk HEC endpoint. +## Running the container in non-root user mode + +Collecting logs often requires reading log files that are owned by the root user. By default, the container runs with `securityContext.runAsUser = 0` which gives the `root` user permission to read those files. To run the container in `non-root` user mode, set `.Values.otelAgent.runInitForNonRoot` to `true`to cause the container to run the required file system operations as UID and GID `20000`. + +Note: `cri-o` container runtime did not work during internal testing. + ## Additional telemetry sources Use `autodetect` config option to enable additional telemetry sources. 
diff --git a/helm-charts/splunk-otel-collector/templates/daemonset.yaml b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
index 0b53e8c26d..e692091092 100644
--- a/helm-charts/splunk-otel-collector/templates/daemonset.yaml
+++ b/helm-charts/splunk-otel-collector/templates/daemonset.yaml
@@ -124,6 +124,45 @@ spec:
 mountPath: /var/log
 - name: varlibdockercontainers
 mountPath: /var/lib/docker/containers
+ {{- if .Values.otelAgent.runInitForNonRoot }}
+ - name: chown
+ image: registry.access.redhat.com/ubi8/ubi
+ command: ['sh', '-c', '
+ mkdir -p {{ .Values.logsCollection.checkpointPath }};
+ chown -Rv {{ .Values.otelAgent.securityContext.runAsUser | default 20000 }}:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} {{ .Values.logsCollection.checkpointPath }};
+ chmod -v g+rwxs {{ .Values.logsCollection.checkpointPath }};
+ {{ if .Values.logsCollection.containers.enabled -}}
+ if [ -d "/var/lib/docker/containers" ];
+ then
+ chgrp -Rv {{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} /var/lib/docker/containers;
+ chmod -R g+rxs /var/lib/docker/containers;
+ setfacl -n -Rm d:g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx /var/lib/docker/containers;
+ fi;
+ if [ -d "/var/log/crio/pods" ];
+ then
+ chgrp -Rv {{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} /var/log/crio/pods;
+ chmod -R g+rxs /var/log/crio/pods;
+ setfacl -n -Rm d:g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx /var/log/crio/pods;
+ fi;
+ if [ -d "/var/log/pods" ];
+ then
+ chgrp -Rv {{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }} /var/log/pods;
+ chmod -R g+rxs /var/log/pods;
+ setfacl -n -Rm d:g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx,g:{{ .Values.otelAgent.securityContext.runAsGroup | default 20000 }}:rx /var/log/pods;
+ fi;
+ {{- end }}']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: checkpoint
+ mountPath: {{ .Values.logsCollection.checkpointPath }}
+ {{- if .Values.logsCollection.containers.enabled }}
+ - name: varlog
+ mountPath: /var/log
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ {{- end }}
+ {{- end }}
 {{- end }}
 {{- end }}
 containers:
@@ -192,14 +231,15 @@ spec:
 {{- end }}
 image: {{ template "splunk-otel-collector.image.otelcol" . }}
 imagePullPolicy: {{ .Values.image.otelcol.pullPolicy }}
- {{- if or .Values.otelAgent.securityContext (and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel")) }}
+ {{- if and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel") }}
 securityContext:
- {{- if and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel") }}
+ {{- if not .Values.otelAgent.runInitForNonRoot }}
 runAsUser: 0
- {{- end }}
+ {{- else }}
 {{- if .Values.otelAgent.securityContext }}
 {{ toYaml .Values.otelAgent.securityContext | nindent 10 }}
 {{- end }}
+ {{- end }}
 {{- end }}
 env:
 - name: SPLUNK_MEMORY_TOTAL_MIB
diff --git a/helm-charts/splunk-otel-collector/values.schema.json b/helm-charts/splunk-otel-collector/values.schema.json
index b6cbeaab7e..54eb6948c8 100644
--- a/helm-charts/splunk-otel-collector/values.schema.json
+++ b/helm-charts/splunk-otel-collector/values.schema.json
@@ -319,6 +319,9 @@
 }
 }
 },
+ "runInitForNonRoot": {
+ "type": "boolean"
+ },
 "securityContext": {
 "type": "object"
 },
diff --git a/helm-charts/splunk-otel-collector/values.yaml b/helm-charts/splunk-otel-collector/values.yaml
index c238aec174..aedcadba24 100644
--- a/helm-charts/splunk-otel-collector/values.yaml
+++ b/helm-charts/splunk-otel-collector/values.yaml
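Review bot: The `chown` init container permanently rewrites host filesystem state: `chgrp -Rv` plus `setfacl -n -Rm d:g:…` on `/var/lib/docker/containers`, `/var/log/pods` and `/var/log/crio/pods` change group ownership and add inheriting default ACLs on the node, which outlive pod restarts and chart removal and give any host process running with GID 20000 read access to every container's logs on that node; the docs hunk in this commit does not say so, and the template should carry a comment such as `# NOTE: changes group ownership and default ACLs of host log directories; this persists on the node after the chart is uninstalled`. The image `registry.access.redhat.com/ubi8/ubi` is pulled by floating tag and is not configurable through values, so the chart runs an unpinned image as UID 0 with host paths mounted; pin it by digest and expose it through the chart's image values so air-gapped registries can override it. `chmod -R g+rxs` also sets the execute and setgid bits on regular log files, not only on directories; use `chmod -R g+rX` and apply setgid to directories only (`find <dir> -type d -exec chmod g+s {} +`). Finally, `{{ .Values.logsCollection.checkpointPath }}` and the runAsUser/runAsGroup values are interpolated unquoted into a single-quoted `sh -c` string, so a path containing a space or quote breaks or alters the script; quote the path (`"{{ .Values.logsCollection.checkpointPath }}"`) and constrain the UID/GID to integers in values.schema.json. The initContainers list this entry joins begins before the hunk.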
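Review bot: The new outer condition `{{- if and (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel") }}` renders `securityContext` only when the otel logs engine is active, whereas the removed line also rendered it whenever `.Values.otelAgent.securityContext` was set; a user who hardened the agent through `otelAgent.securityContext` (for example dropping capabilities) silently loses that block when `logsEngine` is `fluentd` or logs are disabled. Inside the block, `{{- if not .Values.otelAgent.runInitForNonRoot }}` emits `runAsUser: 0` and skips the user-supplied `securityContext` entirely, which is reasonable to avoid a duplicate `runAsUser` key but is not documented anywhere in the commit. Restore the `or .Values.otelAgent.securityContext` term on the outer `if` and fold the log-engine test into the inner one, i.e. `{{- if and (not .Values.otelAgent.runInitForNonRoot) (eq (include "splunk-otel-collector.logsEnabled" $) "true") (eq .Values.logsEngine "otel") }}`, so the `else` branch still renders the user's `securityContext` when root is not required. The container spec this hunk edits starts and ends outside the hunk.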
@@ -240,7 +240,14 @@ otelAgent: # This value is being used as a source for default memory_limiter processor configurations memory: 500Mi - securityContext: {} + # Boolean for running initContainer that will change group ownership of directories for container logs and journald logs. + # It is required for running the agent as a non root user. By default, it will run as UID and GID 20000. + # Disable it if you would rather run it as root user. + runInitForNonRoot: false + + securityContext: + runAsUser: 20000 + runAsGroup: 20000 # OTel agent annotations annotations: {}
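Review bot: The new comment on `runInitForNonRoot` says the init container changes group ownership of "directories for container logs and journald logs", but the init container added in daemonset.yaml in this same commit touches only the checkpoint path and the `/var/lib/docker/containers`, `/var/log/pods` and `/var/log/crio/pods` directories; there is no journald path in the script, so the comment overstates what is changed and should name those directories instead. It also does not say that when `runInitForNonRoot` is `false` the agent is rendered with `runAsUser: 0` and the `securityContext` values directly below (now defaulting to `runAsUser: 20000` / `runAsGroup: 20000`) are not applied, which is what the daemonset template in this commit does; add a line such as `# When runInitForNonRoot is false the agent runs as root and securityContext below is ignored.` Stating that the ownership and ACL changes persist on the node after uninstall would help operators decide before enabling it.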