Is this a BUG REPORT or FEATURE REQUEST?
Choose one: BUG REPORT or FEATURE REQUEST
A BUG REPORT
What happened:
When attempting to set the Kubernetes PodSecurityContext's `runAsGroup` property at container level to a non-root user (e.g., we attempted both group IDs 1000 and 100001, as shown below),

```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  privileged: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001
  runAsGroup: 10001
```

we encountered the following container entrypoint error.

```
Error: failed to create containerd task: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "./chaos-exporter": stat ./chaos-exporter: permission denied: unknown
```

Upon further investigation, it was noticed that the Chaos Exporter binary possessed the following file ownership and permissions.

```
-rwxr-xr-x 1 root root 40740790 Jan 27 14:10 chaos-exporter
```
What you expected to happen:
The Chaos Exporter binary should execute without requiring the executing Linux user to be root or a member of the root group.
How to reproduce it (as minimally and precisely as possible):
Use the following PodSecurityContext at Chaos Exporter container level.

```yaml
securityContext:
  ...
  runAsUser: 10001
  runAsGroup: 10001
```
Anything else we need to know?:
This works fine when we only set the user ID to the non-root user's ID (in other words, when only `runAsUser` is set).
Options:

- Add to PATH for execution. You can add the Exporter binary to a directory set in the PATH, such as `/usr/local/bin`, as in the case of Chaos Operator.
- Create and use a non-root user who is not attached to the root user group when building the Docker image, and give it the necessary ownership and permissions to execute the Chaos Exporter binary. Sample for creating a user with the non-root group attached (BusyBox `adduser -G` takes the group name, so the group created on the previous line is referenced as `litmus`):

  ```dockerfile
  RUN \
      addgroup -S -g 10001 litmus \
      && adduser -S -u 10001 -h ${USER_HOME} -G litmus 10001
  ```

  Then provide ownership and execution permissions for the Chaos Exporter binary to this user. This user and group could be used in Kubernetes-based deployments.
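The `stat ./chaos-exporter: permission denied` error above is the kernel denying the non-root uid:gid either the execute bit on the binary or the search bit on one of its parent directories. As an added example that is not part of this issue or the Litmus project, the following POSIX shell check reproduces that decision for a given path and uid:gid so an image can be verified before it is deployed with `runAsUser`/`runAsGroup`; it assumes GNU or BusyBox `stat -c` and no supplementary groups.

```shell
#!/bin/sh
# Added example (not from the issue or the Litmus project): a preflight check
# for the failure reported above. It answers "could UID:GID stat and execute
# this binary?" using the kernel's class selection for every path component:
# owner bits if the uid matches, else group bits if the gid matches, else
# "other" bits; every parent directory also needs the search (x) bit.
# Assumption: no supplementary groups (only runAsUser/runAsGroup are set).

# exec_bit MODE UID GID OWNER_UID OWNER_GID -> 0 if the x bit of UID:GID's class is set
exec_bit() {
  m=$1
  while [ ${#m} -lt 3 ]; do m=0$m; done   # stat prints "0" for mode 000
  m=${m#"${m%???}"}                        # last three octal digits (drop setuid/setgid/sticky)
  if [ "$2" -eq "$4" ]; then d=${m%??}                 # owner class
  elif [ "$3" -eq "$5" ]; then d=${m#?}; d=${d%?}      # group class
  else d=${m#??}                                       # other class
  fi
  [ $((d & 1)) -eq 1 ]
}

# can_exec PATH UID GID -> 0 if UID:GID could execute PATH; prints the blocking component otherwise
can_exec() {
  dir=$(cd "$(dirname "$1")" >/dev/null 2>&1 && pwd -P) || { echo "cannot resolve $1"; return 1; }
  target=${dir%/}/$(basename "$1"); want_uid=$2; want_gid=$3; cur=$target
  while :; do
    st=$(stat -c '%a %u %g' "$cur") || return 1
    mode=${st%% *}; rest=${st#* }; ouid=${rest%% *}; ogid=${rest#* }
    if [ "$cur" = "$target" ]; then
      if [ "$want_uid" -eq 0 ]; then
        # root (CAP_DAC_OVERRIDE) may execute only if at least one x bit is set
        case ${mode#"${mode%???}"} in *[1357]*) ;; *) echo "no x bit on $cur"; return 1 ;; esac
      elif ! exec_bit "$mode" "$want_uid" "$want_gid" "$ouid" "$ogid"; then
        echo "$want_uid:$want_gid cannot execute $cur (mode $mode, owner $ouid:$ogid)"; return 1
      fi
    elif [ "$want_uid" -ne 0 ] && ! exec_bit "$mode" "$want_uid" "$want_gid" "$ouid" "$ogid"; then
      # a directory without the search bit is what surfaces as "stat ...: permission denied"
      echo "$want_uid:$want_gid cannot traverse $cur (mode $mode, owner $ouid:$ogid)"; return 1
    fi
    if [ "$cur" = / ]; then return 0; fi
    cur=$(dirname "$cur")
  done
}

# Example call (run inside the built image): can_exec /usr/local/bin/chaos-exporter 10001 10001
```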