-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the Docker image to be run with a random user id #12905
Conversation
Pinging @elastic/integrations-platforms (Team:Platforms) |
💔 Build FailedExpand to view the summary
Build stats
Test stats 🧪
Steps errorsExpand to view the steps failures
Log outputExpand to view the last 100 lines of log output
|
It seems we missed this one, sorry about that. This looks good to me, wdyt @jsoriano? jenkins, test this please |
Umm, this branch will need an update with master so we can run the packaging tests. I have tried it locally and some checks fail:
Is it needed to give write permissions to the group? |
Answering myself, this seems to be the recommendation from Openshift, so I am ok with the change, but we should update the checks. |
Hi, thanks for the feedback. |
run beats-ci/package |
Packaging tests failed for filebeat, something else seems to be needed. |
I will update the PR to fix that. |
Not sure if it is related to the PR. |
💔 Tests FailedExpand to view the summary
Build stats
Test stats 🧪
Test errorsExpand to view the tests failures
Steps errorsExpand to view the steps failures
Log outputExpand to view the last 100 lines of log output
|
run beats-ci/package |
Thanks @barkbay for doing some additional tests. The failure in Filebeat OSS build is not related. I have started another packaging build, if this goes well I think this can be merged. |
Modify docker images so files required by beats are owned by group root, this follows Openshifts recommendations to run containerized applications with custom user ids. (cherry picked from commit 9dbdc15) Co-Authored-By: Michael Morello <[email protected]>
Modify docker images so files required by beats are owned by group root, this follows Openshifts recommendations to run containerized applications with custom user ids. (cherry picked from commit 9dbdc15) Co-authored-by: Michael Morello <[email protected]>
…ic#12905)" (elastic#18872) This reverts commits 9dbdc15 and 3eac5f7. (cherry picked from commit 7927da7)
Apply the ownership changes of elastic#12905, without applying the permission changes, so it still satisfies strict perms checks.
…-stage-level * upstream/master: [CI] Fix permissions should not fail (elastic#18899) Revert "Allow the Docker image to be run with a random user id (elastic#12905)" (elastic#18872) Add new fields to HAProxy module of Metricbeat (elastic#18523) Avoid duplicate names in dynamic_templates (elastic#18849)
Prepare docker images to be run with arbitrary user ids. Following common practices and recommendations, files that need to be read by Beats have now read permissions for the group and belong to the root group. Also, the user included in the docker image is added to the root group so it can read these files when run on docker with default user and privileges. Some changes are also added to Kubernetes reference manifests to help running beats with arbitrary user ids, though this is not completely supported and it requires additional setup. Co-authored-by: Michael Morello <[email protected]>
elastic#18873) Prepare docker images to be run with arbitrary user ids. Following common practices and recommendations, files that need to be read by Beats have now read permissions for the group and belong to the root group. Also, the user included in the docker image is added to the root group so it can read these files when run on docker with default user and privileges. Some changes are also added to Kubernetes reference manifests to help running beats with arbitrary user ids, though this is not completely supported and it requires additional setup. Co-authored-by: Michael Morello <[email protected]> (cherry picked from commit 3ff02cb)
…) (#19555) Prepare docker images to be run with arbitrary user ids. Following common practices and recommendations, files that need to be read by Beats have now read permissions for the group and belong to the root group. Also, the user included in the docker image is added to the root group so it can read these files when run on docker with default user and privileges. Some changes are also added to Kubernetes reference manifests to help running beats with arbitrary user ids, though this is not completely supported and it requires additional setup. (cherry picked from commit 3ff02cb) Co-authored-by: Michael Morello <[email protected]>
elastic#18873) Prepare docker images to be run with arbitrary user ids. Following common practices and recommendations, files that need to be read by Beats have now read permissions for the group and belong to the root group. Also, the user included in the docker image is added to the root group so it can read these files when run on docker with default user and privileges. Some changes are also added to Kubernetes reference manifests to help running beats with arbitrary user ids, though this is not completely supported and it requires additional setup. Co-authored-by: Michael Morello <[email protected]>
On secured Kubernetes environments (not only Openshift) the user ID used to run a container can't be known in advance. Consequently the APM server container can't be started on these environments because it expects to run with the user 1000 or 0.
This PR brings some compatibility with such environments, based on the fact that on secured Kubernetes clusters and on Openshift the only thing you know is that the user is always a member of the root group.
You can find more details here: https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
See elastic/apm-server#2325 and #12686
How to test
PLATFORMS=linux/amd64 mage package
.deploy
directory.BEAT_STRICT_PERMS
.