config-reloader prevents running containers as non-root due to walking /etc instead of /etc/vm #510

Closed
brokenjacobs opened this issue Aug 10, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@brokenjacobs

I've defined a securityContext for my vmagent pod:

    securityContext:
      fsGroup: 2003
      runAsGroup: 2003
      runAsNonRoot: true
      runAsUser: 2003

But when I do this, I see issues in the pod log:

    2022-07-27T17:11:54.168Z error operator/internal/config-reloader/file_watch.go:159 cannot read file content: open /etc/crontabs/root: permission denied
    2022-07-27T17:11:54.168Z error operator/internal/config-reloader/file_watch.go:179 cannot walk: cannot read file content: open /etc/crontabs/root: permission denied
    2022-07-27T17:11:54.168Z error operator/internal/config-reloader/file_watch.go:210 cannot update dir watch cache: cannot walk path: /etc/vm, err: cannot read file content: open /etc/crontabs/root: permission denied

Any way to fix this so we can run as non-root? This seems non-ideal.

Originally:
VictoriaMetrics/helm-charts#353

@f41gh7 added the bug label Aug 11, 2022
@f41gh7
Collaborator

f41gh7 commented Aug 11, 2022

Thanks for reporting, will be fixed soon.

f41gh7 added a commit that referenced this issue Aug 15, 2022
previously it runs over parent directory, which leads to errors and logs and incorrect behaviour
if config-reloader doesn't have enough permissions
#510
@f41gh7
Collaborator

f41gh7 commented Aug 15, 2022

Can you try to change image for config-reloader?

It could be done via modifying VMAgent spec:

    kind: VMAgent
    spec:
      containers:
       - name: config-reloader
         image: victoriametrics/operator:config-reloader-v0.27.0

Or globally via operator env vars:

    - name: VM_CUSTOMCONFIGRELOADERIMAGE
      value: victoriametrics/operator:config-reloader-v0.27.0

@brokenjacobs
Author

Happy to give it a shot but I’m on vacation for the next two weeks… I can report back after!

@brokenjacobs
Author

This looks like it did the trick. LGTM!
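
The failure reported in this thread, reproduced as an added example (not the operator's code and not part of the discussion above): a directory-content digest that stays inside the watched directory, next to the same walk started from the parent. `dirDigest` and the temporary tree standing in for `/etc` are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// dirDigest hashes the regular files under root and never leaves root.
// Hypothetical helper for illustration; not the operator's file_watch.go.
func dirDigest(root string) (string, []string, error) {
	h := sha256.New()
	var seen []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return fmt.Errorf("cannot walk %s: %w", p, err)
		}
		// Stat resolves symlinks (ConfigMap mounts use them); skip directories.
		if info, err := os.Stat(p); err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return fmt.Errorf("cannot read file content: %w", err)
		}
		rel, _ := filepath.Rel(root, p)
		seen = append(seen, rel)
		fmt.Fprintf(h, "%s\x00%d\x00", rel, len(data))
		h.Write(data)
		return nil
	})
	return hex.EncodeToString(h.Sum(nil)), seen, err
}

func main() {
	// Constructed stand-in for /etc: vm/ is the config mount, crontabs/root is root-only.
	etc, _ := os.MkdirTemp("", "etc")
	defer os.RemoveAll(etc)
	os.MkdirAll(filepath.Join(etc, "vm"), 0o755)
	os.MkdirAll(filepath.Join(etc, "crontabs"), 0o755)
	os.WriteFile(filepath.Join(etc, "vm", "config.yaml"), []byte("global: {}\n"), 0o644)
	os.WriteFile(filepath.Join(etc, "crontabs", "root"), []byte("# cron\n"), 0o000)
	_, files, err := dirDigest(filepath.Join(etc, "vm"))
	fmt.Println("walk vm:    ", files, err) // only config.yaml, no error
	_, _, err = dirDigest(etc)
	fmt.Println("walk parent:", err) // permission denied when run as a non-root UID
}
```

Run under a UID like the `runAsUser: 2003` in the report, the parent walk fails on the root-only file while the walk scoped to the config directory succeeds.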
