Add support for running cortex through docker image without root uid #4107
Conversation
pkg/ruler/ruler.go
Outdated
| @@ -164,7 +164,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) { | |||
| f.BoolVar(&cfg.EnableSharding, "ruler.enable-sharding", false, "Distribute rule evaluation using ring backend") | |||
| f.StringVar(&cfg.ShardingStrategy, "ruler.sharding-strategy", util.ShardingStrategyDefault, fmt.Sprintf("The sharding strategy to use. Supported values are: %s.", strings.Join(supportedShardingStrategies, ", "))) | |||
| f.DurationVar(&cfg.FlushCheckPeriod, "ruler.flush-period", 1*time.Minute, "Period with which to attempt to flush rule groups.") | |||
| f.StringVar(&cfg.RulePath, "ruler.rule-path", "/rules", "file path to store temporary rule files for the prometheus rule managers") | |||
| f.StringVar(&cfg.RulePath, "ruler.rule-path", "./rules", "file path to store temporary rule files for the prometheus rule managers") | |||
There was a problem hiding this comment.
Not too sure why we use an absolute path there, but if we want to change that, we should mark it as a breaking change
There was a problem hiding this comment.
Unfortunately we can't change the default config value of a non-experimental config option. What we can do in this PR is rolling back this change and configuring differently -ruler.rule-path in NewRuler() in E2E tests if required. WDYT?
There was a problem hiding this comment.
That's the approach I went with
pkg/ruler/ruler.go
Outdated
| @@ -164,7 +164,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) { | |||
| f.BoolVar(&cfg.EnableSharding, "ruler.enable-sharding", false, "Distribute rule evaluation using ring backend") | |||
| f.StringVar(&cfg.ShardingStrategy, "ruler.sharding-strategy", util.ShardingStrategyDefault, fmt.Sprintf("The sharding strategy to use. Supported values are: %s.", strings.Join(supportedShardingStrategies, ", "))) | |||
| f.DurationVar(&cfg.FlushCheckPeriod, "ruler.flush-period", 1*time.Minute, "Period with which to attempt to flush rule groups.") | |||
| f.StringVar(&cfg.RulePath, "ruler.rule-path", "/rules", "file path to store temporary rule files for the prometheus rule managers") | |||
| f.StringVar(&cfg.RulePath, "ruler.rule-path", "./rules", "file path to store temporary rule files for the prometheus rule managers") | |||
There was a problem hiding this comment.
Unfortunately we can't change the default config value of a non-experimental config option. What we can do in this PR is rolling back this change and configuring differently -ruler.rule-path in NewRuler() in E2E tests if required. WDYT?
| COPY migrations /migrations/ | ||
| COPY cortex /bin/cortex | ||
|
|
||
| # allow cortex to bind to port 80 as non-root | ||
| RUN setcap 'cap_net_bind_service=+ep' /bin/cortex |
There was a problem hiding this comment.
[question] Do you see any problem with this change when running the image in K8S?
There was a problem hiding this comment.
I think the way it should work is by specifying in the manifest:
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
However it looks like this doesn't work: kubernetes/kubernetes#56374
There was a problem hiding this comment.
Would it be an idea to add a USER line, so it no longer defaults to root?
I guess this might cause trouble upgrading an installation, which has existing files in persistent volumes.
There was a problem hiding this comment.
That's what I eventually would like to get to, but in a first step, I want users of the docker image to opt in to not run as root. Otherwise we will need to ensure mounted in persistent volumes are chowned first.
securityContext: ...
I think if we rely on the container orchestration to set it up (k8s in that case), we will break users that are using bare docker. I think without that setcap we probably need to change the default port 80 to something > 1024
simonswine
force-pushed
the
20210423_enable-docker-image-for-non-root
branch
2 times, most recently
from
291e885
to
bfbc991
Compare
This allow uses to optionally choose to run the docker image as non-root user with: `--user cortex:cortex`. It also make sure we test using a non-root user during the integration tests Signed-off-by: Christian Simon <simon@swine.de>
During integration tests we are running older versions of Cortex to ensure backwards compatability. These need to still be run as root. Signed-off-by: Christian Simon <simon@swine.de>
simonswine
force-pushed
the
20210423_enable-docker-image-for-non-root
branch
from
bfbc991
to
f55e3e4
Compare
There was a problem hiding this comment.
This PR looks in a good shape. @simonswine do you have any plan to progress on it?
@pracucci thanks for the reminder, the outstanding work is to document the way to enable |
|
This issue has been automatically marked as stale because it has not had any activity in the past 60 days. It will be closed in 15 days if no further activity occurs. Thank you for your contributions. |
|
Is this PR now merged? |
What this PR does:
This allow uses to optionally choose to run the docker image as non-root user with:
--user cortex:cortex. It also make sure we test using a non-root user during the integration tests.Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]