New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for running cortex through docker image without root uid #4107
Add support for running cortex through docker image without root uid #4107
Conversation
pkg/ruler/ruler.go
Outdated
@@ -164,7 +164,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) { | |||
f.BoolVar(&cfg.EnableSharding, "ruler.enable-sharding", false, "Distribute rule evaluation using ring backend") | |||
f.StringVar(&cfg.ShardingStrategy, "ruler.sharding-strategy", util.ShardingStrategyDefault, fmt.Sprintf("The sharding strategy to use. Supported values are: %s.", strings.Join(supportedShardingStrategies, ", "))) | |||
f.DurationVar(&cfg.FlushCheckPeriod, "ruler.flush-period", 1*time.Minute, "Period with which to attempt to flush rule groups.") | |||
f.StringVar(&cfg.RulePath, "ruler.rule-path", "/rules", "file path to store temporary rule files for the prometheus rule managers") | |||
f.StringVar(&cfg.RulePath, "ruler.rule-path", "./rules", "file path to store temporary rule files for the prometheus rule managers") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not too sure why we use an absolute path there, but if we want to change that, we should mark it as a breaking change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately we can't change the default config value of a non-experimental config option. What we can do in this PR is rolling back this change and configuring differently -ruler.rule-path
in NewRuler()
in E2E tests if required. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's the approach I went with
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for working on it! LGTM modulo a comment about the change to default config (and few questions). Could you also take a look at the failing E2E test, please?
pkg/ruler/ruler.go
Outdated
@@ -164,7 +164,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) { | |||
f.BoolVar(&cfg.EnableSharding, "ruler.enable-sharding", false, "Distribute rule evaluation using ring backend") | |||
f.StringVar(&cfg.ShardingStrategy, "ruler.sharding-strategy", util.ShardingStrategyDefault, fmt.Sprintf("The sharding strategy to use. Supported values are: %s.", strings.Join(supportedShardingStrategies, ", "))) | |||
f.DurationVar(&cfg.FlushCheckPeriod, "ruler.flush-period", 1*time.Minute, "Period with which to attempt to flush rule groups.") | |||
f.StringVar(&cfg.RulePath, "ruler.rule-path", "/rules", "file path to store temporary rule files for the prometheus rule managers") | |||
f.StringVar(&cfg.RulePath, "ruler.rule-path", "./rules", "file path to store temporary rule files for the prometheus rule managers") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately we can't change the default config value of a non-experimental config option. What we can do in this PR is rolling back this change and configuring differently -ruler.rule-path
in NewRuler()
in E2E tests if required. WDYT?
COPY migrations /migrations/ | ||
COPY cortex /bin/cortex | ||
|
||
# allow cortex to bind to port 80 as non-root | ||
RUN setcap 'cap_net_bind_service=+ep' /bin/cortex |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[question] Do you see any problem with this change when running the image in K8S?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the way it should work is by specifying in the manifest:
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
However it looks like this doesn't work: kubernetes/kubernetes#56374
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would it be an idea to add a USER
line, so it no longer defaults to root?
I guess this might cause trouble upgrading an installation, which has existing files in persistent volumes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's what I eventually would like to get to, but in a first step, I want users of the docker image to opt in to not run as root. Otherwise we will need to ensure mounted in persistent volumes are chown
ed first.
securityContext: ...
I think if we rely on the container orchestration to set it up (k8s in that case), we will break users that are using bare docker. I think without that setcap we probably need to change the default port 80 to something > 1024
291e885
to
bfbc991
Compare
This allow uses to optionally choose to run the docker image as non-root user with: `--user cortex:cortex`. It also make sure we test using a non-root user during the integration tests Signed-off-by: Christian Simon <simon@swine.de>
During integration tests we are running older versions of Cortex to ensure backwards compatability. These need to still be run as root. Signed-off-by: Christian Simon <simon@swine.de>
bfbc991
to
f55e3e4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR looks in a good shape. @simonswine do you have any plan to progress on it?
@pracucci thanks for the reminder, the outstanding work is to document the way to enable |
This issue has been automatically marked as stale because it has not had any activity in the past 60 days. It will be closed in 15 days if no further activity occurs. Thank you for your contributions. |
Is this PR now merged? |
What this PR does:
This allow uses to optionally choose to run the docker image as non-root user with:
--user cortex:cortex
. It also make sure we test using a non-root user during the integration tests.Checklist
CHANGELOG.md
updated - the order of entries should be[CHANGE]
,[FEATURE]
,[ENHANCEMENT]
,[BUGFIX]