Access denied to /var/log unless FLUENT_UID is set to 0 #173
Comments
This is the same as #172.
Would that be equivalent to running fluentd as root within the container? If so, that has some security implications (some explanation here, but there are probably better references out there: https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b) because it makes the Kubernetes node as a whole a lot less secure.
Same problem, solved with
I'm not sure which is the best.
Setting the env var FLUENT_UID to "0" fixed it for me too.
@repeatedly IMHO if a Linux process (or container) has to read from
FLUENT_UID is actually only a partial solution it seems. In the /bin/entrypoint.sh:
So if FLUENT_UID is set to 0, fluent user doesn't actually get created since the container starts with this:
and then continues running everything as root :)
FLUENT_UID is not helping...
@dimm0 any additional info? This seems to work for me, but by breaking, not working around, the issue :)
I'm hitting this error #172, pods are crashlooping, setting FLUENT_UID to 0 is not helping, running pod as user 0 is not helping either. Not sure what other info to provide.
@dimm0 What is you
Are you using alpine or debian image?
Here's my yaml: https://gitlab.com/ucsd-prp/prp_k8s_config/blob/master/fluentd/fluentd-daemonset-elasticsearch.yaml I saw a PR with pos_file, which was denied. And there's no such setting in examples. What should I set one to?
@dimm0 I think you are using the image from #180 (which is fluentd-0.12.33) that doesn't need the FLUENT_UID workaround as the fluentd in the container is running as root.
Solved by adding
This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days
This issue was automatically closed because of stale in 30 days
When I deployed fluent/fluentd-kubernetes-daemonset:v0.12.43-debian-cloudwatch to an EKS cluster, I was constantly getting access denied errors in /var/log. It was resolved when the FLUENT_UID environment variable was set to 0. In the Dockerfile I do see that USER is set to ROOT, and when I exec into the daemonset pod I am able to create/read files in /var/log; however, the fluentd process (or the child process?) is not able to create files under /var/log UNLESS I set this environment variable FLUENT_UID to "0". If this is required, should it not be the default? What is the significance of this environment variable?
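A diagnostic for the symptom reported in this issue, added here as an example and not code from the fluentd-kubernetes-daemonset project: it walks a path from `/` to the target and reports the first component whose mode bits deny a given uid, which shows why an exec shell running as root can write to /var/log while a process running under another uid cannot. The uid 1000, the `SAMPLE` layout and all function names are assumptions; only classic owner/group/other bits are modelled (no ACLs or SELinux), and uid 0 is assumed to keep CAP_DAC_OVERRIDE.

```python
import os

R, W, X = 4, 2, 1  # read, write, execute/search bits

def allowed(mode, owner, group, uid, gids, want):
    """Classic POSIX check on one inode: exactly one permission class applies."""
    if uid == 0:
        return True  # assumption: CAP_DAC_OVERRIDE has not been dropped
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def first_denial(entries, uid, gids, want):
    """entries: [(path, mode, owner, group), ...] ordered from / to the target.
    Returns the first path that blocks access, or None if access is allowed."""
    *parents, target = entries
    for path, mode, owner, group in parents:
        if not allowed(mode, owner, group, uid, gids, X):  # need search on parents
            return path
    path, mode, owner, group = target
    return None if allowed(mode, owner, group, uid, gids, want) else path

def entries_for(path):
    """Build the entries list from the live filesystem (run inside the pod)."""
    parts, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        parts.append((cur, st.st_mode, st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            return parts[::-1]
        cur = os.path.dirname(cur)

# Constructed sample layout (not taken from the issue): root-owned 0755 directories.
SAMPLE = [("/", 0o755, 0, 0), ("/var", 0o755, 0, 0), ("/var/log", 0o755, 0, 0)]
FLUENT_UID = 1000  # hypothetical non-root uid for the fluentd process

if __name__ == "__main__":
    # Creating a file in a directory needs write + search on that directory.
    print("uid 1000:", first_denial(SAMPLE, FLUENT_UID, {FLUENT_UID}, W | X))
    print("uid 0:   ", first_denial(SAMPLE, 0, {0}, W | X))
```

Inside a running pod, `first_denial(entries_for("/var/log"), uid, gids, W | X)` applies the same check to the real mount, using the uid and group ids the fluentd process actually runs with.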