Allow for images to run as non-root #334
Comments
Agree that non root users would be preferred. The compactor doesn't actually need to write anything to disk. Maybe it just attempts to create a folder or something, but this is not necessary. Is the problem that writing to The querier only needs disk if you use the disk cache option which I don't think is configured in any of our examples. It sounds like there are similar problems here with Sadly the GRPC Go plugin system always throws an error if
I did not have time to actually look into all the details and present an actual solution. Personally I would recommend adding strict limits and then test a deployment. With these limits I'm pointing towards forcing a pod to run as non-root. With that in place you can see the actual behaviour, errors, and logs which indicate the specific changes required to achieve running as non-root.
I am in a similar situation where the organization policy disallows images with non-root or even a user/group set to If this helps, I would love to file a PR.
That roughly looks correct to me. A PR would be much appreciated!
This issue has been automatically marked as stale because it has not had any activity in the past 60 days.
@savishy To clarify, your organization requires non-root containers, correct? Are you interested in submitting a PR for this change?
+1 for having this implemented. Running containers as non-root should be a standard.
I'll put up a PR when I get a chance for this.
This issue has been automatically marked as stale because it has not had any activity in the past 60 days.
Is your feature request related to a problem? Please describe.
In the baseline: security. It could pose a serious security concern.
Do we need to run as root? No.
Especially in an enterprise environment, we are simply not even allowed to run images as root. Therefore I would like to see a fix.
Describe the solution you'd like
Add users to the docker images, perhaps change a few paths (i.e. placement of the executables).
Describe alternatives you've considered
The compactor can be used with the following workaround:
By adding an emptydir we override the /var/tempo folder as non-root.
For the querier we can do the same "trick" for the /var/tempo folder BUT it also wants to write and use files in the `/tmp` folder. This is an issue because we cannot mount an empty dir on the `/tmp` folder. This is because the original `/tmp` folder contains the `tempo-query` executable.
The real dodgy workaround is to build an image with `tempo-query` in a different place. I.e.:
Then use an initcontainer:
while having the following emptydir mounts:
Additional context
The workaround is fine for a proof of concept, but not production usage :)
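A sketch of the compactor workaround described in this issue, combined with the enforced non-root setting suggested in the comments. This is an added example, not a manifest from the issue or the project; the pod name, image reference, and UID/GID values are placeholders or constructed values.

```yaml
# Added example. Placeholder names and IDs throughout; adapt to the real deployment.
apiVersion: v1
kind: Pod
metadata:
  name: tempo-compactor-nonroot      # hypothetical name
spec:
  securityContext:
    runAsNonRoot: true               # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001                 # constructed UID, chosen for this example
    runAsGroup: 10001                # constructed GID
    fsGroup: 10001                   # group ownership applied to volumes that support it
  containers:
    - name: compactor
      image: REGISTRY/tempo:TAG      # placeholder image reference
      # args and config mounts are omitted; keep them as in the existing deployment
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tempo-data
          mountPath: /var/tempo      # emptyDir shadows the root-owned directory from the image
        # No emptyDir on /tmp for the query image: per the issue, that would
        # hide the tempo-query executable that lives there.
  volumes:
    - name: tempo-data
      emptyDir: {}
```

With `runAsNonRoot: true` in place, any remaining write to a root-owned path shows up as a permission error in the container logs, which identifies the paths that still need changing in the image.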