Update docker image to run as non-root #2265
Needs a mention of the breaking change and an entry in the changelog.
Signed-off-by: Zach Leslie <zach.leslie@grafana.com>
This looks good to me, nice work cleaning up some security debt.
I'm fine with merging but I think @mdisibio was going to leave a comment too.
Thanks for the review folks. @mdisibio I pushed a commit for your feedback on the jsonnet. Feel free to call out anything else you'd like to see addressed here.
I caught up with mdisibio earlier and we're good on the changes here.
What this PR does:
BREAKING CHANGE
Here we make the image adjustment necessary to run Tempo as non-root in the Docker container, as well as include some util jsonnet to allow statefulsets to chown their data directories to match the new permissions.
With this new chown init container, both the ingester and metrics-generator statefulsets start and function.
Note that the securityContext.fsGroup(10001) may be required for environments that mount additional volumes which do not have read/write permissions for the tempo user. Users may also wish to recursively chown the /var/tempo directory for the new ownership. This will need to be done only once.
Which issue(s) this PR fixes:
Fixes #334
Checklist
CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]
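As an added example, not code from this PR or from the Tempo repository, the following Kubernetes StatefulSet fragment shows the two pieces the description above calls for when an existing deployment moves to the non-root image: a pod-level securityContext that runs the Tempo process as UID/GID 10001 with fsGroup 10001, and a one-time init container that recursively chowns /var/tempo before the main container starts. The page gives 10001 as the fsGroup value, tempo as the user name and /var/tempo as the data directory; the StatefulSet and container names, the busybox and grafana/tempo image tags, the Tempo command-line flags and the volume sizing are assumptions for illustration.

```yaml
# Added example (not from the PR): StatefulSet fragment for running Tempo
# as a non-root user after migrating data written by a root-owned image.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: ingester          # assumed name
spec:
  serviceName: ingester
  replicas: 1
  selector:
    matchLabels:
      app: ingester
  template:
    metadata:
      labels:
        app: ingester
    spec:
      # Pod-level defaults: every container runs as the unprivileged tempo
      # user (assumed to map to UID/GID 10001 in the image) unless it
      # overrides these fields. fsGroup makes volumes that support ownership
      # management group-writable by 10001.
      securityContext:
        runAsUser: 10001
        runAsGroup: 10001
        runAsNonRoot: true
        fsGroup: 10001
      initContainers:
        # One-time migration: data written by the old root-running image is
        # owned by root, so chown it to 10001 before Tempo starts. This
        # container is the only thing in the pod that runs as UID 0, and it
        # must explicitly set runAsNonRoot: false to override the pod default.
        - name: chown-data
          image: busybox:1.36     # assumed image
          command: ["sh", "-c", "chown -R 10001:10001 /var/tempo"]
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
          volumeMounts:
            - name: data
              mountPath: /var/tempo
      containers:
        - name: ingester
          image: grafana/tempo:latest          # assumed tag
          args:                                # assumed flags
            - -target=ingester
            - -config.file=/conf/tempo.yaml
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /var/tempo
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 10Gi                      # assumed size
```

Once every replica has started once with the init container in place, the data directory is owned by 10001 and the init container can be removed; fsGroup alone then keeps newly provisioned volumes writable. fsGroup does not reach volume types whose ownership Kubernetes does not manage (for example hostPath or some NFS mounts), which is the case the description's note about "additional volumes" covers, and for those the explicit chown remains necessary.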