
chown in the entrypoint for PVC #3677

Closed
wernight opened this Issue Jan 11, 2018 · 4 comments

wernight commented Jan 11, 2018

Kubernetes PersistentVolumeClaims have root by default.

The way Prometheus could, and should, support those is by having a Docker entrypoint that does:

# run as root: take ownership of the config and data directories, then drop to nobody
mkdir -p /prometheus && chown -R nobody:nogroup /etc/prometheus /prometheus
# "$*" (double quotes) so the container's command line is actually expanded; '$*' passes the literal text
exec su nobody -s /bin/sh -c "$*"

The issue here is that most containers use environment variables instead of CLI flags, which makes it possible to support users who use a non-default directory.

See also fabric8io/fabric8-maven-plugin#533

The only hacky workaround for Kubernetes is:

- name: prometheus
  image: prom/prometheus:v2.0.0
  securityContext:
    runAsUser: 0
    allowPrivilegeEscalation: false
  command: ["/bin/sh"]
  args:
    - -c
    - chown -R nobody:nogroup /data
      && exec su -s /bin/sh nobody -c '
      /bin/prometheus
      --web.enable-lifecycle
      --config.file=/config/prometheus.yml
      --storage.tsdb.path=/data
      --storage.tsdb.retention=15d
      --web.console.libraries=/usr/share/prometheus/console_libraries
      --web.console.templates=/usr/share/prometheus/consoles
       '
Misteur-Z commented Mar 28, 2018

Seems I am not the only one running prometheus v2+ with a Kubernetes PersistentVolume / PersistentVolumeClaim ... thanks for the fix, it's working out.

brian-brazil (Member) commented Apr 18, 2018

This isn't really something Prometheus should be doing, especially as it shouldn't be run as root.

wernight (Author) commented May 18, 2018

Until K8s PVCs allow setting the default UID/GID that has permission on a new disk, this is an issue.

You're right, it shouldn't run as root. However it could start as root just for chown and then run as another user. This is pretty safe, especially nowadays.
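The entrypoint pattern proposed in the opening post and restated in this comment (start as root only to chown the volume, then run the server as another user), written out as an added example. This is not the Prometheus project's entrypoint and not the script from the thread; it assumes a Linux image with a GNU or busybox `stat`, a `su` binary, a `nobody` account, and two hypothetical environment variables, PROM_DATA and PROM_USER. /bin/prometheus is the binary path used in the workaround above. The quoting helper exists because the `-c '$*'` form in the original snippet passes the literal text `$*` to the shell instead of the container's command line.

```shell
#!/bin/sh
# Added example, not the Prometheus project's own entrypoint: start as root only
# to fix ownership of the volume, then drop to an unprivileged user before
# exec'ing the server. Hypothetical assumptions: data dir in $PROM_DATA
# (default /prometheus), unprivileged account in $PROM_USER (default nobody),
# binary /bin/prometheus, Linux `stat -c` syntax.
set -eu

# quote_args ARG...: print the arguments as one shell-safe, single-quoted string
# so the whole command line survives the trip through `su -c`.
quote_args() {
  out=""
  for a in "$@"; do
    q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
    out="$out '$q'"
  done
  printf '%s' "${out# }"
}

# needs_chown DIR UID GID: true (0) when DIR exists and is not owned by UID:GID.
# Only the top-level directory is inspected, so a healthy volume does not pay
# for a recursive chown over the whole TSDB on every restart.
needs_chown() {
  dir=$1
  want="$2:$3"
  [ -e "$dir" ] || return 1
  [ "$(stat -c '%u:%g' "$dir")" != "$want" ]
}

# prepare_data_dir DIR UID GID: create DIR; when running as root and the
# ownership is wrong, chown it to UID:GID. Fails (1) when the directory is not
# usable by UID and we are not root, which surfaces the PVC permission problem
# at startup with a clear message instead of as a storage error later.
prepare_data_dir() {
  dir=$1
  uid=$2
  gid=$3
  mkdir -p "$dir"
  if [ "$(id -u)" -eq 0 ]; then
    if needs_chown "$dir" "$uid" "$gid"; then
      chown -R "$uid:$gid" "$dir"
    fi
  elif [ "$(id -u)" -ne "$uid" ]; then
    echo "entrypoint: not root and not uid $uid, cannot fix ownership of $dir" >&2
    return 1
  fi
  [ -w "$dir" ]
}

# main ARG...: the actual entrypoint. ARG... is the server command line; an
# empty one falls back to the binary with the data path set.
main() {
  user=${PROM_USER:-nobody}
  data=${PROM_DATA:-/prometheus}
  [ $# -gt 0 ] || set -- /bin/prometheus "--storage.tsdb.path=$data"
  prepare_data_dir "$data" "$(id -u "$user")" "$(id -g "$user")"
  if [ "$(id -u)" -eq 0 ]; then
    # Drop privileges. Going from root to an unprivileged uid is a loss of
    # privilege, so it works under allowPrivilegeEscalation: false as well.
    exec su -s /bin/sh "$user" -c "exec $(quote_args "$@")"
  fi
  exec "$@"
}

# Run only when installed and invoked as /entrypoint.sh; sourcing the file
# (for example in a test) just defines the functions.
case "$0" in
  */entrypoint.sh|entrypoint.sh) main "$@" ;;
esac
```

Installed as /entrypoint.sh and pointed at by the image's ENTRYPOINT, with the container started as runAsUser: 0 as in the workaround above, the script fixes ownership once and the server process itself runs as nobody. If the pod is already running as nobody, no chown is attempted and the script only verifies that the volume is writable, so a wrongly owned PVC fails fast with an explicit message.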

lock bot commented Mar 22, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Mar 22, 2019
