chown in the entrypoint for PVC

[wernight]

Kubernetes PersistentVolumeClaim have root by default.

The way Prometheus could, and should, support those is by having a Docker entrypoint that does:

mkdir -p /prometheus && chown -R nobody:nogroup etc/prometheus /prometheus
exec su nobody -s /bin/sh -c '$*'

The issue here is that most container use environment variables instead of CLI which allows to support when users used a non-default directory.

See also fabric8io/fabric8-maven-plugin#533

Only hacky workaround for Kubernetes is:

- name: prometheus
  image: prom/prometheus:v2.0.0
  securityContext:
    runAsUser: 0
    allowPrivilegeEscalation: false
  command: ["/bin/sh"]
    args:
    - -c
    - chown -R nobody:nogroup /data
      && exec su -s /bin/sh nobody -c '
      /bin/prometheus
      --web.enable-lifecycle
      --config.file=/config/prometheus.yml
      --storage.tsdb.path=/data
      --storage.tsdb.retention=15d
      --web.console.libraries=/usr/share/prometheus/console_libraries
      --web.console.templates=/usr/share/prometheus/consoles
       '

[Misteur-Z]

Seems I am not the only one running prometheus v2+ with a Kubernetes PersistentVolume / PersistentVolumeClaim ... thanks for the fix, it's working out.

[brian-brazil]

This isn't really something Prometheus should be doing, especially as it shouldn't be run as root.

[wernight]

Until K8s PVC allow setting the default UID/GID that has permission on a new disk, this is an issue.

You're right, it shouldn't run as root. However it could start as root just for chown and then run as another user. This is pretty safe, especially nowadays.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.