feat: run rook-operator and toolbox with non-root user #8734
Comments
All Ceph containers run as the

From the ticket you linked, I can see that Seb "closed this in #2778", which is the PR that adds the feature. I believe this addresses your issue and is a duplicate of #2778, so I am closing this with the 'duplicate' label.
Indeed if you describe specific pods, they run with user and group ceph
This is reflected at the process level as well
But most of the rook components run as root
These are the rook/ceph pods
Also, in the feature request I wanted to know about configurable UID/GID as well.

Can you please reopen this ticket, since #2778 refers only to specific ceph components (mon, mgr, mds, osd), while all the other components run as root?

@adabuleanu All the ceph daemons are running as ceph. It's the CSI driver processes that are running as root, which don't support running as a different user.

@travisn do you plan to support such a feature in the future?

Please open an issue at https://github.com/ceph/ceph-csi/issues so the ceph-csi maintainers can help.

Will do. Thx. Also, rook-ceph-tools and rook-operator also run as root. Is this something you can address on your side?

Opened ceph/ceph-csi#2519 on ceph-csi. Also, I want to know if there is any intention to make the ceph daemons run with a configurable UID/GID, since ceph supports this. Right now, the ceph user is hardcoded. Thx.

No plan to use a different user than

Here are a couple of arguments for configurable UID/GID:

Also, are there any plans to run rook-ceph-tools and rook-operator as non-root?

I think running the rook-op and the toolbox as non-root is a reasonable target. I don't remember any reason to require root. I've rephrased the title of the issue and we will try to work on this.
The rook operator as well as the toolbox pod run with the "rook" user with UID 2016. The UID was chosen based on the year of the initial commit in the rook/rook repository. No more root user running. Closes: rook#8734 Signed-off-by: Sébastien Han <seb@redhat.com>
Is this a bug report or feature request?
What should the feature do:
Run rook with ceph storage provider as non-root and with configurable UID/GID.
I want to know if this feature is already implemented for all ceph components and how (I did not find any docs on it).
From my findings:
https://docs.ceph.com/en/pacific/man/8/ceph/?highlight=setuser#cmdoption-ceph-setuser
What is use case behind this feature:
In an enterprise environment, running containers as root is a security concern.
Environment:
rook with ceph on top of k8s
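The thread above establishes which Rook pods run as root by describing pods and checking `id` inside them, and the fix pins the operator and toolbox to UID 2016. The script below is an added example, not Rook's code: it applies the precedence Kubernetes uses to resolve a container's effective UID (container-level `securityContext.runAsUser` overrides the pod-level one; if neither is set the UID comes from the image's `USER` directive, which the API object does not expose) and flags every container that resolves to root or to an unknown UID. The pod list it audits is constructed sample data shaped like `kubectl get pods -o json` output; the pod names, the CSI container layout and the UIDs 2016 (rook) and 167 (ceph) are assumptions for the example, not real cluster output.

```python
"""Audit which containers in a PodList will run as root or as an unknown UID.

Added example, not part of rook/rook. Input is JSON in the shape of
`kubectl get pods -o json`; all sample data below is constructed.
"""
import json

# Constructed sample PodList. UIDs 2016 (rook) and 167 (ceph) follow the
# thread; the CSI pods are made up to exercise the root and unknown branches.
SAMPLE_PODS_JSON = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "rook-ceph-operator-7d9"},
         "spec": {"securityContext": {"runAsUser": 2016, "runAsGroup": 2016,
                                      "runAsNonRoot": True},
                  "containers": [{"name": "rook-ceph-operator"}]}},
        {"metadata": {"name": "rook-ceph-tools-5c8"},
         "spec": {"containers": [{"name": "rook-ceph-tools",
                                  "securityContext": {"runAsUser": 2016}}]}},
        {"metadata": {"name": "rook-ceph-mon-a-6f4"},
         "spec": {"securityContext": {"runAsUser": 167, "runAsGroup": 167},
                  "containers": [{"name": "mon"}]}},
        # No securityContext anywhere: the UID is whatever the image sets.
        {"metadata": {"name": "csi-rbdplugin-x2k"},
         "spec": {"containers": [
             {"name": "driver-registrar"},
             {"name": "csi-rbdplugin",
              "securityContext": {"privileged": True, "runAsUser": 0}}]}},
        # Pod-level non-root UID, but the container overrides it with 0.
        {"metadata": {"name": "csi-cephfsplugin-9q1"},
         "spec": {"securityContext": {"runAsUser": 1000},
                  "containers": [{"name": "csi-cephfsplugin",
                                  "securityContext": {"runAsUser": 0}}]}},
    ],
})


def _lookup(pod_spec, container, key):
    """Container-level securityContext wins, then pod-level, else None."""
    for ctx in (container.get("securityContext"), pod_spec.get("securityContext")):
        if ctx and key in ctx:
            return ctx[key]
    return None


def effective_uid(pod_spec, container):
    """Resolved runAsUser, or None when only the image's USER decides it."""
    return _lookup(pod_spec, container, "runAsUser")


def classify(pod_spec, container):
    """root / non-root / enforced-non-root / unknown for one container.

    With runAsNonRoot=true and no runAsUser, the kubelet inspects the image
    user and refuses to start a root (or non-numeric) one, so a running
    container is guaranteed non-root even though the UID is not visible here.
    """
    uid = effective_uid(pod_spec, container)
    if uid == 0:
        return "root"
    if uid is not None:
        return "non-root"
    if _lookup(pod_spec, container, "runAsNonRoot") is True:
        return "enforced-non-root"
    return "unknown"


def audit(pods_json):
    """One finding per container (init containers included)."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        spec = pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            findings.append({
                "pod": pod["metadata"]["name"],
                "container": c["name"],
                "uid": effective_uid(spec, c),
                "privileged": bool(_lookup(spec, c, "privileged")),
                "status": classify(spec, c),
            })
    return findings


def needs_attention(findings):
    """Containers that are root or whose UID cannot be determined statically."""
    return [f for f in findings if f["status"] in ("root", "unknown")]


if __name__ == "__main__":
    for f in audit(SAMPLE_PODS_JSON):
        flag = " (privileged)" if f["privileged"] else ""
        print(f"{f['pod']:<26} {f['container']:<18} uid={f['uid']!s:<6} "
              f"{f['status']}{flag}")
```

Against a real cluster, feed it `kubectl get pods -n rook-ceph -o json` instead of the sample; the "unknown" rows are the ones to confirm at the process level with `kubectl exec <pod> -c <container> -- id`, which is the check the thread's reporter did. A non-zero UID in a privileged container (the CSI plugin case) is not much of a boundary, which is why the finding carries the privileged flag alongside the UID.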