Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to execute Chaos Exporter when using a non-root user that is part of a non-root user group #116

Open
chirangaalwis opened this issue Feb 1, 2022 · 1 comment
Open

Unable to execute Chaos Exporter when using a non-root user that is part of a non-root user group #116

chirangaalwis opened this issue Feb 1, 2022 · 1 comment

Comments

@chirangaalwis
Copy link

chirangaalwis commented Feb 1, 2022
edited
Loading

Is this a BUG REPORT or FEATURE REQUEST?

Choose one: BUG REPORT or FEATURE REQUEST

A BUG REPORT

What happened:
When attempting to set the Kubernetes PodSecurityContext's runAsGroup property at container level, to a non-root user (e.g., attempted both group IDs 1000 and 100001 as shown below)

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 10001
      runAsGroup: 10001

we encountered the following container entrypoint error.

Error: failed to create containerd task: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "./chaos-exporter": stat ./chaos-exporter: permission denied: unknown

Upon further investigation, it was noticed that the Chaos Exporter binary possessed the following file ownership and permissions.

-rwxr-xr-x    1 root     root      40740790 Jan 27 14:10 chaos-exporter

What you expected to happen:
The Chaos Exporter binary to execute without requiring the executing Linux user to be root or be a part of root user group.

How to reproduce it (as minimally and precisely as possible):
Use the following PodSecurityContext at Chaos Exporter container level.

    securityContext:
      ...
      runAsUser: 10001
      runAsGroup: 10001

Anything else we need to know?:
This works fine when we only set the user ID to the non-root user's ID (in other words, when you only set runAsUser).

Options:

  • Add to PATH for execution.

    You can add the Exporter binary to a directory set in the PATH such as, /usr/local/bin as in the case of Chaos Operator.

  • Create and use a non-root user who is not attached to the root user group when building the Docker image.

    Provide it necessary ownership and permissions to execute the Chaos Exporter binary.

    Sample for creating a user with the non-root group attached.

    RUN \
    addgroup -S -g 10001 litmus \
    && adduser -S -u 10001 -h ${USER_HOME} -G 10001 10001

    And provide ownership and execution permissions for the Chaos Exporter binary, to this user.

    This user and group could be used in Kubernetes based deployments.
@uditgaurav
Copy link
Member

It is a part of non-root user and group now! Can you confirm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chirangaalwis @uditgaurav