rstudio in kubernetes - runAsNonRoot context #888

Open
radhupr opened this issue Dec 16, 2024 · 5 comments
radhupr commented Dec 16, 2024

Container image name

rocker/rstudio:4.4.2

Container image digest

No response

What operating system are you seeing the problem on?

Linux

System information

Kubernetes cluster 1.30
Docker image : rocker/rstudio:4.4.2

Bug description

Hi Team,
I want to run rstudio server (free version) on kubernetes. If I'm taking the wrong approach here, please guide me on how to do the setup in kubernetes.
I'm using the image rocker/rstudio:4.4.2 and trying to run it as a non-root user. (The same is noted with image rocker/tidyverse:4.4.2.)
The pod spec is as follows

spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: rstudio
    image: rocker/tidyverse:4.4.2
    env:
      - name: USERID
        value: "1001"
      - name: GROUPID
        value: "1001"
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "200Mi"
        cpu: "3000m"
      limits:
        memory: "5000Mi"

The container is failing to start with the error below:
s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Permission denied

Reference to discussion forum on same issue: https://forum.posit.co/t/rstudio-server-in-kubernetes/195626/4

Can you help in addressing the issue?

How to reproduce this bug?

Run a pod with the above-mentioned spec. The container fails to start up.

radhupr added the bug label Dec 16, 2024
eitsupi added the question label and removed the bug label Dec 16, 2024

nathanweeks commented Dec 21, 2024

The approach described in the Rocker Singularity guide, which calls rserver directly, could be adapted to run RStudio Server on Kubernetes with a non-root user.

Minimal example using a Pod (though StatefulSet would probably be a better choice), disregarding Ingress (or Gateway, etc.), persistent volume for /home/rstudio, and storing the password in a Secret (assuming authentication isn't handled at the Ingress layer):

apiVersion: v1
kind: Pod
metadata:
  name: rstudio
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
  containers:
    - name: rstudio
      image: ghcr.io/rocker-org/rstudio:4.4.2
      ports:
        - containerPort: 8787
      env:
        - name: USER
          value: rstudio
        - name: PASSWORD
          value: my-password
      volumeMounts:
        - name: rstudio-home
          mountPath: /home/rstudio
        - name: run
          mountPath: /run
        - name: var-lib-rstudio-server
          mountPath: /var/lib/rstudio-server
      securityContext:
        allowPrivilegeEscalation: false
      resources:
        requests:
          memory: "200Mi"
          cpu: "3000m"
        limits:
          memory: "5000Mi"
      command: ["rserver", "--auth-none=0", "--auth-pam-helper-path=pam-helper",
                "--auth-stay-signed-in-days=30", "--auth-timeout-minutes=0",
                "--server-user=rstudio"]
  volumes:
    - name: rstudio-home
      emptyDir: {}
    - name: run
      emptyDir: {}
    - name: var-lib-rstudio-server
      emptyDir: {}

Example: create the pod in the default namespace, and use port-forwarding to access:

kubectl apply -f rstudio.yaml
kubectl port-forward rstudio 8787
... point your web browser to http://localhost:8787, and log in with user "rstudio" and password "my-password" ...
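
A static check for the two pitfalls this thread turns on (the image's s6-overlay entrypoint needing root, and the directories rserver writes not being writable to a non-root uid), plus the Secret-backed password that the example above deliberately leaves out. This is an added example, not code from the issue or from rocker-org; the two specs are constructed to mirror the failing and working Pods above, and the Secret name rstudio-password is hypothetical.

```python
"""Static checks for the non-root RStudio Pod pitfalls raised in this thread.
Assumed (not from the page): specs are dicts with the YAML's keys, and a Pod is
non-root when runAsNonRoot is true or runAsUser is non-zero."""

# Constructed spec mirroring the failing Pod from the issue: the image's s6-overlay
# entrypoint still runs, and /var/run is not writable as uid 1001.
FAILING = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001},
    "containers": [{
        "name": "rstudio",
        "image": "rocker/tidyverse:4.4.2",
        "env": [{"name": "USERID", "value": "1001"}],
        "securityContext": {"allowPrivilegeEscalation": False},
    }],
}
# Constructed spec mirroring the working Pod: rserver is called directly, its
# state directories are emptyDir mounts and the password comes from a Secret.
FIXED = {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
    "containers": [{
        "name": "rstudio",
        "image": "ghcr.io/rocker-org/rstudio:4.4.2",
        "command": ["rserver", "--auth-none=0", "--server-user=rstudio"],
        "env": [{"name": "PASSWORD", "valueFrom": {"secretKeyRef":  # hypothetical Secret
            {"name": "rstudio-password", "key": "password"}}}],
        "volumeMounts": [{"name": "run", "mountPath": "/run"},
                         {"name": "state", "mountPath": "/var/lib/rstudio-server"}],
        "securityContext": {"allowPrivilegeEscalation": False},
    }],
}
WRITABLE_DIRS = ("/run", "/var/lib/rstudio-server")  # emptyDir targets from the thread


def check_pod(spec):
    """Return a list of findings (empty when the spec avoids the known pitfalls)."""
    findings = []
    sc = spec.get("securityContext", {})
    nonroot = bool(sc.get("runAsNonRoot")) or sc.get("runAsUser", 0) != 0
    for c in spec.get("containers", []):
        cmd = c.get("command", [])
        if nonroot and (not cmd or cmd[0] != "rserver"):
            findings.append(f"{c['name']}: s6-overlay entrypoint needs root; set command to rserver")
        mounted = {m["mountPath"] for m in c.get("volumeMounts", [])}
        findings += [f"{c['name']}: no writable volume at {d}"
                     for d in WRITABLE_DIRS if nonroot and d not in mounted]
        findings += [f"{c['name']}: PASSWORD set as a plain env value; use a Secret"
                     for e in c.get("env", []) if e.get("name") == "PASSWORD" and "value" in e]
        if c.get("securityContext", {}).get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation should be false")
    return findings
```

Run check_pod on a spec parsed from your own manifest to see which of the thread's fixes it still lacks.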


radhupr commented Jan 19, 2025

@nathanweeks Is it not possible to have persistent volumes in the setup? When I try to mount /home with a persistent volume, it doesn't go through.


benz0li commented Jan 20, 2025

@radhupr Check out Zero to JupyterHub with Kubernetes + Authentication + JupyterLab R docker stack [1].
ℹ This allows you to mount the home directory (/home/<username>) on a per-user basis.

Reference deployment using Docker Swarm + GitHub OAuth + JupyterLab docker stacks: https://demo.jupyter.b-data.ch

Footnotes

[1] Maybe the binder image of this repository works, too.

@nathanweeks

@nathanweeks Is it not possible to have persistent volumes in the setup? When I try to mount /home with a persistent volume, it doesn't go through.

Using a PV for /home should work in this case assuming /home/rstudio exists & is writable by the rstudio user when the "rstudio" container starts. But if the goal is a multi-user setup as described in #893, then @benz0li's suggestion looks like it could be a more automated solution (though I'm not sure if/how it handles non-root containers, if that is a security requirement)?

On a somewhat-related note: it's possible for users to create on-demand non-root rstudio server containers with persistent-volume-backed home directories on an OpenShift cluster (example referenced here: #747 (comment)).


benz0li commented Jan 20, 2025

though I'm not sure if/how it handles non-root containers

b-data's/my JupyterLab docker stack containers – like the original Jupyter docker stacks ones – run as non-root (uid=1000(jovyan) gid=100(users)) by default.
