I want to run consul in kubernetes but I am not allowed to run it as user root.
Therefore I added
RUN addgroup consul root
to the Dockerfile (derived FROM consul:1.0.3)
and start the deployment in kubernetes with
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    xyz.service: consul-deployment
  name: consul-deployment
spec:
  template:
    spec:
      securityContext:
        runAsUser: 100
Now I expect kubernetes to start consul with user 100 (who used to be the user consul when I started it locally in Docker and now should be a member of the group root).
But now I get the following error when the pod is started:
chown: /consul/data: Operation not permitted
The chown is executed in Consul's docker-entrypoint.sh and I guess it (still) fails because user 100 is not root.
Can anybody explain to me how to start a container with a non-root user when the container has an entrypoint script expecting to be executed as root?
In case someone is looking for the solution: you can also use the Consul image from Bitnami. They provide non-root images of popular apps.
docker pull bitnami/consul:1.4.4
If /consul is an NFS mount, it might be that root_squash and all_squash are set at the server. That will result in chown operations failing, because new files/folders will automatically be given to nobody/nogroup.
If you can change the share (temporarily) to use no_root_squash and no_all_squash until all files have been set up, you should be fine. As that filesystem typically is persisted, that should only be necessary once, so afterwards you can reset it to root_squash and all_squash again.
I ended up fixing Consul's docker-entrypoint.sh to check if the user is root before executing the chown command by adding some if [ "$(id -u)" = "0" ] tests.