Run Consul Docker image in kubernetes as non root

5/2/2018

I want to run consul in kubernetes but I am not allowed to run it as user root.

Therefore I added

RUN addgroup consul root

to the Dockerfile (derived FROM consul:1.0.3)

and start the deployment in kubernetes with

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    xyz.service: consul-deployment
  name: consul-deployment
spec:
  template:
    metadata:
      labels:
        xyz.service: consul-deployment
    spec:
      securityContext:
        runAsUser: 100
      containers:
        - name: consul
          # image name is a placeholder for the image built FROM consul:1.0.3
          image: my-registry/consul-nonroot:1.0.3

Now I expect kubernetes to start consul with user 100 (who was the user consul when I started it locally in Docker and should now be a member of the group root).

But now I get the following error when the pod is started

chown: /consul/data: Operation not permitted

The chown is executed in Consul's docker-entrypoint.sh and I guess it (still) fails because user 100 is not root.

Can anybody explain to me how to start a container with a non-root user when the container has an entrypoint script expecting to be executed as root?

-- Datz
Tags: consul, docker, kubernetes

3 Answers

4/17/2019

In case someone is looking for the solution: you can also use the Consul image from Bitnami. They provide non-root images of popular apps.

docker pull bitnami/consul:1.4.4 
-- Alexander
Source: StackOverflow

10/21/2018

If /consul is an NFS mount, it might be that root_squash and all_squash are set at the server. That will cause chown operations to fail, because new files/folders will automatically be given to nobody/nogroup.

If you can change the share (temporarily) to use no_root_squash and no_all_squash until all files have been set up, you should be fine. As that filesystem typically is persisted, that should only be necessary once, so afterwards you can reset it to root_squash and all_squash again.

-- lilalinux

5/15/2018

I ended up fixing Consul's docker-entrypoint.sh to check if the user is root before executing the chown command by adding some if [ "$(id -u)" = "0" ] tests.

You can find the patch on GitHub.

-- Datz
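The guard this answer describes, written out as an added example. This is not Consul's docker-entrypoint.sh and not the patch the answer links to; it is a stand-alone sketch of the same idea. It attempts chown only when the effective uid is 0 and otherwise just verifies that the directories are writable, which is the property the container actually needs. The /consul/data and /consul/config paths and the consul:consul owner are assumptions taken from the question and the upstream image layout.

```shell
#!/bin/sh
# Added example (not Consul's own entrypoint): chown guarded by a uid check,
# so the script keeps working when the pod runs with runAsUser set to a
# non-root uid and the volume was made writable some other way
# (group membership, pod fsGroup, or pre-set ownership on the volume).

# is_root: succeed only when the effective user is uid 0.
is_root() {
    [ "$(id -u)" = "0" ]
}

# chown_if_root DIR OWNER: change ownership only when running as root.
# As a non-root uid, chown fails with "Operation not permitted" and, under
# `set -e`, would abort the whole entrypoint, so it is skipped instead.
# Prints "chowned" or "skipped" so callers can see which branch was taken.
chown_if_root() {
    dir="$1"
    owner="$2"
    if is_root; then
        chown -R "$owner" "$dir"
        echo "chowned"
    else
        echo "skipped"
    fi
}

# writable_or_fail DIR: the check that matters once chown is no longer
# unconditional; fails if the current user cannot write into DIR.
writable_or_fail() {
    [ -d "$1" ] && [ -w "$1" ]
}

# prepare_dirs [DATA_DIR] [CONFIG_DIR] [OWNER]: mimic the entrypoint's setup.
# Defaults are assumptions: /consul/data, /consul/config, owner consul:consul.
prepare_dirs() {
    data_dir="${1:-/consul/data}"
    config_dir="${2:-/consul/config}"
    owner="${3:-consul:consul}"
    mkdir -p "$data_dir" "$config_dir"
    chown_if_root "$data_dir" "$owner" >/dev/null
    chown_if_root "$config_dir" "$owner" >/dev/null
    # Fail early with a clear message instead of letting consul crash later.
    if ! writable_or_fail "$data_dir" || ! writable_or_fail "$config_dir"; then
        echo "data/config dir not writable by uid $(id -u); fix volume ownership or fsGroup" >&2
        return 1
    fi
    return 0
}
```

In the real image the functions above would sit before the `exec consul agent ...` line; when the pod runs as uid 100 the script now reports a non-writable volume instead of dying on chown, and the fix belongs on the volume (ownership, group, or fsGroup), not in the script.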