I want to run consul in kubernetes but I am not allowed to run it as user root.
Therefore I added
RUN addgroup consul rootto the Dockerfile (derived FROM consul:1.0.3)
and start the deployment in kubernetes with
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
xyz.service: consul-deployment
name: consul-deployment
spec:
template:
spec:
securityContext:
runAsUser: 100Now I expect kubernetes to start consul with user 100 (who used to be the user consul when I started it locally in Docker and now should be member in the group root).
But now I get the following the error when the pod is started
chown: /consul/data: Operation not permittedThe chown is executed in Consuls docker-entrypoint.sh and I guess it (still) fails because user 100 is not root.
Can anybody explain me how to start a container with a non root user when the container has an entrypoint script expecting to be executed as root?
In case if someone looking for the solution. You can also use Consul image from Bitnami. They provide non-root images of popular apps.
docker pull bitnami/consul:1.4.4 If /consul is an nfs mount, it might be that root_squash and all_squash are set at the server. That will result in chown operations to fail, because new files/folders will automatically be given to nobody/nogroup.
If you can change the share (temporarily) to use no_root_squash and no_all_squash until all files have been setup, you should be fine. As that filesystem typically is persisted, that should be only necessary once, so afterwards you can reset it to root_squash and all_squash again.
I ended up in fixing Consuls docker-entrypoint.sh to check if the user is root before executing the chown command by adding some if [ "$(id -u)" = "0" ] tests.