How to run dotnet-counters as non root in Openshift?

4/10/2020

This is my dockerfile

FROM my-private-docker-repo.net/dotnet/core/aspnet:3.0 AS base
FROM my-private-docker-repo.net/dotnet/core/sdk:3.0 AS build
WORKDIR /src

RUN dotnet tool install --global dotnet-trace 
RUN dotnet tool install --global dotnet-counters
RUN dotnet tool install -g dotnet-dump

# build the app
FROM build AS publish
# publish the app

FROM base AS final
WORKDIR /app
COPY --from=publish /app .
COPY --from=build /root/.dotnet/tools/ /app/tools
ENV PATH="/app/tools:${PATH}"

ENTRYPOINT ["dotnet", "something.dll"]

The image is built using Docker and run in a private on-premises OpenShift cluster. Now, when I open a container terminal in OpenShift and type
dotnet-counters ps says "Permission denied".
whoami says whoami: cannot find name for user ID 1025960000

When I run this image locally (docker run something) and then docker exec -it 53c /bin/bash it works as expected:
dotnet-counters ps displays the output
whoami says root

Documentation says

To attach to a process, dotnet-counters requires that you are the same user as the target process or the root user.

So I am assuming it doesn't work in Openshift because the terminal user is not root or target process user.

What I tried so far (please keep in mind I am not exactly good at Linux systems):
Asked the Openshift team if I can run as root inside container. They just said no because security.
Then I tried modifying Dockerfile by adding this just before the ENTRYPOINT line.

USER 1025960000

I wanted to make the target process run under the same user that I get when opening the terminal, because as far as I can see the terminal always opens with the same user. My assumption was that if I run the application under the same user as the terminal opens with, then it would be allowed to run counters. But after trying this new image, dotnet-counters ps says 'Permission denied' both locally in Docker and in OpenShift. When I remote into the local Docker container, however, whoami says whoami: cannot find name for user ID 1025960000.

Then I tried modifying Dockerfile to create a custom user with known password and run the process using it

RUN useradd -m -p <hashed password> -s /bin/bash runtimeuser 
USER runtimeuser

And then I wanted to change user from default to this runtimeuser inside openshift terminal

$ su runtimeuser
Password: 
su: cannot set groups: Operation not permitted

... I have exhausted my ideas on how to approach this.

-- evictednoise
.net-core
debian
docker
kubernetes
openshift

0 Answers
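
A diagnostic script for the two conditions raised in the question, added here as an example and not part of the original post: it checks whether the terminal's UID may execute the copied tool file, and whether that UID satisfies the documented same-user-or-root rule for the target process. The function names, the script name check.sh and the return-code meanings are assumptions of this example; it reads only /proc and the output of id and ls.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original post.
# The tool path and PID are supplied by the caller (assumptions of this example).

# Print the effective UID of process $1, read from /proc/<pid>/status.
proc_uid() {
    awk '/^Uid:/ { print $3; exit }' "/proc/$1/status" 2>/dev/null
}

# Documented rule: the caller must be root or the same user as the target.
# Returns 0 = allowed, 1 = UID mismatch, 2 = process not visible.
can_attach() {
    target_uid=$(proc_uid "$1")
    [ -n "$target_uid" ] || return 2
    my_uid=$(id -u)
    if [ "$my_uid" -eq 0 ] || [ "$my_uid" -eq "$target_uid" ]; then
        return 0
    fi
    return 1
}

# Can the current user execute the file at $1?
# Returns 0 = yes, 1 = file visible but not executable by this user,
# 2 = missing, or a parent directory cannot be searched.
can_exec() {
    [ -x "$1" ] && return 0
    [ -e "$1" ] && return 1
    return 2
}

# Print both checks side by side for one tool and one target PID.
diagnose() {
    tool=$1 pid=$2
    echo "shell:  uid=$(id -u) gid=$(id -g) groups=$(id -G)"
    echo "target: pid=$pid uid=$(proc_uid "$pid")"
    rc=0; can_exec "$tool" || rc=$?
    echo "execute $tool: code $rc"
    [ -e "$tool" ] && ls -ln "$tool"
    rc=0; can_attach "$pid" || rc=$?
    echo "attach to pid $pid: code $rc"
}

# Run only when called with arguments: sh check.sh <tool-path> <pid>
if [ "$#" -ge 2 ]; then
    diagnose "$1" "$2"
fi
```

Inside the container it would be run as sh check.sh /app/tools/dotnet-counters 1, assuming the application started by the ENTRYPOINT is PID 1.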