K8S: Pass the runAsUser permission to files created inside container

6/4/2020

Let's say I have the below yaml:

spec:
  securityContext:
    fsGroup: 5678
  serviceAccountName: some-account
  volumes:
    - name: secrets
      secret:
        secretName: data-secrets
    - name: secrets-sftp-passwd-key
      secret:
        secretName: sftp-passwd-key
  containers:
    - name: sftp
      securityContext:
        runAsUser: 1234
        runAsGroup: 5678
      image: "some/some"
      imagePullPolicy: Always
      ports:
        - name: tcp-sftp
          containerPort: 22
      volumeMounts:
      - name: secrets-sftp-passwd-key
        mountPath: /etc/sftp/secret/
      - name: data
        mountPath: "/var/data"
      env:
        - name: "SFTP_USER"
          value: "some_user"
        - name: "SFTP_PASSWD"
          value: "password-1"
        

I'm trying to run the container sftp with runAsUser and runAsGroup. The image's entrypoint script is supposed to take the SFTP_USER, SFTP_PASSWD and create certain password and group files using this input. These files are supposed to be created in /var/data folder. After this, a proftpd process is supposed to be started using these password and group files as the 1234 user. The container starts as 1234 user. But the files have a permission of root:5678. And I get the below error:

unable to set UID to 0, current UID: 1234

The entry point script of the image is as below:

#!/bin/sh
echo "Starting to create password file"
PASSWORD=123456
echo "$PASSWORD" | /usr/bin/ftpasswd --passwd --file=/var/data/ftpd.passwd --name=virtual --uid=1234 --gid=5678 --home=/var/data/ --shell=/bin/bash --stdin
echo "Password file created"
/usr/bin/ftpasswd --group --name=virtual --file=/var/data/ftpd.group --gid=5678 --member=1234
proftpd -n -4 -c /var/data/proftpd.conf   # This line is throwing the above error.

What is going wrong here? Why is it trying to set UID to 0? I was under the impression that giving runAsUser, runAsGroup and fsGroup would make sure that the /var/data folder has the correct ownership of 1234.

-- user1452759
kubernetes
kubernetes-statefulset
security-context

1 Answer

6/5/2020

The error you're encountering is being printed by the following code:

if (geteuid() != daemon_uid) {
  pr_log_pri(PR_LOG_ERR, "unable to set UID to %s, current UID: %s",
    pr_uid2str(permanent_pool, daemon_uid),
    pr_uid2str(permanent_pool, geteuid()));
  exit(1);
}

You're seeing this because your container user ID is not equal to daemon_uid. If you keep looking for daemon_uid you will find the following lines:

uid_t *uid = (uid_t *) get_param_ptr(main_server->conf, "UserID", FALSE);
daemon_uid = (uid != NULL ? *uid : PR_ROOT_UID);

This means that if the UserID is not provided in the config, the code assigns the PR_ROOT_UID value to daemon_uid, which appears to be 0 (the root id). This is why the if statement mentioned earlier generates this error message.

Take a look at the example config to see how to provide the UserID.

-- acid_fuji
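As an added example (not code from the question, the answer or the proftpd project), here is an entrypoint that writes a proftpd.conf whose User and Group directives correspond to the container's runAsUser/runAsGroup, alongside a small shell emulation of the startup check the answer quotes, so the failing configuration (no User directive, daemon_uid falls back to 0) and the fixed one can be compared offline. The account name virtual, the uid/gid 1234/5678 and the /var/data paths come from the question; the ftpd.passwd line is a constructed sample in the passwd-style format ftpasswd writes; that proftpd resolves the User name through the AuthUserFile the question's script generates is an assumption, and the emulation only reads that file rather than calling the server's auth modules.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or the proftpd project.
# Assumptions: account name "virtual", uid/gid 1234/5678 and the /var/data paths
# come from the question; the ftpd.passwd content below is a constructed sample
# (hash field is a placeholder); the real proftpd resolves the User directive
# through its auth modules, which is only emulated here by reading that file.
set -eu

# Write the constructed sample password file (one virtual account).
write_sample_passwd() {
  cat > "$1" <<'EOF'
virtual:PLACEHOLDER_HASH:1234:5678::/var/data/:/bin/bash
EOF
}

# Emit a proftpd.conf on stdout. $1 = User name, $2 = Group name, $3 = Port.
# An empty $1 omits User/Group, which reproduces the failing configuration:
# with no UserID in the config, proftpd assumes it must end up as root (uid 0).
render_proftpd_conf() {
  user="$1"; group="$2"; port="$3"
  printf 'ServerName "sftp"\n'
  printf 'Port %s\n' "$port"
  printf 'AuthUserFile /var/data/ftpd.passwd\n'
  printf 'AuthGroupFile /var/data/ftpd.group\n'
  if [ -n "$user" ]; then
    printf 'User %s\nGroup %s\n' "$user" "$group"
  fi
}

# Resolve a user name to its uid via a passwd-format file (field 3).
# Prints the uid; returns 1 with no output when the name is absent.
lookup_uid() {
  awk -F: -v n="$1" '$1 == n { print $3; found = 1 } END { if (!found) exit 1 }' "$2"
}

# Emulation of the startup check quoted in the answer: daemon_uid is the uid
# behind the User directive, or 0 when the directive is missing, and it must
# equal the effective uid the process already runs as.
# $1 = proftpd.conf, $2 = passwd file, $3 = current (effective) uid.
proftpd_uid_check() {
  conf="$1"; passwd_file="$2"; current_uid="$3"
  user_name=$(awk '$1 == "User" { print $2; exit }' "$conf")
  if [ -z "$user_name" ]; then
    daemon_uid=0
  else
    daemon_uid=$(lookup_uid "$user_name" "$passwd_file") || {
      echo "User $user_name not found in $passwd_file" >&2
      return 1
    }
  fi
  if [ "$current_uid" -ne "$daemon_uid" ]; then
    echo "unable to set UID to $daemon_uid, current UID: $current_uid" >&2
    return 1
  fi
  return 0
}

# Entrypoint flow, only when invoked as "entrypoint.sh run": after the
# question's ftpasswd steps have produced /var/data/ftpd.passwd, write a
# config whose User/Group match the container's runAsUser/runAsGroup and
# start proftpd as that uid. Port 2222 because an unprivileged uid cannot
# bind port 22 unless the process holds CAP_NET_BIND_SERVICE.
if [ "${1:-}" = "run" ]; then
  render_proftpd_conf virtual virtual 2222 > /var/data/proftpd.conf
  proftpd_uid_check /var/data/proftpd.conf /var/data/ftpd.passwd "$(id -u)"
  exec proftpd -n -4 -c /var/data/proftpd.conf
fi
```

With the User directive absent, the emulated check prints the same message as the question for a process at uid 1234 and passes only for uid 0; once User resolves to 1234 it passes for the container's runAsUser and would fail for root instead. Two follow-on points for the deployment: the password and group files must be readable by uid 1234, which runAsGroup/fsGroup 5678 plus group-readable modes provides, and containerPort 22 in the pod spec would have to move to the unprivileged port unless the container is granted CAP_NET_BIND_SERVICE.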
Source: StackOverflow