Permissions error while running fluentd with non-root user #420

Open
prashantcsutar opened this issue Mar 8, 2020 · 4 comments
Comments

@prashantcsutar

I created a customized image for my project.

Dockerfile:


FROM fluent/fluentd:v1.4.2-debian-2.0

USER root

WORKDIR /home/fluent
ENV PATH /fluentd/vendor/bundle/ruby/2.6.0/bin:$PATH
ENV GEM_PATH /fluentd/vendor/bundle/ruby/2.6.0
ENV GEM_HOME /fluentd/vendor/bundle/ruby/2.6.0

ENV FLUENTD_DISABLE_BUNDLER_INJECTION 1

COPY Gemfile* /fluentd/
RUN buildDeps="sudo make gcc g++ libc-dev libffi-dev" \
 && apt-get update \
 && apt-get upgrade -y \
 && apt-get install \
    -y --no-install-recommends \
    $buildDeps net-tools \
 && gem install bundler --version 1.16.2 \
 && bundle config silence_root_warning true \
 && bundle install --gemfile=/fluentd/Gemfile --path=/fluentd/vendor/bundle \
 && SUDO_FORCE_REMOVE=yes \
    apt-get purge -y --auto-remove \
    -o APT::AutoRemove::RecommendsImportant=false \
    $buildDeps \
 && rm -rf /var/lib/apt/lists/* \
 && gem sources --clear-all \
 && rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems/*/cache/*.gem

COPY ./conf/fluent.conf /fluentd/etc/
COPY ./conf/systemd.conf /fluentd/etc/
COPY ./conf/kubernetes.conf /fluentd/etc/
COPY ./conf/prometheus.conf /fluentd/etc/
RUN touch /fluentd/etc/disable.conf

COPY plugins /fluentd/plugins/
COPY entrypoint.sh /fluentd/entrypoint.sh

ENV FLUENTD_OPT=""
ENV FLUENTD_CONF="fluent.conf"

RUN chmod -R 666 /var/log/
RUN chown -R fluent:fluent /var/log/
RUN chmod -R 777 /fluentd/
RUN chown -R fluent:fluent /fluentd/
RUN chmod -R 777 /home/fluent
RUN chown -R fluent:fluent /home/fluent

USER fluent
ENTRYPOINT ["tini", "--", "/fluentd/entrypoint.sh"]
CMD ["fluentd"]


But I am getting the error below in the fluentd pod:
Permission denied @ rb_sysopen - /var/log/containers.pos

Solutions tried so far:

  1. Init containers to change permissions of /var/log. But new log files are getting added with root user.
  2. Creating pos file inside pod at location /home/fluent/containers.pos but in this approach log files are not readable.

Please help!

@davidcmitchell

I have the same problem

@Ankitnaudiyal

@prashantcsutar @davidcmitchell Have you guys been able to find a solution to this problem?
I want to solve it without having to interfere with the host level user permissions.

@windingroad100hf

Our team ran into this as well - we are still looking for a workaround, but have not found any.

@cosmo0920
Contributor

cosmo0920 commented Nov 6, 2020

I'm planning to support Linux capabilities in Fluentd.
In the /var/log case, we can attach cap_dac_override to /usr/local/bin/ruby, and then Fluentd can write to the position file destination without the root user.
ref: https://man7.org/linux/man-pages/man7/capabilities.7.html

$ sudo setcap cap_dac_override=+eip /usr/local/bin/ruby

For tailing files, I registered a PR to handle bypassing file permission checks in in_tail with a non-root user and cap_dac_read_search or cap_dac_override:
fluent/fluentd#3155

Linux capability on Fluentd documentation:
fluent/fluentd-docs-gitbook#248

Any feedback is appreciated. Thank you!
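
A way to check whether the setcap approach from the last comment can take effect in a given container, as an added example (not code from this issue or from Fluentd). It reads CapEff, CapBnd and NoNewPrivs from /proc/<pid>/status text; the function names and both sample status blocks are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the issue or from Fluentd). Bit numbers come from
# linux/capability.h; function names and sample data are constructed.
CAP_DAC_OVERRIDE=1      # bypass read, write and execute permission checks
CAP_DAC_READ_SEARCH=2   # bypass read and directory-search checks only

# status_field STATUS_TEXT NAME -> value of the "NAME:" line
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# has_cap HEXMASK BIT -> succeeds when that bit is set in the mask
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# diagnose STATUS_TEXT BIT -> prints why the capability is or is not usable
diagnose() {
    eff=$(status_field "$1" CapEff)
    bnd=$(status_field "$1" CapBnd)
    nnp=$(status_field "$1" NoNewPrivs)
    if has_cap "$eff" "$2"; then
        echo effective               # the process can already use it
    elif ! has_cap "$bnd" "$2"; then
        echo blocked-bounding-set    # file permitted caps are masked by CapBnd
    elif [ "${nnp:-0}" = 1 ]; then
        echo blocked-no-new-privs    # execve ignores file capabilities
    else
        echo not-granted             # allowed, but not set on the binary
    fi
}

# Constructed sample: ruby started after setcap cap_dac_override=+eip
SAMPLE_GRANTED='Name: ruby
CapEff: 0000000000000002
CapBnd: 00000000a80425fb
NoNewPrivs: 0'

# Constructed sample: same bounding set, but no_new_privs is set
# (Kubernetes sets it with allowPrivilegeEscalation: false)
SAMPLE_NNP='Name: ruby
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
NoNewPrivs: 1'

diagnose "$SAMPLE_GRANTED" "$CAP_DAC_OVERRIDE"
diagnose "$SAMPLE_NNP" "$CAP_DAC_OVERRIDE"
diagnose "$SAMPLE_NNP" "$CAP_DAC_READ_SEARCH"
```

Inside the container, `diagnose "$(cat /proc/self/status)" "$CAP_DAC_READ_SEARCH"` answers the same question for the live environment, since the bounding set and the no_new_privs flag are inherited by the Fluentd process.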
