Skip to content
This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Could not run Elastic Search conatiner as non-root #790

Open
vijeswari opened this issue Dec 6, 2021 · 3 comments
Open

Could not run Elastic Search conatiner as non-root #790

vijeswari opened this issue Dec 6, 2021 · 3 comments
Labels
bug Something isn't working

Comments

@vijeswari
Copy link

Describe the bug
A clear and concise description of what the bug is.
As mentioned in the enhancement #703, we tried creating ODFE pods running as non-root user using ODFE 1.13.2 docker image and helm chart. The pod creation fails with the following error:

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch
OpenDistro for Elasticsearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/elasticsearch
Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core)
Elasticsearch config dir: /usr/share/elasticsearch/config
Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: x-content-7.10.2
Detected Open Distro Security Version: 1.13.1.0
Success
Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

To Reproduce
Steps to reproduce the behavior:

  1. Download ODFE helm 1.13.2
  2. Run 'helm install test . -f values-nonroot.yaml'
  3. Pod creation fails

Expected behavior
A clear and concise description of what you expected to happen.
ES container should be up and running as non root

Configuration (please complete the following information):

  • ODFE/Kibana version 1.13.2
  • Distribution: NA
  • Host Machine:NA

Relevant information
Please include any relevant log snippets or files here.

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch
OpenDistro for Elasticsearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/elasticsearch
Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core)
Elasticsearch config dir: /usr/share/elasticsearch/config
Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: x-content-7.10.2
Detected Open Distro Security Version: 1.13.1.0
Success
Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied
@vijeswari vijeswari added the bug Something isn't working label Dec 6, 2021
@oomichi
Copy link

oomichi commented Jan 27, 2022

@vijeswari
Hello, I am facing the same issue.
Do you find some solution for this issue?

/cc @oomichi

@oomichi
Copy link

oomichi commented Feb 1, 2022

@vijeswari Hello, I am facing the same issue. Do you find some solution for this issue?

/cc @oomichi

I found a solution for this issue.
By specifying

  extraEnvs:
    - name: DISABLE_INSTALL_DEMO_CONFIG
      value: "true"

in values.yaml, the demo mode is disabled and it solves this issue on my side.

@vijeswari
Copy link
Author

@oomichi
This solution did not work for us. We are relying on demo certificates for time being so disabling the demo config scripts has impact on the internal node communication on port 9300. Have you configured certificates post disabling demo config script?

Thank you

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@oomichi @vijeswari