OpenShift (and its open source variant OKD) run containers with an arbitrary user id which we've already added support for in elasticsearch-docker#125 (see also the old issue elasticsearch-docker#114).
However, USER needs to be additionally specified to a numeric value, according to the OpenShift guidelines.
The current Elasticsearch Dockerfile doesn't specifically set the USER, inherits 0 from the parent image (centos:7) and later inside the entrypoint script switches to user 1000 to start Elasticsearch.
Unfortunately this doesn't work in OpenShift. Unless the anyuid SCC property is set in OpenShift/OKD, the container won't be allowed to start.
In addition to that, Elastic Cloud on k8s sets the property runAsNonRoot: true which just won't work, without specifying a non-privileged USER, on OpenShift/OKD.
@josgonza-rh raised a PR to set USER 1000 in the Dockerfile but we decided to close it and open this issue instead because explicitly setting USER 1000 requires a few changes tracked in this issue:
TAKE_FILE_OWNERSHIP.
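A pre-merge check for the condition this issue describes, as an added example that is not part of the original issue or the project's code: it reads a Dockerfile and reports whether the final stage declares a numeric, non-zero `USER`. The sample Dockerfiles and the function names `effective_user` and `classify` are constructed for illustration.

```python
import re

# Constructed sample Dockerfiles (illustrative, not the project's real Dockerfile).
BEFORE = """\
FROM centos:7
RUN groupadd -g 1000 elasticsearch && \\
    adduser -u 1000 -g 1000 elasticsearch
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
"""
AFTER = BEFORE.replace("ENTRYPOINT", "USER 1000\nENTRYPOINT")
NAMED = BEFORE.replace("ENTRYPOINT", "USER elasticsearch\nENTRYPOINT")


def effective_user(dockerfile):
    """Return the USER value in force at the end of the final build stage, or None."""
    user = None
    # Join backslash line continuations so each instruction sits on one line.
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instruction = parts[0].upper()
        if instruction == "FROM":
            user = None  # new stage: USER comes from the base image again
        elif instruction == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user


def classify(dockerfile):
    """Classify the image user the way a runAsNonRoot-style check needs it."""
    user = effective_user(dockerfile)
    if user is None:
        return "inherited"  # base image decides; 0 for centos:7 per the issue
    uid = user.split(":", 1)[0]  # USER accepts uid[:gid]
    if not (uid.isascii() and uid.isdigit()):
        return "non-numeric"  # a name cannot be checked without /etc/passwd
    return "root" if int(uid) == 0 else "numeric-non-root"


if __name__ == "__main__":
    for name, df in (("before", BEFORE), ("after", AFTER), ("named", NAMED)):
        print(name, classify(df))
```

Only the `numeric-non-root` result satisfies both the OpenShift guideline for a numeric `USER` and a `runAsNonRoot: true` policy without further configuration.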