Dockerfile: Run as nobody#2859

Merged
fabxc merged 2 commits into prometheus:dev-2.0 from gouthamve:docker-nobody on Jul 5, 2017

Conversation

@gouthamve
Member

@gouthamve gouthamve commented Jun 19, 2017

This needs the mounted directory to be owned by 99:99

@sdurrheimer @grobie @jimmidyson @devx @brian-brazil @brancz @fabxc


devx and others added 2 commits October 18, 2016 10:49
Signed-off-by: Goutham Veeramachaneni <cs14btech11014@iith.ac.in>
@brancz
Member

brancz commented Jun 19, 2017

I think in the previous PR it was discussed that this is a breaking change and thus must be deferred until 2.0. But you can just change the target branch from master to dev-2.0.

@gouthamve gouthamve changed the base branch from master to dev-2.0 June 19, 2017 09:41
@gouthamve
Member Author

My bad, fixed it. Thanks @brancz

@andrewhowdencom

andrewhowdencom commented Jun 19, 2017

Just a stub as I'll forget about this, but it might be worth noting the fsGroup spec in Kubernetes in docs somewhere to fix the perms. https://kubernetes.io/docs/concepts/policy/pod-security-policy/

@fabxc
Contributor

fabxc commented Jul 3, 2017

Anything further speaking against merging this?

@fabxc fabxc merged commit 24e9dea into prometheus:dev-2.0 Jul 5, 2017
@gouthamve gouthamve deleted the docker-nobody branch July 5, 2017 14:31
@2color

2color commented Dec 5, 2017

To anyone who comes across this:

The correct UID would be 65534

$ docker run -it --rm --entrypoint sh prom/prometheus:v2.0.0

/prometheus $ id
uid=65534(nobody) gid=65534(nogroup)

@cliang57

Yep for me it is also 65534.
/prometheus $ id
uid=65534(nobody) gid=65534(nogroup)

@ahoka

ahoka commented Mar 26, 2018

Nobody is a very bad choice. To mount the data directory as a volume I have to give write permissions on my host to nobody, which, 'nomen est omen', should not have write permissions to any directory.

@brancz
Member

brancz commented Mar 26, 2018

It doesn't mean you should run it as that user, but that you can run it as any user/group combination, giving you the possibility to choose permissions rather than the image forcing you into some seemingly random UID/GID combination.

@untoldone

Isn't it a pretty standard practice to run a docker container's processes as root? In this configuration, using attached volumes becomes tricky compared to most every other docker container I've worked with. Basically, I need a startup script to make sure Prometheus has write access to its data volume.
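The comments above converge on the practical consequence of this PR: the image now runs as uid/gid 65534 (nobody:nogroup, as the `id` output shows), so a bind-mounted data directory has to be owned by that uid/gid or the process cannot write to it. The script below is an added example written for this page, not code from prometheus/prometheus; it asks the image which uid it actually runs as instead of hard-coding 99 or 65534, fixes the host directory's ownership only when it is wrong, and then starts the container with an explicit `--user` so the volume owner and the process uid agree. The image tag `prom/prometheus:v2.0.0`, the host path `/var/lib/prometheus`, and the availability of docker, GNU or BSD `stat`, and `sudo` are assumptions.

```shell
#!/bin/sh
# Added example, not part of prometheus/prometheus.
# Prepare a host data directory for the prom/prometheus image (which runs as
# uid/gid 65534, nobody:nogroup, since 2.0) and start the container against it.
# Assumptions: docker CLI on PATH, GNU or BSD stat, root or sudo for chown.
set -u

PROM_IMAGE="${PROM_IMAGE:-prom/prometheus:v2.0.0}"   # assumed tag
PROM_GID=65534                                       # nogroup, per `id` in the image

# Ask the image itself which uid/gid its process runs as, rather than trusting
# a number from a PR description. Needs docker; nothing else in the script does.
image_runtime_uid() { docker run --rm --entrypoint id "$1" -u; }
image_runtime_gid() { docker run --rm --entrypoint id "$1" -g; }

# Numeric owner uid/gid of a path (GNU stat first, BSD stat as fallback).
owner_uid() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }
owner_gid() { stat -c '%g' "$1" 2>/dev/null || stat -f '%g' "$1"; }

# Exit 0 when directory $1 is owned by uid $2 and gid $3, 1 otherwise.
dir_owned_by() {
    [ "$(owner_uid "$1")" = "$2" ] && [ "$(owner_gid "$1")" = "$3" ]
}

# Create the directory if needed and chown it to uid:gid only when the owner
# is wrong. A directory that already has the right owner is left untouched,
# so re-running the script is safe.
prepare_data_dir() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir"
    if dir_owned_by "$dir" "$uid" "$gid"; then
        return 0
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$dir"
    else
        sudo chown -R "$uid:$gid" "$dir"
    fi
    dir_owned_by "$dir" "$uid" "$gid"
}

# Render the docker run command line. --user pins the container uid/gid
# explicitly, so the mount permissions and the process agree even if a later
# image changes its USER line.
prometheus_run_cmd() {
    dir=$1; uid=$2; gid=$3; image=$4
    printf 'docker run -d --name prometheus --user %s:%s -p 9090:9090 -v %s:/prometheus %s' \
        "$uid" "$gid" "$dir" "$image"
}

# Same command, executed instead of printed.
run_prometheus() {
    dir=$1; uid=$2; gid=$3; image=$4
    docker run -d --name prometheus --user "$uid:$gid" -p 9090:9090 \
        -v "$dir:/prometheus" "$image"
}

main() {
    data_dir=${1:-/var/lib/prometheus}   # assumed host path
    uid=$(image_runtime_uid "$PROM_IMAGE")
    gid=$(image_runtime_gid "$PROM_IMAGE")
    echo "image $PROM_IMAGE runs as $uid:$gid; preparing $data_dir"
    prepare_data_dir "$data_dir" "$uid" "$gid"
    echo "starting: $(prometheus_run_cmd "$data_dir" "$uid" "$gid" "$PROM_IMAGE")"
    run_prometheus "$data_dir" "$uid" "$gid" "$PROM_IMAGE"
}

# Only act when invoked as `./prom-data-dir.sh --run [DIR]`; sourcing the file
# just defines the functions.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

On Kubernetes the equivalent of the chown step is the pod-level `securityContext.fsGroup` (set to 65534 here) that the earlier comment points to: the kubelet makes the mounted volume group-writable by that gid, so no init container or startup script has to fix ownership. Mounting a host directory owned by 65534 is a narrower grant than running the container as root to sidestep the problem: a compromised Prometheus can then write only to its own data directory rather than to anything root on the host can reach.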

sijie pushed a commit to apache/pulsar-helm-chart that referenced this pull request Apr 29, 2020
### Motivation

As seen below, there is a fix for one of the Grafana dashboards that are currently broken in this project (available since version 0.0.5):
- [The Pulsar-topics metrics can't load in Grafana](streamnative/charts#49)

Additionally, upgrading Prometheus to the latest version improves performance as seen here: https://prometheus.io/blog/2017/11/08/announcing-prometheus-2-0

### Modifications

Bring Docker images to their most up-to-date version (streamnative/apache-pulsar-grafana-dashboard-k8s:0.0.6, prom/prometheus:v2.17.2) to fix the following issues:
- streamnative/charts#49 <- fixes Pulsar-topics metrics failure to load
- prometheus/prometheus#2859 <- prevent escalation vulnerabilities by defaulting to the ```nobody``` user

**Note**: upgrading to the latest version of Prometheus (currently v2.17.2) caused the pod to fail with the following error: ```open /prometheus/queries.active: permission denied```. In order to fix this issue I followed the instructions from these 2 comments:

- [Permission denied UID/GID solution](prometheus/prometheus#5976 (comment))
- [Unable to create mmap-ed active query log securityContext fix](aws/eks-charts#21 (comment))

### Verifying this change

- [x] Make sure that the change passes the CI checks.