This repository has been archived by the owner on May 16, 2023. It is now read-only.

apm-server: Run as non-root user #785

Closed
caiconkhicon opened this issue Aug 17, 2020 · 8 comments · Fixed by #996
Labels
apm-server enhancement New feature or request

Comments

@caiconkhicon
Contributor

caiconkhicon commented Aug 17, 2020

Describe the feature:
I want to run apm-server as a non-root user, same as described here: helm/charts#18366

Currently, if I set podSecurityContext, the Pod fails with the error:

Exiting: error loading config file: open apm-server.yml: permission denied
@jmlrt
Member

jmlrt commented Aug 25, 2020

Hi @caiconkhicon, thanks for submitting this issue.

Can you provide more details about your environment by answering all the questions asked in the bug report template?

@jmlrt jmlrt added bug Something isn't working apm-server labels Aug 25, 2020
@caiconkhicon
Contributor Author

Hi @jmlrt, thank you for your reply. I am happy to provide the necessary information. However, IMO, my request here is a feature request.
What I expect is a change to make it possible to run apm-server as a non-root user. My assumption is that the change should look like helm/charts#18366 in the official Helm chart repository.

@botelastic

botelastic bot commented Nov 23, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@jmlrt jmlrt removed the bug Something isn't working label Nov 24, 2020
@botelastic botelastic bot removed the triage/stale label Nov 24, 2020
@jmlrt jmlrt added the enhancement New feature or request label Nov 24, 2020
@jmlrt
Member

jmlrt commented Nov 24, 2020

This is still valid; however, we won't be able to handle it in the short run.
Would you be interested in creating a PR?

@caiconkhicon
Contributor Author

@jmlrt: I think I can. Give me one week; I will try to find a time when I can do it.

@caiconkhicon
Contributor Author

@jmlrt: There is another problem with letting apm-server run as root: the binary is owned by root and cannot be run by others:

-rwxr-x--- 1 root root 102M Nov 28 07:07 /usr/share/apm-server/apm-server

Thus, when running it as non-root, this error appears:

/usr/local/bin/docker-entrypoint: line 8: /usr/share/apm-server/apm-server: Permission denied

I think the fix should be in the apm-server image. Can you do it? Or where to do it? I don't see it looks quite like https://github.com/elastic/apm-server/blob/master/Dockerfile

@jmlrt
Member

jmlrt commented Nov 30, 2020

@caiconkhicon,
Can you open an issue to apm-server repo for that?

@caiconkhicon
Contributor Author

@jmlrt: I created an issue in https://github.com/elastic/apm-server and discussed it with people there. It seems that this is not a bug/issue there but a security limitation. Thus, the apm-server pod must run with runAsGroup: 0. Should we fix it in the Helm chart or let users do it freely (like currently https://github.com/elastic/helm-charts/blob/master/apm-server/values.yaml#L78)?

jmlrt added a commit to jmlrt/helm-charts that referenced this issue Dec 23, 2020
This commit updates the APM server pod to run with UID 1000 instead of 0 (root).

Note that GID 0 is still required due to apm-server binary default files
permissions.

Fix elastic#785
@jmlrt jmlrt closed this as completed in #996 Jan 6, 2021
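
Why the merged change keeps GID 0, as an added example (not code from the chart or from apm-server): it applies the standard POSIX owner/group/other check to the file mode quoted in this thread. The helper names and the sample security contexts are constructed for illustration; `runAsUser`, `runAsGroup` and `supplementalGroups` are the Kubernetes security-context fields.

```python
import stat

# Constructed from the `ls -l` line quoted in the thread:
# -rwxr-x--- 1 root root ... /usr/share/apm-server/apm-server
BINARY = {"mode": "-rwxr-x---", "uid": 0, "gid": 0}


def parse_mode(ls_mode):
    """Turn an ls-style mode string such as '-rwxr-x---' into permission bits."""
    if len(ls_mode) != 10:
        raise ValueError("expected a 10-character ls mode string")
    bits = 0
    for i, ch in enumerate(ls_mode[1:]):
        # '-' means the bit is clear; 'S'/'T' mean setuid/sticky without execute
        if ch not in "-ST":
            bits |= 1 << (8 - i)
    return bits


def can_execute(bits, owner_uid, owner_gid, uid, gid, groups=()):
    """POSIX check: exactly one class (owner, group, other) is consulted."""
    if uid == 0:
        # root may execute a file as soon as any execute bit is set
        return bool(bits & 0o111)
    if uid == owner_uid:
        return bool(bits & stat.S_IXUSR)
    if gid == owner_gid or owner_gid in groups:
        return bool(bits & stat.S_IXGRP)
    return bool(bits & stat.S_IXOTH)


def context_can_start(ctx, binary=BINARY):
    """Can a container with this security context exec the binary?"""
    return can_execute(parse_mode(binary["mode"]), binary["uid"], binary["gid"],
                       ctx["runAsUser"], ctx["runAsGroup"],
                       ctx.get("supplementalGroups", ()))


if __name__ == "__main__":
    samples = [  # constructed security contexts
        {"runAsUser": 1000, "runAsGroup": 1000},  # "Permission denied" case
        {"runAsUser": 1000, "runAsGroup": 0},     # UID/GID from the commit
        {"runAsUser": 1000, "runAsGroup": 1000, "supplementalGroups": [0]},
    ]
    for ctx in samples:
        print(ctx, "->", "ok" if context_can_start(ctx) else "Permission denied")
```

With mode 0750 and owner root:root, only the group class gives a non-root UID the execute bit, so dropping GID 0 requires changing the file mode or ownership in the image.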