[Feature]: Enable milvus containers to run as a non-root user #25565
Comments
Hi, looks like I am having the same issue. Can you please tell me what the status of this is? I opened a new issue. See this: zilliztech/milvus-helm#43
/assign @LoveEachDay
+1 for this feature. It seems the only reason it is running as root is wrong file permissions, which can be easily fixed with a proper Dockerfile.
Coming back to check if there are any updates or plans to fix this.
Has anyone started working on this? Otherwise I'll take a stab at it to enrich the ecosystem around OpenShift AI.
I can just explain the procedure for how to fix it. It seems to be a simple file/folder permission issue, which means it should be straightforward to fix by modifying the Dockerfile of the images of the problematic components to include chmod g+rwx and chgrp root on the affected folders. OpenShift requires the root group to have the necessary permissions, as all containers by default start with a random UID, but each user is in the root group. Hope this helps.
Yeah, this is what I may do in the short term; this is quite a standard procedure to fix ownership/permissions on those types of containers.
OpenShift runs Pods with a random uid and gid 0. As Milvus needs to write into the /milvus directory, this fix modifies the group permissions to allow the root group (gid 0) to write into it. This is a simple solution that allows running Milvus on OpenShift without adding security constraints, using special ServiceAccounts or whatever. This should also not impact any other Kubernetes platform, as it's a simple group permission change, nothing regarding the userid.

Note: Other actions are necessary to properly deploy the full stack (Minio, Pulsar, ...) on OpenShift. I will document them in the helm chart project.

Fixes #25565

Signed-off-by: Guillaume Moutier <guillaume.moutier@gmail.com>
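The procedure described in the comment above and in the commit message, as an added example that is not Milvus project code: a POSIX shell script that wraps the two commands (chgrp to the root group, then copy the owner's permission bits to the group) in a function, and an audit function that reports whether every entry in a tree is owned by that group and writable by it. The `/milvus` path and the `milvus.yaml` file name come from the thread; the temporary directory, the sample YAML content, and the use of the caller's primary group instead of gid 0 in the demo (so the script runs without root) are constructed for this example.

```shell
#!/bin/sh
# Added example, not Milvus code: the "arbitrary UID, gid 0" fix for OpenShift
# as a shell function, plus an audit of the result.
#
# In a Dockerfile the same step runs as root at build time, e.g.
#   RUN chgrp -R 0 /milvus && chmod -R g=u /milvus
# `g=u` copies the owner bits to the group: rwx on directories, rw on files,
# which is what a random UID in gid 0 needs to write /milvus/configs/milvus.yaml.
set -u

# fix_group_perms DIR [GID]: give GID (default 0, the root group) the same
# access the owner has on everything under DIR.  Changing the group to 0
# requires root, which an image build step has.
fix_group_perms() {
  fgp_dir=$1
  fgp_gid=${2:-0}
  chgrp -R "$fgp_gid" "$fgp_dir" && chmod -R g=u "$fgp_dir"
}

# check_group_writable DIR [GID]: returns 0 only if every entry under DIR
# (DIR included) belongs to group GID, every directory has g+wx (octal 030)
# and every other entry has g+w (octal 020).  Uses find, so no GNU stat needed.
check_group_writable() {
  cgw_dir=$1
  cgw_gid=${2:-0}
  if find "$cgw_dir" ! -group "$cgw_gid" -print | grep -q .; then
    return 1
  fi
  if find "$cgw_dir" -type d ! -perm -030 -print | grep -q .; then
    return 1
  fi
  if find "$cgw_dir" ! -type d ! -perm -020 -print | grep -q .; then
    return 1
  fi
  return 0
}

# demo: constructed stand-in for the image's /milvus tree.  A non-root caller
# cannot chgrp to 0, so the demo audits against the caller's primary group
# (assumption made so it runs anywhere; inside the image the gid would be 0).
demo() {
  d_tmp=$(mktemp -d)
  d_gid=$(id -g)
  mkdir -p "$d_tmp/milvus/configs"
  umask 022
  # constructed sample config, mode 644 under umask 022: group cannot write
  printf 'etcd:\n  endpoints: localhost:2379\n' > "$d_tmp/milvus/configs/milvus.yaml"
  if check_group_writable "$d_tmp/milvus" "$d_gid"; then
    echo "unexpected: tree already group-writable"
    rm -rf "$d_tmp"
    return 1
  fi
  if fix_group_perms "$d_tmp/milvus" "$d_gid" \
     && check_group_writable "$d_tmp/milvus" "$d_gid"; then
    echo "fixed: group $d_gid can now write under $d_tmp/milvus"
    rm -rf "$d_tmp"
    return 0
  fi
  rm -rf "$d_tmp"
  return 1
}
```

`chmod g=u` covers both the `g+rwx` on directories and `g+rw` on files mentioned above without marking files executable that the owner cannot execute. To confirm a built image, run it with an arbitrary UID in the root group, for example `docker run --rm --user 12345:0 <image> sh -c 'touch /milvus/configs/probe'`, and the `permission denied` error from the issue should not appear.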
…o#30775) OpenShift runs Pods with a random uid and gid 0. As Milvus needs to write into the /milvus directory, this fix modifies the group permissions to allow the root group (gid 0) to write into it. This is a simple solution that allows running Milvus on OpenShift without adding security constraints, using special ServiceAccounts or whatever. This should also not impact any other Kubernetes platform, as it's a simple group permission change, nothing regarding the userid.

Note: Other actions are necessary to properly deploy the full stack (Minio, Pulsar, ...) on OpenShift. I will document them in the helm chart project.

Fixes milvus-io#25565

Signed-off-by: Guillaume Moutier <guillaume.moutier@gmail.com>
Signed-off-by: shaoyue.chen <shaoyue.chen@zilliz.com>
Is there an existing issue for this?
Is your feature request related to a problem? Please describe.
Referencing this: #22516 (comment)
Running containers as root can pose a security risk and is generally not recommended; in certain environments, running containers as root is strictly prohibited, which prevents Milvus from being deployed.
In addition, certain flavors of Kubernetes, e.g. OpenShift by default, run containers with a non-root user (for security reasons), which causes Milvus container pods to fail with a "write failed: open /milvus/configs/milvus.yaml: permission denied" error.
Describe the solution you'd like.
Enable milvus containers to be able to run as a non-root user.
Describe an alternate solution.
No response
Anything else? (Additional Context)
No response