
Operation not permitted /var/run/s6 on non-root user #198

Open
iiidddaaannn102 opened this issue Apr 30, 2021 · 9 comments

Comments

@iiidddaaannn102

Hi,
Because I cannot use a root user in my company, I tried to run the docker image with other users (the librenms user and more).
I'm having issues when the container is on init (running /init) and there are a lot of "Operation not permitted" errors on the /var/run/s6 directory.
I tried to use the PUID and PGID env variables, to give the user permissions to s6 recursively and to commit the image, but every time the base librenms image is on init it runs /init and the issue happens again.
The documentation mentions the feature "non-root user", so how do I do it?

thanks all

@murrant
Member

murrant commented May 1, 2021

LibreNMS has nothing to do with s6 and will work perfectly fine despite these errors. I'm unsure if it is even used in the image. Probably can be resolved in the docker image though.

@iiidddaaannn102
Author

LibreNMS has nothing to do with s6 and will work perfectly fine despite these errors. I'm unsure if it is even used in the image. Probably can be resolved in the docker image though.

Cool... so how do I do it? Do you have a best practice for that?

@crazy-max
Member

@murrant

LibreNMS has nothing to do with s6 and will work perfectly fine despite these errors. I'm unsure if it is even used in the image. Probably can be resolved in the docker image though.

s6 is used in this image through s6-overlay to be able to manage services.

I'm having issues when the container is on init(running /init) and there is a lot of "Operation not permitted" on /var/run/s6 directory.

If you have a read-only root fs you might need to follow these steps.

@trif666

trif666 commented Aug 24, 2021

Hello @crazy-max,

I have the same issue as @iiidddaaannn102 about permissions to s6.

I am trying to deploy LibreNMS into my company's EKS cluster, with the same problem regarding the non-root user restriction.
Even with the use of the variable "S6_READ_ONLY_ROOT", the container encounters an error concerning s6:
s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Permission denied

Here is my deployment manifest:

apiVersion: apps/v1   # required by the API server; missing from the pasted manifest
kind: Deployment
metadata:
  name: librenms-deployment
  namespace: nms
spec:
  selector:
    matchLabels:
      app: nms_webui
  replicas: 1
  template:
    metadata:
      labels:
        app: nms_webui
    spec:
      containers:
      - name: librenms
        image: librenms/librenms:21.4.0
        ports:
        - containerPort: 8000
        env:
        - name: S6_READ_ONLY_ROOT
          value: '1'
        resources:
          requests:
            memory: "250Mi"
            cpu: "500m"
          limits:
            memory: "250Mi"
            cpu: "500m"
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
        volumeMounts:
        - name: application-volume
          mountPath: /opt/librenms
        - name: application-socket
          mountPath: /sock
        # the same emptyDir is mounted a second time, over /var
        - name: application-volume
          mountPath: /var
      volumes:
      - name: application-volume
        emptyDir: {}
      - name: application-socket
        emptyDir:
          medium: Memory

I suspect the variable "S6_READ_ONLY_ROOT" is not being taken into account...
Could you confirm whether setting this variable is enough for a non-root environment, or if something else is required?

Thanks to you

@trif666

trif666 commented Sep 7, 2021

Hello,

Does anyone have an idea of how the docker stack can be started with no root rights?

If more information is needed, don't hesitate and ask me ;)

Thanks to you !

@matthewpomeryssq

I'm running into this same issue, which given our organizational policies makes this a blocker for us. Can someone please advise whether this is a configuration problem, requires development, or is a won't-fix issue?

To summarize the problem: when forcing the pod to run as a non-root user using

securityContext:
  runAsNonRoot: true

the pod crashes with: s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Read-only file system

@murrant
Member

murrant commented Jul 18, 2022

What does runAsNonRoot do? LibreNMS always runs without root privileges. Or does that mean S6 runs without root? Not sure how that would work.

@murrant
Member

murrant commented Jul 18, 2022

Perhaps if /run is writable (mounted to tmpfs), /var/run is linked, and S6_READ_ONLY_ROOT is set, that would be enough.

https://github.com/just-containers/s6-overlay#read-only-root-filesystem

Probably not though as s6 sets up the other services. Perhaps this could be distilled down to a feature request to run with a read-only file system.

@matthewpomeryssq

What does runAsNonRoot do? LibreNMS always runs without root privileges. Or does that mean S6 runs without root? Not sure how that would work.

Basically, it requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. This ensures the container is not running as 0.
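Two checks a reviewer can run over a pod spec before applying it, written as an added example for this thread (not code from LibreNMS, s6-overlay or Kubernetes). The first function follows the kubelet's enforcement of runAsNonRoot as described in the comment above, including the case of a non-numeric or missing image USER, which the comment does not spell out. The second turns the preconditions murrant suggests earlier (S6_READ_ONLY_ROOT set, /run or /var/run on a writable tmpfs) into a lint over the container spec and volumes, so that a manifest like the one trif666 posted can be checked before deploying; whether meeting those preconditions is sufficient for this image is exactly what the thread leaves open. The specs are plain dicts so no YAML parser is needed; function names and the sample specs are constructed for illustration.

```python
"""Added example, not code from LibreNMS or s6-overlay: two pre-apply checks
on a pod spec, written as plain dicts so they run without a YAML parser.

run_as_non_root_verdict() follows the kubelet's enforcement of runAsNonRoot:
container-level securityContext overrides pod-level; with no explicit
runAsUser, the image USER must be numeric and non-zero or the container is
refused. s6_run_dir_verdict() checks the preconditions murrant suggests:
S6_READ_ONLY_ROOT=1 and a writable emptyDir mounted at /run or /var/run.
All sample specs below are constructed for illustration.
"""
from typing import Optional


def effective_run_as_user(pod_sc: dict, container_sc: dict) -> Optional[int]:
    """Container-level runAsUser wins over pod-level, as in Kubernetes."""
    if "runAsUser" in container_sc:
        return container_sc["runAsUser"]
    return pod_sc.get("runAsUser")


def run_as_non_root_verdict(pod_sc: dict, container_sc: dict, image_user: str) -> str:
    """Return 'ok' or the reason the kubelet would refuse to start the container.

    image_user is the USER baked into the image: '' when absent (Docker then
    runs as root), a name such as 'root', or a numeric UID string.
    """
    wants_non_root = container_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    if not wants_non_root:
        return "ok"
    uid = effective_run_as_user(pod_sc, container_sc)
    if uid is not None:
        return "ok" if uid != 0 else "rejected: runAsUser is 0"
    # No explicit UID: the kubelet can only verify a numeric image USER.
    if image_user == "":
        return "rejected: image has no USER, so it would run as root"
    if not image_user.isdigit():
        return f"rejected: image USER {image_user!r} is not numeric, cannot verify non-root"
    return "ok" if int(image_user) != 0 else "rejected: image USER is 0"


def s6_run_dir_verdict(container: dict, volumes: list) -> list:
    """List which of the suggested preconditions the container spec misses.

    A mount on a parent such as /var does not count: a fresh emptyDir is empty,
    so it carries no run/ subdirectory and hides the image's own /var/run.
    """
    findings = []
    env = {e.get("name"): e.get("value") for e in container.get("env", [])}
    if env.get("S6_READ_ONLY_ROOT") != "1":
        findings.append("S6_READ_ONLY_ROOT is not set to '1'")
    vol_by_name = {v["name"]: v for v in volumes}
    run_mounts = [m for m in container.get("volumeMounts", [])
                  if m["mountPath"].rstrip("/") in ("/run", "/var/run")
                  and not m.get("readOnly", False)]
    if not run_mounts:
        findings.append("no writable volume mounted at /run or /var/run")
    for m in run_mounts:
        if "emptyDir" not in vol_by_name.get(m["name"], {}):
            findings.append(f"volume {m['name']!r} at {m['mountPath']} is not an emptyDir")
    return findings


# Constructed sample: the shape of the manifest posted in this thread.
AS_POSTED_CONTAINER = {
    "env": [{"name": "S6_READ_ONLY_ROOT", "value": "1"}],
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "runAsGroup": 1000},
    "volumeMounts": [{"name": "application-volume", "mountPath": "/opt/librenms"},
                     {"name": "application-socket", "mountPath": "/sock"},
                     {"name": "application-volume", "mountPath": "/var"}],
}
AS_POSTED_VOLUMES = [{"name": "application-volume", "emptyDir": {}},
                     {"name": "application-socket", "emptyDir": {"medium": "Memory"}}]

# Constructed sample: same container with a tmpfs-backed emptyDir on /run instead.
ADJUSTED_CONTAINER = dict(AS_POSTED_CONTAINER, volumeMounts=[
    {"name": "application-volume", "mountPath": "/opt/librenms"},
    {"name": "run-tmpfs", "mountPath": "/run"},
])
ADJUSTED_VOLUMES = AS_POSTED_VOLUMES + [{"name": "run-tmpfs", "emptyDir": {"medium": "Memory"}}]


if __name__ == "__main__":
    for label, c, v in (("as posted", AS_POSTED_CONTAINER, AS_POSTED_VOLUMES),
                        ("adjusted", ADJUSTED_CONTAINER, ADJUSTED_VOLUMES)):
        print(label, run_as_non_root_verdict({}, c["securityContext"], "root"),
              s6_run_dir_verdict(c, v) or "s6 preconditions met")
    # Same image USER without an explicit runAsUser is refused by the kubelet.
    print(run_as_non_root_verdict({"runAsNonRoot": True}, {}, "root"))
```

Run against the posted shape, the lint reports that nothing writable is mounted at /run or /var/run, because the emptyDir sits on /var and starts empty; the adjusted spec with a Memory-backed emptyDir on /run passes both checks. Passing the lint only means the manifest satisfies runAsNonRoot and the suggested s6 preconditions; it says nothing about whether s6-overlay's own init then succeeds as that UID.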
