Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permissions error while running fluentd with non-root user #420

Open
prashantcsutar opened this issue Mar 8, 2020 · 4 comments
Open

Permissions error while running fluentd with non-root user #420

prashantcsutar opened this issue Mar 8, 2020 · 4 comments
Labels
enhancement

Comments

@prashantcsutar
Copy link

I created a customized image for my project.

Dockerfile:

FROM fluent/fluentd:v1.4.2-debian-2.0

USER root

WORKDIR /home/fluent
ENV PATH /fluentd/vendor/bundle/ruby/2.6.0/bin:$PATH
ENV GEM_PATH /fluentd/vendor/bundle/ruby/2.6.0
ENV GEM_HOME /fluentd/vendor/bundle/ruby/2.6.0

ENV FLUENTD_DISABLE_BUNDLER_INJECTION 1

COPY Gemfile* /fluentd/
RUN buildDeps="sudo make gcc g++ libc-dev libffi-dev"
&& apt-get update
&& apt-get upgrade -y
&& apt-get install
-y --no-install-recommends
$buildDeps net-tools
&& gem install bundler --version 1.16.2
&& bundle config silence_root_warning true
&& bundle install --gemfile=/fluentd/Gemfile --path=/fluentd/vendor/bundle
&& SUDO_FORCE_REMOVE=yes
apt-get purge -y --auto-remove
-o APT::AutoRemove::RecommendsImportant=false
$buildDeps
&& rm -rf /var/lib/apt/lists/*
&& gem sources --clear-all
&& rm -rf /tmp/* /var/tmp/* /usr/lib/ruby/gems//cache/.gem

COPY ./conf/fluent.conf /fluentd/etc/
COPY ./conf/systemd.conf /fluentd/etc/
COPY ./conf/kubernetes.conf /fluentd/etc/
COPY ./conf/prometheus.conf /fluentd/etc/
RUN touch /fluentd/etc/disable.conf

COPY plugins /fluentd/plugins/
COPY entrypoint.sh /fluentd/entrypoint.sh

ENV FLUENTD_OPT=""
ENV FLUENTD_CONF="fluent.conf"

RUN chmod -R 666 /var/log/
RUN chown -R fluent:fluent /var/log/
RUN chmod -R 777 /fluentd/
RUN chown -R fluent:fluent /fluentd/
RUN chmod -R 777 /home/fluent
RUN chown -R fluent:fluent /home/fluent

USER fluent
ENTRYPOINT ["tini", "--", "/fluentd/entrypoint.sh"]
CMD ["fluentd"]

But getting below error in fluentd pod.
Permission denied @ rb_sysopen - /var/log/containers.pos

Solutions tried so far:

  1. Init containers to change permissions of /var/log. But new log files are getting added with root user.
  2. Creating pos file inside pod at location /home/fluent/containers.pos but in this approach log files are not readable.

Please help!
@davidcmitchell
Copy link

I have the same problem

@Ankitnaudiyal
Copy link

@prashantcsutar @davidcmitchell Have you guys been able to find a solution to this problem?
I want to solve it without having to interfere with the host level user permissions.

@windingroad100hf
Copy link

Our team ran into this as well - we are still looking for a workaround, but have not found any.

@cosmo0920
Copy link
Contributor

cosmo0920 commented Nov 6, 2020
edited
Loading

I'm planning to support Linux capability on Fluentd.
On /var/log case, we can attach cap_dac_override into /usr/local/bin/ruby and then Fluentd can write position file destination without root user.
ref: https://man7.org/linux/man-pages/man7/capabilities.7.html

$ sudo setcap cap_dac_override=+eip /usr/local/bin/ruby

For tailing files, I'd registered a PR to handle bypass file permission checking in in_tail with non-root user and cap_dac_read_search or cap_dac_override:
fluent/fluentd#3155

Linux capability on Fluentd documentation:
fluent/fluentd-docs-gitbook#248

Any feedback is appreciated. Thank you!

@rishavsharma9802 rishavsharma9802 mentioned this issue Apr 26, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@cosmo0920 @Ankitnaudiyal @prashantcsutar @windingroad100hf @davidcmitchell