RStudio Server in Kubernetes

It's a follow-up to "Non-root install of RStudio server?"

I want to install RStudio Server (not the enterprise version) in our Kubernetes cluster. Since there are restrictions on host filesystem and root permissions, I need to set runAsNonRoot, disable privilege escalation, etc.
I couldn't find which Helm chart / Docker image to use for this purpose. Can you help?

Hi @radhupr

At "Rocker Project - rstudio, tidyverse, verse, geospatial", paragraph 4 is dedicated to that topic.

Hi @vedoa, I'm failing to understand which setting under section 4 enables running the container as non-root.
I'm using the spec below for the pod, for example:

    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
        # runAsNonRoot: true
      containers:
      - name: rstudio
        image: rocker/tidyverse:4.4.2
        env:
          - name: USERID
            value: "1001"
          - name: GROUPID
            value: "1001"
          - name: ROOT
            value: "true"
        securityContext:
          capabilities:
            drop:
              - ALL
          allowPrivilegeEscalation: false
          runAsNonRoot: true

The pod wouldn't start if I have the securityContext set as above. Am I missing something?
If I set the ROOT env variable to false, the container still runs as the root user.
My cluster has a restriction on user workloads: they need to have the security contexts below set.

    securityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault

If I set the container security context or pod security context to run as non-root, the container fails to start.

    Failed to load logs: container "rstudio" in pod "rstudio-deployment-777cc89c9-m5c8f" is waiting to start: CreateContainerConfigError

Hi @radhupr ,

sorry it didn't work - the idea was to set the env variables as you did (USERID, GROUPID) and set the securityContext to

    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001

and that should have started the pod as non root.

Could you post the logs when running with the above security context and completely ignoring the ROOT env variable (just set USERID and GROUPID)?

@vedoa
The log just says:

    s6-overlay-preinit: fatal: unable to mkdir /var/run/s6: Permission denied

Pod Spec:

    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: rstudio
        image: rocker/tidyverse:4.4.2
        env:
          - name: USERID
            value: "1001"
          - name: GROUPID
            value: "1001"
        securityContext:
          allowPrivilegeEscalation: false
        resources:
          requests:
            memory: "200Mi"
            cpu: "3000m"
          limits:
            memory: "5000Mi"

@radhupr
At least it starts as non-root - this is now a permission issue for the user 1001.

So this exact issue has already been seen: "bump s6 overlay to v2.1.0.2 in R <= 4.0.2 images" by eitsupi (Pull Request #247, rocker-org/rocker-versioned2, GitHub), which links to "[Singularity] RStudio 1.4 and S6 v2.1.0.2 permissions error" (Issue #105, rocker-org/rocker-versioned2, GitHub).

The problem seemed to be resolved - maybe opening an issue there helps the Rocker project take your specific Kubernetes deployment into account.

Also cross-link to "How can I give my rocker/shiny base image the permissions it requires on OpenShift?" (Stack Overflow).

@vedoa Thanks for the response. I raised a GitHub issue: "rstudio in kubernetes - runAsNonRoot context" (Issue #888, rocker-org/rocker-versioned2, GitHub).
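
The cluster requirements quoted in the thread, applied to the two pod specs that were posted, as an added example that is not part of any post or of the Rocker project. `check_pod` and `image_user_is_root` are hypothetical names, the specs are transcribed as Python dicts (env and resources omitted), and the image's default user is assumed to be root, as the thread reports.

```python
# Added example, not code from the thread. Specs are transcribed from the
# two pod specs posted above (env and resources omitted).
REQUIRED_SECCOMP = "RuntimeDefault"

def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext wins over the pod-level value."""
    return ctr_sc.get(key, pod_sc.get(key))

def check_pod(spec, image_user_is_root=True):
    """Return findings for each container; an empty list means compliant.

    image_user_is_root is an assumption about the image's default user
    (the thread reports the rocker container running as root by default).
    """
    findings = []
    pod_sc = spec.get("securityContext", {})
    for ctr in spec.get("containers", []):
        sc, name = ctr.get("securityContext", {}), ctr.get("name", "?")
        uid = effective(pod_sc, sc, "runAsUser")
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        elif uid == 0 or (uid is None and image_user_is_root):
            # The kubelet refuses to start a UID 0 process under
            # runAsNonRoot and reports CreateContainerConfigError.
            findings.append(f"{name}: runAsNonRoot set but container would run as UID 0")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        seccomp = effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") != REQUIRED_SECCOMP:
            findings.append(f"{name}: seccompProfile.type is not {REQUIRED_SECCOMP}")
    return findings

FIRST_SPEC = {  # first spec posted: runAsNonRoot without runAsUser
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "rstudio", "securityContext": {
        "capabilities": {"drop": ["ALL"]},
        "allowPrivilegeEscalation": False, "runAsNonRoot": True}}],
}
SECOND_SPEC = {  # second spec posted: explicit UID/GID 1001
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "runAsGroup": 1001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "rstudio",
                    "securityContext": {"allowPrivilegeEscalation": False}}],
}

if __name__ == "__main__":
    for label, spec in (("first", FIRST_SPEC), ("second", SECOND_SPEC)):
        print(label, check_pod(spec) or "compliant")
```

The first spec trips only the UID check, which matches the CreateContainerConfigError reported; the second passes that check but no longer drops all capabilities, which the cluster policy quoted in the thread requires.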