Change zookeeper user id for kafka docker images

I have an on-premise OpenShift Container Platform in my organization on version 3.11. I am trying to run the pod with the image confluentinc/cp-zookeeper. But due to restrictions added by the OpenShift admin, I am not allowed to run the pod as a user whose id is below 1000000000.

The pod logs are as follows:

===> User
uid=1001390000 gid=0(root) groups=0(root),1001390000
===> Configuring ...
[Errno 13] Permission denied: '/var/lib/zookeeper/data/myid'
Command [/usr/local/bin/dub template /etc/confluent/docker/myid.template /var/lib/zookeeper/data/myid] FAILED !

I was able to successfully run version 4.0.0, but it's failing for the newer version.

Hi,

There's already a similar issue logged in GitHub (with the kafka dir, not zookeeper).

Did you try to use the confluentinc/cp-zookeeper:6.0.2-1-ubi8 image?
I did a short test in my local env and it was running fine with a non-root user:

docker run -e ZOOKEEPER_CLIENT_PORT=2181 confluentinc/cp-zookeeper:6.0.2-1-ubi8
===> User
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
===> Configuring ...
===> Running preflight checks ...
===> Check if /var/lib/zookeeper/data is writable ...
===> Check if /var/lib/zookeeper/log is writable ...
===> Launching ...
===> Launching zookeeper ...

HTH

Yeah. This is running fine locally, where no security context is set. As defined earlier, according to the OpenShift cluster policy, I cannot use a user/group below ~10000000,
and when I try to run with a user id in the valid range, I can see every time that /var/lib/zookeeper/data is owned by appuser with user and group id 1000. I even tried running chown on the directory, but it fails due to a permission issue.

So as in your example, the container starts with appuser id 1000, but in my case, due to the strict security policy, the pod always runs with a user id far above it.
The one solution I can see is to create my own Dockerfiles and add some extra layers on top of it. But this is not always a good solution.

What about building the Docker image locally and adapting it to your needs?
E.g. change the user id or add a different user to run the zookeeper service?

Yes. That's the only way I can find. I checked with Confluent version 5.5 and I am able to start the pod. Seems like an issue for 6.X.X.

Hmm, a little strange, as the zookeeper image confluentinc/cp-zookeeper:5.5.3-1-ubi8
is configured with the same user and userid.

Same with other images as well, e.g. confluent-enterprise-kafka. I tried images from 4.X.X to 5.5.3 and they work. But it fails on 6.X.X.

Understand, but again:
did you check the userid of the appuser for the working images?

Here are the outputs for the kafka-broker image and for zookeeper:

PS kafka\cp-helm-charts-master> oc exec confluent-kafka-cp-kafka-0 -c cp-kafka-broker -- id -a
uid=1001390000 gid=0(root) groups=0(root),1001390000

PS kafka\cp-helm-charts-master> oc exec confluent-kafka-cp-kafka-0 -c cp-kafka-broker -- cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
cp-kafka:x:104:109::/var/run/kafka:/bin/false
cp-kafka-connect:x:105:109::/var/empty:/bin/false
PS kafka\cp-helm-charts-master> oc exec zookeeper-cp-zookeeper-0   -c cp-zookeeper-server -- id -a
uid=1001390000 gid=0(root) groups=0(root),1001390000
PS kafka\cp-helm-charts-master> oc exec zookeeper-cp-zookeeper-0   -c cp-zookeeper-server -- cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false

This does not have any appuser user.

I was able to run all images with the 5.5.3 version tag (schema registry and connect too), but it failed for confluentinc/ksqldb-server, which gave the same error:

===> User
uid=1001390000 gid=0(root) groups=0(root),1001390000
===> Configuring ...
Command [/usr/local/bin/dub path /etc/ksql-server/ writable] FAILED !

And all the logs data is owned by the current pod user:

PS kafka\cp-helm-charts-master> oc exec confluent-kafka-cp-kafka-1 -c cp-kafka-broker -- ls -la /opt/kafka/data-0/logs
total 76
drwxr-sr-x. 272 1001390000 1001390000 24576 Mar 19 15:04 .
drwxrwsrwx.   3 root       1001390000    18 Mar 19 14:04 ..
-rw-r--r--.   1 1001390000 1001390000     0 Mar 19 14:04 .lock
drwxr-sr-x.   2 1001390000 1001390000   141 Mar 19 14:04 __confluent.support.metrics-0
drwxr-sr-x.   2 1001390000 1001390000   141 Mar 19 14:05 __consumer_offsets-1
drwxr-sr-x.   2 1001390000 1001390000   141 Mar 19 14:05 __consumer_offsets-11
drwxr-sr-x.   2 1001390000 1001390000   141 Mar 19 14:05 __consumer_offsets-13

Understand.
Did you mount a directory to the ksql-server pod?

Not for ksql. But I didn't mount for schema registry and connect either, and they both are working fine with the 5.5.3 image tag.

Hi @here, are there any plans to support this change? Or is the only option to use custom Docker images?

Did you already try with the newest versions?


Yes, I tried 6.x versions and the latest 7.0.0 version too. Same error. The issue is here: kafka-images/Dockerfile.ubi8 at 2900a61ed3bea0dfea2ba82cbd45ba669c7a036f · confluentinc/kafka-images · GitHub, where only appuser owns the data dirs. The user which OpenShift runs the pod as is always a member of group root. Hence we can give permission to the root group as well.

I am currently trying to create my own version of the Docker image, but it's taking some time due to multiple restrictions from the organization. The required RPM files are hosted on the Confluent repo, which is blocked by the admin.
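An added illustration of the root cause described above; this is not code from the thread or from confluentinc/kafka-images. It predicts the outcome of dub's "is writable" preflight for an arbitrary-UID, gid-0 pod against a directory with given owner, group and mode, and shows the chgrp/chmod pattern that lets an appuser-owned tree pass that check. GNU coreutils stat is assumed for the helper that reads permission bits.

```shell
#!/bin/sh
# Added example; not part of the thread or of the confluentinc/kafka-images repo.
# OpenShift's restricted SCC runs the container as an arbitrary high UID that is
# absent from /etc/passwd but is a member of gid 0 (root), as the thread's
# "uid=1001390000 gid=0(root)" output shows. A data dir owned appuser:appuser with
# mode 755 is therefore unwritable for that UID, which is the "[Errno 13]" above.

# Predict dub's "is writable" preflight without touching the filesystem.
# $1 mode string as printed by ls -l (e.g. drwxr-xr-x), $2 owner uid, $3 group
# gid, $4 process uid, remaining args: the process's gids. Returns 0 if a write
# would succeed, 1 if it would fail with EACCES. Mirrors the kernel's DAC order:
# root, then owner bits, then group bits (any matching gid), then other bits.
predict_writable() {
  mode=$1; owner=$2; group=$3; uid=$4; shift 4
  [ "$uid" -eq 0 ] && return 0
  if [ "$uid" -eq "$owner" ]; then
    case $mode in ??w*) return 0 ;; *) return 1 ;; esac
  fi
  for g in "$@"; do
    if [ "$g" -eq "$group" ]; then
      case $mode in ?????w*) return 0 ;; *) return 1 ;; esac
    fi
  done
  case $mode in ????????w*) return 0 ;; *) return 1 ;; esac
}

# The fix pattern for arbitrary-UID platforms: hand the tree to a group the pod
# is guaranteed to hold (gid 0 on OpenShift) and copy the owner bits to the
# group, so no world-writable bit is needed. In a Dockerfile this would be
#   RUN chgrp -R 0 /var/lib/zookeeper/data /var/lib/zookeeper/log && \
#       chmod -R g=u /var/lib/zookeeper/data /var/lib/zookeeper/log
# $2 is a parameter so the function can also run unprivileged with the
# caller's own gid.
make_group_writable() {
  chgrp -R "$2" "$1" && chmod -R g=u "$1"
}

# Group permission triplet of a path (GNU coreutils stat assumed).
group_bits() {
  stat -c '%A' "$1" | cut -c5-7
}
```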

PR merged: fix #53 chown/chmod order and permission issue by im-pratham · Pull Request #139 · confluentinc/kafka-images · GitHub. This solves the issue.
