While developing Docker images for Icinga 2, Icinga Web 2 and Icinga DB we stumbled over OpenShift which doesn’t allow images to run as root by default. One has to enable that explicitly. Also admins of K8s environments being more permissive by default may decide not to allow running as the superuser.

So we’ve added a USER directive to our Dockerfiles to make our customers‘ compliance departments happy. But then we noticed that not all K8s environments make it easy enough for non-developers to adjust volume permissions respectively. And if a container doesn’t control its volumes…

Setuid to the rescue!

As always we’ve found a solution for this problem: Our container image ships a binary called docker-chown with the setuid and setgid bits set. Before starting the actual application, that binary is being run. Due to the setuid and setgid bits docker-chown can escalate its privileges and adjust the volume permissions as needed.

But if running as root is forbidden… ?

… docker-chown’s privilege escalation is rejected and our image’s init script just continues with the actual application. Without adjusting the permissions, of course.

[2020-11-03 11:29:18 +0000] information/DockerEntrypoint: Checking "/data/var/cache/icinga2"
[2020-11-03 11:29:18 +0000] information/DockerEntrypoint: Copying "/data-init/var/cache/icinga2" to "/data/var/cache/icinga2"
[2020-11-03 11:29:18 +0000] critical/DockerEntrypoint: mkdir /data/var/cache: permission denied 

So if you don’t allow the container to run as the superuser, you have to adjust the volume permissions by yourself.

Try it out!

On NWS K8s hosted in Germany.