  1. Zeppelin
  2. ZEPPELIN-5747

Docker image is missing a real zeppelin user when running on kubernetes


Details

    • Improvement
    • Status: Reopened
    • Minor
    • Resolution: Unresolved
    • 0.10.1
    • None
    • docker

    Description

      Problem

      The Docker image doesn't define a real user at build time. There is a small hack to create one at runtime, but according to Kubernetes security good practices, the file /etc/passwd is read-only.

      Running as "non-root" is a best practice for running containers, especially on Kubernetes with a securityContext, such as:

      podSecurityContext:  
        runAsNonRoot: true  
        runAsUser: 1000  
        runAsGroup: 1000  
        fsGroup: 1000 

      Zeppelin will run fine, giving a small warning:

      Container ENTRYPOINT failed to add passwd entry for anonymous UID 

      but spark will not:

      org.apache.hadoop.security.KerberosAuthException: failure to login: javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input: name
      	at com.sun.security.auth.UnixPrincipal.<init>(UnixPrincipal.java:71) 

      Solution

      The Dockerfile should create a "zeppelin" user, with home = "/opt/zeppelin", uid = 1000

      Workaround

      On kubernetes, it's possible to share a volume mounted as /etc/passwd and use an initContainer to add the user.
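
The workaround described above, written out as a Pod manifest. This is an added example, not part of the original issue or the Zeppelin project: the pod, volume and mount names, the image tag and the `/bin/false` login shell are assumptions, while the UID, GID and home directory come from the issue text.

```yaml
# Added example: zeppelin-passwd-demo, passwd-dir and /work are hypothetical names.
apiVersion: v1
kind: Pod
metadata:
  name: zeppelin-passwd-demo
spec:
  securityContext:              # same pod-level settings as in the issue
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000               # makes the emptyDir writable for GID 1000
  volumes:
    - name: passwd-dir
      emptyDir: {}
  initContainers:
    - name: add-zeppelin-user
      image: apache/zeppelin:0.10.1   # assumed image tag
      command:
        - sh
        - -c
        - |
          set -eu
          # Start from the image's own passwd so existing entries are kept.
          cp /etc/passwd /work/passwd
          # Append the entry only if no user with UID 1000 exists yet.
          if ! grep -q '^[^:]*:[^:]*:1000:' /work/passwd; then
            echo 'zeppelin:x:1000:1000:zeppelin:/opt/zeppelin:/bin/false' >> /work/passwd
          fi
      volumeMounts:
        - name: passwd-dir
          mountPath: /work
  containers:
    - name: zeppelin
      image: apache/zeppelin:0.10.1   # assumed image tag
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: passwd-dir
          mountPath: /etc/passwd      # single-file mount over the image's passwd
          subPath: passwd
          readOnly: true              # the main container cannot modify it
```

The init container runs as the same unprivileged UID, so nothing in the pod needs root, and UID 1000 resolves to a user name inside the main container.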


          People

            Unassigned Unassigned
            ebuildy Thomas Decaux