Description
OpenShift (and its open source variant OKD) runs containers with an arbitrary user id, which we've already added support for in elasticsearch-docker#125 (see also the old issue elasticsearch-docker#114).
However, `USER` additionally needs to be set to a numeric value, according to the OpenShift guidelines.
The current Elasticsearch Dockerfile doesn't explicitly set `USER`; it inherits `0` from the parent image (`centos:7`) and later, inside the entrypoint script, switches to user `1000` to start Elasticsearch.
Unfortunately this doesn't work in OpenShift. Unless the `anyuid` SCC is granted in OpenShift/OKD, the container won't be allowed to start.
In addition to that, Elastic Cloud on Kubernetes sets `runAsNonRoot: true`, which just won't work on OpenShift/OKD without a non-privileged `USER` being specified.
@josgonza-rh raised a PR to set `USER 1000` in the Dockerfile, but we decided to close it and open this issue instead, because explicitly setting `USER 1000` requires a few changes tracked in this issue:
- Remove all user switching code in the entrypoint.
- Remove the TAKE_FILE_OWNERSHIP feature (code here). This feature was historically requested to assist with bind mount permission issues, but not sure how much usage it still has.
- Adjust docs as required, e.g. removing `TAKE_FILE_OWNERSHIP`.
- Add necessary tests to ensure the entrypoint changes don't break existing functionality.
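As an added example (not code from this issue or from the Elasticsearch repository), the following POSIX sh check reproduces the rule described above: the effective `USER` of a Dockerfile must be numeric and non-zero, because OpenShift's restricted SCC and Kubernetes `runAsNonRoot` reject root and cannot prove a named user is non-root. The three Dockerfile snippets are constructed samples modelled on the current and proposed layouts.

```shell
#!/bin/sh
# Prints the value of the last USER directive in a Dockerfile (group suffix
# stripped), or "0" when none is set, i.e. root inherited from the base image.
effective_user() {
    u=$(printf '%s\n' "$1" | awk 'toupper($1)=="USER" {v=$2} END {if (v=="") v="0"; print v}')
    printf '%s\n' "${u%%:*}"
}

# Succeeds only for a numeric, non-zero UID. A user name such as
# "elasticsearch" fails: the kubelet cannot verify it is non-root, so
# runAsNonRoot: true refuses to start the container.
user_is_openshift_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

dockerfile_is_openshift_ok() {
    user_is_openshift_ok "$(effective_user "$1")"
}

# Constructed sample: current layout, no USER directive, root inherited.
CURRENT_DOCKERFILE='FROM centos:7
RUN groupadd -g 1000 elasticsearch && useradd -u 1000 -g 1000 elasticsearch
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]'

# Constructed sample: the change proposed in this issue.
PROPOSED_DOCKERFILE='FROM centos:7
RUN groupadd -g 1000 elasticsearch && useradd -u 1000 -g 1000 elasticsearch
USER 1000:1000
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]'

# Constructed sample: a named user, numeric check fails.
NAMED_DOCKERFILE='FROM centos:7
USER elasticsearch'

for df in "$CURRENT_DOCKERFILE" "$PROPOSED_DOCKERFILE" "$NAMED_DOCKERFILE"; do
    if dockerfile_is_openshift_ok "$df"; then v="ok"; else v="rejected"; fi
    printf 'USER=%s -> %s\n' "$(effective_user "$df")" "$v"
done
```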