Auto-instrumentation docker images run as root

[andrewdinunzio]

I'm using the nodejs autoinstrumentation image, which uses busybox as its base image. Because it's not set to run as a different user (a non-zero integer, specifically) in the Dockerfile, Kubernetes rejects it and I get:

container has runAsNonRoot and image will run as root

for the auto-instrumentation init container.

I suggest some kind of distroless base image that has some nonroot user (or add one) and adding an explicit "USER #" line in the autoinstrumentation dockerfiles.

I'm using opentelemetry helm chart version 0.36.0. After downgrading back to 0.24.x it appears to work again. From what I can tell, at some point the OTel operator started copying the security context of the app container, which doesn't work if the security context has runAsNonroot and the autoinstrumentation image runs as root.

[iblancasa]

I think this should be fixed if you use a securityContext. Except for Apache #2050

[andrewdinunzio]

Sorry could you explain a bit more? We are using a securityContext in our main app container, which looks like:

    securityContext:
      allowPrivilegeEscalation: false
      privileged: false
      runAsNonRoot: true

the autoinstrumentation container seems to copy this security context which doesn't work because runAsNonRoot only works if the docker image has a "USER #" line.

[iblancasa]

Maybe I'm wrong but, if you set the user like in https://github.com/open-telemetry/opentelemetry-operator/blob/8d3000e/tests/e2e-instrumentation/instrumentation-python/01-install-app.yaml, it should be fine.

I understand that just setting the runAsNonRoot: true would be more desirable but I'm providing a workaround.

[frzifus]

@iblancasa could a perma link instead? 🦝

Thats what I get:

[iblancasa]

@iblancasa could a perma link instead? 🦝

Thats what I get:

The tests were moved to a different folder. I corrected the link.

[andrewdinunzio]

We don't always have control over whether the docker images have users and if their application permissions depend on running as a certain user. So it's hard for us to enforce everyone to run as a particular user/group.

The k8s-sidecar container image runs as "nobody":
https://github.com/kiwigrid/k8s-sidecar/blob/master/Dockerfile#L23
Would this be possible for the autoinstrumentation containers?

[openJT]

Looking into this now. Did anyone find a solution without specifying a user and using runAsNonRoot: true in the deployment? I am using the nodejs instrumentation.

[iblancasa]

Maybe the solution proposed by @andrewdinunzio can work. @andrewdinunzio, did you try to build the instrumentation images with that change?

[andrewdinunzio]

Sorry we moved away from auto-instrumentation at the k8s level towards using the autoinstrumentation offered in opentelemetry sdks in the source itself, so I haven't tested that.

[openJT]

Thanks, but I would also like to not have to rebuild the image!

[iblancasa]

Thanks, but I would also like to not have to rebuild the image!

It is not the solution. It would be to test if that solves your issue. Later, we can discuss if include or not as part of the published images.

[openJT]

Ok cool! And.... It works!! :) I only added
USER 65534:65534
to the end of the Dockerfile in autoinstrumentation/nodejs/Dockerfile

Well it starts, I still have other things to iron out the comply with the policy

[matthenry87]

Ok cool! And.... It works!! :) I only added USER 65534:65534 to the end of the Dockerfile in autoinstrumentation/nodejs/Dockerfile

Well it starts, I still have other things to iron out the comply with the policy

This also worked for me. Why run as root if not needed??