Cannot run image running with container generated by jib as non-root in k8s
Description of the issue: I cannot run the image generated via jib-maven-plugin as non-root. When attempting to set the securityContext runAsUser to a custom one, it errors as the app cannot find the main class. Only root seems to work, but this is a security issue and I'd rather run the container as an unprivileged user.

Expected behavior: set the security context in the k8s deployment as uid 10000 (just an example), and the app that's generated has /app folders owned or at least executable by this uid.

Steps to reproduce: create a k8s deployment, set securityContext: runAsUser: to a custom uid. Use a custom JDK image and use that USER uid in the from block of the jib-maven-plugin section in the pom.xml.
Environment:

JDK image utilized by the pom to generate the new image for the Java app:

```dockerfile
FROM openjdk:8-jdk-alpine
RUN set -x && \
    sed -i -e "s/\#networkaddress.cache.ttl=-1/networkaddress.cache.ttl=300/g" -e "s/securerandom.source=file\:\/dev\/random/securerandom.source=file\:\/dev\/\.\/urandom/g" /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/java.security
ENV JAVA_OPTS="-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap"
RUN addgroup -g 10000 runner && \
    adduser -G runner -D -H -u 10000 runner
USER 10000
```
jib-maven-plugin configuration:

```xml
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <version>0.9.7</version>
  <configuration>
    <from>
      <image>XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/foo:custom-jdk</image>
    </from>
    <to>
      <image>XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/foo:java-app</image>
      <credHelper>ecr-login</credHelper>
    </to>
    <container>
      <ports>
        <port>8080</port>
      </ports>
    </container>
    <imageFormat>Docker</imageFormat>
  </configuration>
</plugin>
```
Log output:

```
Error: Could not find or load main class com.test.hello.HelloApplication
```

Additional information: the folders that are generated in /app are owned by root. `resources` is available to all users, but the other two are writable and executable by root only.
k8s deployment container:

```yaml
- name: hello-app
  imagePullPolicy: Always
  securityContext:
    runAsUser: 10000
    allowPrivilegeEscalation: false
  image: XXXXXXX.dkr.ecr.us-east-1.amazonaws.com/foo:java-app
```
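As an added check, not from the jib project or the issue thread: a POSIX shell function that flags anything under a jib-built /app tree that a non-root, non-owner uid such as 10000 could not traverse or read, exercised against a constructed copy of the pre-fix layout (`check_app_tree`, `demo_layout` and the file names are names chosen here).

```shell
#!/bin/sh
# Added example, not from the jib project or the issue author.
# Jib lays the app out as /app/classes, /app/libs and /app/resources. In the
# image from this issue the first two were root-owned and not world-accessible,
# so a pod with runAsUser: 10000 failed with "Could not find or load main class".
# check_app_tree prints every directory lacking o+rx and every regular file
# lacking o+r under the given tree; returns 1 if any were found, 0 otherwise.
# Run it inside the built image (e.g. docker run --rm --entrypoint sh <image>)
# before deploying, or point it at an exported filesystem.
check_app_tree() {
    dir="${1:-/app}"
    bad=$( {
        find "$dir" -type d ! -perm -o=rx
        find "$dir" -type f ! -perm -o=r
    } 2>/dev/null | sort)
    if [ -n "$bad" ]; then
        printf 'not accessible to non-root uids:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed layout reproducing the broken image: classes and libs are 0700,
# resources is 0755. Prints the path of the fake /app so callers can check it.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/app/classes/com" "$root/app/libs" "$root/app/resources"
    : > "$root/app/classes/com/HelloApplication.class"
    : > "$root/app/libs/dep.jar"
    chmod 755 "$root/app" "$root/app/classes/com" "$root/app/resources"
    chmod 644 "$root/app/classes/com/HelloApplication.class" "$root/app/libs/dep.jar"
    chmod 700 "$root/app/classes" "$root/app/libs"
    printf '%s\n' "$root/app"
}

# Stand-alone run: the broken layout is rejected; after opening the tree to
# others (755 directories, as the fixed jib release produces) it passes.
app=$(demo_layout)
if check_app_tree "$app"; then echo "unexpected: broken layout passed"; else echo "broken layout rejected"; fi
chmod -R o+rX "$app"
if check_app_tree "$app"; then echo "fixed layout accepted"; fi
```

Pairing `runAsUser` with `runAsNonRoot: true` in the securityContext makes the kubelet refuse to start a container whose image user resolves to root, so a misconfigured image fails fast instead of silently running privileged.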
Created 5 years ago; 34 comments (22 by maintainers)
Top GitHub Comments
@JamesWojewoda @GuustavoPaiva We have released version 0.9.10!

@coollog I had the same problem as @JamesWojewoda and can confirm that after the recent changes, the image was successfully loaded and the permissions were right as you can see:

```
$ ls -lah app
total 16K
drwxr-xr-x. 5 root root   50 Jan  1  1970 .
drwxr-xr-x. 1 root root   57 Aug 29 13:58 ..
drwxr-xr-x. 3 root root   16 Jan  1  1970 classes
drwxr-xr-x. 2 root root  12K Aug 29 13:58 libs
drwxr-xr-x. 3 root root   50 Aug 29 13:58 resources
```
Much appreciated those changes 👍