feature: Stop running container as root by default for vmselect, vmstorage, vmalert, vmagent and vminsert #1958

Open
patrickdung opened this issue Jan 31, 2025 · 4 comments
Labels
wontfix This will not be worked on

Comments

@patrickdung commented Jan 31, 2025

Chart name and version, where you feel a lack of requested feature
chart: victoria-metrics-k8s-stack
version: v0.35.2

Is your feature request related to a problem? Please describe.
It was found that some components run as root by default.
This is not a best practice.

$ ps auxww | grep root | grep vm | grep prod
root       53641  101  0.1 2101092 247680 ?      Ssl  Jan31 290:53 /vminsert-prod -httpListenAddr=:8480 -insert.maxQueueDuration=3m -maxInsertRequestSize=3GB -memory.allowedPercent=65 -replicationFactor=2 -storageNode=vmstorage-vm-victoria-metrics-k8s-stack-0.vmstorage-vm-victoria-metrics-k8s-stack.vm:8400,vmstorage-vm-victoria-metrics-k8s-stack-1.vmstorage-vm-victoria-metrics-k8s-stack.vm:8400
root       73037  1.1  0.0 1323916 72048 ?       Ssl  Jan31   3:11 /vmselect-prod -cacheDataPath=/select-cache -dedup.minScrapeInterval=1ms -httpListenAddr=:8481 -replicationFactor=2 -search.disableCache=true -search.maxStalenessInterval=1m -search.minStalenessInterval=1m -search.resetRollupResultCacheOnStartup=true -selectNode=vmselect-vm-victoria-metrics-k8s-stack-0.vmselect-vm-victoria-metrics-k8s-stack.vm:8481 -storageNode=vmstorage-vm-victoria-metrics-k8s-stack-0.vmstorage-vm-victoria-metrics-k8s-stack.vm:8401,vmstorage-vm-victoria-metrics-k8s-stack-1.vmstorage-vm-victoria-metrics-k8s-stack.vm:8401 -vmalert.proxyURL=http://vmalert-vm-victoria-metrics-k8s-stack.vm.svc.cluster.local.:8080
root       73327 74.4  1.0 10830844 1413260 ?    Ssl  Jan31 211:47 /vmstorage-prod -dedup.minScrapeInterval=60s -httpListenAddr=:8482 -retentionPeriod=560d -storageDataPath=/vm-data -vminsertAddr=:8400 -vmselectAddr=:8401

another node:

root       11779  0.4  0.4 1244740 40080 ?       Ssl  13:28   1:27 /vmalert-prod -datasource.url=http://vmselect-vm-victoria-metrics-k8s-stack.vm.svc.cluster.local.:8481/select/0/prometheus -evaluationInterval=60s -http.pathPrefix=/ -httpListenAddr=:8080 -notifier.url=http://vmalertmanager-vm-victoria-metrics-k8s-stack-0.vmalertmanager-vm-victoria-metrics-k8s-stack.vm.svc.cluster.local.:9093 -remoteRead.url=http://vmselect-vm-victoria-metrics-k8s-stack.vm.svc.cluster.local.:8481/select/0/prometheus -remoteWrite.disablePathAppend=true -remoteWrite.url=http://vminsert-vm-victoria-metrics-k8s-stack.vm.svc.cluster.local.:8480/insert/0/prometheus/api/v1/write -rule="/etc/vmalert/config/vm-vm-victoria-metrics-k8s-stack-rulefiles-0/*.yaml"
root       12742  1.6  0.5 1308928 48056 ?       Ssl  13:29   5:39 /vmagent-prod -httpListenAddr=:8429 -promscrape.config=/etc/vmagent/config_out/vmagent.env.yaml -promscrape.dropOriginalLabels=true -promscrape.streamParse=true -remoteWrite.maxDiskUsagePerURL=1073741824 -remoteWrite.tmpDataPath=/tmp/vmagent-remotewrite-data -remoteWrite.url=http://vminsert-vm-victoria-metrics-k8s-stack.vm.svc.cluster.local.:8480/insert/0/prometheus/api/v1/write

Describe the solution you'd like
As a best practice, they should not run as root inside a container.

Describe alternatives you've considered

  • Specify a user/userid in the helm chart for these components
  • Add runAsRoot=false as the default setting in the helm chart
@patrickdung patrickdung changed the title feature: Stop running container as root by default for vmselect, vmstorage, and vminsert feature: Stop running container as root by default for vmselect, vmstorage, vmalert vmagent and vminsert Jan 31, 2025
@patrickdung patrickdung changed the title feature: Stop running container as root by default for vmselect, vmstorage, vmalert vmagent and vminsert feature: Stop running container as root by default for vmselect, vmstorage, vmalert, vmagent and vminsert Jan 31, 2025
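The `ps` output above shows the effect from inside the node, but a practitioner usually wants the same check from the Kubernetes side, before a pod is even scheduled. The script below is an added example and not code from this issue or from the VictoriaMetrics project: it reads the JSON shape that `kubectl get pods -A -o json` produces, merges the pod-level and container-level `securityContext` the way the kubelet does (container fields win), and reports every container that is pinned to UID 0 or that has no UID pinned and no `runAsNonRoot` guard, in which case the image's `USER` decides and many images default to root. The pod list in `SAMPLE_PODS` is constructed for the demo; the pod and container names only mimic the ones in the `ps` output.

```python
"""Audit Kubernetes pod specs for containers that may run as root.

Added example, not part of the issue or the VictoriaMetrics project.
Input is the JSON produced by `kubectl get pods -A -o json`; the sample
below is constructed so the script runs offline.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    namespace: str
    pod: str
    container: str
    reason: str


def effective_security(pod_spec: dict, container: dict) -> dict:
    """Merge the root-relevant securityContext fields.

    Kubernetes gives container-level values precedence over pod-level
    ones, so the container dict is applied last.
    """
    merged: dict = {}
    for level in (pod_spec.get("securityContext") or {},
                  container.get("securityContext") or {}):
        for key in ("runAsUser", "runAsNonRoot"):
            if key in level:
                merged[key] = level[key]
    return merged


def classify(merged: dict) -> str | None:
    """Return why the container may run as root, or None if it cannot."""
    uid = merged.get("runAsUser")
    non_root = merged.get("runAsNonRoot")
    if uid == 0:
        return "runAsUser is 0"
    if uid is None and not non_root:
        # Nothing pins the UID and nothing forbids root: the image USER
        # decides, and scratch/distroless images often default to root.
        return "no runAsUser and runAsNonRoot not set; image USER decides"
    # Either a non-zero UID is pinned, or runAsNonRoot makes the kubelet
    # refuse to start the container if the image user resolves to 0.
    return None


def audit(pod_list: dict) -> list[Finding]:
    """Walk a PodList and return one Finding per container that may run as root."""
    findings: list[Finding] = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        # initContainers matter too: a chown -R init step is exactly the
        # kind of root work this thread discusses.
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            reason = classify(effective_security(spec, c))
            if reason:
                findings.append(Finding(meta["namespace"], meta["name"], c["name"], reason))
    return findings


def audit_json(text: str) -> list[Finding]:
    """Convenience wrapper for raw `kubectl ... -o json` output."""
    return audit(json.loads(text))


# Constructed sample: one pod with no securityContext at all, and one pod
# hardened at pod level but with a container-level override back to root.
SAMPLE_PODS = {
    "items": [
        {
            "metadata": {"namespace": "vm", "name": "vmstorage-0"},
            "spec": {"containers": [{"name": "vmstorage", "image": "victoriametrics/vmstorage"}]},
        },
        {
            "metadata": {"namespace": "vm", "name": "vminsert-0"},
            "spec": {
                "securityContext": {"runAsUser": 65534, "runAsNonRoot": True},
                "containers": [
                    {"name": "vminsert", "image": "victoriametrics/vminsert"},
                    {"name": "debug", "image": "busybox",
                     "securityContext": {"runAsUser": 0}},
                ],
            },
        },
    ]
}


if __name__ == "__main__":
    for f in audit(SAMPLE_PODS):
        print(f"{f.namespace}/{f.pod} container={f.container}: {f.reason}")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 audit_root.py` after swapping the `__main__` block to call `audit_json(sys.stdin.read())`. The "image USER decides" case is the one that hides in Helm defaults: nothing in the spec says root, so policy tooling that only greps for `runAsUser: 0` misses it.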
@AndrewChubatiuk (Collaborator)

please set

operator:
  env:
    - name: VM_ENABLESTRICTSECURITY
      value: "true"

it will set a strict security context for all resources that are managed by the operator, with the values defined here

@patrickdung (Author)

Thanks @AndrewChubatiuk. It solved my problem.

BTW, I think running non-root should be the default setting.
For Docker/K8S, I have rarely seen any containers running as root nowadays (except CSI in K8S, which usually needs root).
So it may be good to make run-as-non-root the default.

@AndrewChubatiuk (Collaborator) commented Feb 5, 2025

Before, it was enabled by default, but then it was disabled to prevent upgrade issues for existing users like this one. Enabling this by default will trigger a bunch of issues like this.

@AndrewChubatiuk AndrewChubatiuk added the wontfix This will not be worked on label Feb 5, 2025
@patrickdung (Author)

Some suggestions/comments:

  1. Maybe place this setting in the values of the helm chart, but commented out:
     # env:
     #   - name: VM_ENABLESTRICTSECURITY
     #     value: "true"

     Also, mention it in the installation doc as a reminder / recommendation for new installations.

  2. Personally, I think this setting should be the default, ideally.
     As more and more people use this project/product, there would be more and more installations using root in the long run.

  3. 'Fixing it' later with an initContainer may come with a performance cost.

       - command: ["chown", "-R", "65534:65534", "/vm-data"]

     It runs chown recursively, so the cost depends on how many files are inside /vm-data.
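The recursive `chown` in the comment above is the usual way to migrate an existing root-owned data directory, and its cost grows with the file count in `/vm-data`. The script below is an added example, not code from the issue or from the VictoriaMetrics project: it takes a pod spec of the shape discussed here (a `chown -R` initContainer in front of a container that mounts `/vm-data`) and rewrites it to a pod-level `securityContext` instead. The UID/GID `65534` is taken from the chown command above; `fsGroup` and `fsGroupChangePolicy: OnRootMismatch` are standard Kubernetes pod securityContext fields that let the kubelet set volume ownership itself and skip the recursive walk on every restart once the volume root already matches. The `BEFORE` spec is constructed for the demo.

```python
"""Replace a chown -R initContainer with a pod-level securityContext.

Added example, not part of the issue or the VictoriaMetrics project.
UID/GID 65534 comes from the chown command quoted in the comment above.
"""
from __future__ import annotations

import copy
import json

NON_ROOT_UID = 65534  # from `chown -R 65534:65534 /vm-data`
NON_ROOT_GID = 65534


def is_chown_init(container: dict) -> bool:
    """True for a container whose command is a recursive chown."""
    cmd = list(container.get("command") or []) + list(container.get("args") or [])
    return cmd[:1] == ["chown"] and "-R" in cmd


def harden(pod_spec: dict, uid: int = NON_ROOT_UID, gid: int = NON_ROOT_GID) -> dict:
    """Return a copy of pod_spec pinned to a non-root identity.

    - drops chown -R initContainers; ownership is handled by fsGroup instead
    - sets runAsUser/runAsGroup/runAsNonRoot/fsGroup at pod level
    - sets fsGroupChangePolicy OnRootMismatch so a restart with a large
      /vm-data does not re-walk every file when the root is already owned
      by the right group
    - strips container-level runAsUser: 0 overrides that would defeat
      the pod-level setting
    """
    spec = copy.deepcopy(pod_spec)  # never mutate the caller's object

    inits = [c for c in spec.get("initContainers", []) if not is_chown_init(c)]
    if inits:
        spec["initContainers"] = inits
    else:
        spec.pop("initContainers", None)

    sc = spec.setdefault("securityContext", {})
    sc.update({
        "runAsUser": uid,
        "runAsGroup": gid,
        "runAsNonRoot": True,
        "fsGroup": gid,
        "fsGroupChangePolicy": "OnRootMismatch",
    })

    for c in spec.get("containers", []):
        csc = c.get("securityContext") or {}
        if csc.get("runAsUser") == 0:
            del csc["runAsUser"]
        # Standard hardening companion to non-root: block setuid escalation.
        csc.setdefault("allowPrivilegeEscalation", False)
        c["securityContext"] = csc
    return spec


# Constructed sample mirroring the pattern discussed in the thread.
BEFORE = {
    "initContainers": [
        {"name": "fix-perms", "image": "busybox",
         "command": ["chown", "-R", "65534:65534", "/vm-data"],
         "volumeMounts": [{"name": "vm-data", "mountPath": "/vm-data"}]},
    ],
    "containers": [
        {"name": "vmstorage", "image": "victoriametrics/vmstorage",
         "args": ["-storageDataPath=/vm-data"],
         "volumeMounts": [{"name": "vm-data", "mountPath": "/vm-data"}]},
    ],
    "volumes": [{"name": "vm-data", "persistentVolumeClaim": {"claimName": "vm-data"}}],
}


if __name__ == "__main__":
    print(json.dumps(harden(BEFORE), indent=2))
```

Two caveats before applying this to a real chart: `fsGroup` only takes effect on volume types whose ownership the kubelet manages (PVCs from drivers that support it, `emptyDir`), not on `hostPath`, and the first start on an existing root-owned volume still pays one ownership walk; `OnRootMismatch` saves the walk on every subsequent restart. Also confirm the image itself runs correctly as the chosen UID, since the securityContext only decides who the process is, not whether the binary copes with it.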
