Kafka and Zookeeper are not running with non-root user #5063
Unanswered
yogeshbidari asked this question in Q&A
Replies: 1 comment 6 replies
The containers do not run as root by default. So normally, you should not need to configure anything. But if you want, you can customize the security context as you want. However, you / your platform need to make sure that the storage is writable under such configuration.
Please use this only for bug reports. For questions or when you need help, you can use the GitHub Discussions, our #strimzi Slack channel or our user mailing list.
Describe the bug
While I am creating the cluster for Kafka and ZooKeeper with a non-root user using runAsUser: 1001, the pods are failing with some permission issues.
I want to mount the volume also as a non-root user, like fsGroup other than 0.
To Reproduce
Run the Kafka CRD with the below SecurityContext added to the kafka and zookeeper sections:

    securityContext:
      runAsUser: 1001
      fsGroup: 1001
Expected behavior
Kafka and ZooKeeper should run with a non-root user and non-root group.
The below code should work:

    securityContext:
      runAsUser: 1001
      fsGroup: 1001

Does it support runAsGroup?
Environment (please complete the following information):
YAML files and logs
LOG
    2021-06-01 06:22:42,378 INFO [ThrottledChannelReaper-Fetch]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper) [ThrottledChannelReaper-Fetch]
    2021-06-01 06:22:42,379 INFO [ThrottledChannelReaper-Produce]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper) [ThrottledChannelReaper-Produce]
    2021-06-01 06:22:42,383 INFO [ThrottledChannelReaper-Request]: Starting (kafka.server.ClientQuotaManager$ThrottledChannelReaper) [ThrottledChannelReaper-Request]
    2021-06-01 06:22:42,448 INFO Log directory /var/lib/kafka/data/kafka-log0 not found, creating it. (kafka.log.LogManager) [main]
    2021-06-01 06:22:42,450 ERROR Failed to create or validate data directory /var/lib/kafka/data/kafka-log0 (kafka.server.LogDirFailureChannel) [main]
    java.io.IOException: Failed to create data directory /var/lib/kafka/data/kafka-log0
        at kafka.log.LogManager.$anonfun$createAndValidateLogDirs$1(LogManager.scala:155)
        at scala.collection.mutable.ResizableArray.foreach(ResizableArray.scala:62)
        at scala.collection.mutable.ResizableArray.foreach$(ResizableArray.scala:55)
        at scala.collection.mutable.ArrayBuffer.foreach(ArrayBuffer.scala:49)
        at kafka.log.LogManager.createAndValidateLogDirs(LogManager.scala:146)
        at kafka.log.LogManager.<init>(LogManager.scala:80)
        at kafka.log.LogManager$.apply(LogManager.scala:1084)
        at kafka.server.KafkaServer.startup(KafkaServer.scala:253)
        at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
        at kafka.Kafka$.main(Kafka.scala:82)
        at kafka.Kafka.main(Kafka.scala)
Additional context
Additional documents on adding runAsGroup to kafka, zookeeper, exporter, entity-operator CRDs.
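
The writability condition from the reply, and the "Failed to create data directory" error in the log, come down to a POSIX mode-bit check on the volume's mount directory. The following is an added example, not part of the original discussion or of Strimzi's code; the function names and the two sample volumes are constructed for illustration, and it assumes the runtime adds fsGroup to the process's supplementary groups.

```python
import os
import stat
from typing import Iterable


def can_create_in(mode: int, owner_uid: int, owner_gid: int,
                  uid: int, gids: Iterable[int]) -> bool:
    """Return True if a process (uid, gids) may create an entry in a directory.

    Classic POSIX mode-bit check only: ACLs, read-only mounts and SELinux
    labels are deliberately ignored (assumption of this example).
    """
    if uid == 0:
        return True  # root normally bypasses mode bits (CAP_DAC_OVERRIDE)
    if uid == owner_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in set(gids):
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need


def check_path(path: str, uid: int, gids: Iterable[int]) -> bool:
    """Apply the same check to a real directory, e.g. /var/lib/kafka/data."""
    st = os.stat(path)
    return can_create_in(st.st_mode, st.st_uid, st.st_gid, uid, gids)


# Constructed sample volumes: (mode, owner uid, owner gid) of the mount root.
SAMPLE_VOLUMES = {
    "ownership untouched (root:root 0755)": (0o755, 0, 0),
    "group set to fsGroup (root:1001 2775)": (0o2775, 0, 1001),
}


def evaluate(uid: int = 1001, fs_group: int = 1001) -> dict:
    """Evaluate each sample for the question's runAsUser/fsGroup values."""
    # fsGroup is added to the process's supplementary groups.
    return {name: can_create_in(m, u, g, uid, [fs_group])
            for name, (m, u, g) in SAMPLE_VOLUMES.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name}: {'writable' if ok else 'NOT writable'}")
```

The first sample models a volume whose ownership was never changed to match fsGroup, which gives uid 1001 no write bit on the mount root; the second models a volume whose group was set to 1001 with group write enabled.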