I want to run consul in kubernetes but I am not allowed to run it as user root.
Therefore I added
    RUN addgroup consul root
to the Dockerfile (derived FROM consul:1.0.3)
and start the deployment in kubernetes with
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        xyz.service: consul-deployment
      name: consul-deployment
    spec:
      template:
        spec:
          securityContext:
            runAsUser: 100
Now I expect kubernetes to start consul with user 100 (who used to be the user consul when I started it locally in Docker and now should be member in the group root).
But now I get the following error when the pod is started:
    chown: /consul/data: Operation not permitted
The chown is executed in Consul's docker-entrypoint.sh and I guess it (still) fails because user 100 is not root.
Can anybody explain to me how to start a container with a non-root user when the container has an entrypoint script expecting to be executed as root?
I ended up fixing Consul's docker-entrypoint.sh to check if the user is root before executing the chown command by adding some if [ "$(id -u)" = "0" ] tests.
You can find the patch on GitHub.
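The guard the answer describes, as an added example that is not part of the original post and is not Consul's own entrypoint code: the function name prepare_data_dir and its parameters are hypothetical, and the optional third argument exists only so that both branches can be exercised without actually being root.

```shell
#!/bin/sh
# Added example: entrypoint fragment that tolerates a non-root runAsUser.
# The function name and its arguments are hypothetical, not Consul's.

# prepare_data_dir DIR OWNER_UID [EFFECTIVE_UID]
# Returns 0 when DIR is usable by the process, 1 otherwise.
prepare_data_dir() {
    dir=$1
    owner_uid=$2
    euid=${3:-$(id -u)}   # defaults to the real uid of the process

    if [ ! -d "$dir" ]; then
        echo "data dir $dir does not exist" >&2
        return 1
    fi

    if [ "$euid" = "0" ]; then
        # Only root may change ownership; skip it when already correct.
        if [ "$(stat -c %u "$dir")" != "$owner_uid" ]; then
            chown "$owner_uid" "$dir" || return 1
        fi
        return 0
    fi

    # Non-root (e.g. runAsUser: 100): chown would fail with
    # "Operation not permitted", so check access instead of changing it.
    if [ ! -w "$dir" ]; then
        echo "data dir $dir is not writable by uid $euid" >&2
        return 1
    fi
    return 0
}

# Typical call from an entrypoint, before exec'ing the real process:
#   prepare_data_dir /consul/data "$(id -u consul)" || exit 1
```

When the container runs as a non-root user, the directory has to be writable before the entrypoint starts, for example through the image's file permissions or the volume's ownership settings.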