Warning: Container Image Default User Change - Important consideration for awscontainerinsightreceiver #2317

Closed
PaurushGarg opened this issue Sep 6, 2023 · 2 comments
@PaurushGarg
Member

What is changing?

In v0.35.0 of the ADOT Collector the default user will change from root to aoc in the container image.
This change is necessary to implement best practices when running workloads in containers, especially Least Privileges in Processes.

What Collector Configurations Could Be Affected?

If you are using awscontainerinsightreceiver in your collector configuration, then you are impacted by this change.
Running the collector as root is a pre-requirement of the awscontainerinsightreceiver, as mentioned in the component’s description here.

Migration - What do I need to do if I’m using awscontainerinsightreceiver?

To use the awscontainerinsightreceiver with version v0.35.0 and up of the ADOT collector, you will need to run the collector process as the root user. This can be accomplished in different ways, depending on the platform:

  • Collector running in EKS - Use the Security context to specify the root user as owner of the collector process.

    containers:
      - name: aws-otel-collector
        image: public.ecr.aws/aws-observability/aws-otel-collector:latest
        securityContext:
          runAsUser: 0
          runAsGroup: 0

  • Collector running in ECS - Use container definition to specify the User owner of the collector process.

    {
      "name": "aoc-collector",
      "image": "public.ecr.aws/aws-observability/aws-otel-collector:latest",
      "user": "0:0",
      "cpu": 10,
      "memory": 256,
      ...
    }

If you have further questions on how to determine if you are affected or how to configure container user permissions with privileged access, or any other question relating to this rollout, please don’t hesitate to ask!
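
Added example (not part of the original issue and not ADOT project code): a Python check over an ECS task definition that flags collector containers whose `user` setting does not match their use of awscontainerinsightreceiver, in either direction. It assumes the collector configuration is passed inline through the AOT_CONFIG_CONTENT environment variable and that the image is v0.35.0 or later; the function names and the sample task definition are constructed for illustration.

```python
import re

# Matches the receiver declared as a key, e.g. "awscontainerinsightreceiver:".
RECEIVER = re.compile(r"^\s*awscontainerinsightreceiver(/[\w.-]+)?\s*:", re.M)

def runs_as_root(user):
    """ECS 'user' is user[:group] by name or id; unset means the image default."""
    if not user:
        return False  # assumption: image >= v0.35.0, whose default user is aoc
    return user.split(":", 1)[0] in ("0", "root")

def audit(task_def):
    """Return (container, finding) pairs for ADOT collector containers."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        if "aws-otel-collector" not in c.get("image", ""):
            continue
        env = {e["name"]: e["value"] for e in c.get("environment", [])}
        # Assumption: the collector config is inline in AOT_CONFIG_CONTENT.
        needs_root = bool(RECEIVER.search(env.get("AOT_CONFIG_CONTENT", "")))
        root = runs_as_root(c.get("user"))
        if needs_root and not root:
            findings.append((c["name"], "receiver needs root: set user to 0:0"))
        elif root and not needs_root:
            findings.append((c["name"], "runs as root without the receiver"))
    return findings

# Constructed sample input (not taken from the issue).
IMAGE = "public.ecr.aws/aws-observability/aws-otel-collector:latest"
CI = "receivers:\n  awscontainerinsightreceiver:\n"
OTLP = "receivers:\n  otlp:\n    protocols:\n      grpc:\n"

def collector(name, config, user=None):
    d = {"name": name, "image": IMAGE,
         "environment": [{"name": "AOT_CONFIG_CONTENT", "value": config}]}
    if user is not None:
        d["user"] = user
    return d

SAMPLE = {"containerDefinitions": [
    collector("ci-default-user", CI),
    collector("ci-root", CI, "0:0"),
    collector("otlp-root", OTLP, "root"),
    collector("otlp-default-user", OTLP),
    {"name": "app", "image": "example/app:1.0", "user": "root"},
]}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The second finding covers the least-privilege side of the change: a collector that does not use the receiver has no reason to override the new default user.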

@rapphil pinned this issue Sep 6, 2023
Contributor

github-actions bot commented Nov 5, 2023

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

Contributor

This issue was closed because it has been marked as stale for 30 days with no activity.

@github-actions bot closed this as not planned Dec 10, 2023
@bryan-aguilar unpinned this issue Jan 9, 2024