
etcd fails to start as non-root #219

Closed
ncopa opened this issue Oct 2, 2020 · 2 comments

@ncopa
Collaborator

ncopa commented Oct 2, 2020

etcd fails to start if there is a system user etcd on the system, due to wrong permissions:

WARN[2020-10-02 13:26:11] Failed to start: fork/exec /var/lib/mke/bin/etcd: permission denied  component=etcd

I think the perms are wrong on both the directory and the binary:

# ls -ld /var/lib/mke/bin /var/lib/mke/bin/etcd 
drwxr-x--- 2 root root     4096 Oct  2 13:31 /var/lib/mke/bin
-r-xr-x--- 1 root root 22999040 Oct  2 13:31 /var/lib/mke/bin/etcd
@ncopa
Collaborator Author

ncopa commented Oct 2, 2020

Also, /var/lib/mke needs to be readable by the etcd user.

@trawler
Contributor

trawler commented Oct 2, 2020

Makes sense, according to this security guidance: https://docs.datadoghq.com/security_monitoring/default_rules/cis-kubernetes-1.5.1-1.1.12/

@ncopa ncopa self-assigned this Oct 8, 2020
@jnummelin jnummelin added this to the 0.7.0 milestone Oct 23, 2020
ncopa added a commit that referenced this issue Oct 26, 2020
We need to create the /var/lib/mke directory early with the correct
permissions. Otherwise the directory will be created while creating the
etcd datadir, with the etcd data dir permissions, which makes the directory
unreadable by the etcd user.

Also set the correct owner (the etcd user).

Fixes #219

Signed-off-by: Natanael Copa <ncopa@mirantis.com>
ncopa added a commit that referenced this issue Oct 28, 2020
We need to create the /var/lib/mke directory early with the correct
permissions. Otherwise the directory will be created while creating the
etcd datadir, with the etcd data dir permissions, which makes the directory
unreadable by the etcd user.

Set the correct owner of etcd directories and files.

Use mode 0751 for the certificate root dir. The certificates in this
directory need to be accessible from all mke processes, but they don't
need to read the contents of the directory.

Fixes #219

Signed-off-by: Natanael Copa <ncopa@mirantis.com>
@ncopa ncopa closed this as completed in 517ed54 Oct 29, 2020
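The failure in the first comment and the 0751 choice in the final commit are both instances of the same Unix DAC rule: every directory on the way to a file needs the search (x) bit for the calling user, and the file itself needs the bits the operation requires (r+x to exec the etcd binary, r to read a certificate). The following is an added example, not code from mke/k0s or from the commits referenced above. It models that rule for an arbitrary uid/gid set, walks a path root-first and reports the first component that denies access; it also builds chains from the live filesystem so it can be pointed at a real install. The sample chains mirror the `ls -ld` output in the issue; the uid 100 for the etcd user, the 0700 mode of /var/lib/mke before the fix, the etcd:etcd ownership after the fix, the `pki` directory name and the `ca.crt` file are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Permission bits in the same positions as one rwx triplet of a mode.
const (
	permRead uint32 = 4
	permExec uint32 = 1
)

// inode is the subset of stat(2) output that a DAC check needs.
type inode struct {
	path string
	mode os.FileMode // type bits plus rwx permission bits
	uid  uint32
	gid  uint32
}

// allows reports whether a principal (uid, member of gids) holds every bit
// in want on in, using the usual Unix rule: the owner triplet applies when
// uid matches, else the group triplet when any gid matches, else "other".
// uid 0 models CAP_DAC_OVERRIDE: everything is granted except execute on a
// regular file that carries no x bit at all.
func allows(in inode, uid uint32, gids []uint32, want uint32) bool {
	perm := uint32(in.mode.Perm())
	if uid == 0 {
		return want&permExec == 0 || in.mode.IsDir() || perm&0o111 != 0
	}
	class := perm & 7 // "other" triplet
	switch {
	case uid == in.uid:
		class = (perm >> 6) & 7
	case hasGroup(gids, in.gid):
		class = (perm >> 3) & 7
	}
	return class&want == want
}

func hasGroup(gids []uint32, gid uint32) bool {
	for _, g := range gids {
		if g == gid {
			return true
		}
	}
	return false
}

// firstDenied walks chain (root first, target last) and returns the path of
// the first element the principal cannot get through, or "" when the whole
// path is usable. Intermediate directories need only the search (x) bit,
// which is why 0751 suffices for a directory whose files are opened by name
// but never listed; the final element needs all of want.
func firstDenied(chain []inode, uid uint32, gids []uint32, want uint32) string {
	for i, in := range chain {
		need := permExec
		if i == len(chain)-1 {
			need = want
		}
		if !allows(in, uid, gids, need) {
			return in.path
		}
	}
	return ""
}

// statChain builds the chain for a path from the live filesystem
// (Linux/unix only: ownership comes from syscall.Stat_t).
func statChain(path string) ([]inode, error) {
	abs, err := filepath.Abs(path)
	if err != nil {
		return nil, err
	}
	var prefixes []string
	for p := abs; ; p = filepath.Dir(p) {
		prefixes = append([]string{p}, prefixes...)
		if p == filepath.Dir(p) {
			break
		}
	}
	chain := make([]inode, 0, len(prefixes))
	for _, p := range prefixes {
		fi, err := os.Stat(p)
		if err != nil {
			return nil, err
		}
		st, ok := fi.Sys().(*syscall.Stat_t)
		if !ok {
			return nil, fmt.Errorf("%s: no unix ownership information", p)
		}
		chain = append(chain, inode{p, fi.Mode(), st.Uid, st.Gid})
	}
	return chain, nil
}

// Constructed samples. rootUID is real; etcdUID = 100 is an assumption.
const rootUID, etcdUID uint32 = 0, 100

func dir(p string, perm os.FileMode, uid, gid uint32) inode { return inode{p, os.ModeDir | perm, uid, gid} }
func file(p string, perm os.FileMode, uid, gid uint32) inode { return inode{p, perm, uid, gid} }

// brokenBinaryChain: /var/lib/mke/bin and the binary as shown by `ls -ld` in
// the issue; /var/lib/mke at 0700 is assumed (created with etcd datadir perms).
func brokenBinaryChain() []inode {
	return []inode{
		dir("/", 0o755, rootUID, rootUID), dir("/var", 0o755, rootUID, rootUID),
		dir("/var/lib", 0o755, rootUID, rootUID), dir("/var/lib/mke", 0o700, rootUID, rootUID),
		dir("/var/lib/mke/bin", 0o750, rootUID, rootUID), file("/var/lib/mke/bin/etcd", 0o550, rootUID, rootUID),
	}
}

// fixedBinaryChain: same modes, but bin/ and the binary owned by etcd (assumed
// reading of "set the correct owner") and /var/lib/mke traversable (0755 assumed).
func fixedBinaryChain() []inode {
	return []inode{
		dir("/", 0o755, rootUID, rootUID), dir("/var", 0o755, rootUID, rootUID),
		dir("/var/lib", 0o755, rootUID, rootUID), dir("/var/lib/mke", 0o755, rootUID, rootUID),
		dir("/var/lib/mke/bin", 0o750, etcdUID, etcdUID), file("/var/lib/mke/bin/etcd", 0o550, etcdUID, etcdUID),
	}
}

// certChain: the 0751 certificate root from the commit; the pki name and the
// 0644 ca.crt inside it are assumptions.
func certChain() []inode {
	return []inode{
		dir("/", 0o755, rootUID, rootUID), dir("/var", 0o755, rootUID, rootUID),
		dir("/var/lib", 0o755, rootUID, rootUID), dir("/var/lib/mke", 0o755, rootUID, rootUID),
		dir("/var/lib/mke/pki", 0o751, rootUID, rootUID), file("/var/lib/mke/pki/ca.crt", 0o644, rootUID, rootUID),
	}
}

func main() {
	gids := []uint32{etcdUID}
	fmt.Println("exec etcd, before fix, denied at:", firstDenied(brokenBinaryChain(), etcdUID, gids, permRead|permExec))
	fmt.Println("exec etcd, after fix,  denied at:", firstDenied(fixedBinaryChain(), etcdUID, gids, permRead|permExec))
	c := certChain()
	fmt.Println("read ca.crt under 0751,  denied at:", firstDenied(c, etcdUID, gids, permRead))
	fmt.Println("list pki dir at 0751,    denied at:", firstDenied(c[:len(c)-1], etcdUID, gids, permRead))
	if len(os.Args) > 1 { // check a real path for the current user
		chain, err := statChain(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		var g []uint32
		if groups, err := os.Getgroups(); err == nil {
			for _, x := range groups {
				g = append(g, uint32(x))
			}
		}
		fmt.Println(os.Args[1], "denied at:", firstDenied(chain, uint32(os.Getuid()), g, permRead|permExec))
	}
}
```

Run it as `go run main.go /var/lib/mke/bin/etcd` to get the first offending component for whatever user you run it as; to reproduce the issue, run it as the etcd user (for example via `su -s /bin/sh etcd -c ...`). Empty output for "denied at" means the whole path is usable.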