none: minikube should be able to be run by a non-root user (use sudo when necessary) #3760

Closed
sourabh1031 opened this issue Feb 26, 2019 · 38 comments
Labels
co/none-driver good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. r/2019q2 Issue was last reviewed 2019q2

Comments

@sourabh1031

If this is a bug report, please include:

I tried starting minikube with the following command
minikube start --vm-driver=none

after downloading minikube v0.34.1 from this command
curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.34.1/minikube-linux-amd64 && chmod +x minikube && sudo cp minikube /usr/local/bin/ && rm minikube

I got the output that minikube crashed

I am on an Ubuntu 18.04 LTS machine.

@hpandeycodeit

@sourabh1031 can you provide the full output/error that you got when it crashed?

@sourabh1031
Author

minikube start --vm-driver=none
😄 minikube v0.34.1 on linux (amd64)
🤹 Configuring local host environment ...

⚠️ The 'none' driver provides limited isolation and may reduce system security and reliability.
⚠️ For more information, see:
👉 https://github.com/kubernetes/minikube/blob/master/docs/vmdriver-none.md

💡 Tip: Use 'minikube start -p ' to create a new cluster, or 'minikube delete' to delete this one.
🔄 Restarting existing none VM for "minikube" ...
⌛ Waiting for SSH access ...
📶 "minikube" IP address is 192.168.43.56
🐳 Configuring Docker as the container runtime ...
[sudo] password for sourabh:
✨ Preparing Kubernetes environment ...
💣 Failed to update cluster: downloading binaries: copy: error removing file /usr/bin/kubelet: remove /usr/bin/kubelet: permission denied

😿 Sorry that minikube crashed. If this was unexpected, we would love to hear from you:
👉 https://github.com/kubernetes/minikube/issues/new

@sourabh1031
Author

When I ran the command using sudo I got this:
[sudo] password for sourabh:
😄 minikube v0.34.1 on linux (amd64)
🤹 Configuring local host environment ...

⚠️ The 'none' driver provides limited isolation and may reduce system security and reliability.
⚠️ For more information, see:
👉 https://github.com/kubernetes/minikube/blob/master/docs/vmdriver-none.md

⚠️ kubectl and minikube configuration will be stored in /home/sourabh
⚠️ To use kubectl or minikube commands as your own user, you may
⚠️ need to relocate them. For example, to overwrite your own settings:

▪ sudo mv /home/sourabh/.kube /home/sourabh/.minikube $HOME
▪ sudo chown -R $USER /home/sourabh/.kube /home/sourabh/.minikube

💡 This can also be done automatically by setting the env var CHANGE_MINIKUBE_NONE_USER=true
💡 Tip: Use 'minikube start -p ' to create a new cluster, or 'minikube delete' to delete this one.
🔄 Restarting existing none VM for "minikube" ...
⌛ Waiting for SSH access ...
📶 "minikube" IP address is 192.168.43.56
🐳 Configuring Docker as the container runtime ...
✨ Preparing Kubernetes environment ...
🚜 Pulling images required by Kubernetes v1.13.3 ...
🔄 Relaunching Kubernetes v1.13.3 using kubeadm ...
💣 Error restarting cluster: running cmd: sudo kubeadm init phase certs all --config /var/lib/kubeadm.yaml: running command: sudo kubeadm init phase certs all --config /var/lib/kubeadm.yaml: exit status 1

😿 Sorry that minikube crashed. If this was unexpected, we would love to hear from you:
👉 https://github.com/kubernetes/minikube/issues/new

@hpandeycodeit

@sourabh1031 can you try by setting CHANGE_MINIKUBE_NONE_USER=true or

sudo mv /home/sourabh/.kube /home/sourabh/.minikube $HOME

sudo chown -R $USER /home/sourabh/.kube /home/sourabh/.minikube

@tstromberg tstromberg changed the title minikube fails to start none: minikube should be able to be run by a non-root user Mar 8, 2019
@tstromberg tstromberg added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. kind/bug Categorizes issue or PR as related to a bug. labels Mar 8, 2019
@tstromberg tstromberg changed the title none: minikube should be able to be run by a non-root user none: minikube should be able to be run by a non-root user (use sudo when necessary) Mar 8, 2019
@tstromberg tstromberg added the r/2019q2 Issue was last reviewed 2019q2 label Apr 4, 2019
@tstromberg tstromberg added good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels May 16, 2019
@tstromberg tstromberg self-assigned this May 24, 2019
@evanspiatt

Resolved #4349 by running as:
sudo /usr/local/bin/minikube start -p Dan1 --vm-driver=none

With the curl install command, minikube was installed in /usr/local/bin, but root does not have that in PATH.

@alisianoi

Hi, this is referenced by

https://github.com/kubernetes/minikube/blob/master/docs/vmdriver-none.md

Since this issue was closed, it gives the impression that the none driver could be run as non-root. However, I believe root is still required for it.

@orodbhen

orodbhen commented May 30, 2019

@alisianoi may be correct. Although both of these posts claim to have run as non-root:

After following the instructions there (which are the same printed by the minikube installer), I still get:

[user@host ~]$ kubectl version
Error in configuration: 
* unable to read client-cert /root/.minikube/client.crt for minikube due to open /root/.minikube/client.crt: permission denied
* unable to read client-key /root/.minikube/client.key for minikube due to open /root/.minikube/client.key: permission denied
* unable to read certificate-authority /root/.minikube/ca.crt for minikube due to open /root/.minikube/ca.crt: permission denied

kubectl refused, it seems, to look in my user home for the configuration files.
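
The paths in the error above are the credential file entries kubectl reads from the kubeconfig. As an added example (not part of the thread, and not minikube or kubectl code), this Go check lists kubeconfig credential paths that lie outside a given home directory; the sample kubeconfig is constructed and the line-based parsing is a simplifying assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample: a kubeconfig whose credentials point into /root.
const sampleKubeconfig = `apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/.minikube/ca.crt
    server: https://192.168.43.56:8443
  name: minikube
users:
- name: minikube
  user:
    client-certificate: /root/.minikube/client.crt
    client-key: /root/.minikube/client.key
`

// Kubeconfig keys whose values are file paths kubectl has to open.
var credKeys = map[string]bool{
	"certificate-authority": true, "client-certificate": true, "client-key": true,
}

// foreignCreds returns "key=path" for every credential path outside home.
// Assumption: one "key: value" pair per line (no multi-line YAML values).
func foreignCreds(kubeconfig, home string) []string {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(kubeconfig))
	for sc.Scan() {
		key, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		val = strings.TrimSpace(val)
		if !ok || !credKeys[key] {
			continue
		}
		rel, err := filepath.Rel(home, val)
		if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
			out = append(out, key+"="+val)
		}
	}
	return out
}

func main() { fmt.Println(foreignCreds(sampleKubeconfig, "/home/user")) }
```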

@tstromberg
Contributor

This issue was unintentionally closed.

@afbjorklund
Collaborator

I think we should make this the default (run none with sudo), and fix it as a part of #3718

@tstromberg
Contributor

This is still on our radar.

I encourage users of --driver=none to consider using the newer --driver=docker, which does not require root access.

That said, we still plan to support --driver=none for users with use cases that are incompatible with --driver=docker, though it's unclear what those use cases are.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 19, 2020
@AlekSi

AlekSi commented Jul 2, 2020

> That said, we still plan to support --driver=none for users with use cases that are incompatible with --driver=docker, though it's unclear what those use cases are.

We encountered a problem with minikube and the Docker driver on GitHub Actions CI – there is some networking or firewall problem (?), and several pods can't connect to each other. It works with the none driver. Please keep it supported :)

And yeah, "automatic" sudo would be nice.

@medyagh
Member

medyagh commented Jul 7, 2020

@AlekSi for running minikube in GitHub Actions we have a tutorial here:
https://minikube.sigs.k8s.io/docs/tutorials/setup_minikube_in_github_actions/

Have you tried that?

@medyagh
Member

medyagh commented Jul 7, 2020

Meanwhile, this feature is still available for anyone who wants to pick it up! I would happily review a PR for this.

@claflico

Want to chime in on our use case. We're trying to move towards K8s from Rancher 1.6 Cattle/Traefik 1.7 running in VMware & Active Directory DNS. Management wants to transition from developers running docker-compose on their MacBooks to standalone K8s running on CentOS VMs in the VMware datacenter. HTTP microservices, databases, etc. still need to be accessible remotely via each developer's wildcard DNS URL. Would like for the K8s API/dashboard to be remotely accessible as well.

Started off with minikube using none driver and couldn't solve the non-root permissions issue. Tried using the docker driver and couldn't figure out how to have K8s use the host IP address instead of a 172.x.x.x address.

Moved on to kubeadm and have K8s standalone working without root access but can't find/figure out an ingress controller that works on port 80. Would like to stick with Traefik if possible.

Per management, cloud solutions and services are not an allowed option.

@claflico

claflico commented Jul 18, 2020

Not sure what's changed between 1.11.0 and 12.1, but tonight when I nuked the kubeadm cluster and set up minikube again it mostly worked:

curl -Ss -L https://github.com/kubernetes/minikube/releases/download/v1.12.1/minikube-linux-amd64 > minikube
chmod +x minikube
sudo mv minikube /usr/local/bin/
sudo -i env CHANGE_MINIKUBE_NONE_USER=true MINIKUBE_HOME=$HOME KUBECONFIG=$HOME/.kube/config /usr/local/bin/minikube start --driver=none

kubectl cluster-info
Kubernetes master is running at https://10.xx.xx.xx:8443
KubeDNS is running at https://10.xx.xx.xx:8443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

That hadn't worked before because it was trying to read the certs in the /root/ directory.

However, now when I try to enable the dashboard I am getting access denied:

minikube addons enable dashboard
enable failed: run callbacks: running callbacks: [create: open /etc/kubernetes/addons/dashboard-ns.yaml: permission denied]

To enable the dashboard I have to run
sudo -i env CHANGE_MINIKUBE_NONE_USER=true MINIKUBE_HOME=$HOME KUBECONFIG=$HOME/.kube/config /usr/local/bin/minikube addons enable dashboard

@AlekSi

AlekSi commented Jul 18, 2020

> @AlekSi for running minikube in GitHub Actions we have a tutorial here:
> https://minikube.sigs.k8s.io/docs/tutorials/setup_minikube_in_github_actions/
> Have you tried that?

Of course. My issue is much harder than covered by that guide :) For example, it can't be reproduced locally.

I left this comment to remove lifecycle/stale label. That did not help.

@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 17, 2020
@AlekSi

AlekSi commented Aug 17, 2020

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Aug 17, 2020
@Git-Jiro
Contributor

Git-Jiro commented Oct 2, 2020

Hi!
I want to start tackling this issue and got stuck pretty soon:
If you run "minikube" as a regular user, how do you "sudo" when trying to 'copy' a file out of 'pkg/minikube/assets/assets.go' ?

I am stuck at 'pkg/minikube/bootstrapper/bsutil/files.go' line 56

The only idea I have at the moment would be to do it like this:
"Copy" the file into a temporary directory and then "sudo cp" from there.
Is there a better way to do this?

@tstromberg
Contributor

@Git-Jiro - That's the best idea I have as well, unfortunately. I would start with that approach.

@Git-Jiro
Contributor

Git-Jiro commented Oct 2, 2020

@tstromberg related question, since some automated tests are failing:
How should I detect when to use "sudo" and when to keep using the native golang functions so I do not break the non-Linux use cases?
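
The approach discussed in the comments above (stage the file in a temporary directory, then copy it into place with sudo, and only on Linux when the native write would fail), as an added Go example that is not part of the thread and not minikube's code. The function names are hypothetical, and `sudo install -m` stands in for the `sudo cp` mentioned above so that the file mode is set in the same step.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
)

// needsSudo: only a non-root Linux user who cannot write dstDir escalates.
func needsSudo(goos string, euid int, dstDir string) bool {
	if goos != "linux" || euid == 0 {
		return false
	}
	probe, err := os.CreateTemp(dstDir, ".probe-*")
	if err == nil {
		probe.Close()
		os.Remove(probe.Name())
	}
	return err != nil
}

// stage writes data to a fresh 0600 temp file; O_EXCL creation never reuses a planted file.
func stage(data []byte) (string, error) {
	f, err := os.CreateTemp("", "asset-*")
	if err != nil {
		return "", err
	}
	defer f.Close()
	_, err = f.Write(data)
	return f.Name(), err
}

// copyAsset writes natively when it can, else stages and copies via sudo.
func copyAsset(data []byte, dst string, mode os.FileMode) error {
	if !needsSudo(runtime.GOOS, os.Geteuid(), filepath.Dir(dst)) {
		return os.WriteFile(dst, data, mode)
	}
	staged, err := stage(data)
	defer os.Remove(staged) // harmless error if staging never created a file
	if err != nil {
		return err
	}
	perm := fmt.Sprintf("%04o", uint32(mode.Perm()))
	return exec.Command("sudo", "install", "-m", perm, staged, dst).Run() // argv, no shell
}

func main() { fmt.Println(copyAsset([]byte("demo"), filepath.Join(os.TempDir(), "demo-asset"), 0o644)) }
```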

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
