kubernetes non root #153
Comments
I've deployed Rocker containers on Kubernetes as non-root; the protocol is similar to that for running Rocker using Singularity on a (multi-user) HPC cluster: set the |
I'll give this a try, can I use the normal rocker image? |
Yes. A couple caveats I forgot to mention:
This will cause any package installation by the user to fail unless they override it somehow. One possible fix might be to "overwrite" it at container launch time by bind-mounting a modified version of Renviron that excludes that line (in Kubernetes, this might be done via ConfigMap); another option (as illustrated in the Singularity example) is to create $HOME/.Renviron with R_LIBS_USER set to a path in the user's home directory (a user's .Renviron overrides the site Renviron). Thinking aloud, it seems Rocker could more conveniently facilitate R package installation in such environments where users cannot run it as root if it tweaked the site Renviron to at least allow R_LIBS_USER to be overridden via environment variable; e.g.:
|
Sure. Note that that is The Debian packages generally do this:
edd@rob:~$ grep R_LIBS_USER /etc/R/Renviron
R_LIBS_USER=${R_LIBS_USER-'~/R/x86_64-pc-linux-gnu-library/3.6'}
#R_LIBS_USER=${R_LIBS_USER-'~/Library/R/3.6/library'}
edd@rob:~$ |
@nathanweeks good suggestion, that does make sense and happy to take a PR for that! Though as you point out, we generally expect a user to override that with a
@dshakey thanks for the issue and feel free to close this if it resolves the problem! |
It looks like the hardcoded-R_LIBS_USER issue was resolved in r-ver:3.6.1: |
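A sketch of the ConfigMap / user `.Renviron` approach discussed in the comments above, added here as an example and not taken from the thread or from the Rocker project. The names `r-nonroot` and `r-user-renviron`, UID/GID 1000 and the `/home/ruser` path are assumptions, and the pod runs R directly rather than RStudio Server.

```yaml
# Added example; object names, UID/GID 1000 and /home/ruser are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: r-user-renviron
data:
  # Per-user Renviron; points the user library at a path the non-root UID can write.
  .Renviron: |
    R_LIBS_USER=/home/ruser/R/library
---
apiVersion: v1
kind: Pod
metadata:
  name: r-nonroot
spec:
  restartPolicy: Never
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the container as UID 0
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000             # makes the emptyDir below group-writable
  containers:
    - name: r
      image: rocker/r-ver:3.6.1
      # Run R directly: no init system or RStudio Server in this container.
      command: ["Rscript", "-e", "cat(Sys.getenv('R_LIBS_USER'), '\\n')"]
      env:
        - name: HOME          # R looks for ~/.Renviron under $HOME
          value: /home/ruser
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: home
          mountPath: /home/ruser
        - name: renviron
          mountPath: /home/ruser/.Renviron
          subPath: .Renviron
          readOnly: true
  volumes:
    - name: home
      emptyDir: {}
    - name: renviron
      configMap:
        name: r-user-renviron
```

The pod's log should show the path from the ConfigMap if the user `.Renviron` is being picked up.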
👍 yup, thanks @nathanweeks for mentioning. (should also be propagated forward now)
I haven't explored kubernetes use all that much, but it's something I'd like to include in our planned update to create more extensive community documentation. My current approach to deploy on kubernetes is just something like:
kubectl run --image=rocker/rstudio rstudio-app --port=8787 --env="PASSWORD=cluster"
kubectl port-forward --address 0.0.0.0 deploy/rstudio-app 8777:8787 &
which seems to be roughly the equivalent of our standard docker deploy for the image,
docker run --name rstudio-app -p 8777:8787 -e "PASSWORD=cluster" rocker/rstudio
but I'm still a k8s newbie, there's probably much more elegant approaches. (I actually failed to figure out how to correctly expose the port to a public ip when using the perhaps more typical approach of writing an |
s6-mkdir: warning: unable to mkdir /var/run/s6: Permission denied
if you try to add and Is anybody able to run rocker images on k8s with noroot/noprivileged psp? |
@yug0slav Have you tried changing SecurityContext as root? runAsUser : 0 ? |
Running with root UID is not allowed in our clusters, it fails to validate against podsecuritypolicy. |
RStudio server expects to run as root. The server supports multi-user logins where user accounts are tied to the underlying host (container) users. Likewise, s6 init system, like most init systems, expects to run as root. In principle it should be possible to get an rsession to run without the rserver. (Typically the Unfortunately I haven't quite figured out how to set the environment appropriately so that |
Is it possible to make the docker image not run as root? Kubernetes pod security policy does not allow pods to run as root.