Allow to run as root / different user

[pazoozooCH]

Is there a compelling reason not to run Logstash in the container as root?

The problem is that the logstash user 999 will not be able to run most logs (like /log/syslog). I think it's better to run root in a Docker container and mount the volume as read-only as to change file permission in the host to allow a non-root docker user to read the logs.

I would suggest just skipping the gosu or add the functionality to specify a user ID to run as when starting the container (through an env variable)...

[yosifkit]

The reasoning is security. Root in a container is equal to root on the host. If there was a vulnerability that allowed a breakout from the docker "container" that would give an attacker root access to the host. There is a similar discussion to adding a way to specify the running user for elasticsearch (docker-library/elasticsearch#14).

[pazoozooCH]

Hm, seems partially contradictory: "root in a container is equal to root on the host" and "if there WAS a vulnerability..." ;-) I guess if that vulneratiblity isn't there, it's not at all equal, is it?

Anyway, would you be willing to support a RUN_AS_ROOT or RUN_AS env variable for those willing to accept the security risk and opt in to run as root (or another user/group)?

[ei-grad]

Isn't the docker run --user option made for this?.. Using gosu to drop priveledges is absolutely useless ugly hack.

[tianon]

"Useless" is a bit far 😉. We use gosu so that we can fix permissions before we drop privileges, which is impossible with just "-u".

[pazoozooCH]

Is there currently a workaround or a best practice to actually just read logs on a volume that do not have read permissions set for everybody? If not, I think we definitely need a way to change the user logstash runs with, otherwise we lose the ability to perform a lot of file based use-cases without making changes to permissions on the host which is not really desirable.

[yosifkit]

@pazoozooCH, how are file permissions for logstash handled normally outside docker? Does logstash just run as root to see all the logs?

And, yes container root does equal host root: alias sudo='docker run -it --rm -v /:/host --privileged --net=host --pid=host debian chroot /host /bin/bash'.

[ei-grad]

so that we can fix permissions

That is even more awful, btw.

[pazoozooCH]

@yosifkit, in this case, I'd probably add the logstash user to the adm group so it could read the system logs without me having to change default permissions of Ubuntu. In this case, I'd require an option to specify a "run-as group".

Well, your example is not really that realistic. Obviously, I wouldn't just mount / into my container and run it as root. I would mount /var/log as readonly into the container and trust docker to actually run it in a container/sandbox that is not escapable... If that actually works (and if it doesn't, Docker would have a BIG problem), I don't see that much of a problem running root INSIDE the container.

[pazoozooCH]

btw, as I've indicated in #10, $HOME for the logstash user currently stays /root, causing problems with Logstash's default settings INSIDE the container. I think the whole user management should be improved on anyway...

[viranch]

I found a workaround after reading the entrypoint script: give anything other than logstash as first argument to the docker run command, e.g. full path to it :)

Run as root:

$ docker run -d --name logstash logstash /opt/logstash/bin/logstash agent -e 'input { stdin { } } output { stdout { } }'
$ docker exec logstash ps aux
USER     PID
root     1

Run as user foo:

docker run -d --name logstash --user foo logstash /opt/logstash/bin/logstash agent -e 'input { stdin { } } output { stdout { } }'

[yosifkit]

Would something like docker-library/elasticsearch#77 be helpful to allow you to specify any non-root user and group to run as, using the --user flag on docker run? It seems like @viranch's trick would allow you to run as root.

[EamonZhang]

Hi , how to run , with user logstash
input {
file{ path => "/var/log/nginx/access.log" }
}

,
even chmod 777 access.log

Thanks.

[yosifkit]

@EamonZhang, what about the permissions on the directory /var/log/nginx/?

[EamonZhang]

@yosifkit drw-rw-rw-

It say no permissions at first, then I change it to drw-rw-rw- with command chmod 666 /var/log/nginx -R

It does not show permissions problem.

but can use , echo "some thing " > /var/log/nginx/access.log . logstash is not responding.

I notice docker-entrypoint.sh change the user.

I start logstash bypass docker-entrypoint.sh, use root user. It seems ok.

[mattupstate]

One side effect of this is that the S3 output plugin will cause the Logstash process to fail to start because during the plugin's registration phase it attempts to write a temporary file to /tmp/logstash/s3/logstash-programmatic-access-test-object-<a short uid> and the logstash user does not have permission to write to this location. As a result one can't run a container with this image without overriding the entrypoint and you'll experience the following error:

{:timestamp=>"2016-07-25T03:42:16.635000+0000", :message=>"Pipeline aborted due to error", :exception=>#<Errno::EACCES: Permission denied - /tmp/logstash/s3/logstash-programmatic-access-test-object-1469418136>, :backtrace=>["org/jruby/RubyFile.java:370:in `initialize'", "org/jruby/RubyIO.java:1197:in `open'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-s3-3.0.1/lib/logstash/outputs/s3.rb:259:in `test_s3_write'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-s3-3.0.1/lib/logstash/outputs/s3.rb:236:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:86:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:184:in `start_workers'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:184:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:139:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:240:in `start_pipeline'"], :level=>:error}

[tukiyo]

docker run  \
 -it --rm -v "$PWD":/config-dir \
 -v /var/log/apache2/:/var/log/apache2/:ro \
 logstash:5 \
- logstash -f /config-dir/logstash.conf

according to the 5.0/docker-entrypoint.sh, to run as root: replace line whitch you like

+ /usr/share/logstash/bin/logstash -f /config-dir/logstash.conf
+ gosu root logstash -f /config-dir/logstash.conf
+ sh -c "logstash -f /config-dir/logstash.conf"

[mi-hol]

@pazoozooCH @tianon looks like this could be closed too, right?

[pazoozooCH]

@mi-hol , didn't have time to look at it recently - I guess yes...

[tianon]

Right now, the easiest way to run as non-root is to use --entrypoint -- I've filed a PR to simplify this a little further (#70):

$ docker run --name logstash --user 1000:1000 --entrypoint logstash logstash:5.0 -e '...'

[tianon]

As noted in #70, I had to also specify --tmpfs /var/lib/logstash so that user 1000 could write to that directory in the container, but it was successful. 👍