Details
Type: Improvement
Status: Reopened
Priority: Minor
Resolution: Unresolved
Affects Version/s: 0.10.1
Fix Version/s: None
Description
Problem
The Docker image doesn't define a real user at build time. There is a small hack that creates one at runtime, but according to Kubernetes security good practices the file /etc/passwd is read-only.
Running as non-root is a best practice for containers, especially on Kubernetes with a securityContext such as:
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
Zeppelin will run fine, giving a small warning:
Container ENTRYPOINT failed to add passwd entry for anonymous UID
but Spark will not:
org.apache.hadoop.security.KerberosAuthException: failure to login: javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input: name
    at com.sun.security.auth.UnixPrincipal.<init>(UnixPrincipal.java:71)
Solution
The Dockerfile should create a "zeppelin" user with home = "/opt/zeppelin" and uid = 1000.
Workaround
On Kubernetes, it's possible to share a volume mounted as /etc/passwd and use an initContainer to add the user.
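The script below is an added example of the initContainer half of that workaround; it is not Zeppelin project code and is not attached to this issue. It assumes (my assumptions, not from the issue) that the initContainer runs it with the image's read-only /etc/passwd as source and a shared emptyDir as destination, and that the Zeppelin container then mounts the produced file over /etc/passwd (for example with a subPath mount). The point it demonstrates is the check the runtime hack needs: only append an entry when the UID has none yet, so the file stays valid when the image already defines that UID, and the lookup that Spark's Hadoop login performs (UID to user name, the getpwuid-style query that returned null above) succeeds afterwards.

```shell
#!/bin/sh
# Added example (not Zeppelin project code): build a passwd file for a
# non-root runtime UID in an initContainer. Assumed paths and arguments:
#   ensure_passwd_entry SRC DST UID GID NAME HOME
# SRC is the image's read-only /etc/passwd, DST a file on a shared volume
# that the main container later mounts as /etc/passwd.
set -eu

# Copy SRC to DST and append an entry for UID only if no existing line
# already carries that UID (field 3). Prints the entry that owns UID.
ensure_passwd_entry() {
    src=$1; dst=$2; uid=$3; gid=$4; name=$5; home=$6
    cp "$src" "$dst"
    # exit status 0 when some line has $3 == uid, 1 otherwise
    if ! awk -F: -v u="$uid" '$3 == u { found=1 } END { exit !found }' "$dst"; then
        # passwd format: name:password:uid:gid:gecos:home:shell
        printf '%s:x:%s:%s:%s:%s:/bin/sh\n' "$name" "$uid" "$gid" "$name" "$home" >> "$dst"
    fi
    awk -F: -v u="$uid" '$3 == u { print; exit }' "$dst"
}

# lookup_name FILE UID: the user name a UID-to-name lookup against FILE
# would return; empty output is the condition that produced the
# "invalid null input: name" failure in the Spark stack trace.
lookup_name() {
    awk -F: -v u="$2" '$3 == u { print $1; exit }' "$1"
}

# Usage from an initContainer command, for example:
#   ensure_passwd_entry /etc/passwd /shared/passwd 1000 1000 zeppelin /opt/zeppelin
if [ "$#" -eq 6 ]; then
    ensure_passwd_entry "$@"
fi
```

With the produced file mounted over /etc/passwd in the Zeppelin container, `lookup_name /etc/passwd 1000` returns `zeppelin` and the Hadoop login no longer sees a null user name. The same entry, created at build time (the useradd line the Solution above asks for), removes the need for the initContainer entirely.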