Permission denied - /usr/share/opensearch/ #97

Closed
lindeberg25 opened this issue Feb 10, 2022 · 9 comments
Labels
bug Something isn't working

Comments

@lindeberg25

Hello...

I'm deploying an OpenSearch cluster on OpenShift and I'm getting the permission denied error: "./opensearch-docker-entrypoint.sh: permission denied"

I've created an opensearch-sa service account and added it to master.yaml:

     serviceAccountName: "opensearch-sa"

I've set opensearch-sa to privileged.

I believe the user created in the opensearch image doesn't have permission on /usr/share/opensearch/opensearch-docker-entrypoint.sh, which is a little weird. (I think the image user should already have permission to access that folder)

Could someone tell me what I'm missing?

Thanks in advance

@lindeberg25 lindeberg25 added bug Something isn't working untriaged Issues that have not yet been triaged labels Feb 10, 2022
@CEHENKLE CEHENKLE transferred this issue from opensearch-project/OpenSearch Feb 15, 2022
@bbarani
Member

bbarani commented Feb 17, 2022

@lindeberg25 Can you please pull in the updated Docker image and let us know if you are still facing this issue? You can find more info tracked in the issues below:

Issue 1
Issue 2

@zelinh zelinh removed the untriaged Issues that have not yet been triaged label Feb 17, 2022
@bbarani
Member

bbarani commented Mar 1, 2022

@lindeberg25 Closing this issue as we couldn't replicate it on the latest Docker image. Please feel free to re-open it if you are still facing this issue.

@bbarani bbarani closed this as completed Mar 1, 2022
@ElhamAhmadlou

Hi
I also have the same error. I have also changed the image version to the latest one, but it didn't help.

level=error msg="container_linux.go:367: starting container process caused: exec: \"./opensearch-docker-entrypoint.sh\": stat ./opensearch-docker-entrypoint.sh: permission denied"

@dion-dodgen

+1 error persists on :latest

@dblock
Member

dblock commented Dec 6, 2022

I'll reopen and move this to opensearch-devops.

@dblock dblock reopened this Dec 6, 2022
@dblock dblock transferred this issue from opensearch-project/opensearch-build Dec 6, 2022
@Ismo900123213

Had the same issue. Fix: at the container level, define the securityContext of runAsUser and runAsGroup to:

     securityContext:
       runAsUser: 1000
       runAsGroup: 1000

@peterzhuamazon
Member

Echo @Ismo900123213. In our Docker, the user we use to run has ID 1000.
And the default user should be them as well.

If you are having another user trying to access the folder then it will error out. Thanks.

@marcosox

as reported by another user in opensearch-project/docker-images#35:

Since the script itself is set with these permissions: -rwxr-xr-x (allow other to read and execute) it would be logical for the previous directories to have the same permissions

I have user namespace remapping enabled, and when starting the container the opensearch-owned files become owned by root:

bash-5.2# ls -al /usr/share/opensearch/opensearch-docker-entrypoint.sh 
-rwxr-xr-x 1 root opensearch 4876 Oct 13 03:45 /usr/share/opensearch/opensearch-docker-entrypoint.sh

the parent folder (/usr/share/opensearch) is not group readable:

bash-5.2$ ls -al /usr/share/
total 192
drwxr-xr-x  1 root root       4096 Oct 13 03:45 .
drwxr-xr-x  1 root root       4096 Oct 10 22:51 ..
drwxr-xr-x  2 root root       4096 Jan 30  2023 X11
drwxr-xr-x  2 root root       4096 Jan 30  2023 aclocal
drwxr-xr-x  2 root root       4096 Jan 30  2023 appdata
drwxr-xr-x  2 root root       4096 Jan 30  2023 applications
drwxr-xr-x  3 root root       4096 Oct 10 22:51 augeas
drwxr-xr-x  2 root root       4096 Oct 10 22:51 awk
drwxr-xr-x  2 root root       4096 Jan 30  2023 backgrounds
drwxr-xr-x  4 root root       4096 Jan 31  2023 bash-completion
drwxr-xr-x 11 root root       4096 Oct 10 22:51 crypto-policies
drwxr-xr-x  2 root root       4096 Jan 30  2023 desktop-directories
drwxr-xr-x  2 root root       4096 Jan 30  2023 dict
drwxr-xr-x  1 root root       4096 Oct 13 03:45 doc
dr-xr-xr-x  2 root root       4096 Jan 30  2023 empty
drwxr-xr-x  2 root root       4096 Oct 10 22:51 file
drwxr-xr-x  2 root root       4096 Jan 30  2023 games
lrwxrwxrwx  1 root root         14 Aug 14 20:55 gawk -> /usr/share/awk
drwxr-xr-x  3 root root       4096 Oct 10 22:51 gcc-11
drwxr-xr-x  3 root root       4096 Oct 10 22:51 gdb
drwxr-xr-x  3 root root       4096 Oct 10 22:51 glib-2.0
drwxr-xr-x  2 root root       4096 Jan 30  2023 gnome
drwxr-xr-x  2 root root       4096 Jan 30  2023 help
drwxr-xr-x  4 root root       4096 Oct 10 22:51 i18n
drwxr-xr-x  2 root root       4096 Jan 30  2023 icons
drwxr-xr-x  2 root root       4096 Jan 30  2023 idl
drwxr-xr-x  1 root root       4096 Oct 13 03:45 info
drwxr-xr-x  2 root root       4096 Oct 10 22:51 libgpg-error
drwxr-xr-x  5 root root       4096 Oct 10 22:51 libreport
drwxr-xr-x  1 root root       4096 Oct 13 03:45 licenses
drwxr-xr-x  1 root root       4096 Oct 13 03:45 locale
drwxr-xr-x  4 root root       4096 Oct 10 22:51 lua
lrwxrwxrwx  1 root root         10 Aug 30 20:17 magic -> misc/magic
drwxr-xr-x  1 root root       4096 Oct 13 03:45 man
drwxr-xr-x  2 root root       4096 Jan 30  2023 metainfo
drwxr-xr-x  2 root root       4096 Jan 30  2023 mime-info
drwxr-xr-x  2 root root       4096 Oct 10 22:51 misc
drwxr-xr-x  2 root root       4096 Jan 30  2023 omf
drwx------  1 root opensearch 4096 Oct 13 03:45 opensearch
drwxr-xr-x  3 root root       4096 Oct 10 22:51 p11-kit
drwxr-xr-x  2 root root       4096 Jan 30  2023 pixmaps
drwxr-xr-x  4 root root       4096 Oct 10 22:51 pki
lrwxrwxrwx  1 root root         25 Jan 29  2023 python-wheels -> /usr/share/python3-wheels
drwxr-xr-x  2 root root       4096 Oct 10 22:51 python3-wheels
drwxr-xr-x  2 root root       4096 Jan 30  2023 sounds
drwxr-xr-x  2 root root       4096 Oct 10 22:51 tabset
drwxr-xr-x 23 root root       4096 Oct 10 22:51 terminfo
drwxr-xr-x  2 root root       4096 Jan 30  2023 themes
drwxr-xr-x  2 root root       4096 Jan 30  2023 wayland-sessions
drwxr-xr-x  2 root root       4096 Jan 30  2023 xsessions
drwxr-xr-x 20 root root       4096 Oct 10 22:51 zoneinfo

So I end up with permission denied and can't use the image.

Is the rwx------ permission crucial for /usr/share/opensearch/? Could it be rwxr-xr-x like the files it contains? This would allow the image to be compatible with the typical setup for users who have namespace remapping enabled.
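
The denial reported in this thread is decided on the directory, not on the script: every directory on the path needs the search (x) bit for the caller before the file's own mode is consulted. The sketch below is an added example, not code from the thread or from the OpenSearch project; the `can_exec` and `make_fixture` helpers and the temporary tree are hypothetical, the current user stands in for the image's UID 1000, and only classic mode bits are evaluated (no root override, ACLs or supplementary groups).

```shell
#!/bin/sh
# Added example: mode-bit walk over a constructed tree that copies the modes
# quoted in the thread. Helper names and the temp tree are hypothetical.

# can_exec UID GID ROOT REL: return 0 if uid:gid may execute ROOT/REL.
# Each directory needs the search (x) bit for the caller's class and the
# file needs x. Root override, ACLs and supplementary groups are ignored.
can_exec() {
    uid=$1; gid=$2; cur=$3; rel=$4
    old_ifs=$IFS; IFS=/
    set -f; set -- $rel; set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        mode=$(stat -c %a "$cur") || return 2
        owner=$(stat -c %u "$cur"); group=$(stat -c %g "$cur")
        # Exactly one class applies: owner, else group, else other.
        if [ "$uid" -eq "$owner" ]; then bits=$((mode / 100 % 10))
        elif [ "$gid" -eq "$group" ]; then bits=$((mode / 10 % 10))
        else bits=$((mode % 10)); fi
        if [ $((bits & 1)) -eq 0 ]; then
            echo "uid $uid denied at $cur (mode $mode, owner $owner:$group)"
            return 1
        fi
    done
    echo "uid $uid may execute $cur"
}

# Build the constructed tree: parent drwx------, entrypoint -rwxr-xr-x.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/opensearch"
    printf '#!/bin/sh\n' > "$root/usr/share/opensearch/opensearch-docker-entrypoint.sh"
    chmod 755 "$root/usr" "$root/usr/share" \
        "$root/usr/share/opensearch/opensearch-docker-entrypoint.sh"
    chmod 700 "$root/usr/share/opensearch"
    echo "$root"
}

ROOT=$(make_fixture)
ENTRY=usr/share/opensearch/opensearch-docker-entrypoint.sh
ME=$(id -u); MYGID=$(id -g)   # stand-in for the image user (1000 in the thread)
can_exec "$ME" "$MYGID" "$ROOT" "$ENTRY"                       # owner: allowed
can_exec $((ME + 1)) $((MYGID + 1)) "$ROOT" "$ENTRY" || true   # other UID: denied
chmod 755 "$ROOT/usr/share/opensearch"                         # mode asked about in the thread
can_exec $((ME + 1)) $((MYGID + 1)) "$ROOT" "$ENTRY"           # now allowed
rm -rf "$ROOT"
```

Inside a running container, `namei -l /usr/share/opensearch/opensearch-docker-entrypoint.sh` lists the same per-component modes and owners that this walk evaluates.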

yrodiere added a commit to yrodiere/search.quarkus.io that referenced this issue Nov 3, 2023
This reverts commit e4dcd09.

It appears OpenSearch needs to run with UID 1000
because the entrypoint script is only accessible with that user:
opensearch-project/opensearch-devops#97

But our OpenShift cluster only allows containers to run with wildly high
UIDs, like 100000000. The security context constraints do not allow
anything else.

The entrypoint script is not accessible to groups, either,
so OpenShift's fsGroup config
(https://docs.openshift.com/container-platform/3.11/install_config/persistent_storage/pod_security_context.html#fsgroup)
is no use.

And finally, user namespace mapping is not supported in OpenShift yet:

https://access.redhat.com/solutions/6977863
@midprasanta

Is there any plan to fix the issue? Error happens in OpenShift only.
