Bringing together the Apache Cassandra experts from the community and DataStax.

Want to learn? Have a question? Want to share your expertise? You are in the right place!

Not sure where to begin? Getting Started

 

question

mzv avatar image
mzv asked mzv commented

How do I start processes as cassandra user instead of root with the cass-operator securityContext?

Hi!

I would like to start cassandra pod as well as all processes as cassandra user, not root. I've tried both combinations below in my dc1.yaml, no luck. StatefulSet has securityContext set as "{}".

1.

spec:
  template:
    spec:
      securityContext:
        runAsUser: 999

2.

spec:
  securityContext:
    runAsUser: 999

But if I patch StatefulSet, it works fine. How do I predefine the setting on a pod level?

Thanks,

Vladimir

cass-operator
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

2 Answers

john.sanda_194109 avatar image
john.sanda_194109 answered mzv commented

In you CassandraDatacenter spec add the following,

dockerImageRunsAsCassandra: true

That will cause cass-operator to use a SecurityContext like you are trying to do.

Do you know what Cassandra image you are using? If not what version are you specifying in your CassandraDatacenter manifest? The reason I ask is that the default images are not built to run as a non-root user.

I work on the k8ssandra project which uses cass-operator. In k8ssandra we are using non-root images. They can be used directly with cass-operator as well. See here for the images we use in k8ssandra.

Good luck!

John

1 comment Share
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

mzv avatar image mzv ·

@john.sanda_194109 Thanks, this option works just fine! I'm using cassandra-mgmtapi-3_11_10:v0.1.23. Also thanks for mentioning k8ssandra, I will take a look.

0 Likes 0 ·
Erick Ramirez avatar image
Erick Ramirez answered mzv commented

If you're provisioning a Cassandra cluster with the cass-operator, the image is already configured to run as the cassandra user.

It would be great if you could provide some background information on why you think processes are running as root instead so we could look into it. Cheers!

[UPDATE] I'm going to defer to John on this one. :)

1 comment Share
10 |1000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

mzv avatar image mzv ·

Some of processes run as root by default. That's what I meant.

kubectl exec -n cass-operator -it cluster1-dc1-rack2-sts-0 -c server-system-logger -- ps -ef | grep root
    1 root      0:00 tail -n+1 -F /var/log/cassandra/system.log
   36 root      0:00 ps -ef


kubectl exec -n cass-operator -it cluster1-dc1-rack2-sts-0 -c cassandra -- ps -ef | grep root
root           1       0  0 22:04 ?        00:00:00 /tini -g -- gosu cassandra j


0 Likes 0 ·