Why is it ElasticSearch is not allowed to run as root?

Problem description

I'm deploying ElasticSearch inside of a Docker container, which usually runs processes as a root user. I get

"org.elasticsearch.bootstrap.StartupError: java.lang.RuntimeException: cannot run elasticsearch as root"

error when trying to start ElasticSearch.

What is the reason ElasticSearch cannot run as root?

Inside of the Docker container, things are isolated and root processes are considered safe. I may be able to configure my image to run as non-root but it requires lots of heavy lifting and is an anti-pattern to our deployment model.

I also tried

./elasticsearch

Exception in thread "main" java.lang.RuntimeException: don't run elasticsearch as root.
    at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:93)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:144)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

Refer to the log for complete error details.

Recommended answer

This has been discussed a few times already. Quoting from the Elastic maintained Docker images:


Elasticsearch has checks that will not allow running it as root. This has been discussed in https://discuss.elastic.co/t/why-is-it-elasticsearch-is-not-allowed-to-run-as-root/60413/2 and running processes as root inside a docker container is not a best practice. You can see some reasons in the aforementioned discussion, in https://forums.docker.com/t/root-user-or-non-root-user-inside-container/966/10, http://blog.dscpl.com.au/2015/12/don-run-as-root-inside-of-docker.html and other places. The risks are especially profound for containers like Elasticsearch where users frequently bind mount host directories with write access.

PS: In case you don't want to build your own images, there are officially maintained ones: https://www.docker.elastic.co
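
The risk named in the quote above (a root process combined with a writable bind mount of a host directory) can be audited from `docker inspect` output. The following is an added example, not part of the original answer or Elastic's code; the container names and host paths are constructed, and it assumes the standard `Config.User` and `Mounts[].Type/Source/RW` fields of `docker inspect`.

```python
import json

# Constructed sample of `docker inspect <container>...` output, trimmed to the
# fields used here (Name, Config.User, Mounts[].Type/Source/Destination/RW).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/es-root",
   "Config": {"User": ""},
   "Mounts": [{"Type": "bind", "Source": "/srv/esdata",
               "Destination": "/usr/share/elasticsearch/data", "RW": true}]},
  {"Name": "/es-nonroot",
   "Config": {"User": "1000:0"},
   "Mounts": [{"Type": "bind", "Source": "/srv/esdata2",
               "Destination": "/usr/share/elasticsearch/data", "RW": true}]},
  {"Name": "/es-root-ro",
   "Config": {"User": "root"},
   "Mounts": [{"Type": "bind", "Source": "/etc/es",
               "Destination": "/usr/share/elasticsearch/config", "RW": false},
              {"Type": "volume", "Source": "/var/lib/docker/volumes/d/_data",
               "Destination": "/usr/share/elasticsearch/data", "RW": true}]}
]
""")


def runs_as_root(config_user):
    """True if Config.User is literally uid 0 / root. Empty means the image set
    no USER, so Docker starts the process as root. A non-root name mapped to
    uid 0 inside the image is not detected."""
    user = (config_user or "").split(":", 1)[0].strip()
    return user in ("", "0", "root")


def root_with_writable_bind_mounts(containers):
    """Return {container name: [host paths]} for root containers that can
    write to a bind-mounted host directory."""
    findings = {}
    for c in containers:
        if not runs_as_root(c.get("Config", {}).get("User")):
            continue
        paths = [m["Source"] for m in c.get("Mounts") or []
                 if m.get("Type") == "bind" and m.get("RW")]
        if paths:
            findings[c.get("Name", "?").lstrip("/")] = paths
    return findings


if __name__ == "__main__":
    for name, paths in root_with_writable_bind_mounts(SAMPLE_INSPECT).items():
        print(f"{name}: root process can write to host paths {paths}")
```

To check real containers, replace `SAMPLE_INSPECT` with the parsed JSON printed by `docker inspect` for the containers of interest.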
