Why is it ElasticSearch is not allowed to run as root?
Question
I'm deploying ElasticSearch inside of a Docker container, which usually runs processes as a root user. I get
"org.elasticsearch.bootstrap.StartupError: java.lang.RuntimeException: cannot run elasticsearch as root"
error when trying to start ElasticSearch.
What is the reason ElasticSearch cannot be run as root?
Inside of the docker container, things are isolated and root processes are considered safe. I may be able to configure my image to run as non-root but it requires lots of heavy lifting and is an anti-pattern to our deployment model.
I also tried
./elasticsearch
Exception in thread "main" java.lang.RuntimeException: don't run elasticsearch as root.
    at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:93)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:144)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Refer to the log for complete error details.
Recommended answer
This has been discussed a few times already. Quoting from the Elastic maintained Docker images:
Elasticsearch has checks that will not allow running it as root. This has been discussed in https://discuss.elastic.co/t/why-is-it-elasticsearch-is-not-allowed-to-run-as-root/60413/2 and running processes as root inside a docker container is not a best practice. You can see some reasons in the aforementioned discussion, in https://forums.docker.com/t/root-user-or-non-root-user-inside-container/966/10, http://blog.dscpl.com.au/2015/12/don-run-as-root-inside-of-docker.html and other places. The risks are especially profound for containers like Elasticsearch where users frequently bind mount host directories with write access.
PS: In case you don't want to build your own images, there are officially maintained ones: https://www.docker.elastic.co
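An added example, not part of the original answer or Elastic's code: a Python audit that flags the combination the quoted text warns about, a container running as root with a host directory bind-mounted read-write. The `docker inspect` JSON is a constructed sample, and the container names and host paths in it are assumptions.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from the page).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/es-root", "Config": {"User": ""},
   "Mounts": [{"Type": "bind", "Source": "/srv/esdata",
               "Destination": "/usr/share/elasticsearch/data", "RW": true}]},
  {"Name": "/es-nonroot", "Config": {"User": "1000:0"},
   "Mounts": [{"Type": "bind", "Source": "/srv/esdata2",
               "Destination": "/usr/share/elasticsearch/data", "RW": true}]},
  {"Name": "/es-root-ro", "Config": {"User": "root"},
   "Mounts": [{"Type": "bind", "Source": "/etc/es",
               "Destination": "/usr/share/elasticsearch/config", "RW": false}]},
  {"Name": "/es-root-volume", "Config": {"User": "0:0"},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/es/_data",
               "Destination": "/usr/share/elasticsearch/data", "RW": true}]}
]
""")


def runs_as_root(user):
    """True for uid 0 or 'root'; an empty User is Docker's default, root.
    User-namespace remapping on the host is not considered here."""
    uid = (user or "").split(":", 1)[0].strip()
    return uid in ("", "0", "root")


def writable_bind_mounts(container):
    """Host paths bind-mounted read-write into the container."""
    return [m["Source"] for m in container.get("Mounts") or []
            if m.get("Type") == "bind" and m.get("RW")]


def audit(containers):
    """Return (name, host_paths) for root containers with writable bind mounts."""
    findings = []
    for c in containers:
        user = (c.get("Config") or {}).get("User", "")
        mounts = writable_bind_mounts(c)
        if runs_as_root(user) and mounts:
            findings.append((c.get("Name", "?").lstrip("/"), mounts))
    return findings


if __name__ == "__main__":
    for name, mounts in audit(SAMPLE_INSPECT):
        print(f"{name}: root with writable host paths {', '.join(mounts)}")
```

To run it against real containers, replace the sample with the parsed output of `docker inspect` for the containers of interest.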