
Linux users and groups created in Kubernetes containers (with groupadd and useradd) are lost when the pods get restarted. (In my use case I need to dynamically create these Linux users for the apache mpm-itk module.)

Is there a way in Kubernetes to make these Linux users persistent and survive pod restarts?

Roberto
  • 33
  • 3

2 Answers

1

A pod is completely thrown away. If you need specific settings (like extra users) you can create a derived docker image that has those modifications (or scripts that do them).

Niels Basjes
  • 2,196
  • 3
  • 19
  • 26
  • Creating the users in the image itself is not a satisfying solution. The users are not known at the time of image creation. They need to be created dynamically at runtime, everything else would be extremely cumbersome. Furthermore, consider what this means if you need to patch the image once... – Roberto Mar 21 '20 at 15:29
  • 1
    How about the second option I mentioned: A startup script that recreates the required users at startup every time a new instance is started? – Niels Basjes Mar 21 '20 at 15:45
  • The second option is also very cumbersome, if you consider the permission handling. You would need to dynamically store all users and their uids and gids and then create them again when a new pod gets started. – Roberto Mar 21 '20 at 16:07
  • However, I could consider storing the /etc/passwd file in a secret (or configmap) and then hooking into the postStart event and recreating the users again every time the container gets started. But to be honest, I would prefer a more out-of-the-box solution if available? – Roberto Mar 21 '20 at 16:15
  • FYI, the second option does not work for my use case, since apache mpm-itk already requires the users on startup, even before the postStart hook fires where I could create the users. I've tested this and it produces the error "AH00544: apache2: bad group name ...". – Roberto Mar 22 '20 at 19:03
  • You can have a custom entrypoint script that creates the users and starts your application. – Niels Basjes Mar 22 '20 at 19:06
  • I've tried it now with a custom entrypoint and realized that it did not work either. So I looked into my script again and realized that I had a silly issue which created the group with the wrong name. I fixed this and now it works even without a custom entrypoint, but with the sole Kubernetes approach I described before. – Roberto Mar 23 '20 at 11:02
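The entrypoint approach discussed in the answer and its comments, as an added example that is not code from the question, the answer or any linked post: the user list is kept outside the image (a Secret or ConfigMap mounted as a file, path and USERS_SPEC variable are assumptions), and the script recreates groups and users idempotently before exec'ing the real command, so the users exist before apache starts. It renders the groupadd/useradd commands as text first, which also lets a test check the plan without needing root.

```shell
#!/bin/sh
# Added example: an entrypoint that recreates Linux users from a spec file mounted
# from a Secret/ConfigMap, then exec's the real command (e.g. apache2-foreground).
# Spec format, one user per line:  name:uid:gid   (lines starting with # are ignored)
# USERS_SPEC and its default mount path are assumptions made for this example.
USERS_SPEC="${USERS_SPEC:-/etc/managed-users/users.txt}"

# Only plain lowercase names; ids must be positive, so a spec line can never yield uid/gid 0.
valid_name() { printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'; }
valid_id()   { printf '%s' "$1" | grep -Eq '^[1-9][0-9]*$'; }

# Print the idempotent groupadd/useradd commands for a spec file instead of running them,
# so the plan can be reviewed (or checked in a test) before anything touches /etc/passwd.
render_user_cmds() {
  spec="$1"
  while IFS=: read -r name uid gid; do
    case "$name" in ''|\#*) continue ;; esac
    if ! valid_name "$name" || ! valid_id "$uid" || ! valid_id "$gid"; then
      echo "skipping malformed or disallowed spec line: $name:$uid:$gid" >&2
      continue
    fi
    # getent guards make a restart with an unchanged spec a no-op
    printf 'getent group %s >/dev/null || groupadd -g %s %s\n' "$name" "$gid" "$name"
    printf 'getent passwd %s >/dev/null || useradd -u %s -g %s -M -s /usr/sbin/nologin %s\n' \
      "$name" "$uid" "$gid" "$name"
  done < "$spec"
}

# Run the rendered commands; -e stops at the first failing groupadd/useradd.
apply_users() { render_user_cmds "$1" | sh -e; }

# Usage as the container command:  entrypoint.sh --apply apache2-foreground
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_users "$USERS_SPEC"
  exec "$@"
fi
```

Because the uid/gid pairs come from the mounted file rather than from whatever useradd picks at runtime, file ownership on persistent volumes stays consistent across restarts.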
1

I've now built a fully Kubernetes-based custom syncing solution, which dynamically recreates custom Linux users whenever a pod gets restarted. It relies on Kubernetes resources and does not require modifying existing Docker images. In case someone else needs it, too, feel free to find my detailed steps with code snippets in my post Syncing Linux Users to survive Kubernetes Pod restarts.

Roberto
  • 33
  • 3