How to start Dropwizard microservice as a non-root user.


Kuttaiah Robin

Mar 10, 2020, 2:42:02 AM
to dropwizard-user
Hello,

I created a Dropwizard microservice as per the documentation in the k8s cluster.

When I get into that k8s pod, I see it runs as the root user. Basically, I ran whoami within that terminal. This is a security concern for our production.

For this reason, I made the change below:

    DefaultServerFactory defaultServerFactory = (DefaultServerFactory) getServerFactory();
    defaultServerFactory.setStartsAsRoot(false);
 
With this I get:

ERROR [2020-03-10 06:29:59,267] io.dropwizard.cli.ServerCommand: Unable to start server, shutting down
! java.net.SocketException: Permission denied
! at sun.nio.ch.Net.bind0(Native Method)
! at sun.nio.ch.Net.bind(Net.java:433)
! at sun.nio.ch.Net.bind(Net.java:425)
! at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:220)
! at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:85)
! at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:342)
! at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:307)
! at org.eclipse.jetty.setuid.SetUIDListener.lifeCycleStarting(SetUIDListener.java:200)
! ... 15 common frames omitted
! Causing: java.lang.RuntimeException: java.net.SocketException: Permission denied
! at org.eclipse.jetty.setuid.SetUIDListener.lifeCycleStarting(SetUIDListener.java:213)
! at org.eclipse.jetty.util.component.AbstractLifeCycle.setStarting(AbstractLifeCycle.java:204)
! at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:71)
! at io.dropwizard.cli.ServerCommand.run(ServerCommand.java:53)
! at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:45)
! at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
! at io.dropwizard.cli.Cli.run(Cli.java:79)
! at io.dropwizard.Application.run(Application.java:94)
! at com.oracle.insight.dropwizzard.DWMicroservice$DWStartable.start(DWMicroservice.java:80)
! at java.util.concurrent.CompletableFuture.uniComposeStage(CompletableFuture.java:995)
! at java.util.concurrent.CompletableFuture.thenCompose(CompletableFuture.java:2137)
! at oracle.mtms.infra.services.bootstrap.lifecycle.LifecycleServiceImpl.startAdminServer(LifecycleServiceImpl.java:85)



Any help?

regards,
Robin Kuttaiah

Jochen Schalanda

Mar 10, 2020, 2:45:15 PM
to dropwiz...@googlegroups.com
Hi Robin,

I think you're approaching this from the wrong direction.

Try setting an appropriate security context for your Kubernetes pod [1] and make sure to not bind the Dropwizard application to a privileged port (anything <1024),
then you should be fine.

The Dropwizard application will run within the configured security context of the pod and won't have root privileges.



Best regards,
Jochen
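
A pod spec and Dropwizard server configuration matching the advice in the reply above, added here as an illustration and not taken from the thread or from the Dropwizard project. The resource names, image, UID and ports are constructed placeholders, and the image's entrypoint is assumed to be `java -jar` on the application jar.

```yaml
# Added example: names, image, UID and ports are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dw-config                  # hypothetical name
data:
  config.yml: |
    server:
      applicationConnectors:
        - type: http
          port: 8080               # unprivileged port (>= 1024), no root needed to bind
      adminConnectors:
        - type: http
          port: 8081               # admin connector also kept off privileged ports
---
apiVersion: v1
kind: Pod
metadata:
  name: dw-service                 # hypothetical name
spec:
  securityContext:
    runAsNonRoot: true             # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001               # constructed UID; any non-zero UID works
    runAsGroup: 10001
  containers:
    - name: app
      image: registry.example.com/dw-service:1.0   # placeholder image
      args: ["server", "/etc/dw/config.yml"]       # assumes entrypoint is "java -jar <app>.jar"
      ports:
        - containerPort: 8080
        - containerPort: 8081
      securityContext:
        allowPrivilegeEscalation: false            # no setuid-style privilege gain inside the container
        capabilities:
          drop: ["ALL"]                            # nothing is needed to bind ports >= 1024
      volumeMounts:
        - name: config
          mountPath: /etc/dw
          readOnly: true
  volumes:
    - name: config
      configMap:
        name: dw-config
```

With this applied, running `id -u` inside the pod should print 10001 rather than 0.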


Kuttaiah Robin

Mar 11, 2020, 1:32:41 AM
to dropwiz...@googlegroups.com
Hello Jochen,

Perfect. 
Thanks very much for pointing this out. It worked.

regards,
Kuttaiah
