Could not run Elastic Search conatiner as non-root

[vijeswari]

Describe the bug
A clear and concise description of what the bug is.
As mentioned in the enhancement #703, we tried creating ODFE pods running as non-root user using ODFE 1.13.2 docker image and helm chart. The pod creation fails with the following error:

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch
OpenDistro for Elasticsearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/elasticsearch
Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core)
Elasticsearch config dir: /usr/share/elasticsearch/config
Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: x-content-7.10.2
Detected Open Distro Security Version: 1.13.1.0
Success
Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

To Reproduce
Steps to reproduce the behavior:

1. Download ODFE helm 1.13.2
2. Run 'helm install test . -f values-nonroot.yaml'
3. Pod creation fails

Expected behavior
A clear and concise description of what you expected to happen.
ES container should be up and running as non root

Configuration (please complete the following information):

• ODFE/Kibana version 1.13.2
• Distribution: NA
• Host Machine:NA

Relevant information
Please include any relevant log snippets or files here.

xxxx]$ kubectl logs -f test-opendistro-es-client-6bbb7dd9fd-przsc elasticsearch
OpenDistro for Elasticsearch Security Demo Installer
** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/elasticsearch
Elasticsearch install type: rpm/deb on CentOS Linux release 7.9.2009 (Core)
Elasticsearch config dir: /usr/share/elasticsearch/config
Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: x-content-7.10.2
Detected Open Distro Security Version: 1.13.1.0
Success
Execute this script now on all your nodes and then start all nodes

tee: securityadmin_demo.sh: Permission denied

[oomichi]

@vijeswari
Hello, I am facing the same issue.
Do you find some solution for this issue?

/cc @oomichi

[oomichi]

@vijeswari Hello, I am facing the same issue. Do you find some solution for this issue?

/cc @oomichi

I found a solution for this issue.
By specifying

  extraEnvs:
    - name: DISABLE_INSTALL_DEMO_CONFIG
      value: "true"

in values.yaml, the demo mode is disabled and it solves this issue on my side.

[vijeswari]

@oomichi
This solution did not work for us. We are relying on demo certificates for time being so disabling the demo config scripts has impact on the internal node communication on port 9300. Have you configured certificates post disabling demo config script?

Thank you