Permission required to run java under non-root user in Google Container Engine
I don’t have a problem running Java as the root user:
/usr/java/jre1.8.0_101/bin/java -jar /app/ts.jar
Because the application is deployed in a Docker container, I need to run it as a non-root user.
First I create a user in the Docker container:
useradd --user-group -m --shell /bin/false ts2_app; chown -R ts2_app:ts2_app /app; chown -R ts2_app:ts2_app /usr/java/jre1.8.0_101; chmod -R +r /app; chmod -R +r /usr/java/jre1.8.0_101;
Then I try to launch it with:
runuser -l ts2_app -c "/usr/java/jre1.8.0_101/bin/java -jar /app/ts.jar"
su - ts2_app -c "/usr/java/jre1.8.0_101/bin/java -jar /app/ts.jar"
I don’t have any problem in my local environment, but if I deploy the Docker container to GCE, it can’t be started.
Then I inspect the Docker container and try to execute the above commands.
Here is the summary:
- No problem to run as root in my local docker container
- No problem to run as non-root in my local docker container
- No problem to run as root in Google Container Engine’s container.
- The problem occurs when running it as non-root in Google Container Engine’s container.
The su command just quits right after execution; there is no error. And I can’t see the java process in
I have many other containers which run their processes with a non-root account, so I don’t know why this one fails. Does anyone know of any other minimal permissions required by Java?