feat(alloy): Run as non-root user inside the container
We now run alloy user-namespaced and as 473:473 inside the container.
The biggest hurdle to this was being able to read the host journal.
This is because systemd ignores every request which is not coming from
the root user or a user in the systemd-journal or adm group.
This would result in the following error message from alloy (on a host that was running alloy as root before):
{
"ts": "2024-07-21T12:07:03.068862843Z",
"level": "error",
"msg": "received error reading saved journal position",
"component_path": "/",
"component_id": "loki.source.journal.default",
"err": "failed to get realtime timestamp: cannot assign requested address"
}
By adding systemd-journal as a supplementary group to the service
definition and then retaining this group through podman we can now read
the journal of the container host without being root.
(The retaining of groups might be a crun-exclusive feature AFAIK)
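The following unit file is an added example of the setup described in this commit; it is not the project's own service definition. It assumes a rootful podman service managed by systemd with crun as the OCI runtime, the `docker.io/grafana/alloy` image, `--userns=auto` for the user namespace, and the standard host journal paths (`/var/log/journal`, `/run/log/journal`); the config path `/etc/alloy/config.alloy` and the `alloy-data` volume are placeholders.

```ini
# Added example, not the project's unit file. Runs Alloy as 473:473 inside a
# user namespace while keeping read access to the host journal. Image name,
# mount paths and --userns=auto are assumptions for illustration.
[Unit]
Description=Grafana Alloy in podman (non-root, reads the host journal)
After=network-online.target
Wants=network-online.target

[Service]
# The podman process itself joins systemd-journal. This is the group the
# journal files are readable by; without it the container only sees the
# "cannot assign requested address" error quoted in the commit message.
SupplementaryGroups=systemd-journal
Restart=on-failure
ExecStartPre=-/usr/bin/podman rm -f alloy
# --group-add keep-groups hands the podman process's supplementary groups
# (here: systemd-journal) to the container process. This needs crun.
ExecStart=/usr/bin/podman run --rm --name alloy \
    --user 473:473 \
    --userns=auto \
    --group-add keep-groups \
    --volume /var/log/journal:/var/log/journal:ro \
    --volume /run/log/journal:/run/log/journal:ro \
    --volume /etc/machine-id:/etc/machine-id:ro \
    --volume /etc/alloy:/etc/alloy:ro \
    --volume alloy-data:/var/lib/alloy/data \
    docker.io/grafana/alloy:latest run /etc/alloy/config.alloy
ExecStop=/usr/bin/podman stop -t 10 alloy

[Install]
WantedBy=multi-user.target
```

To confirm the group actually made it into the container, read the process credentials from the host side rather than from inside the container: `grep Groups /proc/$(podman inspect -f '{{.State.Pid}}' alloy)/status` should list the host's systemd-journal GID. Inside the user namespace that GID has no mapping and shows up as nobody/nogroup, but the kernel still evaluates file permissions against the real host GID, which is why the journal becomes readable without running as root.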