[GH-ISSUE #349] Non-root container #95

Closed
opened 2026-03-07 20:44:46 +03:00 by kerem · 10 comments

Originally created by @gdkx6432 on GitHub (Apr 15, 2021).
Original GitHub issue: https://github.com/dbeaver/cloudbeaver/issues/349

Hello,
I would like to run this container on an enterprise Kubernetes platform, but the security office doesn't let me because this container is running as the root user.

So I would like to ask you to configure this container to run as a non-root user. Thanks very much.
I have already tried this action, but there's another command needing root action so I don't want to bug it.

Best regards,
Niaina Rand


@kseniiaguzeeva commented on GitHub (Jun 1, 2021):

With regards to your question about our container, it does not require a root user. In addition, if you meant the CloudBeaver documentation, it is written for a standalone docker, not for the kubernetes.

If you have experienced any problems when you tried to run CloudBeaver, could you please provide me with more details? I will then be able to assess the situation and be able to better help you.


@MartijnVanAndel commented on GitHub (Jun 9, 2021):

I have the same issue: running CloudBeaver on enterprise kubernetes has the following error message:
Error: container has runAsNonRoot and image will run as root

What are UID and PID used to run the container?
Or where can I find the Dockerfile to build the container?


@MartijnVanAndel commented on GitHub (Jun 9, 2021):

I got CloudBeaver running in enterprise Kubernetes, only without persistent storage.
The YAML to run it looks like this:

```
---
apiVersion: v1
kind: Service
metadata:
  name: cloudbeaver
  labels:
    app: cloudbeaver
spec:
  ports:
    - name: cbeaver-http
      protocol: TCP
      port: 8978
      targetPort: 8978
  selector:
    app: cloudbeaver

---
apiVersion: v1
kind: Pod
metadata:
  name: cloudbeaver
  labels:
    app: cloudbeaver
spec:
  containers:
  - name: cloudbeaver
    image: dbeaver/cloudbeaver:latest
    ports:
    - containerPort: 8978
      name: cbeaver-http
    resources:
      limits:
        cpu: "500m"
        memory: "1024Mi"
      requests:
        cpu: "500m"
        memory: "1024Mi"
```

@kseniiaguzeeva commented on GitHub (Jul 8, 2021):

Sorry for the long answer and thank you for the report. We will investigate it to assess the issue.


@pha91 commented on GitHub (Aug 18, 2021):

@MartijnVanAndel
Have you tried to add a new user and run the container as this one?
Just have a look at our fix ;)

```docker
FROM dbeaver/cloudbeaver:21.1.2
RUN addgroup --gid 6000 --system cloudbeaver && adduser --disabled-password --uid 6000 --gid 6000 --gecos '' cloudbeaver
USER 6000
```

After that, we've configured the security context to run as this user:

```
podSecurityContext:
  fsGroup: 6000
  runAsUser: 6000
  runAsGroup: 6000
```

@MartijnVanAndel commented on GitHub (Aug 23, 2021):

> @MartijnVanAndel
> Have you tried to add a new user and run the container as this one?
> Just have a look at our fix ;)

Hi @pha91,

The fix is working out. I got CloudBeaver running with persistent storage as a StatefulSet.
I had to make small adjustments in the image to fix [CVE-2021-33910](https://avd.aquasec.com/nvd/cve-2021-33910).

```
FROM dbeaver/cloudbeaver:21.1.2
RUN addgroup --gid 6000 --system cloudbeaver && adduser --disabled-password --uid 6000 --gid 6000 --gecos '' cloudbeaver
RUN apt-get update && apt-get install -yq --no-install-recommends \
  libsystemd0 \
  libudev1
USER 6000
```

After this I could successfully run CloudBeaver as a StatefulSet on port 8080:

```
---
apiVersion: v1
kind: Service
metadata:
  name: cloudbeaver
  labels:
    app: cloudbeaver
spec:
  ports:
    - name: cbeaver-http
      protocol: TCP
      port: 8080
      targetPort: 8978
  selector:
    app: cloudbeaver
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: cloudbeaver
  labels:
    app: cloudbeaver
spec:
  selector:
    matchLabels:
      app: cloudbeaver
  serviceName: cloudbeaver
  volumeClaimTemplates:
    - metadata:
        name: cloudbeaver-data
        labels:
          app: cloudbeaver
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
  template:
    metadata:
      labels:
        app: cloudbeaver
    spec:
      containers:
      - name: cloudbeaver
        image: _{built_image_from_container_repository}_:latest
        ports:
        - containerPort: 8978
          name: cbeaver-http
        volumeMounts:
        - name: cloudbeaver-data
          mountPath: /opt/cloudbeaver/workspace
        resources:
          limits:
            cpu: "500m"
            memory: "1024Mi"
          requests:
            cpu: "500m"
            memory: "1024Mi"
        securityContext:
          runAsUser: 6000
          runAsGroup: 6000
```

@kseniiaguzeeva commented on GitHub (Apr 13, 2022):

I have noticed that you have not updated your ticket for a long time. If you wish to reopen this ticket, please feel free to contact me.


@DashrathMundkar commented on GitHub (Feb 12, 2024):

Hi, I tried the above solution, but when I start the deployment on Kubernetes I got the below error:

`cannot create regular file 'workspace/GlobalConfiguration/.dbeaver/data-sources.json': Read-only file system` and `Parent of resource: /opt/cloudbeaver/workspace/GlobalConfiguration/.project is marked as read-only`

Anyone faced this issue?


@EvgeniaBzzz commented on GitHub (Feb 12, 2024):

Hi @DashrathMundkar!
To ensure proper functionality of CloudBeaver, it requires write access to the /opt/cloudbeaver/workspace folder and to all child files/folders.


@DashrathMundkar commented on GitHub (Feb 12, 2024):

> Hi @DashrathMundkar! To ensure proper functionality of CloudBeaver, it requires write access to the /opt/cloudbeaver/workspace folder and to all child files/folders.

Do you have any example? I tried this but no success

```
FROM dbeaver/cloudbeaver:23.3.4
USER root
RUN groupadd cloudbeaver
RUN useradd -ms /bin/bash -g cloudbeaver cloudbeaver
RUN chown -R cloudbeaver ./
RUN chmod 777 /
RUN chown -R cloudbeaver /opt/cloudbeaver
RUN chmod 777 /opt/cloudbeaver/workspace
USER cloudbeaver
```

Then in deployment file

```
securityContext:
  runAsUser: 1001
```

still no success
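
An added example, not part of any post in this thread and not CloudBeaver or Kubernetes code: a simplified Python model of how a `runAsNonRoot` policy is evaluated against the image `USER` and the `securityContext` values posted above. It assumes that an image with no `USER` is treated as UID 0; the function names and the scenarios are constructed, and only the first failure message is quoted from the thread.

```python
"""Simplified model of the runAsNonRoot check (constructed for this thread)."""


def parse_image_user(user):
    """Split an image USER value into (uid, name); an unset USER means root."""
    first = (user or "").split(":", 1)[0].strip()
    if not first:
        return 0, None       # assumption: no USER in the image is treated as UID 0
    if first.isdigit():
        return int(first), None
    return None, first       # named user: the UID cannot be read from the image config


def check_non_root(image_user, pod_sc=None, container_sc=None):
    """Return (allowed, effective_uid, reason) for one container.

    Container-level securityContext fields override pod-level ones.
    """
    sc = {**(pod_sc or {}), **(container_sc or {})}
    run_as_user = sc.get("runAsUser")
    uid, name = parse_image_user(image_user)
    effective = run_as_user if run_as_user is not None else uid
    if not sc.get("runAsNonRoot"):
        return True, effective, "runAsNonRoot not requested"
    if run_as_user is not None:
        if run_as_user == 0:
            return False, 0, "runAsUser is 0 while runAsNonRoot is set"
        return True, run_as_user, "runAsUser overrides the image USER"
    if uid == 0:
        # Message quoted in the thread; the other reasons are paraphrased.
        return False, 0, "container has runAsNonRoot and image will run as root"
    if uid is None:
        return False, None, f"image USER {name!r} is not numeric, cannot verify non-root"
    return True, uid, "numeric non-zero USER in image"


# Constructed scenarios based on the images and contexts posted in the thread.
POLICY = {"runAsNonRoot": True}
SCENARIOS = {
    "image without USER, policy only": (None, POLICY, None),
    "USER 6000, policy only": ("6000", POLICY, None),
    "USER 6000 + runAsUser/fsGroup 6000": ("6000", {**POLICY, "runAsUser": 6000, "fsGroup": 6000}, None),
    "USER cloudbeaver, policy only": ("cloudbeaver", POLICY, None),
    "USER cloudbeaver + runAsUser 1001": ("cloudbeaver", POLICY, {"runAsUser": 1001}),
}

if __name__ == "__main__":
    for label, args in SCENARIOS.items():
        print(f"{label}: {check_non_root(*args)}")
```

In the last scenario the container runs as UID 1001 whatever UID `useradd` gave the `cloudbeaver` user in the image, so files chowned to that user are writable only if the two UIDs happen to match.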
