Skip to content

Security Hardening: run DataNode fully non-root#109

Open
monrax wants to merge 1 commit into
mainfrom
datanode-sec-ctx
Open

Security Hardening: run DataNode fully non-root#109
monrax wants to merge 1 commit into
mainfrom
datanode-sec-ctx

Conversation

@monrax

@monrax monrax commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Important

⚠️ Depends on a released image
Depends on Graylog2/graylog-docker#306 being merged. It adds support for optionally running the datanode container as non-root. Once merged, this requires a DataNode image whose entrypoint supports GDN_RUN_AS_NONROOT. On older images the container must still start as root and override datanode.podSecurityContext / datanode.containerSecurityContext accordingly.

Do not merge until graylog-docker #306 has landed in a released image, and confirm the 7.1 version reference (in the README and commit) matches the actual release.

Summary

Locks the DataNode down to the same restricted posture as the Graylog application: fully non-root, all capabilities dropped. This builds on the security hardening merged in #100.

Details

  • datanode.podSecurityContext``: adds runAsUser: 999, runAsGroup: 999, runAsNonRoot: true(keepsfsGroup: 999+OnRootMismatch+seccompProfile`).
  • datanode.containerSecurityContext: drops the entire capability add list (CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID) so it's now drop: [ALL] only, plus runAsNonRoot: true.
  • set GDN_RUN_AS_NONROOT=true so the entrypoint skips its root-only chown/setpriv path and relies on fsGroup for volume ownership.
  • Updates the DataNode unit tests and the README Hardened Environments section.

PR Checklist

Please check the items that apply to your change.

  • Tests added/updated
  • Documentation updated
  • This PR includes a new feature
  • This PR includes a bugfix
  • This PR includes a refactor

Testing Checklist

Static Validation

  • Linter check passes: helm lint ./charts/graylog
  • Helm renders local template sucessfully: helm template graylog ./charts/graylog --validate
  • All unit tests pass: helm unittest ./charts/graylog

Installation

  • Fresh installation completes successfully: helm install graylog ./charts/graylog
  • All pods reach Running state: kubectl rollout status statefulset/graylog
  • Helm tests pass: helm test graylog

Functional (if applicable)

  • Web UI accessible and login works
  • DataNodes visible in System > Cluster Configuration
  • Inputs can be created and receive data

Upgrade (if applicable)

  • Upgrade from previous release succeeds
  • Scaling up/down works correctly
  • Configuration changes apply correctly

Specific to this PR

  • Fresh installation completes successfully with new image and default datanode securityContext
  • DataNode pods reach Running state as non-root (uid 999)
  • DataNodes visible in System > Data Nodes
  • Installation still completes successfully with old image and previously-required datanode securityContext (add CHOWN, DAC_OVERRIDE, FOWNER, SETUID, SETGID capabilities, allow running as root)

Notes for reviewers

  • Verify all applicable tests above pass
  • Validate that the linked issues are no longer reproducible, if applicable
  • Sync up with the author before merging
  • The commit history should be preserved - use rebase-merge or standard merge options when applicable

Now that the data-chown init container is gone and the entrypoint can
take a non-root startup path (graylog-docker #306), lock the datanode
down to the same posture as the Graylog app:

- podSecurityContext: runAsUser/runAsGroup 999 + runAsNonRoot
- containerSecurityContext: drop ALL capabilities (no more CHOWN,
  DAC_OVERRIDE, FOWNER, SETUID, SETGID) and runAsNonRoot
- set GDN_RUN_AS_NONROOT=true so the entrypoint skips its root-only
  chown/setpriv path and relies on fsGroup for volume ownership

Requires a datanode image whose entrypoint supports GDN_RUN_AS_NONROOT
(graylog-datanode 7.1+); older images must still run as root.

Updates the datanode unit tests and the README "Hardened Environments"
section accordingly.

Co-Authored-By: Claude Opus 4.8 (1M context) <[EMAIL_ADDRESS_REDACTED]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant