
[Enhancement] Running release docker image as non-opensearch(1000) user #3625

Open
Raniz85 opened this issue Jun 12, 2023 · 3 comments
Labels
docker enhancement New Enhancement

Comments

Raniz85 commented Jun 12, 2023

Describe the bug
If you try to run the docker image as a user other than UID 1000 (for example on OpenShift), startup fails with permission denied.

To Reproduce
Run the docker image as an unprivileged user, e.g.

$ podman run --rm -it --user 176000 docker.io/opensearchproject/opensearch:2.7.0@sha256:55f1f67e7d3645aa838b63a589bce5645154ba275814e52d4638d371ca0f8cb5
{"msg":"exec container process `/usr/share/opensearch/./opensearch-docker-entrypoint.sh`: Permission denied","level":"error","time":"2023-06-12T06:02:50.000600385Z"}

Expected behavior
OpenSearch starts successfully

Host/Environment (please complete the following information):
OpenSearch 2.7.0 (sha256:55f1f67e7d3645aa838b63a589bce5645154ba275814e52d4638d371ca0f8cb5)

Tested on:

  • OKD 4.12.0-0.okd-2023-02-18-033438
  • Linux raniz-darter-pro 6.2.6-76060206-generic #202303130630168547333822.04~995127e SMP PREEMPT_DYNAMIC Tue M x86_64 x86_64 x86_64 GNU/Linux
  • podman version 3.4.4

Additional Information
This is due to /usr/share/opensearch having permission 0700:

$ podman run --rm -it --user 176000 docker.io/opensearchproject/opensearch:2.7.0 bash -c 'stat $(pwd)'
  File: '/usr/share/opensearch'
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 68h/104d        Inode: 16810690    Links: 1
Access: (0700/drwx------)  Uid: ( 1000/opensearch)   Gid: ( 1000/opensearch)
Access: 1970-01-01 00:00:00.000000000 +0000
Modify: 2023-04-27 23:13:41.000000000 +0000
Change: 2023-06-09 12:00:31.588927632 +0000
 Birth: -

There are likely more ownership issues to iron out when running as an unprivileged user.
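The failure above comes down to one thing: the entrypoint lives under a directory that only UID 1000 can enter. As an added example, not part of this issue or of the opensearch-build project, here is a small POSIX shell audit that lists every path in a tree that neither its group nor "other" can read (or traverse, for directories), followed by the group-rights fix commonly used for images that must run as an arbitrary UID with GID 0, which is how OpenShift schedules pods. The function names, the constructed sample tree and the `demo` argument are assumptions of this example; at image-build time the `chmod -R g=u` would be paired with `chgrp -R 0` on the same tree, which needs root and is therefore only described in a comment here.

```sh
#!/bin/sh
# Added example, not code from the issue or from the opensearch-build project.
# Audits a directory tree for entries an arbitrary non-owner UID cannot use,
# and applies the "owner rights for the group" fix that, together with
# chgrp -R 0 at image-build time, lets any UID running with GID 0 use the tree.

# list_unreadable DIR: print every path under DIR whose mode denies the
# needed access to BOTH the group and "other":
#   directories need r+x (octal 050 / 005) to be listed and traversed,
#   anything else needs r   (octal 040 / 004) to be read.
# "-perm -MODE" matches when all bits of MODE are set, so "! -perm -050"
# means "group is missing read or execute".
list_unreadable() {
    find "$1" \( -type d ! -perm -050 ! -perm -005 \) \
            -o \( ! -type d ! -perm -040 ! -perm -004 \)
}

# count_unreadable DIR: number of offending paths (0 means every UID that
# shares the files' group, or falls under "other", can use the tree).
count_unreadable() {
    list_unreadable "$1" | wc -l | tr -d ' '
}

# fix_group_rights DIR: give the group exactly the owner's rights
# (0700 -> 0770, 0600 -> 0660). In a Dockerfile this is paired with
# "chgrp -R 0 DIR", which requires root and is therefore not run here, so
# that GID 0 (the group OpenShift assigns to arbitrary UIDs) gets the same
# access as UID 1000.
fix_group_rights() {
    chmod -R g=u "$1"
}

# Optional demonstration on a constructed tree that mirrors the stat output
# in the issue: a 0700 directory holding a 0700 entrypoint script.
if [ "${1-}" = "demo" ]; then
    base=$(mktemp -d)
    chmod 0755 "$base"
    mkdir -m 0700 "$base/opensearch"               # constructed sample
    touch "$base/opensearch/opensearch-docker-entrypoint.sh"
    chmod 0700 "$base/opensearch/opensearch-docker-entrypoint.sh"
    echo "before fix: $(count_unreadable "$base") path(s) unusable by other UIDs"
    list_unreadable "$base"
    fix_group_rights "$base/opensearch"
    echo "after fix:  $(count_unreadable "$base") path(s) unusable by other UIDs"
    rm -rf "$base"
fi
```

Run the script with `demo` as its only argument to see the 0700 directory and its entrypoint reported and then cleared; sourcing the file gives you the three functions for auditing an extracted image filesystem. The check deliberately treats "other" as sufficient too, so a tree that is world-readable (as many base images are) passes without the root-group trick.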

@Raniz85 Raniz85 added bug Something isn't working untriaged Issues that have not yet been triaged labels Jun 12, 2023
@stephen-crawford stephen-crawford added Build Libraries & Interfaces untriaged Issues that have not yet been triaged and removed untriaged Issues that have not yet been triaged bug Something isn't working labels Jun 12, 2023
@dblock dblock transferred this issue from opensearch-project/OpenSearch Jun 13, 2023
gaiksaya (Member) commented

@peterzhuamazon @prudhvigodithi
Can you take a look at this? Looks like we had a similar issue with helm opensearch-project/helm-charts#384

@gaiksaya gaiksaya removed the untriaged Issues that have not yet been triaged label Jun 20, 2023
peterzhuamazon (Member) commented Jun 20, 2023

Hi @Raniz85, we switch to user 1000 here:
https://github.com/opensearch-project/opensearch-build/blob/main/docker/release/dockerfiles/opensearch.al2.dockerfile#L82-L84

In your command, you have --user 176000 specified, so the docker container will run as --user 176000.

Is there a reason you cannot run as user 1000 here?
(Edit: I am not familiar with OpenShift usage, so I am not sure whether it has a function to override this)

Thanks.

peterzhuamazon (Member) commented Jun 20, 2023

This is not a bug but a feature request, which we do not have at the moment.
Though users can either modify the existing image or build a custom one with our docker scripts and files:
https://github.com/opensearch-project/opensearch-build/tree/main/docker/release

Allowing a non-opensearch(1000) user can potentially change the structure of the docker image that we designed.
More research is needed before we can proceed with such a feature.

cc: @bbarani to comment on this one.

Thanks.

@peterzhuamazon peterzhuamazon changed the title [BUG] Docker image needs to be run as UID 1000 [Enhancement] Running release docker image as non-opensearch(1000) user Jun 20, 2023
@bbarani bbarani added the docker label Jul 10, 2023