Monday, February 12, 2024

[389-users] Re: Fwd: dscontainer as non root

On Mon, Feb 12, 2024 at 5:37 PM Antony Jose <> wrote:
Thanks Viktor for the response. Appreciate it. 
 I have provided an attachment with the details. Dockerfile, kubectl error log and security context construct has been provided.

I am using sles15 bci as base os.  Do we need add 389 user in Dockerfile? 
Please let me know if you want any further information. 

The error:
KeyError: 'getpwuid(): uid not found: 389'
indicates that there is no 389 uid found inside the container.

When the 389-ds package is installed, dirsrv user is created by using systemd-sysusers configuration.
But in SUSE it has no preference and takes the first available uid/gid:

a28855ee79c7:/ # cat /etc/passwd
dirsrv:x:499:486:User for 389 directory server:/var/lib/dirsrv:/sbin/nologin

So in your case dirsrv user has 499 as the uid and 486 as gid.
I don't know how stable these mappings are.
And securityContext accepts these values as int64 only, so it's not possible to specify 'dirsrv' user:

You can add dirsrv user and group with 389 uid/gid before installing 389-ds. And then use 389 as runAsUser and fsGroup values.


On Mon, Feb 12, 2024 at 9:38 PM Viktor Ashirov <> wrote:
Hi Antony,

On Mon, Feb 12, 2024 at 3:37 PM Mark Reynolds <> wrote:

Forwarding to the correct list....

-------- Forwarded Message --------
Subject: dscontainer as non root
Date: Mon, 12 Feb 2024 20:01:09 +0530
From: Antony Jose <>

Can we run dscontainer as non root process. I have deployed dscontainer on k8s cluster as root user. However running as root user is not the best security practice. Is there a tested way we can reliably run ds389 as non root user. I tried tweaking security policies to use a non root user. However, I get errors during dscontainer start up. 
dscontainer certainly can run as non-root user, in the doc that you linked there is a securityContext section with runAsUser and fsGroup values that are set to 389, which is dirsrv user.

Can you share errors that you get?
389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:



No comments:

Post a Comment