munnerz/kube-plex

kube-plex runs transcode as root, not plex UID/GID.

Opened this issue · 6 comments

As far as I can figure out, the elastic-transcoding pod gets started by the kube-plex shim with the entrypoint overridden as the call to the transcoder, not the normal PMS entrypoint [0]. This makes sense, as we don't want to run the whole server, just the transcode job. Additionally, the plex user in the transcode pod is the default, not whatever's been passed via PLEX_UID/PLEX_GID to the PMS pod. (The plex user is altered to match these variables during the first-time setup of the PMS container [1].)

This means that the transcoder is running as root, while plex might be running as some other user.

This breaks using remote NFS PVs for persistent transcode storage, as the transcode pod attempts to access the mount using the root user, which might be (for the sake of security) mapped to another user/nobody on the NFS server side.

Somehow, we need to modify the plex user and group within the transcode pod to match the values the server is running, and start the transcode job running as that user.

I have some experimental code [2] to do this, by modifying the entrypoint of the transcode pod to usermod/groupmod the plex user to the provided values, and su the transcode command to be run as that user, but it seems mildly prone to breakage, since in order to run multiple commands as the entrypoint I had to set bash as the entrypoint.

I'm happy to work on a solution, if anyone has any recommendations for a less brittle way to implement this. (Init containers?)
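A less brittle form of the usermod/su entrypoint described in the opening post, as an added example that is not kube-plex's code or the fork's: a script file set as the transcode pod's entrypoint that validates PLEX_UID/PLEX_GID, refuses uid 0, re-maps the plex account and execs the transcoder as that user with its argv intact. It assumes a Debian/Ubuntu-based image with usermod, groupmod and su present, a user and group both named plex, and that the shim forwards PLEX_UID and PLEX_GID into the transcode pod's environment.

```shell
#!/bin/sh
# Entrypoint for the transcode pod (added example, not kube-plex's code).
# Assumes a Debian/Ubuntu-based image with usermod, groupmod and su, a
# user and group both named "plex", and PLEX_UID/PLEX_GID in the pod env.
set -eu

PLEX_USER="${PLEX_USER:-plex}"   # account name; assumed image default

# Accept only a plain numeric id and never 0: the whole point is not root.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
        0)           return 1 ;;   # refuse to run the transcoder as root
        *)           return 0 ;;
    esac
}

# Re-map the plex account to the PMS pod's ids; no-op when already aligned.
# -o allows a non-unique id in case the target id already exists in the image.
align_plex_account() {
    uid="$1"; gid="$2"
    if [ "$(id -g "$PLEX_USER")" != "$gid" ]; then
        groupmod -o -g "$gid" "$PLEX_USER"
    fi
    if [ "$(id -u "$PLEX_USER")" != "$uid" ]; then
        usermod -o -u "$uid" -g "$gid" "$PLEX_USER"
    fi
}

main() {
    [ "$#" -gt 0 ] || { echo "usage: $0 <transcoder> [args...]" >&2; exit 2; }
    valid_id "${PLEX_UID:-}" || { echo "PLEX_UID missing, non-numeric or 0" >&2; exit 1; }
    valid_id "${PLEX_GID:-}" || { echo "PLEX_GID missing, non-numeric or 0" >&2; exit 1; }
    align_plex_account "$PLEX_UID" "$PLEX_GID"
    # exec so signals and the exit status reach the transcoder. The argv is
    # handed to su's shell as positional parameters, so nothing is re-quoted
    # into a single -c string (the brittle part of an inline bash entrypoint).
    exec su -s /bin/sh "$PLEX_USER" -c 'exec "$0" "$@"' -- "$@"
}

# Act only when run as the container entrypoint; sourcing the file for tests
# then leaves /etc/passwd untouched.
case "${0##*/}" in
    transcode-entrypoint.sh) main "$@" ;;
esac
```

Because a missing or zero PLEX_UID aborts before usermod runs, a misconfigured pod fails closed instead of silently transcoding as root against the NFS mount.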

Hi JSteeleIR,

Did you manage to make this work? I applied your commit to mine. A transcode pod gets spun up but it shows loads of connection errors.

NAME READY STATUS RESTARTS AGE
plex-kube-plex-865dcfc6b9-87c2d 1/1 Running 0 26m
pms-elastic-transcoder-7k5t9 1/1 Running 0 7m27s

For example:

[http @ 0x7f7ad0002840] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x7f7ad01685a0] Connection to tcp://127.0.0.1:32400 failed: Connection refused
Clipping frame in rate conversion by 0.022346
[http @ 0x1f1d6e0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x1f0cb20] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[libx264 @ 0x20f9ba0] frame=30324 QP=22.18 NAL=2 Slice:P Poc:38  I:266  P:562  SKIP:27   size=15659 bytes
[http @ 0x202e1e0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x1f4f880] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[hevc @ 0x211a5a0] nal_unit_type: 1(TRAIL_R), nuh_layer_id: 0, temporal_id: 0
[http @ 0x7f7ae002b5c0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x7f7ae0003160] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[hevc @ 0x211a5a0] Output frame with POC 30349.
[http @ 0x7f7ae017a7a0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x7f7ae00022e0] Connection to tcp://127.0.0.1:32400 failed: Connection refused

I am using this NFS-client in hopes to use my existing library on my NAS.

EDIT: Fixed the above problem. I had the wrong IP subnet in the "List of IP addresses and networks that are allowed without auth". It seems my set-up is working now with NFS.

Hey zenety,

Glad to hear you got it working!

Those logs initially make me think that maybe the arg rewrite in [0] isn't replacing the localhost parameter with the pmsInternalAddress. But you say that setting the 'allowed without auth' subnet fixed the problem?

Hi,

I have the same error in output but the transcoding works. Output:

http @ 0x2d9fe80] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x2e971c0] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[http @ 0x2ef1c60] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[http @ 0x1b35f40] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x2eb4780] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[http @ 0x2ef1c60] request: PUT /video/:/transcode/session/xxxxxxxxxxxxxxxxxx/c379054f-2297-4aa2-95a8-28b5fcf652d0/progress?progress=0.8&size=-22&remaining=156&vdec_packets=246&vdec_sw_ok=236&speed=7.1&vdec_hw_status=0 HTTP/1.1
User-Agent: Lavf/57.72.100
Accept: */*
Range: bytes=0-
Connection: close
Host: plex-kube-plex:32400
Icy-MetaData: 1
X-Plex-Token: XXXXXXXXXXXXXXXXX

[http @ 0x2062960] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x2064340] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[AVIOContext @ 0x2ea45c0] Statistics: 83 bytes read, 0 seeks
[http @ 0x2eadee0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x1b2ad60] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[h264 @ 0x1d36dc0] nal_unit_type: 1, nal_ref_idc: 0
[http @ 0x7f7cc02d4980] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x7f7cc004d920] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[libx264 @ 0x1aa5600] frame= 200 QP=18.73 NAL=3 Slice:I Poc:0   I:1170 P:0    SKIP:0    size=27319 bytes
[http @ 0x30449a0] Setting default whitelist 'http,https,tls,rtp,tcp,udp,crypto,httpproxy'
[tcp @ 0x2f84400] Connection to tcp://127.0.0.1:32400 failed: Connection refused
[AVIOContext @ 0x2d86000] Statistics: 0 seeks, 1 writeouts

Do you have any idea?

Edit: not related to your changes, I have the same error with the original code.

I'm getting this same error from the original code and the patched commit you did. I exec'ed into the container and was able to curl my machine's address, but 127.0.0.1 doesn't seem to respond.

Haven't had a whole lot of time to loop back to this lately, but hoping to get back to it sometime soon.

@djerfy Any chance that setting the "list of IP addresses and networks that are allowed without auth" that @zenety mentioned above solves the problem? It's interesting that transcoding works, even with the error messages. I wonder if this loopback connection might just be used for debug logging or something, though that definitely also occurs as part of the "transcode status" conversation that [0] sets up for by rewriting the args passed to the transcode binary.

@Stackout Which container did you exec into? The PMS one or the transcode-generated one?

Hi! I'm also having some of the same issues as some of you have. Curling 127.0.0.1:32400 from kube-plex gives me an unauthorized error; the transcoder, however, gets a connection refused at 127.0.0.1:32400. Curling the node IP of kube-plex from the transcoder works fine with no authorization errors.

My helm setup looks like this:
helm install ./charts/kube-plex --name plex --set claimToken=claim-XXXX --set service.type=LoadBalancer --set persistence.data.claimName=nfs-pvc-movies --set persistence.transcode.claimName=nfs-pvc-transcode --set persistence.transcode.enabled=true --namespace default

I've tried setting the plex authorized networks to 0.0.0.0/0 with no luck.

Transcoding was working yesterday, but I think the last plex update broke something. I used the same exact helm command.

This is with JSteeleIR's fork of the repo, as I am using NFS mounts.
Hope I can help in some way.