Free database container requires allowPrivilegeEscalation: true in order to run #2948

Open
nicleary opened this issue Mar 21, 2025 · 6 comments

@nicleary

nicleary commented Mar 21, 2025

When running container-registry.oracle.com/database/free:23.7.0.0-amd64 on Kubernetes, with the following manifest:

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: oracle
spec:
  selector:
    matchLabels:
      app: "oracle" # has to match .spec.template.metadata.labels
  serviceName: "oracle"
  replicas: 1 # by default is 1
  minReadySeconds: 10 # by default is 0
  template:
    metadata:
      labels:
        app: "oracle" # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 30
      securityContext:
        runAsNonRoot: true
        fsGroup: 54321
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: oracle-db
        securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 54321
            runAsGroup: 54321
        image: "container-registry.oracle.com/database/free:23.7.0.0-amd64"
        imagePullPolicy: "IfNotPresent"
        ports:
          - containerPort: 1521
          - containerPort: 5500
        volumeMounts:
        - name: datamount
          mountPath: /opt/oracle/oradata
        command: ["/bin/bash", "-c", "/opt/oracle/runOracle.sh"]
        lifecycle:
          preStop:
            exec:
              command: [ "/bin/sh", "-c", "/bin/echo -en 'shutdown abort;\n' | env ORACLE_SID=${ORACLE_SID^^} sqlplus -S / as sysdba" ]
        env:
          - name: ORACLE_SID
            value: "FREE"
          - name: ORACLE_PWD
            value: "password"
  volumeClaimTemplates:
  - metadata:
      name: datamount
    spec:
      accessModes: [ "ReadWriteOncePod" ]
      resources:
        requests:
          storage: "10Gi"

The container fails to start with the following error:

Password: su: Authentication failure.

Removing allowPrivilegeEscalation: false allows startup to complete; however, this is not a viable solution in the environment this image needs to run in. Is there any way around the requirement for privilege escalation?
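
The mechanism behind the error above, as an added diagnostic that is not part of the Oracle image or of any manifest in this thread: allowPrivilegeEscalation: false makes the runtime set the no_new_privs flag on the container process, and with that flag set an execve() of a setuid binary does not raise the caller's uid. The image's startup script then runs su as uid 54321 instead of root, su has to authenticate, and the piped input fails PAM, which is the "Password: su: Authentication failure" line. Dropping all capabilities (the Compose cap_drop: ['ALL'] case) blocks the same step differently: su may become euid 0 but with an empty bounding set it has no CAP_SETUID/CAP_SETGID to switch identities with. The script below reads the relevant fields of /proc/<pid>/status and the mode of the su binary and reports which of these applies. The su path, the use of GNU stat -c, and the --live flag are assumptions of this example; the functions also accept captured status text so they can be run outside the container.

```shell
#!/bin/sh
# Added diagnostic for the su failure discussed in this issue. Not from the
# Oracle image or from the issue authors.
#
#   sh su-diag.sh --live        # inspect the current process inside the container
#
# Assumed location of su in the image; override with SU_BIN=... if it differs.
SU_BIN=${SU_BIN:-/usr/bin/su}

# Print the value of one field ("NoNewPrivs", "CapBnd", ...) from
# /proc/<pid>/status text supplied on stdin.
status_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Print 1 if capability number $2 is present in the hex mask $1, else 0.
cap_in_mask() {
    echo $(( (0x$1 >> $2) & 1 ))
}

# Given a /proc/<pid>/status dump (arg 1) and the octal mode of the su binary as
# printed by `stat -c %a` (arg 2), print the first reason a setuid su cannot
# regain root, or "ok" when nothing in these inputs blocks it. Returns 1 when
# blocked so the script can be used as a readiness check.
why_su_fails() {
    status=$1
    su_mode=$2
    nnp=$(printf '%s\n' "$status" | status_field NoNewPrivs)
    capbnd=$(printf '%s\n' "$status" | status_field CapBnd)
    capbnd=${capbnd:-0}

    # no_new_privs: the kernel keeps the caller's uid across setuid execve().
    if [ "$nnp" = 1 ]; then
        echo "NoNewPrivs=1 (allowPrivilegeEscalation: false): the setuid bit on su is ignored"
        return 1
    fi

    # Without the setuid bit (mode 4xxx) su never becomes root in the first place.
    case $su_mode in
        4???) ;;
        *) echo "su mode $su_mode has no setuid bit"; return 1 ;;
    esac

    # CAP_SETGID is capability 6 and CAP_SETUID is 7 (linux/capability.h).
    # A setuid-root su inherits at most the bounding set, so with these missing
    # (cap_drop: ALL) its setuid()/setgid() calls fail.
    if [ "$(cap_in_mask "$capbnd" 7)" = 0 ] || [ "$(cap_in_mask "$capbnd" 6)" = 0 ]; then
        echo "CapBnd=$capbnd lacks CAP_SETUID or CAP_SETGID: su cannot change uid/gid"
        return 1
    fi
    echo ok
}

# Live mode: inspect the process running this script. Kept behind a flag so the
# functions above can also be applied to status text captured elsewhere.
if [ "${1:-}" = "--live" ] && [ -r /proc/self/status ]; then
    why_su_fails "$(cat /proc/self/status)" "$(stat -c %a "$SU_BIN" 2>/dev/null || echo 0)"
fi
```

Run with --live in a kubectl exec session into the failing pod; with the manifest above it reports NoNewPrivs=1, and with the Compose cap_drop variant it reports the missing capabilities. Note that no_new_privs is inherited across fork and cannot be cleared, so nothing the startup script does can work around it from inside the container.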

@yunus-qureshi
Member

We are not seeing this issue. Which K8s distribution is this? Is this working fine on Docker / Podman?

@nicleary
Author

nicleary commented Mar 24, 2025

> We are not seeing this issue. Which K8s distribution is this? Is this working fine on Docker / Podman?

I'm able to reliably recreate this by using RKE2 v1.31.1 and AKS v1.31.5 using the above manifest.

A similar, but not exactly the same error can be recreated using docker compose, by specifying cap_drop: ['ALL'] in the docker compose manifest. I have not tested on podman.

This error can be seen in docker as:

oracle_db-1     | Password: su: Authentication failure
oracle_db-1     | The Oracle base remains unchanged with value /opt/oracle
oracle_db-1     |
oracle_db-1     | SQL*Plus: Release 23.0.0.0.0 - Production on Mon Mar 24 12:43:13 2025
oracle_db-1     | Version 23.6.0.24.10
oracle_db-1     |
oracle_db-1     | Copyright (c) 1982, 2024, Oracle.  All rights reserved.
oracle_db-1     |
oracle_db-1     | Connected to an idle instance.
oracle_db-1     |
oracle_db-1     | SQL>       ALTER USER SYS IDENTIFIED BY "testing"
oracle_db-1     | *
oracle_db-1     | ERROR at line 1:
oracle_db-1     | ORA-01034: The Oracle instance is not available for use. Start the instance.
oracle_db-1     | Process ID: 0
oracle_db-1     | Session ID: 0 Serial number: 0
oracle_db-1     | Help: https://docs.oracle.com/error-help/db/ora-01034/
oracle_db-1     |
oracle_db-1     |
oracle_db-1     | SQL>       ALTER USER SYSTEM IDENTIFIED BY "testing"
oracle_db-1     | *
oracle_db-1     | ERROR at line 1:
oracle_db-1     | ORA-01034: The Oracle instance is not available for use. Start the instance.
oracle_db-1     | Process ID: 0
oracle_db-1     | Session ID: 0 Serial number: 0
oracle_db-1     | Help: https://docs.oracle.com/error-help/db/ora-01034/
oracle_db-1     |
oracle_db-1     |
oracle_db-1     | SQL>       ALTER SESSION SET CONTAINER=FREEPDB1
oracle_db-1     | *
oracle_db-1     | ERROR at line 1:
oracle_db-1     | ORA-01034: The Oracle instance is not available for use. Start the instance.
oracle_db-1     | Process ID: 0
oracle_db-1     | Session ID: 0 Serial number: 0
oracle_db-1     | Help: https://docs.oracle.com/error-help/db/ora-01034/
oracle_db-1     |
oracle_db-1     |
oracle_db-1     | SQL>       ALTER USER PDBADMIN IDENTIFIED BY "testing"
oracle_db-1     | *
oracle_db-1     | ERROR at line 1:
oracle_db-1     | ORA-01034: The Oracle instance is not available for use. Start the instance.
oracle_db-1     | Process ID: 0
oracle_db-1     | Session ID: 0 Serial number: 0
oracle_db-1     | Help: https://docs.oracle.com/error-help/db/ora-01034/
oracle_db-1     |
oracle_db-1     |
oracle_db-1     | SQL> Disconnected
oracle_db-1     | The Oracle base remains unchanged with value /opt/oracle
oracle_db-1     | #####################################
oracle_db-1     | ########### E R R O R ###############
oracle_db-1     | DATABASE SETUP WAS NOT SUCCESSFUL!
oracle_db-1     | Please check output for further info!
oracle_db-1     | ########### E R R O R ###############
oracle_db-1     | #####################################
oracle_db-1     | The following output is now a tail of the alert.log:
oracle_db-1     | FREEPDB1(3):Opening pdb with Resource Manager plan: DEFAULT_PLAN
oracle_db-1     | 2024-12-16T05:55:51.260880+00:00
oracle_db-1     | Completed: Pluggable database FREEPDB1 opened read write
oracle_db-1     | Completed: ALTER DATABASE OPEN
oracle_db-1     | 2024-12-16T05:55:52.985787+00:00
oracle_db-1     | ===========================================================
oracle_db-1     | Dumping current patch information
oracle_db-1     | ===========================================================
oracle_db-1     | No patches have been applied
oracle_db-1     | ===========================================================

I'm assuming this is the result of this line or the line above it.

Do we have any way around this?

@carlosmartinezmoller

carlosmartinezmoller commented Mar 25, 2025

Hi, I am hitting the same issue:

[root@myhost 23aifree]# kubectl logs oracle23ai-0 --namespace databases-oracle

Password: su: Authentication failure

In my case, setting allowPrivilegeEscalation does not help either.

Starting with podman from user "root" it fails with the same error. Starting with podman from an end-user on my host it works fine.

Thanks

@yunus-qureshi
Member

Can we try by removing runAsNonRoot: true

I think this is preventing the su to root for certain operations needed in the container

@carlosmartinezmoller

carlosmartinezmoller commented Mar 26, 2025

Hi,

I don't know whether these are two separate issues or the same one, but I believe they are the same.

Adding this example in case it helps, because, as mentioned, with podman it fails with the same error.

Here is the error and file used:

Error:

[root@myhost test]# podman-compose up
5732932e549078b93908fdc460b82ac500b6520e17d892e40fed198d4a602854
[oracle] | Password: su: Authentication failure

And as you can see the file used is very simple:

[root@myhost test]# cat docker-compose.yml 
version: '3.0'

services:
  oracle:
    image: container-registry.oracle.com/database/free:latest
    container_name: oracle23aifree
    # Format: container_uid:from_uid:amount
    #x-podman.uidmaps: [0:@10000:10000,54321:@54321:1000]
    #x-podman.gidmaps: [0:@10000:10000,54321:@54321:1000]
    volumes:
      - ./data:/opt/oracle/oradata
    ports:
      - "1521:1521"
      - "5500:5500" # OEM Express
    environment:
      ORACLE_SID: FREE
      ORACLE_PDB: FREEPDB1
      ORACLE_PWD: welcome1
      ENABLE_ARCHIVELOG: false
      ENABLE_FORCE_LOGGING: false
      ORACLE_CHARACTERSET: AL32UTF8

Thanks
Carlos

@nicleary
Author

nicleary commented Apr 2, 2025

> Can we try by removing runAsNonRoot: true
>
> I think this is preventing the su to root for certain operations needed in the container

That is the core of the issue: the container needs to be able to run with runAsNonRoot: true in this environment. It is not possible for us to enable that.
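
Putting the two positions in the thread side by side as an added example (not from the thread, the Oracle image, or Oracle's documentation): the only relaxation reported to work is letting the kernel skip no_new_privs for this one container, i.e. allowPrivilegeEscalation: true, while runAsNonRoot: true and runAsUser: 54321 stay in place so the main process is still unprivileged and only the image's su step gains root. Whether a cluster will accept that depends on the Pod Security Admission level of the namespace: the restricted profile requires allowPrivilegeEscalation: false and capabilities.drop: ["ALL"] on every container, so a namespace enforced at restricted cannot host this image as shipped; baseline does not impose either. The namespace and Secret names and the PSA labels are assumptions of this example, and it does not cover carlosmartinezmoller's rootful podman case, which the thread leaves unresolved.

```yaml
# Added example, not part of the issue or the Oracle image. Names are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: oracle-db
  labels:
    # restricted would reject the StatefulSet below because its container does not
    # set allowPrivilegeEscalation: false and does not drop all capabilities.
    # baseline admits it while still refusing privileged containers, host
    # namespaces and hostPath volumes. warn/audit at restricted keep the gap visible.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: v1
kind: Secret
metadata:
  name: oracle-db-credentials   # assumed name; avoids the literal ORACLE_PWD in the manifest
  namespace: oracle-db
type: Opaque
stringData:
  ORACLE_PWD: "change-me"       # placeholder value
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: oracle
  namespace: oracle-db
spec:
  selector:
    matchLabels:
      app: oracle
  serviceName: oracle
  replicas: 1
  template:
    metadata:
      labels:
        app: oracle
    spec:
      securityContext:
        runAsNonRoot: true        # kept: the database process itself stays uid 54321
        fsGroup: 54321
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: oracle-db
        image: container-registry.oracle.com/database/free:23.7.0.0-amd64
        securityContext:
          runAsUser: 54321
          runAsGroup: 54321
          runAsNonRoot: true
          # The one relaxation the thread reports as necessary. With false the
          # runtime sets no_new_privs and the image's su step cannot become root.
          allowPrivilegeEscalation: true
          # Deliberately no capabilities.drop: ["ALL"]: the thread shows the
          # equivalent cap_drop in Compose also breaks startup.
        ports:
        - containerPort: 1521
        - containerPort: 5500
        env:
        - name: ORACLE_SID
          value: FREE
        - name: ORACLE_PWD
          valueFrom:
            secretKeyRef:
              name: oracle-db-credentials
              key: ORACLE_PWD
        volumeMounts:
        - name: datamount
          mountPath: /opt/oracle/oradata
  volumeClaimTemplates:
  - metadata:
      name: datamount
    spec:
      accessModes: ["ReadWriteOncePod"]
      resources:
        requests:
          storage: 10Gi
```

If the environment cannot move the namespace off restricted, as nicleary describes, the remaining options are outside the manifest: an image that does not need su at startup, or an exemption configured in the admission controller for this workload alone.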


4 participants