Java root processes from kafka, controller and invoker

[fmaschler]

With the local deployment of openwhisk I noticed Java processes running as root that come from the docker containers of kafka, controller and invoker. Is this privilege level necessary or just an artifact from the default setup of docker? We want to minimize the root access in production environments.
Let me know if more details of the environment are required or the error lies in our setup.

Environment details:

• local deployment, native ubuntu
• docker 1.12.0, ubuntu 14.04

Steps to reproduce the issue:

1. Run ansible scripts for local deployment
2. a) pgrep -a -u root java
3. b) docker top CONTAINER_ID -u root

Provide the expected results and outputs:

N/A

Provide the actual results and outputs:

a)

4036 /opt/jdk/bin/java -Xmx512m -Xms512m -server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:+DisableExplicitGC -Djava.awt.headless=true -Xloggc:/opt/kafka/bin/../logs/kafkaServer-gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=100M -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dkafka.logs.dir=/opt/kafka/bin/../logs -Dlog4j.configuration=file:/opt/kafka/bin/../config/log4j.properties -cp :/opt/kafka/bin/../libs/aopalliance-repackaged-2.5.0-b05.jar:/opt/kafka/bin/../libs/argparse4j-0.7.0.jar:/opt/kafka/bin/../libs/commons-lang3-3.5.jar:/opt/kafka/bin/../libs/connect-api-0.11.0.1.jar:/opt/kafka/bin/../libs/connect-file-0.11.0.1.jar:/opt/kafka/bin/../libs/connect-json-0.11.0.1.jar:/opt/kafka/bin/../libs/connect-runtime-0.11.0.1.jar:/opt/kafka/bin/../libs/connect-transforms-0.11.0.1.jar:/opt/kafka/bin/../libs/guava-20.0.jar:/opt/kafka/bin/../libs/hk2-api-2.5.0-b05.jar:/opt/kafka/bin/../libs/hk2-locator-2.5.0-b05.jar:/opt/kafka/bin/../libs/hk2-utils-2.5.0-b05.jar:/opt/kafka/bin/../libs/jackson-annotations-2.8.5.jar:/opt/kafka/bin/../libs/jackson-core-2.8.5.jar:/opt/kafka/bin/../libs/jackson-databind-2.8.5.jar:/opt/kafka/bin/../libs/jackson-jaxrs-base-2.8.5.jar:/opt/kafka/bin/../libs/jackson-jaxrs-json-provider-2.8.5.jar:/opt/kafka/bin/../libs/jackson-module-jaxb-annotations-2.8.5.jar:/opt/kafka/bin/../libs/javassist-3.21.0-GA.jar:/opt/kafka/bin/../libs/javax.annotation-api-1.2.jar:/opt/kafka/bin/../libs/javax.inject-1.jar:/opt/kafka/bin/../libs/javax.inject-2.5.0-b05.jar:/opt/kafka/bin/../libs/javax.servlet-api-3.1.0.jar:/opt/kafka/bin/../libs/javax.ws.rs-api-2.0.1.jar:/opt/kafka/bin/../libs/jersey-client-2.24.jar:/opt/kafka/bin/../libs/jersey-common-2.24.jar:/opt/kafka/bin/../libs/jersey-container-servlet-2.24.jar:/opt/kafka/bin/../libs/jersey-container-servlet-core-2.24.jar:/opt/kafka/bin/../libs/jersey-guava-2.24.jar:/opt/kafka/bin/../libs/jersey-media-jaxb-2.24.jar:/opt/kafka/bin/../libs/jersey-server-2.24.jar:/opt/kafka/bin/../libs/jetty-continuation-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-http-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-io-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-security-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-server-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-servlet-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-servlets-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jetty-util-9.2.15.v20160210.jar:/opt/kafka/bin/../libs/jopt-simple-5.0.3.jar:/opt/kafka/bin/../libs/kafka-clients-0.11.0.1.jar:/opt/kafka/bin/../libs/kafka-log4j-appender-0.11.0.1.jar:/opt/kafka/bin/../libs/kafka-streams-0.11.0.1.jar:/opt/kafka/bin/../libs/kafka-streams-examples-0.11.0.1.jar:/opt/kafka/bin/../libs/kafka-tools-0.11.0.1.jar:/opt/kafka/bin/../libs/kafka_2.12-0.11.0.1-sources.jar:/opt/kafka/bin/../libs/kafka_2.12-0.11.0.1-test-sources.jar:/opt/kafka/bin/../libs/kafka_2.12-0.11.0.1.jar:/opt/kafka/bin/../libs/log4j-1.2.17.jar:/opt/kafka/bin/../libs/lz4-1.3.0.jar:/opt/kafka/bin/../libs/maven-artifact-3.5.0.jar:/opt/kafka/bin/../libs/metrics-core-2.2.0.jar:/opt/kafka/bin/../libs/osgi-resource-locator-1.0.1.jar:/opt/kafka/bin/../libs/plexus-utils-3.0.24.jar:/opt/kafka/bin/../libs/reflections-0.9.11.jar:/opt/kafka/bin/../libs/rocksdbjni-5.0.1.jar:/opt/kafka/bin/../libs/scala-library-2.12.2.jar:/opt/kafka/bin/../libs/scala-parser-combinators_2.12-1.0.4.jar:/opt/kafka/bin/../libs/slf4j-api-1.7.25.jar:/opt/kafka/bin/../libs/slf4j-log4j12-1.7.25.jar:/opt/kafka/bin/../libs/snappy-java-1.1.2.6.jar:/opt/kafka/bin/../libs/validation-api-1.1.0.Final.jar:/opt/kafka/bin/../libs/zkclient-0.10.jar:/opt/kafka/bin/../libs/zookeeper-3.4.10.jar kafka.Kafka /opt/kafka/config/server.properties
4906 /usr/lib/jvm/java-8-oracle/bin/java -Djava.security.egd=file:/dev/./urandom -Xmx2g -XX:+CrashOnOutOfMemoryError -XX:+UseGCOverheadLimit -XX:ErrorFile=/logs/java_error.log -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/logs -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/root/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/root/jmxremote.access -Djava.rmi.server.hostname=controller0 -Dcom.sun.management.jmxremote.rmi.port=16000 -Dcom.sun.management.jmxremote.port=15000 -Dakka.remote.netty.tcp.bind-hostname=172.17.0.7 -Dakka.actor.provider=cluster -Dakka.remote.netty.tcp.bind-port=2551 -Dakka.remote.netty.tcp.hostname=172.17.0.1 -Dakka.remote.netty.tcp.port=8000 -Dkamon.statsd.port=8125 -Dlogback.log.level=INFO -Dwhisk.kafka.replication-factor=1 -Dwhisk.kafka.topics.completed.retention-bytes=104857600 -Dwhisk.kafka.topics.completed.retention-ms=300000 -Dwhisk.kafka.topics.health.retention-bytes=104857600 -Dwhisk.kafka.topics.health.retention-ms=300000 -Dwhisk.loadbalancer.blackbox-fraction=0.1 -Dwhisk.loadbalancer.invoker-busy-threshold=16 -Dwhisk.runtimes.bypass-pull-for-local-images=True -Dwhisk.spi.LogStoreProvider=whisk.core.containerpool.logging.DockerToActivationLogStoreProvider -Dwhisk.transactions.stride=1 -classpath /controller/lib/akka-slf4j_2.11-2.5.6.jar:/controller/lib/snakeyaml-1.15.jar:/controller/lib/akka-cluster_2.11-2.5.4.jar:/controller/lib/agrona-0.9.5.jar:/controller/lib/reactive-streams-1.0.1.jar:/controller/lib/kubernetes-client-2.5.7.jar:/controller/lib/scala-parser-combinators_2.11-1.0.4.jar:/controller/lib/okio-1.13.0.jar:/controller/lib/jackson-annotations-2.7.0.jar:/controller/lib/commons-io-2.6.jar:/controller/lib/jnr-ffi-2.1.2.jar:/controller/lib/automaton-1.11-8.jar:/controller/lib/config-1.3.1.jar:/controller/lib/zjsonpatch-0.3.0.jar:/controller/lib/generex-1.0.1.jar:/controller/lib/kafka-clients-0.11.0.1.jar:/controller/lib/scala-library-2.11.11.jar:/controller/lib/akka-http_2.11-10.0.10.jar:/controller/lib/jnr-x86asm-1.0.2.jar:/controller/lib/akka-actor_2.11-2.5.6.jar:/controller/lib/log4j-over-slf4j-1.7.25.jar:/controller/lib/slf4j-api-1.7.25.jar:/controller/lib/akka-stream-alpakka-file_2.11-0.15.jar:/controller/lib/jul-to-slf4j-1.7.13.jar:/controller/lib/netty-3.10.6.Final.jar:/controller/lib/httpclient-4.4.1.jar:/controller/lib/asm-5.0.3.jar:/controller/lib/akka-stream_2.11-2.5.6.jar:/controller/lib/HdrHistogram-2.1.9.jar:/controller/lib/akka-http-core_2.11-10.0.10.jar:/controller/lib/openwhisk-controller-1.0.0-SNAPSHOT.jar:/controller/lib/logback-classic-1.2.3.jar:/controller/lib/jackson-dataformat-yaml-2.7.7.jar:/controller/lib/validation-api-1.1.0.Final.jar:/controller/lib/akka-distributed-data_2.11-2.5.4.jar:/controller/lib/openwhisk-common-1.0.0-SNAPSHOT.jar:/controller/lib/pureconfig-macros_2.11-0.9.0.jar:/controller/lib/asm-tree-5.0.3.jar:/controller/lib/commons-codec-1.9.jar:/controller/lib/pureconfig_2.11-0.9.0.jar:/controller/lib/macro-compat_2.11-1.1.1.jar:/controller/lib/java-uuid-generator-3.1.3.jar:/controller/lib/kamon-statsd_2.11-0.6.7.jar:/controller/lib/jcl-over-slf4j-1.7.25.jar:/controller/lib/scala-xml_2.11-1.0.5.jar:/controller/lib/kubernetes-model-1.1.0.jar:/controller/lib/asm-commons-5.0.3.jar:/controller/lib/logging-interceptor-3.8.1.jar:/controller/lib/scala-reflect-2.11.11.jar:/controller/lib/kamon-core_2.11-0.6.7.jar:/controller/lib/akka-protobuf_2.11-2.5.4.jar:/controller/lib/ssl-config-core_2.11-0.2.2.jar:/controller/lib/jnr-constants-0.9.6.jar:/controller/lib/commons-collections-3.2.2.jar:/controller/lib/lmdbjava-0.0.5.jar:/controller/lib/snappy-java-1.1.2.6.jar:/controller/lib/lz4-1.3.0.jar:/controller/lib/jsr305-3.0.2.jar:/controller/lib/okhttp-3.8.1.jar:/controller/lib/akka-remote_2.11-2.5.4.jar:/controller/lib/akka-parsing_2.11-10.0.10.jar:/controller/lib/caffeine-2.4.0.jar:/controller/lib/logback-core-1.2.3.jar:/controller/lib/akka-http-spray-json_2.11-10.0.10.jar:/cont
5767 /usr/lib/jvm/java-8-oracle/bin/java -Xmx2g -XX:+CrashOnOutOfMemoryError -XX:+UseGCOverheadLimit -XX:ErrorFile=/logs/java_error.log -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/root/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/root/jmxremote.access -Djava.rmi.server.hostname=172.17.0.1 -Dcom.sun.management.jmxremote.rmi.port=18000 -Dcom.sun.management.jmxremote.port=17000 -Dkamon.statsd.port=8125 -Dlogback.log.level=INFO -Dwhisk.container-factory.container-args.network=bridge -Dwhisk.kafka.replication-factor=1 -Dwhisk.kafka.topics.invoker.retention-bytes=104857600 -Dwhisk.kafka.topics.invoker.retention-ms=300000 -Dwhisk.runtimes.bypass-pull-for-local-images=True -Dwhisk.spi.LogStoreProvider=whisk.core.containerpool.logging.DockerToActivationLogStoreProvider -classpath /invoker/lib/akka-slf4j_2.11-2.5.6.jar:/invoker/lib/snakeyaml-1.15.jar:/invoker/lib/reactive-streams-1.0.1.jar:/invoker/lib/kubernetes-client-2.5.7.jar:/invoker/lib/scala-parser-combinators_2.11-1.0.4.jar:/invoker/lib/okio-1.13.0.jar:/invoker/lib/jackson-annotations-2.7.0.jar:/invoker/lib/zookeeper-3.4.11.jar:/invoker/lib/commons-io-2.6.jar:/invoker/lib/curator-client-4.0.0.jar:/invoker/lib/automaton-1.11-8.jar:/invoker/lib/config-1.3.1.jar:/invoker/lib/zjsonpatch-0.3.0.jar:/invoker/lib/generex-1.0.1.jar:/invoker/lib/kafka-clients-0.11.0.1.jar:/invoker/lib/scala-library-2.11.11.jar:/invoker/lib/akka-http_2.11-10.0.10.jar:/invoker/lib/akka-actor_2.11-2.5.6.jar:/invoker/lib/log4j-over-slf4j-1.7.25.jar:/invoker/lib/slf4j-api-1.7.25.jar:/invoker/lib/akka-stream-alpakka-file_2.11-0.15.jar:/invoker/lib/jul-to-slf4j-1.7.13.jar:/invoker/lib/httpclient-4.4.1.jar:/invoker/lib/guava-20.0.jar:/invoker/lib/akka-stream_2.11-2.5.6.jar:/invoker/lib/HdrHistogram-2.1.9.jar:/invoker/lib/akka-http-core_2.11-10.0.10.jar:/invoker/lib/logback-classic-1.2.3.jar:/invoker/lib/jackson-dataformat-yaml-2.7.7.jar:/invoker/lib/validation-api-1.1.0.Final.jar:/invoker/lib/openwhisk-common-1.0.0-SNAPSHOT.jar:/invoker/lib/pureconfig-macros_2.11-0.9.0.jar:/invoker/lib/openwhisk-invoker-1.0.0-SNAPSHOT.jar:/invoker/lib/commons-codec-1.9.jar:/invoker/lib/pureconfig_2.11-0.9.0.jar:/invoker/lib/macro-compat_2.11-1.1.1.jar:/invoker/lib/java-uuid-generator-3.1.3.jar:/invoker/lib/kamon-statsd_2.11-0.6.7.jar:/invoker/lib/jcl-over-slf4j-1.7.25.jar:/invoker/lib/scala-xml_2.11-1.0.5.jar:/invoker/lib/kubernetes-model-1.1.0.jar:/invoker/lib/logging-interceptor-3.8.1.jar:/invoker/lib/netty-3.10.5.Final.jar:/invoker/lib/scala-reflect-2.11.11.jar:/invoker/lib/kamon-core_2.11-0.6.7.jar:/invoker/lib/ssl-config-core_2.11-0.2.2.jar:/invoker/lib/audience-annotations-0.5.0.jar:/invoker/lib/commons-collections-3.2.2.jar:/invoker/lib/snappy-java-1.1.2.6.jar:/invoker/lib/lz4-1.3.0.jar:/invoker/lib/jsr305-3.0.2.jar:/invoker/lib/okhttp-3.8.1.jar:/invoker/lib/akka-parsing_2.11-10.0.10.jar:/invoker/lib/caffeine-2.4.0.jar:/invoker/lib/logback-core-1.2.3.jar:/invoker/lib/akka-http-spray-json_2.11-10.0.10.jar:/invoker/lib/curator-framework-4.0.0.jar:/invoker/lib/shapeless_2.11-2.3.2.jar:/invoker/lib/scala-java8-compat_2.11-0.7.0.jar:/invoker/lib/curator-recipes-4.0.0.jar:/invoker/lib/jackson-module-jaxb-annotations-2.7.5.jar:/invoker/lib/spray-json_2.11-1.3.3.jar:/invoker/lib/scala-compiler-2.11.11.jar:/invoker/lib/jackson-databind-2.7.7.jar:/invoker/lib/jackson-core-2.7.7.jar:/invoker/lib/httpcore-4.4.1.jar:/invoker/ext-lib/*:/invoker/config whisk.core.invoker.Invoker 0

b)

PID                 TTY                 TIME                CMD
4906                ?                   12:24:48            java

[rabbah]

See #3579 (comment)

EDIT: related to #3746.

[fmaschler]

This is exactly what I was looking for! I searched the issues before but not PR's... I will follow the discussion. Though it's not a duplicate as the same applies to invoker and kafka.