docker runner assumes root

My container was built to start with a non root user instead of root. However the runner wants to access /builds in the container and the container's user doesn't have access. Not sure what to do as I don't want to rebuild my image with root access only.

[[runners]]
  name = "puppet38"
  url = "https://ci.gitlab.com/"
  token = "supersecrettoken"
  limit = 0
  executor = "docker"
  [runners.docker]
    image = "logicminds/centos-puppetdev:latest3.8.x"
    privileged = false
    volumes = ["/cache"]

gitlab-ci-multi-runner 0.4.2 (1e86428)
Using Docker executor with image logicminds/centos-puppetdev:latest3.8.x ...
mkdir: cannot create directory '/builds/logicminds/profiles': Permission denied
bash: line 5: /builds/logicminds/profiles.sh: Permission denied

Build failed with exit code 1

How do you change the user to non-root in build container?

You just put USER username in the dockerfile.

https://docs.docker.com/reference/run/#user

Below is my dockerfile https://registry.hub.docker.com/u/logicminds/centos-puppetdev/dockerfile/

Thanks. I'll look into. Give me some time.

I would be great if I had the ability to specify where the /builds directory is created.

More info about what I am doing can be found here:

http://logicminds.github.io/blog/2015/05/28/leveraging-docker-for-puppet-development/

We really need to change this. We had several issues running npm, bower, grunt as root. actually i change the user manually in my .gitlab-ci.yml file, because otherwise i need to add some parameters --allow_root, ...

Milestone changed to v0.5.0

switching user also kills all the set env variables, which is also very bad. so for allowing non-root containers

@cosman2001 It's possible, by specifying the builds_dir parameter: https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/docs/configuration/advanced-configuration.md#the-runners-section

@cosman2001 Did you use git clone or git fetch setting in CI configuration?

I did not use git clone or git fetch in my CI config.
However, my rake spec task does use git clone to pull down a bunch of repositories for testing, which some of these repositories are private and require a key.

Here is where the rake task comes from. https://github.com/puppetlabs/puppetlabs_spec_helper#fixtures-examples

@cosman2001 Can you check this: https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/issues/75#note_1624319?

I'm looking into user permission problem.

@cosman2001 This is hard thing to do with docker, unfortunately.

What you can do is to add this to your Dockerfile:

RUN mkdir -p /builds && chown nobody /builds
USER nobody

This basically will create directory with proper permission and build will work OK.

i created a new docker image with a /build folder as you suggested. Even if i give this folder the permission of chmod 777 /build it fails with the error:

gitlab-ci-multi-runner 0.4.2 (1e86428)
Using Docker executor with image my-centos:7 ...
mkdir: cannot create directory '/builds/daniel.widerin/my.project': Permission denied
bash: line 5: /builds/daniel.widerin/my.project.sh: Permission denied

Build failed with exit code 1

@widerin /build => /builds

ah, you're right, was a typo, the directory is called /builds, but issue is still there.

It's strange. Can you share Dockerfile that allows to reproduce the issue?

Ok. It can also be that VOLUME for git fetch is created for /builds/daniel.widerin/my.project.

What do you mean with VOLUME, is the checkout volume linked? can you guide me to the code fragment which instanciates the docker container, maybe i can find the exact issue easier.

BTW, starting a docker container of the given image succeeds, and since i assign 777 as permission i have no clue how this error can happen:

[gitlab_ci_multi_runner@runner ~]$ docker run -it my-centos:7
[somebody@f0ea2cf20dd8 ~]$ pwd
/builds
[somebody@f0ea2cf20dd8 ~]$ ls -la .
total 24
drwxrwxrwx  3 somebody somebody 4096 Jul 16 12:34 .
drwxr-xr-x 18 root     root     4096 Jul 16 12:49 ..
-rwxrwxrwx  1 somebody somebody   18 Mar  5 22:06 .bash_logout
-rwxrwxrwx  1 somebody somebody  193 Mar  5 22:06 .bash_profile
-rwxrwxrwx  1 somebody somebody  231 Mar  5 22:06 .bashrc
drwx------  2 somebody root     4096 Jul 16 12:34 .ssh

Dockerfile is here: https://gist.github.com/saily/4943db90ec12ab20a5f5

I think part of the problem is that you placed USER somebody at the bottom of the dockerfile. You need to place it around line 56 and then all the chowning and chmoding is not necessary because it is created under the user.

https://docs.docker.com/reference/builder/#user

@widerin Thanks for posting that. I'll test it and try to resolve your issue before releasing 0.5.0.

@ayufan where exactly is the ci code that checksout the repo under /builds. I could probably figure out the issue as well if I knew where to look.

It's not problem of checkout, it's problem with running docker container and adding volumes: https://gitlab.com/gitlab-org/gitlab-ci-multi-runner/blob/master/executors/docker/executor_docker.go#L162

@cosman2001 @widerin I did it! No more hacks are required in Dockerfile. The /builds/group-name will have chmod 777 when creating cache container, that cache container is then attached to build container. Please upgrade to bleeding edge and test if it works ok. It effectively resolves the issue for me.

This applies to all cache containers.

@ayufan The chmod 777 doesn't happen if your project is set up to use git clone. So I did this in my dockerfile:

RUN useradd -ms /bin/bash cirunner
RUN mkdir /builds && chown cirunner:cirunner /builds
USER cirunner

This way git clone works, but it did not work when I switched back to git fetch. I think that's because the cache container already had the project build directory and it belonged to root. I cleared the cache containers like this, and now it works.

@nkovacs Yes, it happens. Did you install latest bleeding edge release?

Ah. Yes, clearing cache is required. It's done automatically with .deb/.rpm package.

I made a test script which shows the permissions of the directories, and tried it out with the git clone and git fetch setting on CI. This was the result:

git fetch

Fetching changes...
Checking out a2ae6440 as master...

$ ./run_tests.sh
root
/builds/n.kovacs/ci_test
drwxr-xr-x 3 root root 4096 Jul 17 13:45 /builds
total 4
drwxrwxrwx 3 root root 4096 Jul 17 13:33 n.kovacs

git clone

Cloning repository...
Cloning into '/builds/n.kovacs/ci_test'...
Checking out a2ae6440 as master...

$ ./run_tests.sh
root
/builds/n.kovacs/ci_test
drwxr-xr-x 3 root root 4096 Jul 17 13:45 /builds
total 4
drwxr-xr-x 3 root root 4096 Jul 17 13:45 n.kovacs

Does it even mount the cache volume if you select git clone? It doesn't make sense to mount it, since you want to start with an empty directory.

After the change to the dockerfile, it looks like this in case of git fetch:

drwxr-xr-x 3 cirunner cirunner 4096 Jul 17 14:39 /builds
drwxrwxrwx 3 root root 4096 Jul 17 14:24 n.kovacs

And like this in case of git clone:

drwxr-xr-x 3 cirunner cirunner 4096 Jul 17 14:38 /builds
drwxr-xr-x 3 cirunner cirunner 4096 Jul 17 14:38 n.kovacs

So this suggests that it only mounts the cache volume if you use git fetch, and it becomes root:root because of that (/builds is still cirunner:cirunner).

Ok. I see the problem.

Thanks, it's fixed and will be deployed to bleeding edge within a few minutes.

So I can remove the mkdir + chown from the dockerfile? If I just leave USER cirunner in there, will it be able to write to /builds?

@cosman2001 the complexity of my Dockerfile comes from ADD command of docker, because all added files are owned by root by default, even if you add them after setting a user by a USER command.

So if you want to copy a key inside your image, i did not found a simpler way to do so than chown and chmod the keyfile, any suggestions?

@nkovacs Yes, but you still need to point to existing user. So you may require to run useradd.

@widerin You could inject it into build scripts:

before_script:
- echo $SSH_PRIVATE_KEY > ~/.ssh/id_rsa
- chmod 0600 ~/.ssh/id_rsa

Currently there's no other way around this :(

Status changed to closed

mentioned in issue #263 (closed)

Is there a way yet to change the user outside of the Dockerfile? I'm using an official Dockerfile from the registry, and I don't have the ability to change it.

@DaAwesomeP if this Dockerfile gives you root permissions you can switch to any user you want in your test script by using su - <username>. Anyway, this is not related to this issue.

@widerin that doesn't seem to work. This:

 - id -u "ci" &>/dev/null || useradd "ci" 
 - su - ci
 - whoami

Results in:

$ id -u "ci" &>/dev/null || useradd "ci"
$ su - ci
$ whoami
root

I think that the su instance simply ends.

While it is clunky, this worked:

  - id -u "ci" &>/dev/null || useradd "ci"
  - mkdir /home/ci && chown ci /home/ci
  - su "ci" -c "npm i --loglevel warn"

mentioned in issue #2330