Add support for nonroot OCI images #1077
Just ran into this issue while attempting to use a Kitten is designed to build/run in an unprivileged account and will actually fail if it isn't. This feature would mean I could use Woodpecker on my project :) Thank you for making/sharing Woodpecker + I hope to be able to play with it in the future :)
I tried my own unprivileged container images and ran into this as well. Dockerfile contents for the unprivileged user:

```dockerfile
# Create unprivileged user
ARG user_id=1000
ARG user_name=ci
RUN useradd -d /home/$user_name -m -u $user_id -s /bin/bash $user_name
# Create base directory for Drone/Woodpecker with correct owner
RUN install -d -o $user_name /drone /woodpecker
USER $user_name
# FIXME: overridden by woodpecker
ENV HOME=/home/$user_name
WORKDIR /home/$user_name
```

To use such an image I added an initial command to reset HOME based on the user that is currently executing processes in the container:

```yaml
pipeline:
  check:
    image: debian-customized:bullseye-slim
    commands:
      - export HOME="$(getent passwd $(id -u) | cut '-d:' -f6)"
      - env | sort
```
#1032 is the groundwork to fix this ... and other stuff
I recently also ran into this issue as well with a custom image that uses a non-root user. The information from this comment was helpful in figuring out that I needed to update the HOME environment variable. I want to add that I found out the files and folders are also owned by root, so if you try to modify or create files it will give a If your user in the container doesn't have sudo access then you will need to use another image that defaults to root. The pipeline:

```yaml
pipeline:
  fix-ownership:
    image: ubuntu
    commands: chown -R 1000:1000 .
  build:
    image: my-non-root-image
    commands:
      - export HOME="$(getent passwd $(id -u) | cut '-d:' -f6)"
      - make build
```
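The workaround in the comments above (reset HOME from the passwd entry of the running uid, fix workspace ownership first) can be folded into one preflight step. This is an added example, not code from the Woodpecker project or from any commenter; it goes a bit further than the one-liner by handling a uid with no passwd entry (common in minimal images, where the one-liner would leave HOME empty) and by checking workspace ownership up front so the job fails with a clear message. The function names and the fallback to the workspace as HOME are my own choices.

```sh
#!/bin/sh
# Added example, not code from the Woodpecker project: a preflight step for
# pipelines that run as a non-root user. It generalizes the HOME workaround
# quoted in the thread and checks workspace ownership up front, so a job
# fails with a clear message instead of a confusing permission error.

# resolve_home UID: print the home directory recorded for UID, or nothing
# if UID has no passwd entry (common in minimal/distroless images).
# Falls back to /etc/passwd when getent is not installed.
resolve_home() {
    entry="$(getent passwd "$1" 2>/dev/null || awk -F: -v u="$1" '$3 == u' /etc/passwd)"
    printf '%s\n' "$entry" | cut -d: -f6
}

# workspace_writable DIR: succeeds only if DIR exists and this process can
# write to it (for root, -w is always true, so the check only bites for
# unprivileged uids, which is exactly the case this thread is about).
workspace_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# preflight [DIR]: export a usable HOME and verify DIR (default: $PWD) is
# writable. Returns 1 if the workspace is not writable by the current uid.
preflight() {
    ws="${1:-$PWD}"
    uid="$(id -u)"
    home="$(resolve_home "$uid")"
    if [ -z "$home" ]; then
        # The thread's one-liner would leave HOME empty here; use the
        # workspace instead so tools that write to $HOME still work.
        echo "uid $uid has no passwd entry; using $ws as HOME" >&2
        home="$ws"
    fi
    HOME="$home"
    export HOME
    if ! workspace_writable "$ws"; then
        owner="$(ls -ldn "$ws" 2>/dev/null | awk '{print $3}')"
        echo "workspace $ws is not writable by uid $uid (owned by uid ${owner:-?})" >&2
        echo "add a fix-ownership step or run a root image for this job" >&2
        return 1
    fi
    return 0
}
```

Run it as the first command of the non-root step (`preflight "$CI_WORKSPACE"` or simply `preflight`); when it returns 1 the build stops before any tool hits the root-owned files.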
Another report here: https://codeberg.org/Codeberg-CI/feedback/issues/141

It'd be great if a helm installation for k8s allows non-root volumes too. Right now

The file permissions on the volume(s) are the blocking issue here ... my thought: would setting acls that just enforce similar to

What's the state here? I also have permission problems with this image cimg/android:2024.04.1 while writing a file. Will this be merged/fixed soon or should I search for a not rootless image? Or what is the recommended workaround?

See the linked PR. You can already use it via tag Note that doing so will update your DB schema version (if you're still on 2.7.1) which means you can't go back afterwards.
Clear and concise description of the problem

I want to build my software using pipelines that use nonroot images, as my builds do not require root.
But Woodpecker today is very much built around the assumption that builds are done as root, for example hardcoding
HOME=/root
in the environment, and setting the permissions of the workspace to require root.

Suggested solution

Add something like
and then set up the permissions and home directory appropriately based on the image configuration.
Alternative
No response
Additional context
No response