Run rootless docker image in jobs steps (OD-899)
matias blanco opened 3 years ago

Hi Robin,

I configure pipelines and see that if I use a rootless Docker image, the jobs fail.

Is it possible to add an option to use a rootless Docker image (for security reasons)?

[attached screenshot: imagen.png]

  • Robin Shen commented 3 years ago

    OneDev does not support rootless mode yet. I am changing this to an improvement request.

  • Robin Shen changed fields 3 years ago
    Type changed from 'Discussion' to 'Improvement'
  • Robin Shen changed state from 'Open' to 'Closed' 3 years ago
  • Robin Shen commented 3 years ago

    This is now possible as of build #3680 by specifying the appropriate docker sock path in the 'more settings' section of a docker executor.

  • Daniel Kollmannsberger commented 3 years ago

    I have the same problem while using a Kubernetes executor. Is there any advice?

  • Robin Shen commented 3 years ago

    This feature is not available for the k8s executor. Does k8s even have a rootless option to run a pod?

  • Daniel Kollmannsberger commented 3 years ago

    Yes, Kubernetes does provide functionality for this. If I'm not wrong, just change the /root/auth-info/ dir to the current user and change the working directory to /tmp or the user home with rwx perms. Alternatively you can add another functionality where your init container modifies the rwx permissions in the original container.

    But the first option is way better and more secure. Tell me if you need some help on the Kubernetes side ;)

  • Daniel Kollmannsberger changed state from 'Closed' to 'Open' 3 years ago
  • Daniel Kollmannsberger commented 3 years ago

    I'm missing all the time to open this issue, in this one.

  • Robin Shen commented 3 years ago

    Thanks for the info. Running as a normal user inside the container needs some substantial changes to the OneDev CI process.

    My understanding is that as long as the docker daemon itself runs as a normal user, it is safe even if OneDev runs as root inside the container (and all files it creates/touches will be owned by the normal user on the host machine).

  • Daniel Kollmannsberger commented 3 years ago

    Yes, but host and container share the same kernel. As an example, take a simple database. It mounts persistent folders from the host system. Writing is allowed on both sides. The container runs inside with user root (postgres process) and modifies data. The host system sees: GID/UID 0:0 (typical root) modified data in this mounted dir. If you now spin this backwards:

    You mounted a folder from host to container. The folder you mounted is, as an example, /etc. This folder is by default for root only (0rw:0rw). Your process inside the container runs as a non-root user. Then the process is not permitted to read this file.

    --> Permission denied.

    Always run with the lowest required privileges ;)

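Added example, not OneDev's code and not from anyone in this thread: a small simulation of the user-namespace UID mapping that rootless Docker sets up, to make the two comments above concrete. "root" inside a job container is really the unprivileged host user that runs the daemon, so files it creates land on the host owned by that user; the same mapping is why a root-owned host file bind-mounted into the container shows up as an unmapped "nobody" id and is denied even to container root. The host user `ci` (uid 1000), its `/etc/subuid` entry and the file modes are constructed assumptions, and the permission check is a simplification that ignores groups and ACLs.

```python
# Added example (not OneDev code): simulate the user-namespace UID mapping that
# rootless Docker sets up, to show what "files end up owned by the normal user
# on the host" and "permission denied on a bind-mounted root-owned file" mean.
from dataclasses import dataclass
from typing import List

# Kernel "overflow" id: how an id with no mapping in the namespace appears.
OVERFLOW_UID = 65534

# Assumed host user running the rootless daemon and a constructed /etc/subuid.
HOST_USER = "ci"
HOST_UID = 1000
SAMPLE_SUBUID = "ci:100000:65536\nalice:165536:65536\n"


@dataclass(frozen=True)
class IdMap:
    """One line of /proc/<pid>/uid_map: container_start host_start length."""
    container_start: int
    host_start: int
    length: int


def build_uid_map(subuid_text: str, user: str, host_uid: int) -> List[IdMap]:
    """Rootless Docker maps container uid 0 to the daemon user's own uid and
    container uids 1..N onto the user's subordinate range from /etc/subuid."""
    maps = [IdMap(container_start=0, host_start=host_uid, length=1)]
    for line in subuid_text.splitlines():
        name, start, length = line.strip().split(":")
        if name == user:
            maps.append(IdMap(1, int(start), int(length)))
    return maps


def default_map() -> List[IdMap]:
    """Mapping for the assumed host user above (convenience for callers)."""
    return build_uid_map(SAMPLE_SUBUID, HOST_USER, HOST_UID)


def container_to_host(uid: int, maps: List[IdMap]) -> int:
    """Host uid that owns a file created by `uid` inside the container."""
    for m in maps:
        if m.container_start <= uid < m.container_start + m.length:
            return m.host_start + (uid - m.container_start)
    return OVERFLOW_UID


def host_to_container(uid: int, maps: List[IdMap]) -> int:
    """How a host-owned file's uid looks from inside the container;
    unmapped host ids (real root included) show up as the overflow id."""
    for m in maps:
        if m.host_start <= uid < m.host_start + m.length:
            return m.container_start + (uid - m.host_start)
    return OVERFLOW_UID


def can_read(owner_host_uid: int, mode: int, proc_uid: int, maps: List[IdMap]) -> bool:
    """Simplified DAC check for a bind-mounted host file read by a container
    process (groups and ACLs ignored). Container root only overrides the
    permission bits of files whose owner is mapped into its namespace."""
    owner = host_to_container(owner_host_uid, maps)
    if proc_uid == 0 and owner != OVERFLOW_UID:
        return True                     # CAP_DAC_OVERRIDE applies
    if proc_uid == owner:
        return bool(mode & 0o400)       # owner read bit
    return bool(mode & 0o004)           # "other" read bit


if __name__ == "__main__":
    m = default_map()
    print("container root creates files as host uid", container_to_host(0, m))
    print("container uid 1000 creates files as host uid", container_to_host(1000, m))
    print("container root reads host /etc/shadow (root, 0640)?", can_read(0, 0o640, 0, m))
    print("container root reads host /etc/hosts (root, 0644)?", can_read(0, 0o644, 0, m))
```

The two halves of the thread's argument fall out of the same table: with the daemon running as `ci`, a job running as container root writes host files owned by uid 1000, while a host file owned by real root and mode 0640 stays unreadable because uid 0 on the host has no entry in the container's map, so the container's "root" gets only the "other" bits.
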
  • Robin Shen commented 3 years ago

    Thanks for detailed info. Will investigate more on this.

  • Daniel Kollmannsberger commented 3 years ago

    Much appreciated! I can give you more details if you need them.

  • Robin Shen referenced this from another issue 2 years ago
  • OneDev changed state from 'Open' to 'Closed' 2 years ago
  • OneDev commented 2 years ago

    State changed as code fixing the issue was committed (6ff40b2c)

  • OneDev changed state from 'Closed' to 'Released' 2 years ago
  • OneDev commented 2 years ago

    State changed as build #4781 is successful

Type: Improvement
Priority: Normal
Assignee:
Issue Votes: 0
Watchers: 5
Reference: OD-899