#899  Run rootless docker image in jobs steps
Open
matias blanco opened 1 year ago

Hi Robin,

I configure pipelines and see that if I use a rootless docker image, the jobs fail.

Is it possible to add the option to use a rootless docker image (for security reasons)?


Robin Shen commented 1 year ago

OneDev does not support rootless mode yet. I am changing this as an improvement request.

Robin Shen changed fields 1 year ago
Type: Discussion -> Improvement
Robin Shen changed state to 'Closed' 9 months ago
State: Open -> Closed
Robin Shen commented 9 months ago

This is now possible in build #3680 by specifying an appropriate docker sock path in the "more settings" of a docker executor.

Daniel Kollmannsberger commented 9 months ago

I have the same problem while using a kubernetes executor. Is there any advice?

Robin Shen commented 9 months ago

This feature is not available for the k8s executor. Does k8s even have a rootless option to run pods?

Daniel Kollmannsberger commented 8 months ago

Yes, kubernetes does provide functionality for this. If I'm not wrong, just change the /root/auth-info/ dir to the current user & change the working directory to /tmp or the user home with rwx perms. Alternatively, you can add another functionality where your init container modifies the rwx permissions in the original container.

But the first option is way better & more secure. Tell me if you need some help on the kubernetes side ;)
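As an added illustration of the first option described above (not OneDev's own executor manifest, and not code posted in this thread): a Pod spec that runs the job container as an unprivileged user with a writable home directory and /tmp, so nothing needs to live under /root. The image name, the UID/GID 1000 and the /home/ci path are assumptions.

```yaml
# Added example. Image, UID/GID and mount paths are assumptions chosen
# to illustrate the pattern, not values taken from OneDev.
apiVersion: v1
kind: Pod
metadata:
  name: ci-job-nonroot-example
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start a container whose UID is 0
    runAsUser: 1000           # assumed unprivileged UID baked into the image
    runAsGroup: 1000
    fsGroup: 1000             # volumes below become writable for GID 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: job
    image: ci-agent:example   # assumed image name
    workingDir: /home/ci      # writable user home instead of /root
    env:
    - name: HOME
      value: /home/ci
    securityContext:
      allowPrivilegeEscalation: false   # no setuid/cap gain via execve
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: home
      mountPath: /home/ci     # per-user auth/working data goes here, not /root/auth-info
    - name: tmp
      mountPath: /tmp
  volumes:
  - name: home
    emptyDir: {}
  - name: tmp
    emptyDir: {}
```

With `runAsNonRoot: true` and dropped capabilities, a job that tries to write under a root-only path fails at startup or with "Permission denied" instead of silently running as UID 0, which is the behaviour the rest of this thread discusses.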

Daniel Kollmannsberger changed state to 'Open' 8 months ago
State: Closed -> Open
Daniel Kollmannsberger commented 8 months ago

I'm missing all the time to open this issue, in this one.

Robin Shen commented 8 months ago

Thanks for the info. Running as a normal user inside the container needs some substantial changes to the OneDev CI process.

My understanding is that as long as the docker daemon itself runs as a normal user, it is safe even if OneDev runs as root inside the container (and all files it creates/touches will be owned by the normal user on the host machine).

Daniel Kollmannsberger commented 8 months ago

Yes, but host and container share the same kernel. Take a simple database as an example. It mounts persistent folders from the host system. Writing is allowed on both sides. The container runs inside with user root (the postgres process) and modifies data. The host system sees: GID/UID 0:0 (typical root) modified data in this mounted dir. If you now spin this backwards:

You mounted a folder from host to container. The folder you mounted is, as an example, /etc. This folder is by default for root only, 0rw:0rw. Your process inside the container runs as a nonroot user. Then the process is not permitted to read this file.

--> Permission denied.

Always run with the lowest required privileges ;)

Robin Shen commented 8 months ago

Thanks for the detailed info. Will investigate more on this.

Daniel Kollmannsberger commented 8 months ago

Much appreciated! I can give you more details if you need them.

Robin Shen referenced from other issue 2 months ago
Type: Improvement
Priority: Normal
Assignee: (none)
Issue Votes (0)
Watchers (5)
Reference: onedev/server#899