Commit
fix: container tools broken without a home
Some tools get installed and used based on a home directory. This can cause trouble when using a container started from this image with a UID:GID that does not map to a user/group account in the container. Examples include:

* The install directory is `/root` and the container user has no access
* The tool relies on a `$HOME` directory, which may not exist
* https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15

The following tools are susceptible to this issue and therefore have been provided with explicit install/home directories that allow them to be globally accessible:

* Corepack, Yarn, and pnpm
* Rust, Cargo, and rustup
* Gradle

This issue was first discovered by @marvin-hansen and documented here: #310 (comment)

In that case, GitHub Actions was used and it was found that `HOME` is [overridden for containers](actions/runner#863) and set to `/github/home`, which is a directory that is unknown during image creation. Instead of attempting to create a custom solution for GitHub Actions specifically, the solution presented here is meant to be useful for any environment that starts a container from the `phylum-ci` image. Since there are many CI environments already supported, each with their own methods of running containers, this approach was deemed to be the most prudent.

Tests have been added to ensure all the required tools can function when a container is started from the `phylum-ci` image with a user that is unknown to that image and therefore does not have a `$HOME` directory.
91627e7
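As an added illustration of the pattern the commit message describes (this is not the `phylum-ci` Dockerfile, which the page does not show), the fragment below contrasts `$HOME`-relative installs with explicit, globally accessible directories; the base image, tool versions, and directory names are assumptions.

```dockerfile
# Added illustration, not the phylum-ci Dockerfile. Base image, versions and paths are assumptions.
FROM node:20-bookworm-slim

# --- Fragile: installers default to $HOME, which is /root at build time. A container started
# later as a UID:GID unknown to the image cannot read /root and has no $HOME, so the binaries
# are unreachable or the tool aborts while trying to create its own state directory.
#
#   RUN curl -sSf https://sh.rustup.rs | sh -s -- -y   # lands in /root/.cargo and /root/.rustup
#   RUN corepack enable                                # downloads package managers under ~/.cache

# --- Fixed: pin each tool's install and state directory to a world-accessible path and put
# the binaries on PATH, so nothing is resolved relative to $HOME at runtime.
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    COREPACK_HOME=/usr/local/corepack \
    GRADLE_USER_HOME=/usr/local/gradle \
    PATH=/usr/local/cargo/bin:$PATH

RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl \
    && rm -rf /var/lib/apt/lists/*

# rustup honours RUSTUP_HOME/CARGO_HOME; --no-modify-path skips editing /root's shell profile.
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
    | sh -s -- -y --no-modify-path --profile minimal

# Corepack shims go to an explicit directory, and the package managers it downloads land in
# COREPACK_HOME instead of a per-user cache.
RUN corepack enable --install-directory /usr/local/bin \
    && corepack prepare pnpm@latest --activate \
    && corepack prepare yarn@stable --activate

# Any user, including one with no passwd entry, must be able to read the toolchains and write
# their caches (cargo registry, corepack downloads, gradle caches). World-writable toolchains
# mean any process in the container can tamper with them: fine for a throwaway CI container,
# not for a long-lived service image.
RUN mkdir -p "$GRADLE_USER_HOME" \
    && chmod -R a+rwX "$RUSTUP_HOME" "$CARGO_HOME" "$COREPACK_HOME" "$GRADLE_USER_HOME"

# Check from the host, mirroring the test the commit describes: a UID:GID the image knows
# nothing about and a HOME that does not exist inside the container.
#   docker run --rm --user 12345:12345 -e HOME=/nonexistent <image> \
#       sh -c 'cargo --version && rustup --version && pnpm --version && yarn --version'
```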
@maxrake I think the officially accepted solution is to add a non-root user during the build stage, copy the gid/uid to the final stage, and switch to the non-root user for binary execution.
At least that's what we did for production Kubernetes deployments.
Docker docs
https://www.geeksforgeeks.org/docker-user-instruction/
Example docker file
https://github.com/bjornmolin/rust-minimal-docker/blob/master/Dockerfile
Note, the user is added in line 5

```dockerfile
RUN groupadd -g 10001 -r dockergrp && useradd -r -g dockergrp -u 10001 dockeruser
```

and the config is copied over in line 29 with the user switch in line 30.

```dockerfile
COPY --from=0 /etc/passwd /etc/passwd
USER dockeruser
```

That way, you prevent the problem of missing gid/uid altogether while running the final binary as non-root.
This unfortunately does not completely solve the problem for our usage, because we support things like Azure Pipelines, which creates a new user in the container at runtime (an annoying design decision... but we cannot change it). See #122 and related for some history.

For this reason, `phylum-ci` attempts to support running as any arbitrary user.