feat!: allow docker image use for non-root users #122
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The minimum supported CLI version is currently v3.8.0-rc2 and enough time has passed that CLI versions prior to v2.2.0 are no longer expected to exist in the wild. That is when the Phylum config and binary paths changed, to adhere to the XDG Base Directory Spec. This change removes support for use of these legacy CLI version paths. BREAKING CHANGE: CLI installs prior to v2.2.0 are no longer supported.
This change should make it easier to update the minimum supported CLI versions as they progress and make changes that require different minimum versions for both new and existing installations.
The Dockerfile has been updated to install the `phylum` package in a Python virtual environment, which is accessible by non-root users of the image. The `phylum-init` script was updated to provide a hidden option for installing the CLI in a globally accessible directory. That option is meant to be used in very limited circumstances, namely the Dockerfile for image creation. Closes #118
kylewillmon
approved these changes
Sep 14, 2022
kylewillmon
referenced
this pull request
Oct 17, 2023
Some tools get installed and used based on a home directory. This can cause trouble when using a container started from this image with a UID:GID that does not map to a user/group account in the container. Examples include: * The install directory is `/root` and the container user has no access * The tool relies on a $HOME directory, which may not exist * https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15 The following tools are susceptible to this issue and therefore have been provided with explicit install/home directories that allow them to be globally accessible: * Corepack, Yarn, and pnpm * Rust, Cargo, and rustup * Gradle This issue was first discovered by @marvin-hansen and documented here: #310 (comment) In that case, GitHub Actions was used and it was found that `HOME` is [overridden for containers](actions/runner#863) and set to `/github/home`, which is a directory that is unknown during image creation. Instead of attempting to create a custom solution for GitHub Actions specifically, the solution presented here is meant to be useful for any environment that starts a container from the `phylum-ci` image. Since there are many CI environments already supported, each with their own methods of running containers, this approach was deemed to be the most prudent. Tests have been added to ensure all the required tools can function when a container is started from the `phylum-ci` image with a user that is unknown to that image and therefore does not have a `$HOME` directory.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The Dockerfile has been updated to install the
phylumpackage in aPython virtual environment, which is accessible by non-root users of the
image. These changes were inspired by the Python
blackproject, whichdid basically the same thing: psf/black#3202
The
phylum-initscript was updated to provide a hidden optionfor installing the CLI in a globally accessible directory. That option
is meant to be used in very limited circumstances, namely the Dockerfile
for image creation.
The minimum supported CLI version is currently v3.8.0-rc2 and enough
time has passed that CLI versions prior to v2.2.0 are no longer expected
to exist in the wild. That is when the Phylum config and binary paths
changed, to adhere to the XDG Base Directory Spec. This change removes
support for use of these legacy CLI version paths.
Some refactoring was done to make it easier to update the minimum
supported CLI versions as they progress and make changes that require
different minimum versions for both new and existing installations.
BREAKING CHANGE: CLI installs prior to v2.2.0 are no longer supported.
Closes #118
Checklist
TestGHAHave you created sufficient tests?Screenshots
Both
rootand non-root users have access to thephylum-ciandphylumbinaries now:rootcan continue to usephylum-cibut non-root users must have an corresponding user account created in the container layer to work:Using this image in Azure Pipelines, where the user
vsts_azpcontaineris created during Job provisioning and used...successfully this time to runphylum-ci: