When a pipeline step's docker container is running with a non-root user, the error "/bin/sh: can't create /root/.netrc: Permission denied" is returned. Are there any workarounds for this?
This happens when you attempt to use a build image that uses a custom user:
FROM ubuntu
# switching to a non-root user is what triggers the permission error
USER foo
The problem is that Docker volumes, to which Drone writes files, are owned by root. Therefore all of your build images should use the default user (root).
I ran into this today on v0.8.2 as I’m working with a container that uses a non-privileged user. Is the ability to run containers as a custom non-root user on the roadmap? I would think there are security benefits to having this ability. Thanks!
@jesselang this is not something I plan to allocate time towards. From a security perspective I think user namespacing is more interesting, since the container can run as the root user, mapped to an unprivileged user on the host machine.
To quickly summarize, the challenge with non-root users is that docker mounts the volumes as root and every container writes files and folders as root. This means a non-root container introduced into the pipeline would be unable to read the workspace. This has been discussed in the past, and we were never able to come up with a solid solution to this problem that would cover all use cases and corner cases.
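To make the user-namespace mapping mentioned above concrete, here is an added example (not from this thread or from Drone) that computes which host uid a container uid lands on under Docker Engine's userns-remap option. It assumes the single contiguous range that "userns-remap": "default" sets up, and the /etc/subuid line it parses is constructed sample data.

```shell
#!/bin/sh
# Added example: with {"userns-remap": "default"} in /etc/docker/daemon.json,
# dockerd creates a "dockremap" user and takes its uid range from /etc/subuid,
# where each line has the form  name:start:count.  Container uid N is then
# host uid start+N (assuming one contiguous range, which "default" gives).

# Constructed sample of an /etc/subuid line; a real host's values will differ.
SAMPLE_SUBUID_LINE="dockremap:100000:65536"

# map_container_uid LINE CONTAINER_UID
#   Prints the host uid that CONTAINER_UID maps to, or returns 1 when the
#   container uid lies outside the range the line grants.
map_container_uid() {
    line=$1
    cuid=$2
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$cuid" -lt 0 ] || [ "$cuid" -ge "$count" ]; then
        return 1
    fi
    echo $((start + cuid))
}

# The maintainer's point: a process that is root (uid 0) inside the container
# is an unprivileged uid on the host, so files it writes into a mounted volume
# are owned by that remapped uid rather than by host root.
show_mapping() {
    for cuid in 0 1000; do
        huid=$(map_container_uid "$SAMPLE_SUBUID_LINE" "$cuid") || continue
        echo "container uid $cuid -> host uid $huid"
    done
}

show_mapping
```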