Using drone as non-root user

Hello,
I have been using Drone for a year on an enterprise on-premise Kubernetes environment; it works very well, and I love the possibility of having my whole CI/CD pipeline call containerized images. I understand that all images have to be run as the root user: the master, the runner and the images called within steps. I did some tries to use non-root, but I noticed that when Drone calls an image, all folders appear as owned by “root”, even if they are not (if I launch the same Docker image with Docker directly rather than Drone, I see my folders owned, for example, by git in my alpine-git image, in my /home/git folder).

I have some security considerations regarding root usage. My Drone CI solution has to pass Clair CVE scanners and I must use a non-root user to validate it.
So I have a big question for you, and I’m scared I know the answer: is it possible to launch drone-master, drone-runner and all images called in the pipeline as a non-root user?

Thank you for your attention.

Drone clones all source code to a volume that is shared by all pipeline containers. Docker does not support mounting volumes as non-root, which causes significant issues when trying to use non-root users with Drone (they cannot read or write volumes, and therefore cannot access the cloned code), which is the reason Drone runs as root by default. See https://github.com/moby/moby/issues/2259

However, the good news is that Docker has a setting that allows you to globally map root users to non-root users at the docker daemon level with userns remapping. This is your best (and only) option. You can read more about this here:
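As an added illustration of the userns-remap option above (example code, not from the thread or the Drone project), the arithmetic between uids seen inside a remapped container and the host uids that really own the files, using a constructed /etc/subuid sample with Docker's default dockremap user:

```python
"""Added illustration (not from the thread) of Docker userns-remap arithmetic:
the daemon maps container uids onto a block of host uids from /etc/subuid, so
"root" inside a pipeline container is an unprivileged high uid on the host."""

# Constructed sample /etc/subuid: Docker's default "dockremap" user owns 65536
# host ids starting at 100000, i.e. host uids 100000..165535.
SUBUID_SAMPLE = """\
dockremap:100000:65536
drone:165536:65536
"""


def parse_subid(text):
    """Parse /etc/subuid (or /etc/subgid) lines into {user: (start, count)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        table[user] = (int(start), int(count))
    return table


def container_to_host_uid(container_uid, user, table):
    """Host uid that owns files written by `container_uid` inside a container
    remapped onto `user`'s range. Container root (0) lands on `start`, never 0."""
    start, count = table[user]
    if not 0 <= container_uid < count:
        raise ValueError(f"uid {container_uid} is outside the {count}-id range of {user}")
    return start + container_uid


def host_to_container_uid(host_uid, user, table):
    """Reverse mapping. Returns None for host uids outside the range: inside the
    container such files show up as the kernel overflow uid (65534 by default),
    which is why a host-root-owned volume is unusable from a remapped container."""
    start, count = table[user]
    if start <= host_uid < start + count:
        return host_uid - start
    return None


if __name__ == "__main__":
    table = parse_subid(SUBUID_SAMPLE)
    print("container root (0) -> host uid", container_to_host_uid(0, "dockremap", table))
    print("container uid 1500 -> host uid", container_to_host_uid(1500, "dockremap", table))
    print("host root (0) -> container uid", host_to_container_uid(0, "dockremap", table))
```

The same mapping applies to gids via /etc/subgid, so a volume that Drone populates as container root is owned on the host by the first id of the range, not by host root.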

Hi,

Thank you for your quick reply, I apologize for my slow one :wink:
I understand that it is not impossible to launch the drone binary as a non-root user, and if it works, the Docker images spawned by Drone should not be mounted/run as root but as the user I used to exec the drone binary. Am I right?

My plan:
First step: I have to test the drone-master behaviour when using a non-root user. I will add a user called “drone” to the Docker image and give it full chmod/chown rights on /bin.
Second step: I will load this image in my Kubernetes environment and watch what happens.

Best regards

Hi,

I succeeded in using a non-root user if I disable the default clone step and make a custom one, using an updated drone/git image:

$ docker build -t docker.company.net/drone/git_testuser_app:1.0.0 - << 'EOF'
FROM drone/git:linux-amd64

# Create an unprivileged user with a fixed uid (1500) so the workspace owner is predictable
RUN adduser -s /bin/sh -D -u 1500 testuser
# Create the workspace base directory, owned by that user
RUN install -d -o testuser -g testuser /app

# Run the clone (and everything else in this image) as testuser
USER testuser:testuser
EOF

And update the .drone.yml like this:

---
kind: pipeline
name: backend3

workspace:
  base: /app

clone:
  disable: true

steps:
  - name: clone
    image: docker.company.net/drone/git_testuser_app:1.0.0
    environment:
      # https://github.com/drone-runners/drone-runner-docker/blob/master/engine/compiler/clone.go#L32
      PLUGIN_DEPTH: 1
      #GIT_SSL_NO_VERIFY: true
      #PLUGIN_SKIP_VERIFY: true

  - name: build
    image: docker.company.net/backend/py3_tester:1.0.2
    commands:
      - build/install-test-reqs.sh
      - pip install -e .
      - build/lint-and-test.sh

In this case the /app folder is owned by testuser and every step can use it as a non-root user with id 1500.

IMHO it is a good option, too.