Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: operate with non-root container user #519

Closed
wants to merge 1 commit into from
Closed

feat: operate with non-root container user #519

wants to merge 1 commit into from
+50 −0

Conversation

maxrake
Copy link
Contributor

@maxrake maxrake commented Dec 26, 2024
edited
Loading

This change updates the phylum-ci Docker images to operate with a non- root user. This works (assuming the changes from #518) for most of the CI environments but GitHub directly contradicts this course of action, specifying that:

Docker actions must be run by the default Docker user (root). Do not
use the USER instruction in your Dockerfile, because you won't be able
to access the GITHUB_WORKSPACE directory.

It is possible to work around this restriction albeit in a hacky manner. Creating an image with the same runner user, with the same UID, will satisfy GitHub and ensure the user information matches between the running container and the host OS (which is also in a container). This is not fool-proof because the UID for the runner user is different depending on the GitHub-hosted runner in use (e.g., standard vs. large) and there is no guarantee that the user name or ID will remain consistent. The docker group is used to further match the configuration from the actions-runner-dind image.

References:
https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/ https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user https://github.com/orgs/community/discussions/26811 actions/runner-images#6930 actions/runner#2411
https://github.com/actions/actions-runner-controller/blob/1e10417be8341df564a11abc970fe8f41a3b102c/runner/actions-runner-dind.ubuntu-22.04.dockerfile#L36

Needs #518

BREAKING CHANGE: GitHub container jobs will not work until the container
options are updated to specify options: --user=root

BREAKING CHANGE: The GitHub action and GitHub container steps no longer support providing analysis results of just the newly added dependencies. The --all-deps flag must be specified for these CI environments.

Testing

Testing with an image created with the changes here showed that #518 is needed for some of the CI environments (e.g., Bitbucket). Testing with the GitHub options (action, container steps, and container jobs) revealed a number of limitations:

  • GitHub container job does not appear to work at all with the non-root user
    • It only works after specifying options: --user=root with the container options
  • Both GitHub action and container step options work with the image, but fail when only considering newly added dependencies (e.g., --all-deps NOT specified)
    • The git worktree can't be created due to not having permission to write/create .git/worktree directory
    • This limitation has not been addressed in this PR and would need to be before merging
image

@maxrake maxrake self-assigned this Dec 26, 2024
@maxrake maxrake requested a review from a team as a code owner December 26, 2024 20:37
@maxrake maxrake mentioned this pull request Dec 26, 2024
Closed
@maxrake
feat: operate with non-root container user
f534758 
This change updates the `phylum-ci` Docker images to operate with a non-
root user. This works (assuming the changes from #518) for most of the
CI environments but GitHub directly contradicts this course of actions,
specifying that:

> Docker actions must be run by the default Docker user (root). Do not
> use the USER instruction in your Dockerfile, because you won't be able
> to access the GITHUB_WORKSPACE directory.

It is possible to work around this restriction albeit in a hacky manner.
Creating an image with the same `runner` user, with the same UID, will
satisfy GitHub and ensure the user information matches between the
running container and the host OS (which is also in a container). This
is not fool-proof because the UID for the `runner` user is different
depending on the GitHub-hosted runner in use (e.g., standard vs. large)
and there is no guarantee that the user name or ID will remain
consistent. The `docker` group is used to further match the
configuration from the `actions-runner-dind` image.

References:
https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/
https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user
https://github.com/orgs/community/discussions/26811
actions/runner-images#6930
actions/runner#2411
https://github.com/actions/actions-runner-controller/blob/1e10417be8341df564a11abc970fe8f41a3b102c/runner/actions-runner-dind.ubuntu-22.04.dockerfile#L36

Needs #518

BREAKING CHANGE: GitHub container jobs will not work until the container
options are updated to specify `options: --user=root`

BREAKING CHANGE: The GitHub action and GitHub container steps no longer
support providing analysis results of just the newly added dependencies.
The `--all-deps` flag must be specified for these CI environments.
@maxrake maxrake requested a review from louislang December 26, 2024 20:54
@maxrake
Copy link
Contributor Author

maxrake commented Dec 26, 2024

An offline discussion with @louislang resulted in the decision to abandon the effort to provide a phylum-ci Docker image with a non-root user. The reasons are documented in this PR, both in the description and the code changes/comments. This PR will serve as justification for the decision and also be available for resurrecting the effort should a future situation call for it.

@maxrake maxrake closed this Dec 26, 2024
@maxrake maxrake deleted the noroot branch December 26, 2024 20:55
@maxrake maxrake mentioned this pull request Dec 26, 2024
Merged
maxrake added a commit that referenced this pull request Jan 2, 2025
@maxrake
feat: ensure git repository access as prerequisite (#518)
5317fd9 
This change adds a new base prerequisite such that the user account
executing `git` has access to the repository. This is accomplished with
a new function, `ensure_git_repo_access`, that checks for the two likely
reasons to fail a git repo membership test:

1. Not actually in git repo, in which case nothing can be done.
2. The repository is owned by a different user and we don't have access
to it. This is detected and remedied with a configuration change.

References:

https://confluence.atlassian.com/pages/viewpage.action?pageId=1167744132
https://confluence.atlassian.com/pages/viewpage.action?pageId=1384121844
https://git-scm.com/docs/git-config/2.35.2#Documentation/git-config.txt-safedirectory

The second reason is encountered when the user account used to mount the
container created from the `phylum-ci` image does not match the one
owning the git repository. This happens for some CI environments and was
encountered while attempting to add a non-root user to the `phylum-ci`
image (#519). That effort was abandoned, but the feature here is still
worth adding now since it adds functionality for operating in more
environments.

Additional changes made include:

* Clarify command used to build from the `Dockerfile.slim` file
* Update `docker_tests.sh` script to include the most basic test command
* Fix typo: `git_curent_branch_name` --> `git_current_branch_name`
* Add `is_in_git_repo` predicate as helper function in `git` module
* Add more tests for the `git` module
* Add type hints to `tests/unit/test_git.py`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mathew-horner mathew-horner Awaiting requested review from mathew-horner mathew-horner is a code owner automatically assigned from phylum-dev/user-components

@louislang louislang Awaiting requested review from louislang

Assignees

@maxrake maxrake

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@maxrake