I have been using Drone for a year on an enterprise on-premise Kubernetes environment. It works very well, and I love being able to have my whole CI/CD pipeline call containerized images. I understand that all images have to be run as the root user: the master, the runner and the images called within steps. I did some tries with non-root, but I noticed that when Drone calls an image, all folders appear as owned by "root", even if they are not (if I launch the same Docker image with docker instead of Drone, I see my folders owned by, for example, git in my alpine-git image, in my /home/git folder).
I have some security considerations regarding root usage. My Drone CI solution has to pass Clair CVE scanners, and I must use a non-root user to validate it.
So I have a big question for you, and I'm scared I know the answer: is it possible to launch drone-master, drone-runner and all images called in the pipeline with a non-root user?
Thank you for your attention.
Drone clones all source code to a volume that is shared by all pipeline containers. Docker does not support mounting volumes as non-root which causes significant issues when trying to use non-root users with Drone (they cannot read or write volumes, and therefore cannot access the cloned code) which is the reason Drone runs as root by default. See https://github.com/moby/moby/issues/2259
However, the good news is that Docker has a setting that allows you to globally map root users to non-root users at the docker daemon level with userns remapping. This is your best (and only) option. You can read more about this here:
Thank you for your quick reply, I apologize for my slow one.
I understand that it is not impossible to launch the drone binary as a non-root user, and if it works, the Docker images spawned by Drone should not be mounted/run as root but as the user I used to exec the drone binary. Am I right?
First step, I have to test the drone-master behaviour when using a non-root user. I will add a user called "drone" in the Docker image and give it full rights (chmod/chown) on /bin.
Second step, I will load this image in my Kubernetes environment and watch what happens.
I succeeded in using a non-root user if I disable the default clone step and make a custom one, using an updated drone/git image:

```sh
$ docker build -t docker.company.net/drone/git_testuser_app:1.0.0 - << 'EOF'
FROM drone/git
# non-root user with a fixed uid so every step container agrees on the owner
RUN adduser -s /bin/sh -D -u 1500 testuser
# pre-create the working directory owned by that user
RUN install -d -o testuser -g testuser /app
EOF
```
And by updating the .drone.yml like this:

```yaml
steps:
- name: clone
- name: build
  commands:
  - pip install -e .
```
In this case the /app folder is owned by testuser, and every step can use it as a non-root user with uid 1500.
IMHO it is a good option, too.
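A fuller reconstruction of the setup described in this thread, written as an added example rather than the poster's actual file: the default clone is disabled, the workspace is pointed at the /app directory the custom image pre-creates for uid 1500, and a custom clone step fetches the code using Drone's own DRONE_REMOTE_URL and DRONE_COMMIT_SHA variables. It assumes the image from the post also carries a `USER testuser` line, and the build image name is a placeholder for a second image built the same way.

```yaml
kind: pipeline
type: kubernetes
name: nonroot-build

# The built-in clone runs as root on the shared workspace volume, so it is
# disabled and replaced by a clone step that runs as the image's own user.
clone:
  disable: true

# Put the workspace at /app, the directory the custom image creates for
# uid 1500, so every step reads and writes it as that user.
workspace:
  path: /app

steps:
# Custom clone with the image built in the post (assumed to also set
# `USER testuser`, so the step runs as uid 1500 instead of root).
- name: clone
  image: docker.company.net/drone/git_testuser_app:1.0.0
  commands:
  - git clone "$DRONE_REMOTE_URL" .
  - git checkout "$DRONE_COMMIT_SHA"
  - id -u                  # quick check: expect 1500, not 0
  - stat -c '%U %a' /app   # and the workspace should not be root-owned

# The build step uses a placeholder image assumed to be built the same
# way (same uid 1500) so ownership of the cloned files matches.
- name: build
  image: docker.company.net/drone/python_testuser_app:1.0.0
  commands:
  - pip install -e .
```

The `id -u` and `stat` lines are only there to make a misconfiguration visible in the step log; drop them once the pipeline is known to run as the expected user.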