I use drone since 1 year on an enterprise onpremise kubernetes environment, it works very well, I love the possibility to have all my CICD pipeline calling some containerized images. I understand that all images have to be used as root user. The master, the runner and the images called within steps. ~I did some tries to use non-root but I noticed that when drone call an image, all folders appears as “root” property, even if they are not (if I lauch same docker image not using drone but docker, I see my folders for example as git in my alpine-git image, in my /home/git folder)
I have some security considerations, regarding the root usage. My droneCI solution has to pass Clair CVE scanners and I must to use non-root user to validate it.
So I have a big question for you, and I’m scared I know the answer, Is it possible to lauch drone-master, drone-runner and all images called in pipeline with non-root user?
Thank you for attention.
Drone clones all source code to a volume that is shared by all pipeline containers. Docker does not support mounting volumes as non-root which causes significant issues when trying to use non-root users with Drone (they cannot read or write volumes, and therefore cannot access the cloned code) which is the reason Drone runs as root by default. See https://github.com/moby/moby/issues/2259
However, the good news is that Docker has a setting that allows you to globally map root users to non-root users at the docker daemon level with userns remapping. This is your best (and only) option. You can read more about this here:
Thank you for your quick reply, I apologize for my slow one
I understand that It is not impossible to launch the drone bin using non-root user and if it works, docker images spawned by drone should not be mount/run as root but using the user I used to exec the drone bin. Am I right?
First step I have to test the drone-master behaviour when using a non-root user. I will add user called “drone” in the docker image and give it full rights chmod/chown on /bin
Second step, I will load this image in my Kubernetes environment and watch what happen.