I have a mvn project which must be build as an non-root user
but by default gitlab-ci allows runners to run as root user.
I'm using gitlab.com runners by setting up gitlab-ci.yml file.
I tried creating a user and switching to it like this:
$ useradd ***
$ su -***
$ whoami
root
It still says I'm root. How can I solve this?
You can easily achieve this with sudo, e.g.,
excerpt from my .gitlab-ci.yml:
script:
- useradd -d /builds/{GITLAB_USER} -g users -M -N builder
- chown -R builder:users ..
- |
sudo -H -i -u builder sh -e -x << EOS
umask 0077
export CONTINUOUS_INTEGRATION_SYSTEM="gitlab" TIMESTAMP=`date +%Y%m%d%H%M%S` DEFAULT_TARGET="debug"
export PREFIX="\${HOME}/usr" SYSCONFDIR="\${HOME}/etc/conf" LOCALSTATEDIR="\${HOME}/var"
cd my-project
make install
make -C _deploy/debian clean package bundle BUILD_ID="-0{other}\${TIMESTAMP}"
EOS
Where {GITLAB_USER} is your actual gitlab user. Remember to escape $ in your script
Just install the gitlab-runner service for the right user:
gitlab-runner install --working-directory /home/ubuntu --user ubuntu
Here, ubuntu is an arbitrary non-root user.
sudo gitlab-runner install --working-directory /home/username --user username
You need to be root to install with the --user flag so you can run gitlab-runner as an unprivileged user.
There are several ways to accomplish this. Since gitlab-ci jobs are simply docker containers running processes, one way to achieve this would be to use gosu where you can run a process as a non-root user. Some links which show how to use gosu:
