
I built an image using `--builder paketobuildpacks/builder:base`, but my app went wrong because it had no permission.

```
> apt-get update
Reading package lists... Done
E: List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied)
```

Then I found that the run image of the paketobuildpacks stacks sets the default user:

```
ARG cnb_uid=1000
ARG cnb_gid=1000
RUN groupadd cnb --gid ${cnb_gid} && useradd --uid ${cnb_uid} --gid ${cnb_gid} -m -s /bin/bash cnb
```

As I use k8s, I tried setting `runAsUser: 0` or `--allow-privileged=true` to force it to use root, and it works, but I thought this is not a good solution.

How can I modify the default user group in the `pack build` command?

sia

1 Answer


Buildpacks do not run as root. That's intentional and part of the specification. You shouldn't run apps as root either; that's a bad practice.

https://buildpacks.io/docs/reference/spec/platform-api/#users

It's not clear what your ultimate goal is here, if it's purely to modify the group or if it's to modify the group so you can try to install packages. It's also not clear if you want to change the group at build or run or both. I'll try to cover all these cases.

  1. You can run a buildpack generated image as a different user. You just set the user at runtime, like `docker run --user` or `runAsUser`. My understanding is that you should not change the group though. You technically can, but whether it works will probably depend on the individual buildpacks and what they attempt to do. My guess is you'll start to see file permission issues.

  2. To change the user/group at build time, you need to create a custom stack. This requires a non-trivial amount of work plus ongoing maintenance to keep your stack up-to-date. See this guide on how to create a stack. You cannot create a stack with the root user/group. That is forbidden.

  3. If you need to install additional packages, it's tricky because you can't run as root. You have a couple of options though.

    First, you can use the apt buildpack. This will let you install packages into non-standard locations. It tries to make this seamless by adjusting `PATH` & `LD_LIBRARY_PATH` and often works fine. You'd need to try it to see for your specific use case.

    Second, you can create a custom stack. Again, see the guide for creating a custom stack. When you create a custom stack, you can change the build image to an image you control that already has the packages you require installed. As mentioned above, this requires you to maintain and update the stack and images.

    Third, this is a known rough edge with buildpacks and probably one of the most requested features for buildpacks. "I have an app, it needs package XYZ installed. How do I install it?" There have been a couple of RFCs geared at solving this, but none have been implemented yet. At the time of writing, this is the most recent RFC that attempts to resolve this issue. It's not offering a solution, but perhaps provides some more context on the current state of things & something you can watch for progress. Hopefully, I'll be able to update this post in the near future and provide a definitive answer to this question.

Daniel Mikusa
  • Thanks. But sometimes when I want to do some troubleshooting, I need to run certain programs as root. Do you know the password of `su`? – sia Aug 12 '21 at 02:18
  • There is no password as far as I know. Using `sudo` or `su` in a buildpack generated image is just not possible. If you need elevated privileges, you'd need to enter the container as a different user from your host OS. See https://stackoverflow.com/questions/35734474/connect-to-docker-container-as-user-other-than-root – Daniel Mikusa Aug 13 '21 at 02:23
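
The runtime-user option from point 1 of the answer, written as Kubernetes manifests (an added example, not part of the original question or answer): the `runAsUser: 0` setting from the question beside a pod that stays on the `cnb` user from the run image. The image reference and pod names are placeholders.

```yaml
# Added example. Pod names and the image reference are placeholders.
# Weak: what the question tried. apt-get now works, but every process in
# the container runs as root.
apiVersion: v1
kind: Pod
metadata:
  name: app-as-root                # hypothetical name
spec:
  containers:
    - name: app
      image: registry.example.com/my-app:latest   # placeholder for the pack-built image
      securityContext:
        runAsUser: 0
---
# Corrected: run as the cnb user the run image defines (cnb_uid=1000,
# cnb_gid=1000 in the question) and have the kubelet refuse to start the
# container if it would run as UID 0.
apiVersion: v1
kind: Pod
metadata:
  name: app-as-cnb                 # hypothetical name
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000                # cnb_uid
    runAsGroup: 1000               # cnb_gid, left unchanged as the answer advises
  containers:
    - name: app
      image: registry.example.com/my-app:latest   # placeholder
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false   # sets no_new_privs: setuid binaries such as su gain nothing
        capabilities:
          drop: ["ALL"]            # assumes the app needs no capabilities (e.g. listens on a port above 1024)
```

With the second manifest, packages the app needs have to come from the apt buildpack or a custom stack, as points 2 and 3 of the answer describe, because `apt-get` inside the running container will still fail.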