2

I'm trying to create a CI pipeline for my code. I have registered a runner with the docker executor on my machine. I noticed it is cloning the repository with root privileges inside the docker container:

$ ls -l
total 4
drwxrwxrwx 4 root root 4096 Jan  3 18:02 my-repo

Thus, to build the content on my repo I must run some commands with sudo from my .gitlab-ci.yml and I don't want that.

stages:
  - build

default:
  image: MyImage:latest

build:
  stage: build
  script: 
    # I don't want to use sudo here but as my repo is cloned with root privileges I must use sudo.
    - sudo ./build -j 1 

Is there a way to tell gitlab-runner to clone the repository with user privileges?

Edit

My Dockerfile creates an image with a user:

# Create a user of uid/gid 1000 to match user on most host machines
RUN apt-get update && apt-get -y install sudo && rm -rf /var/lib/apt/lists/*
RUN addgroup --gid 1000 myUser
RUN adduser --disabled-password --gecos "" --uid 1000 --gid 1000 myUser
RUN usermod -a -G sudo myUser
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
RUN usermod -a -G dialout myUser

USER myUser

RUN touch ~/.sudo_as_admin_successful

COPY --chown=1000:1000 export.sh .
RUN ./export.sh

WORKDIR /dev_folder/
CMD ["/bin/bash"]
afvmil

1 Answer

0

If you need this in the build stage you have to handle the user privileges of your repo from your Dockerfile.

This is a classic example of a build stage from the gitlab-ci:

build:
  stage: build
  script:
    - docker build --pull -t $CONTAINER_TEST_IMAGE -f ./docker/Dockerfile .
    - docker logout
    - docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $REGISTRY_SERVER
    - docker push $CONTAINER_TEST_IMAGE
  only:
    - tags@group/project

So you can write your code into the Dockerfile and then let GitLab build it.

In your case you have two ways:

  1. Handle the default entry user and permissions of your image
  2. Add an entry point in your gitlab-ci file like this:

image:
  name: super/sql:experimental
  entrypoint: ["docker-entrypoint.sh"]

The last one overrides the default entry point of your container. I think the first point is the clean and easy way.

mattia orsi
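
One way to check, at the start of a job, whether the checkout is usable by the image's non-root user instead of falling back to sudo, as an added example that is not part of the original question or answer. The function names are hypothetical, the sample tree is constructed in a temporary directory, and GNU or BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the original posts): preflight for a CI job that
# must build as a non-root user without sudo. Function names are hypothetical.

# Entries under DIR with the world-writable bit set (the drwxrwxrwx case in
# the question's listing). Symlinks are skipped; their mode bits are not used.
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Entries under DIR that are not owned by the numeric UID in $2.
count_foreign_owned() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Classify one entry from its owner UID ($1), octal mode ($2) and the job's
# UID ($3). Group permissions are ignored to keep the example short.
classify_entry() {
    last=${2#"${2%?}"}                     # last octal digit = "other" bits
    if [ "$1" = "$3" ]; then echo owned; return; fi
    case $last in
        2|3|6|7) echo writable-via-world-bit ;;
        *)       echo needs-privilege ;;
    esac
}

# Report on DIR for the current user; non-zero when the build would need sudo.
preflight() {
    me=$(id -u)
    set -- "$1" $(stat -c '%u %a' "$1")    # GNU/BusyBox stat: owner UID, mode
    verdict=$(classify_entry "$2" "$3" "$me")
    echo "$1: owner=$2 mode=$3 uid=$me -> $verdict," \
         "$(count_foreign_owned "$1" "$me") not owned by job user," \
         "$(count_world_writable "$1") world-writable"
    [ "$verdict" != needs-privilege ]
}

# Constructed sample: a checkout laid out like the listing in the question.
demo=$(mktemp -d)
mkdir "$demo/my-repo" && touch "$demo/my-repo/build"
chmod 777 "$demo/my-repo"
preflight "$demo/my-repo"
rm -rf "$demo"
```

Calling `preflight "$CI_PROJECT_DIR"` as the first `script:` line makes the job fail with a readable ownership report rather than at the first write the build attempts.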