I have a mvn project which must be build as an non-root user
but by default gitlab-ci allows runners to run as root user.
I'm using gitlab.com runners by setting up gitlab-ci.yml file.
I tried creating a user and switching to it like this:
$ useradd ***
$ su -***
$ whoami
root
It still says I'm root. How can I solve this?
You can easily achieve this with sudo, e.g.,
excerpt from my .gitlab-ci.yml:
script:
- useradd -d /builds/{GITLAB_USER} -g users -M -N builder
- chown -R builder:users ..
- |
sudo -H -i -u builder sh -e -x << EOS
umask 0077
export CONTINUOUS_INTEGRATION_SYSTEM="gitlab" TIMESTAMP=`date +%Y%m%d%H%M%S` DEFAULT_TARGET="debug"
export PREFIX="\${HOME}/usr" SYSCONFDIR="\${HOME}/etc/conf" LOCALSTATEDIR="\${HOME}/var"
cd my-project
make install
make -C _deploy/debian clean package bundle BUILD_ID="-0{other}\${TIMESTAMP}"
EOS
Where {GITLAB_USER} is your actual gitlab user. Remember to escape $ in your script
${GITLAB_USER_LOGIN} instead of doing the username substitution manually - this makes it work across forks. You may also wish to replace the actual project name with ${CI_PROJECT_NAME} (note you should not escape this $), which makes it work across even forks that adopt a different project name. –
Microhenry EOS as 'EOS' as per How to avoid heredoc expanding variables?, to avoid potentially confusing issues with variable expansion. –
Upstairs --preserve-env=PATH for using the same PATH. This is handy if you wanted to do a sudo --preserve-env=PATH sh < EOS mvn build EOS instead of a sudo env "PATH=$PATH" mvn build –
Lithograph Just install the gitlab-runner service for the right user:
gitlab-runner install --working-directory /home/ubuntu --user ubuntu
Here, ubuntu is an arbitrary non-root user.
sudo gitlab-runner install --working-directory /home/username --user username
You need to be root to install with the --user flag so you can run gitlab-runner as an unprivileged user.
In the end I built a base image with Dockerfile that included allowing the new user to use sudo:
RUN yum makecache \
&& yum -y install shadow-utils sudo \
&& /usr/sbin/useradd -d /builds -g users -M -N builder \
&& echo 'builder ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
USER builder
Then fix the /builds permissions in the before_script section in the pipeline file: .gitlab-cy.yml
before_script:
- sudo /bin/chown -R builder:users /builds
script:
- ...
Here's how I set up gitlab-runner for a non-root user inside a Vagrant VM (should work for non-VM machines as well):
ps aux | grep gitlab
/usr/bin/gitlab-runner run --config /etc/gitlab/runner/config.toml --service gitlab-runner
gitlab-runner systemd service:sudo systemctl stop gitlab-runner
The process should no longer appear if you type ps aux | grep gitlab again.
Uninstall the existing user's 'gitlab-runner' service:
sudo gitlab-runner uninstall
sudo gitlab-runner install \
--service gitlab-runner \
--user $USER \
--working-directory /home/$USER
sudo systemctl daemon-reload
gitlab-runner systemd service:sudo systemctl start gitlab-runner
sudo systemctl enable gitlab-runner
ps aux | grep gitlab
vagrant):/usr/bin/gitlab-runner run --working-directory /home/vagrant --config /home/vagrant/.config/gitlab-runner/config.toml --service gitlab-runner --user vagrant
gitlab-runner as your new user:gitlab-runner exec shell some_job
There are several ways to accomplish this. Since gitlab-ci jobs are simply docker containers running processes, one way to achieve this would be to use gosu where you can run a process as a non-root user. Some links which show how to use gosu:
© 2022 - 2024 — McMap. All rights reserved.