graylog dev

Reputation: 141

Running gitlab-ci pipeline jobs as non-root user

I have a mvn project which must be built as a non-root user, but by default gitlab-ci allows runners to run as the root user. I'm using gitlab.com runners by setting up a gitlab-ci.yml file. I tried creating a user and switching to it like this:

$ useradd ***
$ su -***
$ whoami
root

It still says I'm root. How can I solve this?

Upvotes: 13

Views: 24110

Answers (6)

arcanemachine

Reputation: 720

Here's how I set up gitlab-runner for a non-root user inside a Vagrant VM (should work for non-VM machines as well):

  • Check to see if the process is running for the existing user:

ps aux | grep gitlab

  • If the process is running, it will look something like this after you run the previous command:

/usr/bin/gitlab-runner run --config /etc/gitlab/runner/config.toml --service gitlab-runner

  • Stop the existing gitlab-runner systemd service:

sudo systemctl stop gitlab-runner

  • The process should no longer appear if you type ps aux | grep gitlab again.

  • Uninstall the existing user's 'gitlab-runner' service:

sudo gitlab-runner uninstall

  • Reinstall the service for the new user:

sudo gitlab-runner install \
  --service gitlab-runner \
  --user $USER \
  --working-directory /home/$USER

  • Reload systemd daemons:

sudo systemctl daemon-reload

  • Start the new user's gitlab-runner systemd service:

sudo systemctl start gitlab-runner

  • To ensure the service runs on boot:

sudo systemctl enable gitlab-runner

  • Check to see if the process is running for the new user:

ps aux | grep gitlab

  • The new process should look something like this (I used Vagrant for this, so my user is vagrant):

/usr/bin/gitlab-runner run --working-directory /home/vagrant --config /home/vagrant/.config/gitlab-runner/config.toml --service gitlab-runner --user vagrant

  • Run gitlab-runner as your new user:

gitlab-runner exec shell some_job

Upvotes: 0
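A scripted form of the before/after `ps` check in the answer above, as an added example that is not part of the original post. The function names are assumptions made here; the two sample command lines are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: report which account a gitlab-runner command line hands jobs to.

# runner_job_user CMDLINE -> prints the value of --user, or "unset" if absent.
runner_job_user() {
  job_user=unset
  set -f            # no globbing while the command line is word-split
  set -- $1
  set +f
  while [ $# -gt 0 ]; do
    case $1 in
      --user=*) job_user=${1#--user=} ;;
      --user)   if [ $# -ge 2 ]; then job_user=$2; shift; fi ;;
    esac
    shift
  done
  printf '%s\n' "$job_user"
}

# check_runner CMDLINE -> status 0 only when jobs go to a named non-root account.
check_runner() {
  found=$(runner_job_user "$1")
  case $found in
    unset|root|0) echo "REVIEW: job user is '$found'"; return 1 ;;
    *)            echo "OK: jobs run as '$found'";     return 0 ;;
  esac
}

# The two process lines quoted in the answer (before and after reinstalling).
BEFORE='/usr/bin/gitlab-runner run --config /etc/gitlab/runner/config.toml --service gitlab-runner'
AFTER='/usr/bin/gitlab-runner run --working-directory /home/vagrant --config /home/vagrant/.config/gitlab-runner/config.toml --service gitlab-runner --user vagrant'

check_runner "$BEFORE" || true
check_runner "$AFTER"

# On a live host, feed it the real command line instead, for example:
#   ps -eo args | grep '[g]itlab-runner run' | while IFS= read -r l; do check_runner "$l"; done
```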

AmanicA

Reputation: 5515

In the end I built a base image with a Dockerfile that included allowing the new user to use sudo:

RUN yum makecache \
  && yum -y install shadow-utils sudo \
  && /usr/sbin/useradd -d /builds -g users -M -N builder \
  && echo 'builder ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

USER builder

Then fix the /builds permissions in the before_script section in the pipeline file, .gitlab-ci.yml:

  before_script:
  - sudo /bin/chown -R builder:users /builds
  script:
  - ...

Upvotes: 1
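The sudoers line in the answer above lets builder run every command as root without a password, so the account is non-root in name only. As an added example (not part of the original answer), this script flags such rules in sudoers text; the function name and the narrower chown-only rule are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the answer. Not a full sudoers parser: line
# continuations and commas inside (runas) lists or arguments are not handled.

# unrestricted_nopasswd: sudoers text on stdin -> prints each user or %group
# allowed to run ALL commands without a password.
unrestricted_nopasswd() {
  awk '
    /^[ \t]*$/ || /^[ \t]*[#@]/ { next }            # blanks, comments, includes
    /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }    # settings and aliases
    {
      eq = index($0, "="); if (!eq) next
      n = split(substr($0, eq + 1), part, ","); nopass = 0
      for (i = 1; i <= n; i++) {
        p = part[i]
        gsub(/^[ \t]+|[ \t]+$/, "", p)
        sub(/^\([^)]*\)[ \t]*/, "", p)              # drop (runas)
        # Tags such as NOPASSWD: carry over to later commands in the list.
        while (match(p, /^[A-Z_]+:[ \t]*/)) {
          tag = substr(p, 1, RLENGTH); p = substr(p, RLENGTH + 1)
          if (tag ~ /^NOPASSWD:/) nopass = 1
          else if (tag ~ /^PASSWD:/) nopass = 0
        }
        if (p == "ALL" && nopass) { print $1; break }
      }
    }'
}

# The rule from the answer on this page, and a constructed narrower rule that
# permits only the chown the pipeline runs (":" in arguments is escaped in sudoers).
RULE_PAGE='builder ALL=(ALL) NOPASSWD:ALL'
RULE_NARROW='builder ALL=(root) NOPASSWD: /bin/chown -R builder\:users /builds'

# Prints "builder" once: only the rule from the page is flagged.
printf '%s\n' "$RULE_PAGE" "$RULE_NARROW" | unrestricted_nopasswd
```

Check an edited sudoers file with `visudo -cf <file>` before baking it into the image.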

Polarimetric

Reputation: 86


sudo gitlab-runner install --working-directory /home/username --user username

You need to be root to install with the --user flag so you can run gitlab-runner as an unprivileged user.

Upvotes: 0

AmokHuginnsson

Reputation: 1214

You can easily achieve this with sudo, e.g., excerpt from my .gitlab-ci.yml:

script:
    - useradd -d /builds/{GITLAB_USER} -g users -M -N builder
    - chown -R builder:users ..
    - |
      sudo -H -i -u builder sh -e -x << EOS
      umask 0077
      export CONTINUOUS_INTEGRATION_SYSTEM="gitlab" TIMESTAMP=`date +%Y%m%d%H%M%S` DEFAULT_TARGET="debug"
      export PREFIX="\${HOME}/usr" SYSCONFDIR="\${HOME}/etc/conf" LOCALSTATEDIR="\${HOME}/var"
      cd my-project
      make install
      make -C _deploy/debian clean package bundle BUILD_ID="-0{other}\${TIMESTAMP}"
      EOS

Where {GITLAB_USER} is your actual gitlab user. Remember to escape $ in your script.

Upvotes: 5
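Why the `$` escaping in the answer above matters, as an added example that is not part of the original post: with an unquoted here-document delimiter the outer (root) shell expands `${HOME}` before the unprivileged shell starts. The two HOME values are constructed, and `env HOME=... sh` stands in for `sudo -H -i -u builder sh` so the demo runs without privileges.

```shell
#!/bin/sh
# Added example: which shell expands ${HOME} inside a here-document?
OUTER_HOME=/root            # constructed: the job's original root environment
INNER_HOME=/home/builder    # constructed: what the unprivileged shell sees

# Unquoted delimiter, unescaped $: the OUTER shell substitutes its own HOME
# before the inner shell ever reads the text.
unescaped() (
  HOME=$OUTER_HOME; export HOME
  env HOME="$INNER_HOME" sh -e <<EOS
echo "PREFIX=${HOME}/usr"
EOS
)

# The answer's approach: \$ survives the outer shell and expands in the inner one.
escaped() (
  HOME=$OUTER_HOME; export HOME
  env HOME="$INNER_HOME" sh -e <<EOS
echo "PREFIX=\${HOME}/usr"
EOS
)

# Quoted delimiter: the outer shell expands nothing, so no escaping is needed.
quoted() (
  HOME=$OUTER_HOME; export HOME
  env HOME="$INNER_HOME" sh -e <<'EOS'
echo "PREFIX=${HOME}/usr"
EOS
)

printf 'unescaped: %s\nescaped:   %s\nquoted:    %s\n' \
  "$(unescaped)" "$(escaped)" "$(quoted)"
```

With a quoted delimiter, command substitutions such as the answer's `date` call would also run in the inner shell rather than the outer one.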

Alexander

Reputation: 35

Just install the gitlab-runner service for the right user:

gitlab-runner install --working-directory /home/ubuntu --user ubuntu

Here, ubuntu is an arbitrary non-root user.

Upvotes: 1

Jimmy Obonyo Abor

Reputation: 7885

There are several ways to accomplish this. Since gitlab-ci jobs are simply docker containers running processes, one way to achieve this would be to use gosu where you can run a process as a non-root user. Some links which show how to use gosu:

Upvotes: -2
