How to specify a user for a given build stage in drone?

Question

I'm attempting to use a very "lambda-like" image for running some tests, but it is so lambda-like that the user has no real permissions (including those needed to install my test engine).

Is there a way to specify the user the image executes as?

pipeline:
    test_lambda:
        image: lambci/lambda:python3.6
        user: root
        resources:
            limits:
                memory: 128M
        commands:
            - whoami
            - pip install pytest
            - py.test

The output. Note that the username is sbx_user1051, not root

$ drone exec
[test_lambda:L0:0s] + whoami
[test_lambda:L1:0s] sbx_user1051
[test_lambda:L2:0s] + pip install pytest
[test_lambda:L3:0s] The directory '/root/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
[test_lambda:L4:0s] The directory '/root/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
[test_lambda:L5:0s] Collecting pytest
[test_lambda:L6:0s]   Downloading https://files.pythonhosted.org/packages/62/59/950a805f90587d6e2f3692cf43700becb7cdf6c16b06d84e7516b199236b/pytest-3.6.0-py2.py3-none-any.whl (194kB)
[test_lambda:L7:0s] Collecting pluggy<0.7,>=0.5 (from pytest)
[test_lambda:L8:0s]   Downloading https://files.pythonhosted.org/packages/ba/65/ded3bc40bbf8d887f262f150fbe1ae6637765b5c9534bd55690ed2c0b0f7/pluggy-0.6.0-py3-none-any.whl
[test_lambda:L9:1s] Collecting attrs>=17.4.0 (from pytest)
[test_lambda:L10:1s]   Downloading https://files.pythonhosted.org/packages/41/59/cedf87e91ed541be7957c501a92102f9cc6363c623a7666d69d51c78ac5b/attrs-18.1.0-py2.py3-none-any.whl
[test_lambda:L11:1s] Collecting atomicwrites>=1.0 (from pytest)
[test_lambda:L12:1s]   Downloading https://files.pythonhosted.org/packages/0a/e8/cd6375e7a59664eeea9e1c77a766eeac0fc3083bb958c2b41ec46b95f29c/atomicwrites-1.1.5-py2.py3-none-any.whl
[test_lambda:L13:1s] Collecting py>=1.5.0 (from pytest)
[test_lambda:L14:1s]   Downloading https://files.pythonhosted.org/packages/67/a5/f77982214dd4c8fd104b066f249adea2c49e25e8703d284382eb5e9ab35a/py-1.5.3-py2.py3-none-any.whl (84kB)
[test_lambda:L15:1s] Requirement already satisfied: six>=1.10.0 in /var/runtime (from pytest)
[test_lambda:L16:1s] Collecting more-itertools>=4.0.0 (from pytest)
[test_lambda:L17:1s]   Downloading https://files.pythonhosted.org/packages/85/40/90c3b0393e12b9827381004224de8814686e3d7182f9d4182477f600826d/more_itertools-4.2.0-py3-none-any.whl (45kB)
[test_lambda:L18:1s] Requirement already satisfied: setuptools in /var/lang/lib/python3.6/site-packages (from pytest)
[test_lambda:L19:1s] Installing collected packages: pluggy, attrs, atomicwrites, py, more-itertools, pytest
[test_lambda:L20:1s] Exception:
[test_lambda:L21:1s] Traceback (most recent call last):
[test_lambda:L22:1s]   File "/var/lang/lib/python3.6/site-packages/pip/basecommand.py", line 215, in main
[test_lambda:L23:1s]     status = self.run(options, args)
[test_lambda:L24:1s]   File "/var/lang/lib/python3.6/site-packages/pip/commands/install.py", line 342, in run
[test_lambda:L25:1s]     prefix=options.prefix_path,
[test_lambda:L26:1s]   File "/var/lang/lib/python3.6/site-packages/pip/req/req_set.py", line 784, in install
[test_lambda:L27:1s]     **kwargs
[test_lambda:L28:1s]   File "/var/lang/lib/python3.6/site-packages/pip/req/req_install.py", line 851, in install
[test_lambda:L29:1s]     self.move_wheel_files(self.source_dir, root=root, prefix=prefix)
[test_lambda:L30:1s]   File "/var/lang/lib/python3.6/site-packages/pip/req/req_install.py", line 1064, in move_wheel_files
[test_lambda:L31:1s]     isolated=self.isolated,
[test_lambda:L32:1s]   File "/var/lang/lib/python3.6/site-packages/pip/wheel.py", line 345, in move_wheel_files
[test_lambda:L33:1s]     clobber(source, lib_dir, True)
[test_lambda:L34:1s]   File "/var/lang/lib/python3.6/site-packages/pip/wheel.py", line 316, in clobber
[test_lambda:L35:1s]     ensure_dir(destdir)
[test_lambda:L36:1s]   File "/var/lang/lib/python3.6/site-packages/pip/utils/__init__.py", line 83, in ensure_dir
[test_lambda:L37:1s]     os.makedirs(path)
[test_lambda:L38:1s]   File "/var/lang/lib/python3.6/os.py", line 220, in makedirs
[test_lambda:L39:1s]     mkdir(name, mode)
[test_lambda:L40:1s] PermissionError: [Errno 13] Permission denied: '/var/lang/lib/python3.6/site-packages/pluggy-0.6.0.dist-info'
[test_lambda:L41:1s] You are using pip version 9.0.1, however version 10.0.1 is available.
[test_lambda:L42:1s] You should consider upgrading via the 'pip install --upgrade pip' command.
2018/05/29 15:06:16 drone_step_0 : exit code 2

Answer 1

The challenge is that Docker volumes are root by default. So in order to write to the workspace volume, the default working directory to which your code is cloned, the container user needs to be root.

There is an experimental version of the git clone plugin that attempts to chown the directory to an unprivileged user. This will allow containers with unprivileged users to access the workspace, however, there are definitely some edge cases.

You can use the experimental git plugin with the following syntax:

clone:
  git:
    image: plugins/git:next

pipeline:
    test_lambda:
        image: lambci/lambda:python3.6
        commands:
            - pip install pytest
            - py.test

As a reminder there are still some edge cases and non-root containers are still not officially supported (as of version 0.8) however, this is probably enough to get your example working.