-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot run inside of docker due to user permissions #72
Comments
As stated in #68 , I believe implementing this is not going to address the root cause. |
It would take a little bit of re-work if you're looking at things that use community based images (e.g. https://hub.docker.com/_/maven/). While there are options to run as non-root, it makes needing to maintain extra utility images that much more of a pain, rather than just being able to plug an play. I definitely understand the choice made, but I'm wondering if there's ways the plugin can work around it, or at least introduce flags to work around it. |
Given the common use of the use case you described, I thought of taking another stab at this problem. Could you provide details on the docker based build process you tried to use? If running as root is only needed to support the docker use case, then I could disregard some of the concerns (ie. restoring the ES directory ownership, dealing with errors in that case, etc). |
@alexcojocaru sure thing, and appreciate picking this up :D We have an integration test that is run inside of our CI pipeline which runs as a docker container. In our
This docker container has maven installed and simply invokes the integration tests via:
Since this runs as the root user inside the container, the cluster fails to start, resulting in our tests failing. |
Can you link me to the public base image for your CI pipeline image? |
Sure: https://hub.docker.com/_/maven/ (specifically |
I set up a very simple maven project which run ES during the integration-test phase and I could build it with: Note the |
Ah, sorry, missed out on that detail from my end -- We're using Gitlab CI runners which are executing in Kubernetes. I'd need to do some more heavy digging, but I don't think we can easily specify the user this runs as without baking a user into the image which is less than ideal. |
A quick search shows that it would be doable though config only, without modifying the image. I also did some research on how the plugin could run ES as root: it would have to create a user in the container, then use the |
We are hitting the same problem with Jenkins/Kubernetes and I do not manage to get the plugin working. In particular I struggle to evade the bootstrap checks:
Even with this configuration (with
|
@AndreaGiardini |
@alexcojocaru I actually managed to workaround the problem. I don't know the details of GitLab CI since I have never used it but maybe it might be useful to @Joeskyyy too In my case we are running Jenkins on Kubernetes, using the kubernetes-plugin to spawn Jenkins slaves. In order to solve the problem I had to specify the following podSpec:
The magic is done by the securityContext section. The number
|
Thanks for that, @AndreaGiardini . I hope it will help others which run into similar issues. |
Hello, specifying the image in your gitlab-ci file as follow |
Thanks for the details, @treilhes . |
added a note to this in the README |
Semi related to #68
When attempting to run inside of a docker container, the following is returned from a
maven verify
:While elasticsearch surely shouldn't run as root in a typical environment, is it not possible to override the user attribute for this to account for things like containers where the typical POSIX model is not necessarily at play, at the very least for unit/integration tests?
The text was updated successfully, but these errors were encountered: