Run docker as buildkite agent with userns-remap #341
Conversation
I don't know enough to really approve this. I'll let you merge as you need, or get someone else to put some eyeballs on it.
I'm going to merge this after I put out a point release. I'm thinking of doing it as
The release plan sounds good, testing aside!
Possibly an rc1 so we can test it before it hits 2.3.0.
What happens to other user ids in the container? e.g. nobody writing doctrine cache files out to a volume mount? I think they will land in following user ids so there will be stuff owned by 501+$uid in that directory, so you probably still need the permission fixing scripts. But I'm not sure how mapping that to a range of 1 works. Maybe it just flat out breaks? 👍 for an RC, this is a whole lot of change. The list of breaks from #32:
Yeah, that is a pretty epic list huh.
I might try and make this opt-in.
Maybe a v3.0 milestone feature?
templates/buildkite-elastic.yml
@@ -237,6 +237,14 @@ Parameters: | |||
- false | |||
Default: "true" | |||
|
|||
EnableDockerUserNamespaceRemap: | |||
Type: String | |||
Description: Enables experimental feature to run docker as buildkite-agent |
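Review bot: the new EnableDockerUserNamespaceRemap parameter shows only `Type: String` and a Description in this hunk, while the parameter just above it carries an AllowedValues entry (`- false`) and `Default: "true"`; give the new parameter `Default: "false"` and an AllowedValues list of `- true` / `- false` so CloudFormation validates the input and the feature stays opt-in, as the thread proposes. The Description should also say what is actually remapped, because "run docker as buildkite-agent" reads as if it refers to the agent binary; wording such as "Enables experimental Docker userns-remap support (container root maps to the host buildkite-agent user)" matches what the PR description says.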
What if we let this feature be turned on using an ENV var?
If we do add it as another option on the stack setup screen, might need to make it clear that it's not "buildkite-agent" the binary we're talking about here in the description?
If it's a "this could be buggy, so you better know what you're doing" then perhaps we just say:
Enables experimental Docker userns-remap support
The issue is that it needs to have the system docker daemon started with the setting
Ah of course! 🙃
If this is an optional setting, are you ok with a 2.3.0 release @toolmantim?
This uses the `--userns-remap` feature in recent docker daemons to remap the uid of root in docker containers to the buildkite-agent user on the host.
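An added example, not code from this PR or the elastic-ci-stack project, showing the arithmetic behind the remap described above and the question raised earlier in the thread about what happens to other container uids such as nobody: it parses constructed /etc/subuid entries and computes the host uid a container uid lands on, or None when the user's range is too small to cover it. It assumes dockerd consumes a user's subuid ranges in file order, one after the other.

```python
"""Where Docker's --userns-remap sends container uids on the host.
dockerd with "userns-remap": "<user>" reads that user's /etc/subuid lines
("user:start:count") and maps container uid 0 to the first range's start,
uid 1 to start+1, and so on across the user's ranges in file order."""
import json

# Constructed /etc/subuid content (example only; real hosts differ).
SUBUID_EXAMPLE = """\
# user:first-host-uid:count
buildkite-agent:100000:65536
ubuntu:165536:65536
"""


def parse_subuid(text):
    """Parse /etc/subuid text into {user: [(start, count), ...]} in file order."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def container_to_host_uid(ranges, user, container_uid):
    """Host uid a container uid lands on, or None when no range covers it.
    An unmapped uid is unusable inside the namespace: setuid() to it fails
    with EINVAL, so nothing gets written to a volume as that uid."""
    offset = 0  # container uid at which the next range begins
    for start, count in ranges.get(user, []):
        if offset <= container_uid < offset + count:
            return start + (container_uid - offset)
        offset += count
    return None


def host_to_container_uid(ranges, user, host_uid):
    """Inverse lookup: which container uid owns a host file with this uid."""
    offset = 0
    for start, count in ranges.get(user, []):
        if start <= host_uid < start + count:
            return offset + (host_uid - start)
        offset += count
    return None


def daemon_config(user):
    """/etc/docker/daemon.json content enabling the remap for one host user."""
    return json.dumps({"userns-remap": user}, indent=2)
```

With a one-entry range only container root is mapped, so a container user such as nobody has no host identity at all; with the usual 65536-entry range, files it writes to a volume show up on the host owned by start+65534, which host_to_container_uid turns back into the container uid for permission-fixing scripts.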