Does datasource-syncer require root? #1811

@ethanmdavidson

We recently received a GCP advisory notification titled "Cloud Run jobs and worker pools losing root access due to a security update". For us, the only affected resource is a Cloud Run job for datasource-syncer. Based on my understanding of datasource-syncer, I think it is probably not impacted by this change, but I was hoping this could be confirmed by maintainers.

Please confirm that datasource-syncer is not impacted by this change.

Notification ID f5c62031-465e-45b7-9852-0a89b8b36c77, reference issue number 462760403. Here is more info about the change, copied from the notification:

What is happening

On January 5, 2026, we will begin rolling out the security update that will move Cloud Run jobs and worker pools to run inside a Linux user namespace and thus remove true root access by your container to the underlying execution environment. This will be a breaking change for applications that use Cloud Run in the following ways:

  • Mount a network file system in any way other than by using Cloud Run's fully-managed volume mounts feature. This includes running a mount process inside the container to mount any of the following: NFS, Cloud Filestore, SMB/CIFS, or any other network file system.

  • Use nested volume mounts - mounting a volume inside another volume.

  • Change the system time using adjtimex and adjtime syscalls.

  • Use sudo or other setuid binaries.

  • Use eBPF and other kernel-level security features.

  • Write to /proc/, /sys/, or other pseudo filesystems.

  • Use of other system calls or access system files that require root privileges on the Cloud Run instance's VM.
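
An added example, not part of the issue or of datasource-syncer's code: a POSIX shell check for two items on the notification's list, namely whether the process already runs inside a user namespace and whether the image carries setuid/setgid binaries. The function names are hypothetical, and it assumes `/proc/self/uid_map` is readable inside the container.

```shell
#!/bin/sh
# Added example (constructed): helper names are hypothetical, not from
# datasource-syncer or the GCP notification.

# in_user_namespace UID_MAP_TEXT
# Succeeds (exit 0) unless the text is the initial namespace's single identity
# mapping "0 0 4294967295", i.e. unless container root is true host root.
in_user_namespace() {
    printf '%s\n' "$1" | awk '
        NF == 3 { n++; if ($1 == 0 && $2 == 0 && $3 == 4294967295) full = 1 }
        END     { exit ((n == 1 && full) ? 1 : 0) }'
}

# find_setid_files DIR
# Lists regular files under DIR with the setuid or setgid bit set (sudo, su, ...).
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_root_dependence DIR
# Prints a short report for the running container and the filesystem under DIR.
audit_root_dependence() {
    map=$(cat /proc/self/uid_map 2>/dev/null || true)
    if [ -z "$map" ]; then
        echo "uid mapping: unknown (/proc/self/uid_map not readable)"
    elif in_user_namespace "$map"; then
        echo "uid mapping: user namespace (root here is not host root)"
    else
        echo "uid mapping: initial namespace (root here is host root)"
    fi
    echo "effective uid: $(id -u)"
    files=$(find_setid_files "$1")
    if [ -n "$files" ]; then
        echo "setuid/setgid binaries (check whether the entrypoint invokes any):"
        printf '%s\n' "$files"
    else
        echo "setuid/setgid binaries: none under $1"
    fi
}

# Run the report only when a directory is given, e.g. `sh audit.sh /`.
if [ "$#" -gt 0 ]; then
    audit_root_dependence "$1"
fi
```

Run it in the same image and execution environment as the job; a process that runs as a non-root uid and finds no setuid binaries on its path does not rely on the first or fourth items of the list.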
