
Is there a way to run /kaniko/executor as non-root user inside container to build an image?

Open karthiravich opened this issue 2 years ago • 14 comments

I am trying to run /kaniko/executor in a corporate OKD cluster to build docker images as part of the CI process using Jenkins. This is the first time we are trying to introduce kaniko in our OKD cluster.

The Jenkins agent workload runs as pod inside the OKD cluster and kaniko runs as a container within the pod.

I could see the kaniko file system is root owned. The current CI process in the org requires the runner pods to execute as non-root in the OKD cluster.

Is there a way I can execute the /kaniko/executor as non-root user instead of root?

Kaniko image - gcr.io/kaniko-project/executor:v1.5.1-debug

PS: I tried to build the /kaniko/executor from source and tried adding full permissions (chmod -R 777) to /kaniko and /workspace directories in the Dockerfile and built the new image.

When I tried to execute the /kaniko/executor command, I got the below error.

Error: error resolving dockerfile path: copying dockerfile: chown /kaniko/Dockerfile: operation not permitted

Any suggestions to get this to work?

karthiravich avatar Jun 24 '22 14:06 karthiravich

Just to add more info - Similar issue reported here - https://github.com/GoogleContainerTools/kaniko/issues/2122

But the fix recommended to use runAsUser: 0 for securityContext would not work in my case. Would like to know if there is any other alternative to make it work?

karthiravich avatar Jun 24 '22 14:06 karthiravich

Kaniko currently relies on being run as root. Rootless execution is currently not implemented since it would need to execute inside a user namespace and map uids/gids.

hown3d avatar Jun 24 '22 15:06 hown3d

@hown3d Thanks for the information. Do you know if that feature of running kaniko as non-root user is being considered and if it is planned for some release version?

karthiravich avatar Jun 28 '22 07:06 karthiravich

I don't think that running as non-root is currently on the roadmap. If you really need rootless execution for builds of dockerfiles, I would use buildah.

hown3d avatar Jun 28 '22 08:06 hown3d

I tried executing buildah inside OKD 3.11, but could not proceed with that option either. That's why I thought of using kaniko.

I kept getting the below error:

Storing signatures DEBU[0003] Start untar layer ERRO[0003] Error while applying layer: ApplyLayer exit status 1 stdout: stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument DEBU[0003] Error pulling candidate docker-registry/ci/baseimage:latest: Error committing the finished image: error adding layer with blob "sha256:35807b77a593c1147d13dc926a91dcc3015616ff7307cc30442c5a8e07546283": ApplyLayer exit status 1 stdout: stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument error creating build container: Error committing the finished image: error adding layer with blob "sha256:35807b77a593c1147d13dc926a91dcc3015616ff7307cc30442c5a8e07546283": ApplyLayer exit status 1 stdout: stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:42 for /etc/gshadow): Check /etc/subuid and /etc/subgid: lchown /etc/gshadow: invalid argument

karthiravich avatar Jun 28 '22 10:06 karthiravich
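The buildah error above asks to check /etc/subuid and /etc/subgid, and this is exactly the uid/gid mapping hown3d says rootless kaniko would need. As an added example (not code from kaniko, buildah or anyone in this thread), the script below parses constructed sample subuid/subgid files in the real `user:start:count` format and reports whether the owner `0:42` the layer requests can be represented in the rootless user namespace; the mapping layout assumed (container id 0 is the user's own id, container id N is the N-th subordinate id) is the default buildah/podman layout.

```python
from typing import List, Tuple

Range = Tuple[int, int]  # (first subordinate id, count)

# Constructed sample /etc/subuid and /etc/subgid contents (not from any real host).
# Format: one entry per line, user:start:count.
SAMPLE_SUBUID = """\
jenkins:100000:65536
# blank lines and comments are tolerated
builder:165536:65536
"""
SAMPLE_SUBGID = """\
jenkins:100000:1
builder:165536:65536
"""


def parse_sub_ids(text: str, user: str) -> List[Range]:
    """Return the (start, count) ranges allotted to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def mappable_ids(ranges: List[Range]) -> int:
    """Ids a rootless namespace can represent with the default buildah/podman
    layout: container id 0 is the user's own id, container id N (N >= 1) is the
    N-th subordinate id, so the total is 1 plus all subordinate ids."""
    return 1 + sum(count for _, count in ranges)


def can_map(ranges: List[Range], container_id: int) -> bool:
    """True if `container_id` has a host id to be mapped onto."""
    return 0 <= container_id < mappable_ids(ranges)


def check_owner(uid_text: str, gid_text: str, user: str, owner: str) -> Tuple[bool, bool]:
    """For a layer file owner written as "uid:gid" (the "0:42" in the error
    above), report whether the uid and the gid are each mappable for `user`.
    Any False means the lchown in ApplyLayer will fail with EINVAL."""
    uid, gid = (int(x) for x in owner.split(":"))
    return (can_map(parse_sub_ids(uid_text, user), uid),
            can_map(parse_sub_ids(gid_text, user), gid))
```

In the sample data, `jenkins` has a single subordinate gid, so gid 42 cannot be mapped and the layer fails, while `builder` with a 65536-wide range succeeds.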

Sounds a lot like this issue: https://github.com/containers/buildah/issues/4049

hown3d avatar Jun 28 '22 11:06 hown3d

Thanks for sharing. I will take a look at it and come back!

karthiravich avatar Jun 30 '22 06:06 karthiravich

Hello. Thank you for sharing the previous link related to buildah issue. I was able to build the latest buildah image from RH catalog, and used it inside the OKD cluster and it worked :).

karthiravich avatar Jul 15 '22 11:07 karthiravich

Neither buildah, nor executor will perform root user build operations for me on OCP without runAsUser:0. This is horseshit.

mpeaton-ng avatar Nov 16 '22 02:11 mpeaton-ng

It's enough to add --cap-drop=all to drop all capabilities in the official docker run example from here to reproduce the problem, causing an error when kaniko executor tries to copy the Dockerfile to a root-owned location inside the container: Error: error resolving dockerfile path: copying dockerfile: chown /kaniko/Dockerfile: operation not permitted

But this issue was raised 4 years ago and tagged "wontfix" here: https://github.com/GoogleContainerTools/kaniko/issues/681

mirekphd avatar Apr 22 '23 19:04 mirekphd

Just so you know, I reproduced the issue recently:

With this pipeline: https://github.com/idrissneumann/action-kaniko/actions/runs/5600342381/jobs/10242584402

And this PR (that tries to change the user that is running the process): https://github.com/idrissneumann/action-kaniko/pull/4/files

idrissneumann avatar Jul 19 '23 14:07 idrissneumann

Hi guys, I'm facing this issue also. Do I need to keep tracking this, or must I forget about running the kaniko container as a non-root user to build images?

mmohamed avatar Oct 20 '23 07:10 mmohamed

Hey, I'm also running into this issue. Running as non-root is sadly required for me, as well as using a stricter securityContext for the Kaniko container. If there are any updates on this topic, I would be happy to hear about it.

Tahedah avatar Mar 18 '24 13:03 Tahedah