argocd-lovely-plugin
Question: InitContainer runAsNonRoot user?
Hey, first of all I want to say thank you for this cool project.
Our OPA-Gatekeeper does not allow containers running as root user. The InitContainer argocd-lovely-plugin:0.4.1 is running as root user. I tried to create my own Dockerfile, but I always get the following InitContainer error as soon as I deploy with ArgoCD:
mv: can't remove 'argocd-lovely-plugin': Permission denied
With the Dockerfile, I tried to create my own user and change the owner of the /argocd-lovely-plugin file:
FROM ghcr.io/crumbhole/argocd-lovely-plugin:0.4.1
USER root
# Create a group and user
RUN addgroup -S app -g 1000 && adduser -S app -u 1000 -G app \
&& chown -R 1000:1000 /argocd-lovely-plugin
# Tell docker that all future commands should run as the appuser user
USER 1000
# the following commands are only for traceability
RUN id
RUN ls -l /
RUN ls -ln /argocd-lovely-plugin
RUN rm -rf /argocd-lovely-plugin
If I build the image and try to remove (rm) the "argocd-lovely-plugin" file, then I have the same problem:
Step 1/7 : FROM ghcr.io/crumbhole/argocd-lovely-plugin:0.4.1
---> 3256ecbe39ac
Step 2/7 : USER root
---> Running in cd434b201efe
Removing intermediate container cd434b201efe
---> c196c3018099
Step 3/7 : RUN addgroup -S app -g 1000 && adduser -S app -u 1000 -G app && chown -R 1000:1000 /argocd-lovely-plugin
---> Running in c4d323e9e69c
Removing intermediate container c4d323e9e69c
---> 56dd65b7905e
Step 4/7 : USER 1000
---> Running in 8e9f994b894c
Removing intermediate container 8e9f994b894c
---> 114c8b9d36d9
Step 5/7 : RUN ls -l /
---> Running in 2866727819fe
total 14532
-rwxr-xr-x 1 app app 14822201 Jul 5 10:44 argocd-lovely-plugin
drwxr-xr-x 2 root root 4096 May 23 16:51 bin
drwxr-xr-x 5 root root 320 Jul 22 23:20 dev
drwxr-xr-x 1 root root 4096 Jul 22 23:20 etc
drwxr-xr-x 1 root root 4096 Jul 22 23:20 home
drwxr-xr-x 7 root root 4096 May 23 16:51 lib
drwxr-xr-x 5 root root 4096 May 23 16:51 media
drwxr-xr-x 2 root root 4096 May 23 16:51 mnt
drwxr-xr-x 2 root root 4096 May 23 16:51 opt
dr-xr-xr-x 167 root root 0 Jul 22 23:20 proc
drwx------ 2 root root 4096 May 23 16:51 root
drwxr-xr-x 2 root root 4096 May 23 16:51 run
drwxr-xr-x 2 root root 4096 May 23 16:51 sbin
drwxr-xr-x 2 root root 4096 May 23 16:51 srv
dr-xr-xr-x 13 root root 0 Jul 22 23:20 sys
drwxrwxrwt 2 root root 4096 May 23 16:51 tmp
drwxr-xr-x 7 root root 4096 May 23 16:51 usr
drwxr-xr-x 12 root root 4096 May 23 16:51 var
Removing intermediate container 2866727819fe
---> 6f09a2a7cb8c
Step 6/7 : RUN ls -ln /argocd-lovely-plugin
---> Running in e17004972a4b
-rwxr-xr-x 1 1000 1000 14822201 Jul 5 10:44 /argocd-lovely-plugin
Removing intermediate container e17004972a4b
---> 25de8bbf2028
Step 7/7 : RUN rm -rf /argocd-lovely-plugin
---> Running in 8f9d8cfb7001
rm: can't remove '/argocd-lovely-plugin': Permission denied
The command '/bin/sh -c rm -rf /argocd-lovely-plugin' returned a non-zero code: 1
Adjusting the file permissions (e.g. 777) leads to the same behavior.
Do you have any idea what I'm doing wrong or is there a plan on the roadmap for a container that is "runAsNonRoot" compatible?
We can adjust our container to run as non-root. I need to verify the user that argocd-repo-server runs as, but for now I'll change it to user id 999, and the actual fix you need is to do a cp rather than an mv.
Didn't mean to close this. Can you try :latest once the latest build has run? It should just work for you.
I'll assume this is fixed for you.
Hey @Joibel
Shame on me, sorry I forgot to answer you! Yes the issue is fixed for me. Thank you again for the quick implementation.
Great, thanks!
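Added example, not part of the thread or the project's code: a small model of the POSIX permission checks behind the "Permission denied" above, showing why chown and chmod 777 on the file do not help and why cp works for a non-root user. The `Node` type and function names are hypothetical, and `/` is assumed to be root-owned with mode 0755, since the listing in the thread does not show the mode of `/` itself.

```python
import stat
from typing import NamedTuple

class Node(NamedTuple):
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o755

def _allowed(uid, gids, node, want):
    """Pick exactly one class (owner, else group, else other) and test its bits.
    The uid 0 bypass is not modeled; the point here is the non-root case."""
    if uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def can_read(uid, gids, f):
    """cp only needs read permission (4) on the source file."""
    return _allowed(uid, gids, f, 4)

def can_unlink(uid, gids, parent, f):
    """rm, and mv when it removes its source, edit the parent directory entry:
    they need write+search (2|1) on the directory. The file's mode is irrelevant."""
    if not _allowed(uid, gids, parent, 3):
        return False
    if parent.mode & stat.S_ISVTX:  # sticky directory such as /tmp
        return uid in (f.uid, parent.uid)
    return True

# Constructed from the thread: plugin binary after chown 1000:1000, mode 0755.
PLUGIN = Node(uid=1000, gid=1000, mode=0o755)
ROOT_DIR = Node(uid=0, gid=0, mode=0o755)   # assumption: typical mode of "/"
TMP_DIR = Node(uid=0, gid=0, mode=0o1777)   # drwxrwxrwt, as in the ls output

if __name__ == "__main__":
    app = (1000, {1000})
    print("rm as uid 1000:", can_unlink(*app, ROOT_DIR, PLUGIN))
    print("rm after chmod 777:", can_unlink(*app, ROOT_DIR, PLUGIN._replace(mode=0o777)))
    print("cp as uid 1000:", can_read(*app, PLUGIN))
    print("cp as uid 999 from a root-owned 0755 file:",
          can_read(999, {999}, Node(0, 0, 0o755)))
```

The same check explains the original init container error: when mv cannot rename across filesystems it copies the file and then removes the source, and that removal needs write access to the source's directory.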