
Run Docker container as current user

Open Kurt-von-Laven opened this issue 3 years ago • 17 comments

Fixes #1975.

Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.

Proposed Changes

  1. Instruct the MegaLinter Docker container to inherit the UID and GID of the mega-linter-runner process.

Readiness Checklist

Author/Contributor

  • [x] Add entry to the CHANGELOG listing the change and linking to the corresponding issue (if appropriate)
  • [x] If documentation is needed for this change, has that been included in this pull request

Reviewing Maintainer

  • [x] Label as breaking if this is a large fundamental change
  • [x] Label as either automation, bug, documentation, enhancement, infrastructure, or performance

Kurt-von-Laven avatar Oct 20 '22 07:10 Kurt-von-Laven
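The change the PR describes, inheriting the UID and GID of the Node.js process via process.getuid and process.getgid and passing them to the container, comes down to a few lines of argument construction. The block below is an added illustration, not mega-linter-runner's own code: the `dockerUserArgs` and `buildDockerRunArgs` helpers, the image name, the `/tmp/lint` mount point and the `rootOwnedFiles` cleanup check are all assumptions made for this example. It also shows the non-POSIX branch the description mentions (no `--user` flag when getuid/getgid do not exist) and a small helper for finding files an earlier root run left behind.

```javascript
// Added example (not mega-linter-runner's own code): build the `--user`
// arguments for `docker run` from the UID/GID of the current Node.js process,
// so files written into the bind-mounted workspace keep the invoking user's
// ownership instead of becoming root-owned.
//
// `proc` defaults to the real `process`; callers may pass a constructed
// stand-in (used in tests) to exercise each platform branch anywhere.
function dockerUserArgs(proc = process) {
  // process.getuid/getgid exist only on POSIX platforms. On Windows they are
  // undefined, so we emit nothing and the container runs as the image's
  // default user, which matches the "POSIX only" scope of the change.
  if (typeof proc.getuid !== "function" || typeof proc.getgid !== "function") {
    return [];
  }
  return ["--user", `${proc.getuid()}:${proc.getgid()}`];
}

// Assemble a full `docker run` argv for a linter image. The image name,
// workspace path and the `/tmp/lint` mount point are placeholders chosen for
// this example (assumptions, not values taken from the project).
function buildDockerRunArgs({ image, workspace, proc = process }) {
  return [
    "run",
    "--rm",
    ...dockerUserArgs(proc),
    "-v",
    `${workspace}:/tmp/lint:rw`,
    image,
  ];
}

// Remediation helper for the situation the PR description mentions: given
// (path, uid) pairs gathered from the workspace (e.g. via fs.statSync), list
// the files a previous root-running container left owned by uid 0 so the
// user knows what to chown back. A root user has nothing to fix.
function rootOwnedFiles(entries, currentUid) {
  if (currentUid === 0) {
    return [];
  }
  return entries.filter(({ uid }) => uid === 0).map(({ path }) => path);
}

// Stand-alone demonstration with the real process: on Linux/macOS the output
// contains "--user", "<uid>:<gid>"; on Windows the flag is simply absent.
console.log(
  buildDockerRunArgs({
    image: "example/linter-image:TAG", // placeholder image, constructed
    workspace: process.cwd(),
  }).join(" ")
);
```

One caveat when switching a container away from root: the uid:gid handed in must be able to write to every path the image touches (the mounted workspace and report directory, plus any caches the tools keep under `$HOME`), so mount permissions and in-image paths need checking alongside the `--user` flag.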

🦙 MegaLinter status: ⚠️ WARNING

| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ BASH | bash-exec | 6 | | 0 | 0.01s |
| ✅ BASH | shellcheck | 6 | | 0 | 0.15s |
| ✅ BASH | shfmt | 6 | 0 | 0 | 0.3s |
| ✅ COPYPASTE | jscpd | yes | | no | 2.48s |
| ✅ DOCKERFILE | hadolint | 116 | | 0 | 14.84s |
| ✅ JSON | eslint-plugin-jsonc | 21 | 0 | 0 | 2.09s |
| ✅ JSON | jsonlint | 19 | | 0 | 0.18s |
| ✅ JSON | v8r | 21 | | 0 | 13.23s |
| ⚠️ MARKDOWN | markdownlint | 312 | 0 | 230 | 6.56s |
| ✅ MARKDOWN | markdown-link-check | 312 | | 0 | 5.39s |
| ✅ MARKDOWN | markdown-table-formatter | 312 | 0 | 0 | 16.16s |
| ✅ OPENAPI | spectral | 1 | | 0 | 1.43s |
| ⚠️ PYTHON | bandit | 185 | | 54 | 2.02s |
| ✅ PYTHON | black | 185 | 0 | 0 | 4.75s |
| ✅ PYTHON | flake8 | 185 | | 0 | 2.92s |
| ✅ PYTHON | isort | 185 | 0 | 0 | 0.66s |
| ✅ PYTHON | mypy | 185 | | 0 | 6.59s |
| ✅ PYTHON | pylint | 185 | | 0 | 10.69s |
| ⚠️ PYTHON | pyright | 185 | | 251 | 15.72s |
| ✅ PYTHON | ruff | 185 | 0 | 0 | 0.36s |
| ✅ REPOSITORY | checkov | yes | | no | 29.94s |
| ✅ REPOSITORY | git_diff | yes | | no | 0.3s |
| ✅ REPOSITORY | secretlint | yes | | no | 11.95s |
| ✅ REPOSITORY | trivy | yes | | no | 27.5s |
| ✅ SPELL | cspell | 753 | | 0 | 19.3s |
| ✅ SPELL | misspell | 572 | 0 | 0 | 0.69s |
| ✅ XML | xmllint | 3 | 0 | 0 | 0.32s |
| ✅ YAML | prettier | 81 | 0 | 0 | 2.79s |
| ✅ YAML | v8r | 23 | | 0 | 60.19s |
| ✅ YAML | yamllint | 82 | | 0 | 1.09s |

See detailed report in MegaLinter reports

MegaLinter is graciously provided by OX Security

nvuillam avatar Oct 20 '22 07:10 nvuillam

.... but CI seems to disagree ^^

nvuillam avatar Oct 20 '22 08:10 nvuillam

What sources of persistence between jobs are there (e.g., caching, artifacts, the Docker images themselves)? My instinct is that some files may still be owned by root that should never have been because of the bug this change seeks to fix.

Kurt-von-Laven avatar Oct 20 '22 17:10 Kurt-von-Laven

Codecov Report

Merging #1985 (f5ea7e2) into main (fb2fe2e) will increase coverage by 0.02%. The diff coverage is n/a.


@@            Coverage Diff             @@
##             main    #1985      +/-   ##
==========================================
+ Coverage   83.00%   83.03%   +0.02%     
==========================================
  Files         171      171              
  Lines        4514     4514              
==========================================
+ Hits         3747     3748       +1     
+ Misses        767      766       -1     
| Impacted Files | Coverage Δ | |
|---|---|---|
| megalinter/reporters/AzureCommentReporter.py | 42.10% <ø> | (ø) |
| megalinter/reporters/UpdatedSourcesReporter.py | 89.74% <0.00%> | (+2.56%) ⬆️ |


codecov-commenter avatar Oct 22 '22 17:10 codecov-commenter

🦙 MegaLinter status: ⚠️ WARNING

| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ BASH | bash-exec | 6 | | 0 | 0.01s |
| ✅ BASH | shellcheck | 6 | | 0 | 0.14s |
| ✅ BASH | shfmt | 6 | 0 | 0 | 0.04s |
| ✅ COPYPASTE | jscpd | yes | | no | 2.65s |
| ✅ DOCKERFILE | hadolint | 116 | | 0 | 16.7s |
| ✅ JSON | eslint-plugin-jsonc | 21 | 0 | 0 | 1.8s |
| ✅ JSON | jsonlint | 19 | | 0 | 0.18s |
| ✅ JSON | npm-package-json-lint | yes | | no | 0.64s |
| ✅ JSON | v8r | 21 | | 0 | 13.94s |
| ⚠️ MARKDOWN | markdownlint | 312 | 2 | 230 | 6.22s |
| ✅ MARKDOWN | markdown-link-check | 312 | | 0 | 5.23s |
| ✅ MARKDOWN | markdown-table-formatter | 312 | 2 | 0 | 16.68s |
| ✅ OPENAPI | spectral | 1 | | 0 | 1.48s |
| ⚠️ PYTHON | bandit | 185 | | 54 | 2.18s |
| ✅ PYTHON | black | 185 | 0 | 0 | 4.06s |
| ✅ PYTHON | flake8 | 185 | | 0 | 1.96s |
| ✅ PYTHON | isort | 185 | 0 | 0 | 0.45s |
| ✅ PYTHON | mypy | 185 | | 0 | 7.36s |
| ✅ PYTHON | pylint | 185 | | 0 | 11.39s |
| ⚠️ PYTHON | pyright | 185 | | 251 | 16.34s |
| ✅ PYTHON | ruff | 185 | 0 | 0 | 0.15s |
| ✅ REPOSITORY | checkov | yes | | no | 32.43s |
| ⚠️ REPOSITORY | devskim | yes | | 61 | 1.26s |
| ✅ REPOSITORY | dustilock | yes | | no | 2.08s |
| ✅ REPOSITORY | git_diff | yes | | no | 0.07s |
| ✅ REPOSITORY | secretlint | yes | | no | 7.64s |
| ✅ REPOSITORY | syft | yes | | no | 0.87s |
| ✅ REPOSITORY | trivy | yes | | no | 23.6s |
| ✅ SPELL | cspell | 753 | | 0 | 19.04s |
| ✅ SPELL | misspell | 572 | 2 | 0 | 0.52s |
| ✅ XML | xmllint | 3 | 0 | 0 | 0.03s |
| ✅ YAML | prettier | 81 | 0 | 0 | 2.72s |
| ✅ YAML | v8r | 23 | | 0 | 65.29s |
| ✅ YAML | yamllint | 82 | | 0 | 1.33s |

See detailed report in MegaLinter reports

You could have same capabilities but better runtime performances if you request a new MegaLinter flavor.

MegaLinter is graciously provided by OX Security

nvuillam avatar Oct 22 '22 17:10 nvuillam

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this pull request should stay open, please remove the O: stale 🤖 label or comment on the pull request.

github-actions[bot] avatar Nov 22 '22 01:11 github-actions[bot]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this pull request should stay open, please remove the O: stale 🤖 label or comment on the pull request.

github-actions[bot] avatar Dec 26 '22 00:12 github-actions[bot]

/build

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

Kurt-von-Laven avatar Apr 03 '23 04:04 Kurt-von-Laven

/build

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed without updating files.

Kurt-von-Laven avatar Apr 04 '23 22:04 Kurt-von-Laven

/build ref=docker-user

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

echoix avatar Apr 04 '23 22:04 echoix

/build ref=docker-user

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

Kurt-von-Laven avatar Apr 07 '23 20:04 Kurt-von-Laven

/build ref=docker-user

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

Kurt-von-Laven avatar Apr 07 '23 23:04 Kurt-von-Laven

Would love to see this merged as there seems to be no way to run megalinter without it trashing the current file permissions.

stevenh avatar Oct 21 '23 14:10 stevenh

I was never able to figure out why the tests were failing, but would love to get this wrapped up if anybody understands what is going on. We use rootless-docker both for improved security and to avoid modifying file ownership.

Kurt-von-Laven avatar Oct 21 '23 19:10 Kurt-von-Laven

Any news on this?

reixd avatar Jan 30 '24 09:01 reixd

If @Kurt-von-Laven (or any motivated contributor like you ?) finds some available time, it could move again :)

On my side, my docker level is not advanced enough to handle the task :/

nvuillam avatar Feb 07 '24 21:02 nvuillam