
Run Docker In Rootless Mode On Linux in GitHub Action

Open Kurt-von-Laven opened this issue 3 years ago • 15 comments

Is your feature request related to a problem? Please describe.

In all GitHub-hosted runners, Docker is installed in rootful mode, so the report directory Mega-Linter creates ends up owned by root.

GitHub-hosted (and many self-hosted) runners use rootful Docker, but the runner itself does not run as root. As described in actions/runner#434, files created by Docker containers are hence owned by root, resulting in permission errors when the runner attempts to clean up checked out repositories. ~ ScribeMD/rootless-docker

Describe the solution you'd like

On Linux, Docker can be configured to use rootless mode. We can use the rootless-docker GitHub Action if Docker isn't already in rootless mode:

This action efficiently prevents those permission errors by running Docker in rootless mode so that all files are owned by the runner user. This approach has many benefits as it is:

  • safer than elevating the runner to root
  • less brittle than changing the ownership/permissions of or deleting files
  • simpler than other ways of running rootless Docker
  • and fast (~15 seconds on GitHub-hosted runner ubuntu-20.04)

~ ScribeMD/rootless-docker

We should also document that users can configure Docker to use rootless mode locally.

Describe alternatives you've considered

A clear and concise description of any alternative solutions or features you've considered.

Additional context

Disclosure: I am the author of the rootless-docker GitHub Action, so I am quoting myself above. Discussion moved from #802.

Kurt-von-Laven avatar Nov 07 '21 19:11 Kurt-von-Laven
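As an added example (not code from this issue, from MegaLinter or from the rootless-docker action), the two checks a practitioner would want in a job before and after switching the daemon: whether the Docker daemon the job talks to is rootless, and whether anything under the workspace is owned by a user other than the runner user. The second condition is the root cause of the cleanup errors quoted above; it is also the condition under which git 2.35.2 and later refuse to operate on a repository ("dubious ownership") unless the directory is added with safe.directory. The function and variable names are my own; the `docker info` format string and the `DOCKER_HOST` socket path are standard Docker.

```shell
#!/bin/sh
# Added example: checks for rootless Docker and for root-owned workspace files.
# Function names (docker_opts_are_rootless, docker_is_rootless,
# foreign_owned_files, rootless_docker_host) are assumptions of this example.

# Parse the SecurityOptions value that `docker info` prints, e.g.
#   [name=seccomp,profile=builtin name=rootless name=cgroupns]
# and succeed only when the daemon advertises rootless mode. The string is
# taken as $1 so the logic can be exercised offline with constructed input.
docker_opts_are_rootless() {
  case " $1 " in
    *"name=rootless"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Ask the live daemon (requires docker on PATH and a reachable daemon).
docker_is_rootless() {
  docker_opts_are_rootless "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)"
}

# List files under $1 not owned by the current uid and return 1 if any exist.
# With a rootful daemon these are the files a container wrote as root; with a
# rootless daemon the list is empty because every container write maps to the
# runner user.
foreign_owned_files() {
  dir=$1
  found=$(find "$dir" ! -user "$(id -u)" 2>/dev/null)
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# The socket a rootless daemon listens on for the current user; export this as
# DOCKER_HOST after `dockerd-rootless-setuptool.sh install` on a workstation.
# $XDG_RUNTIME_DIR is normally /run/user/<uid>; the fallback here is an
# assumption for systems without a session manager.
rootless_docker_host() {
  printf 'unix://%s/docker.sock\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
}

# Typical use in a CI step after the workspace has been linted:
#   docker_is_rootless || echo "WARNING: rootful Docker; files may end up root-owned"
#   foreign_owned_files "$GITHUB_WORKSPACE" || echo "root-owned files found above"
```

In a workflow, a step that runs the rootless-docker action ahead of the MegaLinter step switches the daemon; `docker_is_rootless` run afterwards confirms the switch took effect, and `foreign_owned_files "$GITHUB_WORKSPACE"` at the end of the job confirms nothing was left behind that the runner cannot delete.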

I already tried to build MegaLinter without the root user... and I failed, but if you find a way, that would be nice :)

nvuillam avatar Nov 07 '21 20:11 nvuillam

I haven't considered build-time, but at least for using Mega-Linter, I already run it without root on Linux both locally and in CI. Do we run rootful Docker in order to build Mega-Linter as well?

Kurt-von-Laven avatar Nov 07 '21 21:11 Kurt-von-Laven

The Dockerfile is full of references to the root folder, so I think the default user is root, yes.

https://github.com/megalinter/megalinter/blob/2dac18c05aee04d0d2282f52fb724648e61fca64/Dockerfile#L247

nvuillam avatar Nov 07 '21 22:11 nvuillam

Good point; starting to think there are two separate issues here. I suspect that building without the root user only impacts those of us who build locally as opposed to those who consume the Docker image. Does that seem plausible? Otherwise, I would expect to have run into some issue using rootless Docker as a consumer of Mega-Linter by now.

Kurt-von-Laven avatar Nov 08 '21 04:11 Kurt-von-Laven

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

github-actions[bot] avatar Dec 09 '21 00:12 github-actions[bot]


@nvuillam, I wonder if this would help with the CI failures you mentioned if git config --global --add safe.directory "$GITHUB_WORKSPACE" alone is not sufficient? I can give it a try if you like.

Kurt-von-Laven avatar Apr 15 '22 22:04 Kurt-von-Laven

@Kurt-von-Laven I have been struggling since yesterday with the new git patch... if you find a solution, you're my hero :)

nvuillam avatar Apr 15 '22 23:04 nvuillam

I will finally have some time to look at this in a few days. Happy to take it over if we can afford to wait.

Kurt-von-Laven avatar Apr 18 '22 05:04 Kurt-von-Laven


@Kurt-von-Laven Also relevant is how to run MegaLinter with another container engine, like Podman.

sanmai-NL avatar Jun 02 '23 13:06 sanmai-NL