Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run Docker container as current user #1985

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Run Docker container as current user #1985

wants to merge 2 commits into from

Conversation

Kurt-von-Laven
Copy link
Collaborator

Fixes #1975.

Previously, mega-linter-runner ran the MegaLinter Docker image as root. Users whose files became owned by root as a consequence of this behavior will need to chown them to be owned by the appropriate user. This change only affects POSIX platforms, because process.getuid and process.getgid are only available there.

Proposed Changes

  1. Instruct the MegaLinter Docker container to inherit the UID and GID of the mega-linter-runner process.

Readiness Checklist

Author/Contributor

  • Add entry to the CHANGELOG listing the change and linking to the corresponding issue (if appropriate)
  • If documentation is needed for this change, has that been included in this pull request

Reviewing Maintainer

  • Label as breaking if this is a large fundamental change
  • Label as either automation, bug, documentation, enhancement, infrastructure, or performance

@Kurt-von-Laven Kurt-von-Laven added the bug Something isn't working label Oct 20, 2022
@Kurt-von-Laven Kurt-von-Laven self-assigned this Oct 20, 2022
@Kurt-von-Laven Kurt-von-Laven changed the title Run Docker container as current user (#1975) Run Docker container as current user Oct 20, 2022
@nvuillam
Copy link
Member

nvuillam commented Oct 20, 2022
edited
Loading

🦙 MegaLinter status: ⚠️ WARNING

Descriptor Linter Files Fixed Errors Elapsed time
✅ BASH bash-exec 6 0 0.01s
✅ BASH shellcheck 6 0 0.15s
✅ BASH shfmt 6 0 0 0.3s
✅ COPYPASTE jscpd yes no 2.48s
✅ DOCKERFILE hadolint 116 0 14.84s
✅ JSON eslint-plugin-jsonc 21 0 0 2.09s
✅ JSON jsonlint 19 0 0.18s
✅ JSON v8r 21 0 13.23s
⚠️ MARKDOWN markdownlint 312 0 230 6.56s
✅ MARKDOWN markdown-link-check 312 0 5.39s
✅ MARKDOWN markdown-table-formatter 312 0 0 16.16s
✅ OPENAPI spectral 1 0 1.43s
⚠️ PYTHON bandit 185 54 2.02s
✅ PYTHON black 185 0 0 4.75s
✅ PYTHON flake8 185 0 2.92s
✅ PYTHON isort 185 0 0 0.66s
✅ PYTHON mypy 185 0 6.59s
✅ PYTHON pylint 185 0 10.69s
⚠️ PYTHON pyright 185 251 15.72s
✅ PYTHON ruff 185 0 0 0.36s
✅ REPOSITORY checkov yes no 29.94s
✅ REPOSITORY git_diff yes no 0.3s
✅ REPOSITORY secretlint yes no 11.95s
✅ REPOSITORY trivy yes no 27.5s
✅ SPELL cspell 753 0 19.3s
✅ SPELL misspell 572 0 0 0.69s
✅ XML xmllint 3 0 0 0.32s
✅ YAML prettier 81 0 0 2.79s
✅ YAML v8r 23 0 60.19s
✅ YAML yamllint 82 0 1.09s

See detailed report in MegaLinter reports

MegaLinter is graciously provided by OX Security

nvuillam
nvuillam approved these changes Oct 20, 2022
View reviewed changes
Copy link
Member

@nvuillam nvuillam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm no docker expert but you seem to know what you are doing :)

@nvuillam
Copy link
Member

.... but CI seems to disagree ^^

@Kurt-von-Laven
Copy link
Collaborator Author

What sources of persistence between jobs are there (e.g., caching, artifacts, the Docker images themselves)? My instinct is that some files may still be owned by root that should never have been because of the bug this change seeks to fix.

@codecov-commenter
Copy link

codecov-commenter commented Oct 22, 2022
edited
Loading

Codecov Report

Merging #1985 (f5ea7e2) into main (fb2fe2e) will increase coverage by 0.02%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##             main    #1985      +/-   ##
==========================================
+ Coverage   83.00%   83.03%   +0.02%     
==========================================
  Files         171      171              
  Lines        4514     4514              
==========================================
+ Hits         3747     3748       +1     
+ Misses        767      766       -1
Impacted Files Coverage Δ
megalinter/reporters/AzureCommentReporter.py 42.10% <ø> (ø)
megalinter/reporters/UpdatedSourcesReporter.py 89.74% <0.00%> (+2.56%) ⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@nvuillam
Copy link
Member

nvuillam commented Oct 22, 2022
edited
Loading

🦙 MegaLinter status: ⚠️ WARNING

Descriptor Linter Files Fixed Errors Elapsed time
✅ BASH bash-exec 6 0 0.01s
✅ BASH shellcheck 6 0 0.14s
✅ BASH shfmt 6 0 0 0.04s
✅ COPYPASTE jscpd yes no 2.65s
✅ DOCKERFILE hadolint 116 0 16.7s
✅ JSON eslint-plugin-jsonc 21 0 0 1.8s
✅ JSON jsonlint 19 0 0.18s
✅ JSON npm-package-json-lint yes no 0.64s
✅ JSON v8r 21 0 13.94s
⚠️ MARKDOWN markdownlint 312 2 230 6.22s
✅ MARKDOWN markdown-link-check 312 0 5.23s
✅ MARKDOWN markdown-table-formatter 312 2 0 16.68s
✅ OPENAPI spectral 1 0 1.48s
⚠️ PYTHON bandit 185 54 2.18s
✅ PYTHON black 185 0 0 4.06s
✅ PYTHON flake8 185 0 1.96s
✅ PYTHON isort 185 0 0 0.45s
✅ PYTHON mypy 185 0 7.36s
✅ PYTHON pylint 185 0 11.39s
⚠️ PYTHON pyright 185 251 16.34s
✅ PYTHON ruff 185 0 0 0.15s
✅ REPOSITORY checkov yes no 32.43s
⚠️ REPOSITORY devskim yes 61 1.26s
✅ REPOSITORY dustilock yes no 2.08s
✅ REPOSITORY git_diff yes no 0.07s
✅ REPOSITORY secretlint yes no 7.64s
✅ REPOSITORY syft yes no 0.87s
✅ REPOSITORY trivy yes no 23.6s
✅ SPELL cspell 753 0 19.04s
✅ SPELL misspell 572 2 0 0.52s
✅ XML xmllint 3 0 0 0.03s
✅ YAML prettier 81 0 0 2.72s
✅ YAML v8r 23 0 65.29s
✅ YAML yamllint 82 0 1.33s

See detailed report in MegaLinter reports

You could have same capabilities but better runtime performances if you request a new MegaLinter flavor.

MegaLinter is graciously provided by OX Security

@github-actions
Copy link
Contributor

This pull request has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs.
Thank you for your contributions.

If you think this pull request should stay open, please remove the O: stale 🤖 label or comment on the pull request.

@github-actions github-actions bot added the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Nov 22, 2022
@Kurt-von-Laven Kurt-von-Laven removed the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Nov 25, 2022
@Kurt-von-Laven Kurt-von-Laven mentioned this pull request Nov 25, 2022
Closed
@github-actions
Copy link
Contributor

This pull request has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs.
Thank you for your contributions.

If you think this pull request should stay open, please remove the O: stale 🤖 label or comment on the pull request.

@github-actions github-actions bot added the O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity label Dec 26, 2022
@Kurt-von-Laven Kurt-von-Laven added nostale This issue or pull request is not stale, keep it open and removed O: stale 🤖 This issue or pull request is stale, it will be closed if there is no activity labels Dec 27, 2022
@Kurt-von-Laven Kurt-von-Laven mentioned this pull request Jan 10, 2023
Open
@nvuillam nvuillam mentioned this pull request Jan 11, 2023
Closed
@Kurt-von-Laven Kurt-von-Laven force-pushed the docker-user branch 2 times, most recently from 50c5d58 to f5ea7e2 Compare January 31, 2023 07:16
@Kurt-von-Laven Kurt-von-Laven force-pushed the docker-user branch 3 times, most recently from 3fbfe10 to c31b5a2 Compare February 19, 2023 09:18
@Kurt-von-Laven
Copy link
Collaborator Author

Kurt-von-Laven commented Apr 3, 2023
edited by github-actions bot
Loading

/build

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

@Kurt-von-Laven Kurt-von-Laven force-pushed the docker-user branch 4 times, most recently from 41a56a8 to e41d895 Compare April 4, 2023 21:04
@Kurt-von-Laven
Copy link
Collaborator Author

Kurt-von-Laven commented Apr 4, 2023
edited by github-actions bot
Loading

/build

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed without updating files.

@echoix
Copy link
Collaborator

echoix commented Apr 4, 2023
edited by github-actions bot
Loading

/build ref=docker-user

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

@Kurt-von-Laven
Copy link
Collaborator Author

Kurt-von-Laven commented Apr 7, 2023
edited by github-actions bot
Loading

/build ref=docker-user

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

@Kurt-von-Laven
Copy link
Collaborator Author

Kurt-von-Laven commented Apr 7, 2023
edited by github-actions bot
Loading

/build ref=docker-user

Command run output
Build command workflow started.
Installing dependencies
Running script ./build.sh
Build command workflow completed updating files.

@Kurt-von-Laven Kurt-von-Laven force-pushed the docker-user branch 2 times, most recently from be505f1 to 8599f5c Compare April 9, 2023 07:54
@Kurt-von-Laven
Run Docker container as user 1000 (#1975)
05d9d00 
Previously, mega-linter-runner ran the MegaLinter Docker image as root.
In the Docker image, chown the /megalinter, /megalinter-descriptors, and
/action/lib/.automation directories to be owned by user and group 1000.
Users whose files became owned by root as a consequence of having run a
previous version of MegaLinter will need to chown them to be owned by
user 1000 when upgrading MegaLinter.
@Kurt-von-Laven
Do NOT merge.
5a89f3a 
Isolate test suites and increase log level for debugging.
@Kurt-von-Laven Kurt-von-Laven mentioned this pull request Apr 10, 2023
Draft
@nvuillam nvuillam mentioned this pull request Apr 24, 2023
Closed
@stevenh
Copy link

stevenh commented Oct 21, 2023

Would love to see this merged as there seems to be no way to run megalinter without it trashing the current file permissions.

@Kurt-von-Laven
Copy link
Collaborator Author

I was never able to figure out why the tests where failing, but would love to get this wrapped up if anybody understands what is going on. We use rootless-docker both for improved security and to avoid modifying file ownership.

@reixd
Copy link

reixd commented Jan 30, 2024

Any news on this?

@nvuillam
Copy link
Member

nvuillam commented Feb 7, 2024

If @Kurt-von-Laven (or any motivated contributor like you ?) finds some available time, it could move again :)

On my side, my docker level is not advanced enough to handle the task :/

@sanmai-NL
Copy link
Contributor

It's less relevant nowadays: https://docs.docker.com/engine/security/userns-remap/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nvuillam nvuillam nvuillam approved these changes

Assignees

@Kurt-von-Laven Kurt-von-Laven

Labels
bug Something isn't working nostale This issue or pull request is not stale, keep it open
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

MegaLinter applying fixes sets root:root as the file owner
7 participants
@Kurt-von-Laven @nvuillam @codecov-commenter @echoix @stevenh @reixd @sanmai-NL