I don't want to use root, for safety, so I did as VSCode suggests, here's my Dockerfile:
FROM ubuntu:focal
# non root user (https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user)
ARG USERNAME=dev
ARG USER_UID=1000
ARG USER_GID=$USER_UID
# Create the user
RUN groupadd --gid $USER_GID $USERNAME \
&& useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
&& apt-get update \
&& apt-get install -y sudo \
&& echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
&& chmod 0440 /etc/sudoers.d/$USERNAME
USER $USERNAME
I pass the current directory in GitHub workflows:
docker run -u dev -v $PWD:/home/dev/project project /bin/bash -c "./my_script.sh"
but my_script.sh fails to create a directory with permission problems. I also tried docker run -u $USER ... but it does not find the user runner inside the container.
One option is to run with root: docker run -u root ..., but is there a better way? I tried passing docker run -u dev ... but I get Permission Denied also.
CodePudding user response:
&& echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
&& chmod 0440 /etc/sudoers.d/$USERNAME
Those two lines defeat the entire reason for not running your container as root. It's a passwordless escalation to root making the user effectively the same as having full root access.
docker run -u dev -v $PWD:/home/dev/project project /bin/bash -c "./my_script.sh"
but my_script.sh fails to create a directory with permission problems.
Host volumes are mounted with the same uid/gid (unless using user namespaces). So you need the uid/gid of the user inside the container to match the host directory uid/gid permissions.
I also tried docker run -u $USER ... but it does not find the user runner inside the container.
If you specify a username, it looks for that username inside the container's /etc/passwd. You can instead specify the uid/gid like:
docker run -u "$(id -u):$(id -g)" ...
Make sure the directory already exists in the host (which will be the case for $PWD) and that the user has access to write to that directory (which it should if you haven't done anything unusual in GHA).
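The following is an added example, not code from the question or the answer: a small preflight script that puts the answer's advice into practice. It passes the host user's numeric uid:gid (so no username lookup in the container's /etc/passwd is needed), checks that the bind-mount source exists and is writable by that uid before the container starts, and prints the resulting docker run command instead of executing it so it can be run without a Docker daemon. The image name "project" and the script name my_script.sh are taken from the question; everything else (function names, the printed-not-executed design) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a `docker run` invocation
# that runs the container as the host user's numeric uid:gid, so files written
# into the bind-mounted directory get host-compatible ownership and no sudo
# rule is needed inside the image.
set -eu

# Emit "UID:GID" for the current host user. Numeric ids are used because the
# container's /etc/passwd will not contain the host username (e.g. "runner").
host_user_arg() {
    printf '%s:%s' "$(id -u)" "$(id -g)"
}

# Preflight: the bind-mount source must exist and be writable by this uid,
# otherwise the process inside the container hits the same permission error.
check_mount_source() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    [ -w "$dir" ] || { echo "not writable by uid $(id -u): $dir" >&2; return 1; }
    return 0
}

# Print the command line that would be executed. Printing rather than running
# keeps the example usable where no Docker daemon is available.
# Arguments: <host source dir> <image name> <script inside the mount>
build_docker_cmd() {
    src=$1
    image=$2
    script=$3
    check_mount_source "$src"
    printf 'docker run -u %s -v %s:/home/dev/project %s /bin/bash -c "./%s"\n' \
        "$(host_user_arg)" "$src" "$image" "$script"
}

# Example invocation mirroring the question's workflow step.
build_docker_cmd "$PWD" project my_script.sh
```

Because the uid comes from the host, the dev user baked into the image is bypassed entirely; that is fine for a CI job whose only requirement is that the mounted checkout stays writable, and it makes the NOPASSWD sudoers entry from the Dockerfile unnecessary.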