How to run Bitbucket Pipeline as non-root user

I need to run my build as a non-root user.

 

This shows how to do it, but it would be better if there was a simple configuration step I could use. Is there?

 https://reformatcode.com/code/nodejs/is-there-an-easy-way-to-change-to-a-non-root-user-in-bitbucket-pipelines-docker-container

2 answers

0 votes

You can override the default user of your build container using the `run-as-user` parameter in your image configuration.

More details on this page: Use Docker images as build environments.

Using `run-as-user` did not work for me either. This is how I did it using gosu,

 

$ cat bitbucket-pipelines.yml

    # https://confluence.atlassian.com/bitbucket/bitbucket-pipelines-beta-792496469.html
    # You can use any Docker image from Docker Hub or your own container registry
    image: maven:3.3.3

    clone:
      depth: 50 # Need to clone more than 1 to allow builds to be rerun without requiring a rebase

    pipelines:
      default:
        - step:
            size: 2x
            caches:
              - maven
            script: # Modify the commands below to build and test your repository.
              - ./bitbucket-pipelines-gosu.sh
              - id -u build &>/dev/null || useradd --user-group --create-home --shell /bin/false build
              - gosu build mvn --version
              - gosu build mvn -B clean install

$ cat bitbucket-pipelines-gosu.sh

    #!/usr/bin/env bash
    # https://github.com/tianon/gosu/issues/16
    #add-apt-repository ppa:tianon/gosu
    apt-get update
    apt-get install -y --no-install-recommends gosu

So effectively the default user in your image still is root I guess and the user is created in script runtime. This won't work as my image has a different default user. I wonder what the application specifications say for the bitbucket pipeline service in this scenario. Is there a requirement to run an image as root? So to share the root user resource between the host system and the pipeline?

Samuel Tannous Atlassian Team Tuesday

Hi Janek,

Your docker image (in this case maven:3.3.3) has a default run-as-user directive (probably root) that is defined when the image was created and determines what user the build container is run as.

If you wish to run the build container as a different user you can do 2 things:

  1. Change the default run-as-user directive when creating the Docker image, i.e. the USER instruction in the Dockerfile (see https://docs.docker.com/engine/reference/builder/#user)
  2. Add the "run-as-user" attribute to your pipelines.yml file to instruct Pipelines to start the build container as a different user to the default.
    image:
      name: maven:3.3.3
      run-as-user: 1000

    Note that when you do this the alternate user (in this example a user with id 1000) must already exist in the image (maven:3.3.3). This requires creating the user (with a home directory) when the Docker image was created. If you don't own the Docker image you may create your own image based on the desired image (in which case you can also opt for option #1 as described above).

This feature simply allows you to instruct Pipelines to start the build container as a different user when more than 1 user exists in the image and the one you want to run as is not the default.

Hi @Samuel Tannous, when my Docker image has the USER directive (and non-root), the build is marked as failed within the build init step (before any pipeline step script command itself is actually run). Any idea?
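
A preflight check for the requirement stated in the answer above, that the `run-as-user` UID must already exist in the image with a home directory. This is an added example, not code from the thread or from Atlassian; the function names, the sample passwd entries and the treatment of `/` and `/nonexistent` as unusable homes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for a `run-as-user` UID.
# Feed it the image's passwd file, e.g. captured with:
#   docker run --rm --entrypoint cat maven:3.3.3 /etc/passwd > image-passwd.txt

# Print "name:home" for the entry in passwd file $1 whose UID equals $2.
lookup_uid() {
    awk -F: -v uid="$2" '$3 == uid { print $1 ":" $6; found = 1; exit }
                         END { exit !found }' "$1"
}

# Exit status 0 only if UID $2 exists in $1, is not root and has a home.
# Assumption: run-as-user is a numeric UID, as in the page's example.
check_run_as_user() {
    case $2 in
        ''|*[!0-9]*) echo "FAIL: expected a numeric UID, got '$2'"; return 2 ;;
    esac
    if [ "$2" -eq 0 ]; then
        echo "FAIL: UID 0 is root"; return 1
    fi
    if ! entry=$(lookup_uid "$1" "$2"); then
        echo "FAIL: UID $2 not in image; create the user when building the image"
        return 1
    fi
    name=${entry%%:*} home=${entry#*:}
    case $home in
        ''|/|/nonexistent)   # heuristic: placeholder homes used for system accounts
            echo "FAIL: user '$name' has no usable home directory"; return 1 ;;
    esac
    echo "OK: UID $2 is '$name', home $home"
}

# Constructed sample: passwd entries of a hypothetical image (not maven:3.3.3's).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
build:x:1000:1000::/home/build:/bin/false
EOF
}

# Demo run over the sample; `|| true` keeps going after an expected failure.
demo_file=$(mktemp)
sample_passwd > "$demo_file"
for uid in 0 1000 1001 65534; do
    check_run_as_user "$demo_file" "$uid" || true
done
rm -f "$demo_file"
```

The passwd file only records the home path, so confirming that the directory actually exists still needs a look inside the image.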
