
How to run Bitbucket Pipeline as non-root user

Janek Bogucki November 30, 2017

I need to run my build as a non-root user.

 

This shows how to do it but it would be better if there was a simple configuration step I could. Is there?

 https://reformatcode.com/code/nodejs/is-there-an-easy-way-to-change-to-a-non-root-user-in-bitbucket-pipelines-docker-container

3 answers

1 vote
Matt Ryall
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 4, 2017

You can override the default user of your build container using the `run-as-user` parameter in your image configuration.

More details on this page: Use Docker images as build environments.

T. Klingenberg February 13, 2018
0 votes
Franko Ivašić June 11, 2019

It is an old topic but, please, avoid chmod 777 unless really necessary.
Don't make potential security holes on your server. 

When non-root, during deployment, one shall use only available permission against own application or docker which shall be non root.

0 votes
Janek Bogucki February 13, 2018

Using `run-as-user` did not work for me either. This is how I did it using gosu,

 

    $ cat bitbucket-pipelines.yml

    # https://confluence.atlassian.com/bitbucket/bitbucket-pipelines-beta-792496469.html
    # You can use any Docker image from Docker Hub or your own container registry
    image: maven:3.3.3

    clone:
      depth: 50 # Need to clone more than 1 to allow builds to be rerun without requiring a rebase

    pipelines:
      default:
        - step:
            size: 2x
            caches:
              - maven
            script: # Modify the commands below to build and test your repository.
              - ./bitbucket-pipelines-gosu.sh
              - id -u build &>/dev/null || useradd --user-group --create-home --shell /bin/false build
              - gosu build mvn --version
              - gosu build mvn -B clean install

    $ cat bitbucket-pipelines-gosu.sh

    #!/usr/bin/env bash
    # https://github.com/tianon/gosu/issues/16
    #add-apt-repository ppa:tianon/gosu
    apt-get update
    apt-get install -y --no-install-recommends gosu

T. Klingenberg February 13, 2018

So effectively the default user in your image still is root I guess and the user is created in script runtime. This won't work as my image has a different default user. I wonder what the application specifications say for the bitbucket pipeline service in this scenario. Is there a requirement to run an image as root? So to share the root user resource between the host system and the pipeline?

StannousBaratheon
Atlassian Team
February 13, 2018

Hi Janek,

Your docker image (in this case maven:3.3.3) has a default run-as-user directive (probably root) that is defined when the image was created and determines what user the build container is run as.

If you wish to run the build container as a different user you can do 2 things:

  1. Change the default run-as-user directive when creating the Docker image, i.e. the USER instruction in the Dockerfile (see https://docs.docker.com/engine/reference/builder/#user)
  2. Add the "run-as-user" attribute to your pipelines.yml file to instruct Pipelines to start the build container as a different user to the default.
    image:
      name: maven:3.3.3
      run-as-user: 1000

    Note that when you do this the alternate user (in this example a user with id 1000) must already exist in the image (maven:3.3.3). This requires creating the user (with a home directory) when the Docker image was created. If you don't own the Docker image you may create your own image based on the desired image (in which case you can also opt for option #1 as described above).

This feature simply allows you to instruct Pipelines to start the build container as a different user when more than 1 user exists in the image and the one you want to run as is not the default.
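
The precondition stated in the answer above (the `run-as-user` id must already exist in the image, with a home directory) can be checked with a short script before the id goes into the pipeline file. This is an added example, not part of the thread or of Atlassian's tooling; the function name, its arguments and its exit codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: checks the run-as-user precondition from the answer above.
# Function name, arguments and exit codes are assumptions of this example.

# check_run_as_user UID [PASSWD_FILE] [ROOT_PREFIX]
#   0  UID is a non-root account with an existing home directory
#   2  UID is not numeric      3  UID is 0 (root)
#   4  no passwd entry         5  home directory missing
# The body is a subshell "( )" so its variables stay local; "exit" leaves
# only that subshell and becomes the function's return status.
check_run_as_user() (
    uid=$1
    passwd=${2:-/etc/passwd}
    root=${3:-}

    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric: '$uid'" >&2; exit 2 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "uid 0 is root; pick an unprivileged account" >&2
        exit 3
    fi

    # passwd(5) fields: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v u="$uid" '$3 == u { print $1 ":" $6; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "no account with uid $uid in $passwd" >&2
        exit 4
    fi
    name=${entry%%:*}
    home=${entry#*:}

    if [ -z "$home" ] || [ ! -d "$root$home" ]; then
        echo "account '$name' (uid $uid) has no home directory" >&2
        exit 5
    fi
    echo "ok: run-as-user $uid maps to '$name' with home $home"
)

# Script entry point, e.g.: ./check-run-as-user.sh 1000
if [ "$#" -gt 0 ]; then
    check_run_as_user "$@"
fi
```

Run it inside a container started from the candidate image, passing the id you intend to use for `run-as-user`; the optional second and third arguments exist so the check can also be pointed at an extracted image filesystem.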

T. Klingenberg February 16, 2018

Hi @StannousBaratheon when my Docker image has the USER directive (and non-root), the build is marked as failed within the build init step (before any pipeline step script command itself is actually run). Any idea?

StannousBaratheon
Atlassian Team
February 16, 2018
