Is it possible to run the teamcity-agent Docker container as non-root?

Hello,

Just as the title says. Naively adding "--user 1000" to my docker run command gives the following errors:


/run-services.sh
/services/run-docker.sh
chmod: changing permissions of '/services/run-docker.sh': Operation not permitted
/run-services.sh: line 10: /services/run-docker.sh: Permission denied
/run-agent.sh
chmod: changing permissions of '/opt/buildagent/bin/agent.sh': Operation not permitted
chmod: changing permissions of '/opt/buildagent/bin/findJava.sh': Operation not permitted
chmod: changing permissions of '/opt/buildagent/bin/install.sh': Operation not permitted
chmod: changing permissions of '/opt/buildagent/bin/mac.launchd.sh': Operation not permitted
Error! Stopping the script.


The motivation behind using non-root is so that I can use the "SSH Agent" build feature along with an inner Docker container (as part of a build configuration). I need for the inner container to be able to use the outer container's SSH agent, but since the outer container runs as root, the inner container is unable to use the socket unless it also runs as root (which is not possible with my build).

2 comments

Hi Chris,

As you have experienced, a large number of the files inside are configured for root only. It won't be possible to use the default images we provide with a non-root user. If you really want to try that, you will need to create your own image that provides the required tools and handles the needed parameters and permissions.

This said, docker-in-docker has traditionally been problematic, not just for us, but for the guys at docker themselves: https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/, so please, before trying to hack your way around this, consider using the approach that docker themselves recommend in this scenario.


Hi Denis,

I should have specified - I am using the workaround of mounting the Docker socket as a volume. The trouble is that when using SSH Agent, the agent's container (running as root) is unable to share the SSH authentication socket with an inner container unless, as I mentioned, the inner container also runs as root. So regardless of whether I use the workaround, I still have the same problem.

Shortly after my post, I did actually hack around it with a Dockerfile like so:


FROM jetbrains/teamcity-agent

# Hand the agent's own directories to the buildagent user so the chmod calls
# in run-services.sh and run-agent.sh succeed without root
RUN chown -R buildagent:buildagent /opt /services /data

# Run the entrypoint (and therefore the agent and any builds) as buildagent
USER buildagent


and it does work, except for some warnings about the "/root/anchor" thing. 

Thanks,

Chris

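The underlying problem in both of Chris's posts is plain Unix permission checking: ssh-agent puts its socket in a private directory (mode 0700) with the socket itself at 0600, so a process running as any other uid cannot even search the directory, let alone connect. The following preflight check, an added example and not code from the thread or from JetBrains, evaluates whether a given uid could reach an agent socket and shows why running both containers under the same uid (the Dockerfile above) works while a root-owned socket does not. The ssh-agent-like socket is constructed in a temp directory, and the inner container's uid of 1000 is an assumption; on Linux, connect() on a Unix socket needs write permission on the socket file and search permission on every directory above it.

```python
"""Preflight check: can a given uid connect() to an ssh-agent socket?

Added example, not from the thread or from JetBrains. Permission evaluation
follows Linux rules: every directory on the path needs search (x) permission
for the caller and the socket file itself needs write permission.
"""
import os
import socket
import stat
import tempfile


def _rwx_for(st, uid, gid, groups):
    """Return (read, write, exec) as they apply to uid/gid for a stat result."""
    if uid == 0:
        return True, True, True  # root bypasses DAC for directory search and socket write
    if st.st_uid == uid:
        shift = 6                # owner bits
    elif st.st_gid == gid or st.st_gid in groups:
        shift = 3                # group bits
    else:
        shift = 0                # other bits
    bits = (st.st_mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def can_use_agent_socket(path, uid, gid, groups=()):
    """Return (ok, reason) for whether uid/gid could connect() to the socket at path."""
    path = os.path.abspath(path)
    # Every directory from / down to the socket's parent must be searchable.
    cur = os.sep
    dirs = [cur]
    for comp in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, comp)
        dirs.append(cur)
    for d in dirs:
        if not _rwx_for(os.stat(d), uid, gid, groups)[2]:
            return False, "no search (x) permission on directory %s" % d
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, "%s is not a unix socket" % path
    if not _rwx_for(st, uid, gid, groups)[1]:
        return False, "no write permission on socket %s (mode %o, owner uid %d)" % (
            path, stat.S_IMODE(st.st_mode), st.st_uid)
    return True, "ok"


def make_demo_agent_socket(dir_mode=0o700):
    """Constructed stand-in for ssh-agent's layout: private dir, 0600 socket file."""
    d = tempfile.mkdtemp(prefix="ssh-")       # mkdtemp creates the directory 0700
    os.chmod(d, dir_mode)
    path = os.path.join(d, "agent.demo")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()                                 # the socket file stays on disk after close
    os.chmod(path, 0o600)                     # ssh-agent binds under umask 077
    return path


def demo():
    """Check the constructed socket for its owner and for an unrelated uid
    (assumed uid 1000, the inner container's user in the thread)."""
    sock = make_demo_agent_socket()
    me, my_gid = os.getuid(), os.getgid()
    other = 1000 if me != 1000 else 1001
    return {
        "owner_uid": can_use_agent_socket(sock, me, my_gid),
        "other_uid": can_use_agent_socket(sock, other, other),
    }


if __name__ == "__main__":
    for who, (ok, why) in demo().items():
        print(who, "OK" if ok else "DENIED: " + why)
```

Pointing can_use_agent_socket at the real SSH_AUTH_SOCK with the uid the inner container will run as tells you before the build starts whether the socket mount can work; the only clean fix the check passes without loosening modes is the one in the thread, running the outer agent and the inner container as the same uid.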
