opensearch-project/opensearch-build

Switch all active CI Docker Images to use `ci-runner` username for 1000 uid

peterzhuamazon opened this issue · 3 comments

As of now, all opensearch build images are using opensearch user on /usr/share/opensearch, and opensearch-dashboards build images are using opensearch-dashboards user on /usr/share/opensearch-dashboards home.

In these two issues a problem has been exposed with this approach:

Both users, at uid 1000 on separate images, have clashed their home dir with the deb/rpm installation directories. With @smortex's PR to tighten the permissions on deb/rpm, it breaks all the integTest workflows.

The temp solution at the time in #4050 was to introduce a test-user. Now we should change all the CI images to a unified user ci-runner with uid 1000 on /usr/share/ci-runner, so images do not have different usernames for uid 1000, and it is easier to manage and maintain over time, while avoiding the above conflicts from the start.

Thanks.

Now we should change all the CI images to a unified user ci-runner with uid 1000 on /usr/share/ci-runner, so images do not have different usernames for uid 1000, and it is easier to manage and maintain over time, while avoiding the above conflicts from the start.

All this looks reasonable, I would just expect the home directory of a user that is not owning a service and can basically run arbitrary commands to be in /home, even if it is a CI-user. For a service, having the $HOME directory in its "datadir" (e.g. /var/lib/opensearch) looks common, but for a ci-user /home/ci-user seems more appropriate than /usr/share/ci-user.

While on this and for further unification, the future you may be happier if you give room for more "work UIDs" after the ci-user (1000) to accommodate new future usage of these containers; and use well-known UIDs for opensearch (e.g. 9200) and opensearch-dashboards (e.g. 5601).


That is a solid callout and I think /home is definitely great in this case.
The reason I just mention /usr/share/ci-runner is because previously we were locked on /usr/share/opensearch, so there is no reason to follow up now.

I am happy to just use /home/ci-runner for all the new images that I am cooking up now. Thanks.
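The layout agreed above (one `ci-runner` account at uid 1000 with its home under /home, service accounts on well-known UIDs, and a build-time check that no UID is shared) as an added Dockerfile example. This is not the opensearch-build project's own image definition; the base image, shell paths and the `/sbin/nologin` shell are assumptions, while the user names and UIDs (1000, 9200, 5601) come from the thread.

```dockerfile
# Added example, not opensearch-build's Dockerfile. Base image is an assumption.
FROM rockylinux:9

# The single CI user: uid/gid 1000, home under /home rather than /usr/share so it
# can never coincide with a package's installation directory.
RUN groupadd -g 1000 ci-runner \
 && useradd -u 1000 -g 1000 -m -d /home/ci-runner -s /bin/bash ci-runner

# Service accounts on well-known UIDs (9200 / 5601, as suggested above), which
# leaves 1001 upwards free for additional "work" users later. Their homes are the
# directories the deb/rpm packages install into, and they get no login shell.
RUN groupadd -g 9200 opensearch \
 && useradd -u 9200 -g 9200 -M -d /usr/share/opensearch -s /sbin/nologin opensearch \
 && groupadd -g 5601 opensearch-dashboards \
 && useradd -u 5601 -g 5601 -M -d /usr/share/opensearch-dashboards -s /sbin/nologin opensearch-dashboards

# Fail the build if any UID ended up assigned to more than one account
# (the exact condition that caused the clash described in the issue).
RUN test "$(cut -d: -f3 /etc/passwd | sort | uniq -d | wc -l)" -eq 0

USER ci-runner
WORKDIR /home/ci-runner
```

Pre-creating the service accounts only works if the package's pre-install scriptlet tolerates an existing user of that name (the usual `getent passwd ... || useradd ...` pattern); check the package's own scriptlet before relying on it. The `uniq -d` check is cheap and catches a duplicate UID at image build time rather than in the first integTest run.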

All image sync has been completed with new images built in both DockerHub and ECR.
Also sent opensearch-project/custom-codecs#81 to update the username from opensearch to ci-runner.

Thanks.