serverless/serverless-python-requirements

Add docker rootless feature flag for using this plugin in docker rootless environment

kimsehwan96 opened this issue · 0 comments

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Use case description

In my use case, I run Jenkins in my K8s cluster (EKS).
Our pipeline should run in Jenkins in the k8s environment, but EKS can't use the Docker-outside-of-Docker use case.

So I decided to use Docker in Docker in the EKS cluster, and it should run Docker without root privileges.

        // Excerpt from lib/pip.js: reset ownership of the mounted directory
        // to the host process's uid/gid after pip has run as root.
        pipCmds.push([
          'chown',
          '-R',
          `${process.getuid()}:${process.getgid()}`,
          '/var/task',
        ]);
      } else {
        // Use same user so --cache-dir works
        dockerCmd.push('-u', await getDockerUid(bindPath, pluginInstance));
      }

The above lib/pip.js code changes file permissions with the current process's gid/uid.

In a Docker rootless environment this produces unexpected gid/uid file ownership.

If this plugin is run in a Docker environment with root privileges, then the line above does chown with the current Docker container process's gid/uid, and that's okay.

But in a Docker rootless environment, the Docker engine (daemon) runs without root privileges (for example uid/gid 1000:1000 / 1001:1001), and the `${process.getuid()}:${process.getgid()}` line changes file ownership to a strange gid/uid like 101000:101000.

So it causes side effects for any other CI/CD pipeline and for the host machine's file management because of the wrong gid/uid.

Proposed solution (optional)

Add a Docker rootless feature flag, and if it is set, do not change file/directory ownership.
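One way the proposed flag could gate the ownership step, written as an added example rather than the plugin's own code; the option names `dockerRootless` and `dockerRunAsRoot` and the shape of the returned command lists are assumptions, not the plugin's API:

```javascript
// Added example (not from serverless-python-requirements): decide how the
// plugin should treat file ownership once pip has run inside the container.
// Option names `dockerRootless` and `dockerRunAsRoot` are assumed here.

// Commands to run inside the container after pip finishes. Mirrors the chown
// quoted from lib/pip.js in the issue, but skipped when the engine is rootless.
function postInstallCmds(options, hostUid, hostGid) {
  const cmds = [];
  if (options.dockerRootless) {
    // Rootless engine: ids inside the container are remapped through the
    // host user's subuid/subgid ranges, so chown-ing to the host process's
    // uid/gid would leave the files owned by an unrelated id on the host.
    // The bind mount already belongs to the host user; leave it alone.
    return cmds;
  }
  if (options.dockerRunAsRoot) {
    // Rootful engine with pip running as root: hand the files back to the
    // host process so later pipeline steps can read and delete them.
    cmds.push(['chown', '-R', `${hostUid}:${hostGid}`, '/var/task']);
  }
  return cmds;
}

// `docker run` flags that pick the user inside the container. When neither
// flag applies, run as the matching user so --cache-dir works (same idea as
// the `-u` branch in the quoted snippet).
function dockerUserFlags(options, containerUid) {
  if (options.dockerRootless || options.dockerRunAsRoot) {
    return [];
  }
  return ['-u', String(containerUid)];
}

module.exports = { postInstallCmds, dockerUserFlags };
```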