Closed ag-TJNII closed 7 months ago
@ag-TJNII - Could you please try running your builds without the privileged mode being enabled? CodeBuild now supports docker.sock, rather than docker in docker. This is only applicable if you aren't using privileged mode or require VPC configuration for your project.
srw-rw---- 1 root 994 0 /var/run/docker.sock
Do let us know if this didn't address the issue you were facing. Assuming you aren't using VPC configuration for your builds.
Sorry for the delay. Due to internal changes unrelated to codebuild we've migrated to another CI/CD system, so I am unable to test. We can close this.
Describe the issue
This is a feature request.
We have several builds that use a docker-in-docker pattern for container tests, volume mounting in the Docker socket to a control container. The purpose of driving the Docker socket is that the component under test is another Docker test built earlier in the pipeline.
The general flow is:
- docker build directly in the build environment
- docker build directly in the build environment
- docker run -v /var/run/docker.sock:/var/run/docker.sock
As general best practice we try and avoid running things as root. In order to make this work the general pattern we use is to add an entrypoint to the test control container that inspects the group of the Docker socket and ensures the test runner user is a member of that group before dropping privileges to a non-root user for test. Basic Linux permissions stuff.
However, in the build environment /var/run/docker.sock is owned root:root:
srw-rw---- 1 root root 0 Aug 9 15:02 /var/run/docker.sock
This requires our user to be UID 0 or GID 0, which means we can't run as non-root and still access the socket.
This seems to be a variance from vanilla Docker installs where there is a Docker group, and the socket is owned root:docker.
It would be useful for docker-in-docker users to have the socket be owned by a group other than root, as that will allow access to the socket by non-root users.
To Reproduce
ls -l /var/run/docker.sock
in a CodeBuild pipeline script. Seen on aws/codebuild/standard:4.0 and aws/codebuild/standard:7.0.
Expected behavior
The socket should have a non-root Docker group, instead of being owned root:root.
Platform (please complete the following information):
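The entrypoint pattern the issue describes (match the socket's group, add the runner to it, drop root), written out as an added example rather than code from the reporter or from CodeBuild; it assumes GNU stat, shadow-utils (groupadd/usermod) and gosu in the image, and an existing non-root user named by RUNNER_USER. It also handles the failure mode from this issue: a socket owned by GID 0 is refused instead of silently running tests as root.

```shell
#!/bin/sh
# Entrypoint for a test-control container that mounts the host Docker socket.
# Added example (not the issue author's code). Assumes: GNU stat, groupadd,
# usermod and gosu are installed, and RUNNER_USER already exists in the image.
set -eu

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
RUNNER_USER="${RUNNER_USER:-tester}"   # hypothetical non-root test user

# Numeric GID owning a path (GNU stat syntax).
socket_gid() {
    stat -c '%g' "$1"
}

# A socket GID can be shared with a non-root user only if it is not GID 0:
# adding the runner to group 0 (the root:root case from this issue) would
# hand it root-group rights on the whole filesystem, not just the socket.
gid_is_shareable() {
    [ "$1" -ne 0 ]
}

# Name of the group in /etc/group that already has GID $1, or empty if none.
group_for_gid() {
    awk -F: -v g="$1" '$3 == g { print $1; exit }' /etc/group
}

main() {
    gid=$(socket_gid "$DOCKER_SOCK")
    if ! gid_is_shareable "$gid"; then
        echo "refusing to start: $DOCKER_SOCK is owned by GID 0; tests would need root" >&2
        exit 1
    fi
    grp=$(group_for_gid "$gid")
    if [ -z "$grp" ]; then
        grp=dockerhost                      # constructed name for the host's docker group
        groupadd -g "$gid" "$grp"
    fi
    usermod -aG "$grp" "$RUNNER_USER"
    # Drop privileges before running the test command.
    exec gosu "$RUNNER_USER" "$@"
}

# Only act when a test command is given; sourcing the file exposes the helpers.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```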