What happened: When running docker sbom as root, the command works fine. When su-ing over to our 'gitlab-runner' user, installing the plugin for that user, docker reports it as an "invalid plugin" with a "permission denied":

Invalid Plugins: sbom failed to fetch metadata: fork/exec /home/gitlab-runner/.docker/cli-plugins/docker-sbom: permission denied

What you expected to happen: docker sbom to work for my 'gitlab-runner' user so I can integrate it into our CI/CD processes.

How to reproduce it (as minimally and precisely as possible): Run the install script for docker-sbom as the gitlab-runner user and once installed, just run docker [enter] to see the error.

Anything else we need to know?: Things I've tried or additional outputs:
- verified permissions on docker-sbom between working instance (root) and non-working instance (gitlab-runner)
- verified owner was properly set as root for root and gitlab-runner for gitlab-runner
- but also tried changing gitlab-runner's docker-sbom's owner to 'root' and received the same error
- all of these tests were run with SELinux off (for testing)
- /var/log/audit/audit.log was additionally not showing any block/deny actions for docker sbom or sbom prior to being disabled for testing (setenforce 0)
- output of id as gitlab-runner: uid=1002(gitlab-runner) gid=1002(gitlab-runner) groups=1002(gitlab-runner),979(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- gitlab-runner can successfully run other docker commands, e.g.: build, tag, push, images, ps, etc. (all other commands we use in our pipeline)

Environment:
- OS: RHEL 8.9
- Output of docker version: Docker version 24.0.7, build afdd53b
- Output of docker sbom version: sbom-cli-plugin 0.6.1, build 02cf1c888ad6662109ac6e3be618392514a56316