oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

Run Docker In Rootless Mode On Linux in GitHub Action #939

Open Kurt-von-Laven opened 2 years ago

Kurt-von-Laven commented 2 years ago

Is your feature request related to a problem? Please describe.
In all GitHub-hosted runners, Docker is installed in rootful mode, so the report directory Mega-Linter creates ends up owned by root.

GitHub-hosted (and many self-hosted) runners use rootful Docker, but the runner itself does not run as root. As described in actions/runner#434, files created by Docker containers are hence owned by root, resulting in permission errors when the runner attempts to clean up checked out repositories. ~ ScribeMD/rootless-docker

Describe the solution you'd like
On Linux, Docker can be configured to use rootless mode. We can use the rootless-docker GitHub Action if Docker isn't already in rootless mode:

This action efficiently prevents those permission errors by running Docker in rootless mode so that all files are owned by the runner user. This approach has many benefits as it is:

  • safer than elevating the runner to root
  • less brittle than changing the ownership/permissions of or deleting files
  • simpler than other ways of running rootless Docker
  • and fast (~15 seconds on GitHub-hosted runner ubuntu-20.04)

~ ScribeMD/rootless-docker

We should also document that users can configure Docker to use rootless mode locally.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Disclosure: I am the author of the rootless-docker GitHub Action, so I am quoting myself above. Discussion moved from #802.
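An added workflow example (not from the issue or the MegaLinter project) showing the step order the proposal implies: the rootless-docker action runs before MegaLinter, with a pre-check that the daemon reports rootless mode and a post-check that the report folder is owned by the runner user rather than root. The version pins, the use of actions/checkout and the megalinter-reports folder name are assumptions.

```yaml
name: MegaLinter (rootless Docker)
on: [push, pull_request]

jobs:
  megalinter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-version>  # placeholder: pin to a tag or commit SHA

      # Switch the runner's Docker daemon to rootless mode before any container runs,
      # so files the MegaLinter container writes are owned by the runner user, not root.
      - uses: ScribeMD/rootless-docker@<pinned-version>  # placeholder: pin a release

      # Pre-check: stop early if the daemon is still rootful.
      # `docker info` lists "name=rootless" in SecurityOptions when rootless mode is active.
      - name: Verify Docker is rootless
        run: docker info --format '{{.SecurityOptions}}' | grep -q 'name=rootless'

      - uses: oxsecurity/megalinter@<pinned-version>  # placeholder: pin a release

      # Post-check: the report folder must belong to the runner user; otherwise a later
      # checkout or cleanup step hits the permission errors from actions/runner#434.
      - name: Verify report folder ownership
        if: always()
        run: |
          report_dir=megalinter-reports   # assumption: MegaLinter's default report folder
          if [ -d "$report_dir" ] && [ "$(stat -c %u "$report_dir")" != "$(id -u)" ]; then
            echo "::error::$report_dir owned by uid $(stat -c %u "$report_dir"), expected $(id -u)"
            exit 1
          fi
```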

nvuillam commented 2 years ago

I already tried to build MegaLinter without the root user... and I failed, but if you find a way, that can be nice :)

Kurt-von-Laven commented 2 years ago

I haven't considered build-time, but at least for using Mega-Linter, I already run it without root on Linux both locally and in CI. Do we run rootful Docker in order to build Mega-Linter as well?

nvuillam commented 2 years ago

The Dockerfile is full of references to the root folder, so I think the default user is root, yes.

https://github.com/megalinter/megalinter/blob/2dac18c05aee04d0d2282f52fb724648e61fca64/Dockerfile#L247

Kurt-von-Laven commented 2 years ago

Good point; starting to think there are two separate issues here. I suspect that building without the root user only impacts those of us who build locally as opposed to those who consume the Docker image. Does that seem plausible? Otherwise, I would expect to have run into some issue using rootless Docker as a consumer of Mega-Linter by now.

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

Kurt-von-Laven commented 2 years ago

@nvuillam, I wonder if this would help with the CI failures you mentioned if git config --global --add safe.directory "$GITHUB_WORKSPACE" alone is not sufficient? I can give it a try if you like.

nvuillam commented 2 years ago

@Kurt-von-Laven I have been struggling since yesterday with the new git patch... if you find a solution you're my hero :)

Kurt-von-Laven commented 2 years ago

I will finally have some time to look at this in a few days. Happy to take it over if we can afford to wait.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

sanmai-NL commented 1 year ago

@Kurt-von-Laven Also relevant is how to run MegaLinter with another container engine, like Podman.