Open gtirloni opened 1 year ago
Doesn't this chart default to alpine?
That's a good point but the project offers Debian images. Would some documentation change be enough in this case?
This is because the alpine user is added as a system user (note the -S):
while the debian user is added as a regular user (missing --system):
This needs to be fixed on the Dockerfile and tested to ensure that users currently using the debian image won't have permission issues after upgrading.
I'm running the Debian image, and use only the following:
securityContext:
  fsGroup: 1000
I am not setting runAsUser at all, which should now work just fine for Alpine as well. (afaik we don't need any of the k8s magical permission fixups)
Just stumbled upon this myself. It's true that users on alpine and debian containers don't share the same uid, and this is troublesome.
Not only because it breaks when you use debian, but also if you switch from alpine to debian (like in our case), all atlantis-data is owned by uid 100 and the debian user cannot access it.
I suggest we use the same uid on both images, to avoid issues such as this.
As uid 100 is already used on Debian by sshd, it doesn't seem possible to continue using that one going forward.
Using uid 1000 would work on both alpine and debian.
Not sure why on alpine the Dockerfile is creating a system user on alpine, and a regular user on debian, TBH.
This should be fixed initially on the Dockerfile, here https://github.com/runatlantis/atlantis/blob/main/Dockerfile#L143
And once this is sorted out, then the Helm Chart should be updated.
I can gladly prepare PRs if some existing maintainer agrees with this approach.
Hi @ferpizza, thanks for the offer but we already have https://github.com/runatlantis/atlantis/pull/4304 waiting to be merged.
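The UID mismatch discussed in this thread can be caught before deploying by resolving the chart's runAsUser against each image's passwd file. This is an added example, not code from the issue or the Atlantis project; the passwd entries are constructed to mirror what the thread reports (uid 100 is atlantis on Alpine and _apt on Debian), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample passwd entries (illustrative, not copied from the real images).
ALPINE_PASSWD='root:x:0:0:root:/root:/bin/ash
atlantis:x:100:1000::/home/atlantis:/sbin/nologin'
DEBIAN_PASSWD='root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
atlantis:x:1000:1000::/home/atlantis:/bin/sh'

# uid_to_name PASSWD_TEXT UID: print the account that owns UID (empty if none).
uid_to_name() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { print $1; exit }'
}

# name_to_uid PASSWD_TEXT NAME: print the numeric uid of NAME (empty if absent).
name_to_uid() {
    printf '%s\n' "$1" | awk -F: -v name="$2" '$1 == name { print $3; exit }'
}

# check_run_as_user PASSWD_TEXT RUN_AS_USER EXPECTED_NAME
# Returns 0 when the numeric uid resolves to the expected account, 1 otherwise.
check_run_as_user() {
    actual=$(uid_to_name "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok: uid $2 is '$3'"
        return 0
    fi
    want=$(name_to_uid "$1" "$3")
    echo "mismatch: uid $2 is '${actual:-<no passwd entry>}'," \
         "but '$3' has uid ${want:-<absent>}"
    return 1
}

# runAsUser: 100 is the chart value quoted in the issue.
check_run_as_user "$ALPINE_PASSWD" 100 atlantis
check_run_as_user "$DEBIAN_PASSWD" 100 atlantis || true
```

To check a real image, pass the output of `docker run --rm --entrypoint cat IMAGE /etc/passwd` (IMAGE is a placeholder) as the first argument instead of the constructed samples.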
While deploying Atlantis, I noticed it failed to start whenever I enabled --write-git-creds:
Upon removing that option, I noticed that Atlantis was running as the _apt user in the Debian image:
The chart has runAsUser: 100, which works with the Alpine image because the atlantis user there has uid=100:
But not in the Debian image:
The workaround is to set this in values.yaml: