Is there an existing issue for this?
[X] I have searched existing issues, it hasn't been reported yet
Use case description
In my use case, I run Jenkins in my K8s cluster (EKS).
And our pipeline should run in Jenkins with a k8s environment, but EKS can't use the Docker-out-of-Docker use case.
So I decided to use Docker in Docker in the EKS cluster, and it should run Docker without root privilege.
This code in lib/pip.js (https://github.com/serverless/serverless-python-requirements/blob/1b0faaeb6aadd2bc4b1b53526e35298a98d00aca/lib/pip.js#L330-L340) changes file permissions with the current process's gid/uid:
```javascript
// Excerpt from lib/pip.js (lines 330-340 of the linked commit).
// Non-Docker branch: chown the build output to the host process's uid/gid.
pipCmds.push([
  'chown',
  '-R',
  `${process.getuid()}:${process.getgid()}`,
  '/var/task',
]);
} else {
  // Use same user so --cache-dir works
  dockerCmd.push('-u', await getDockerUid(bindPath, pluginInstance));
}
```
In a rootless Docker environment this causes unexpected gid/uid file ownership.
If this plugin is run in a Docker environment with root privilege, then the line above does chown with the current Docker container process's gid/uid, and it's okay.
But in a rootless Docker environment, the Docker engine (daemon) runs without root privilege (example uid/gid 1000:1000 / 1001:1001), and the `${process.getuid()}:${process.getgid()}` line changes file ownership to a strange gid/uid like 101000:101000.
So it causes side effects for any other CI/CD pipeline and the host machine's file management because of the wrong gid/uid.
Proposed solution (optional)
Add a Docker rootless feature flag, and if it is set, do not change file/directory ownership.
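As an added illustration (not code from the plugin or from the issue author), the block below translates a container uid through a user-namespace id map in the `/proc/<pid>/uid_map` format, which is why a chown to 1000:1000 under a rootless daemon lands on a host id in the subordinate range, and it gates the chown step on a hypothetical `dockerRootless` option like the one proposed. The id map and the option name are constructed assumptions; the exact host id depends on the range in /etc/subuid.

```javascript
// Parse text in /proc/<pid>/uid_map (or gid_map) format:
// one "<inner> <outer> <count>" triple per line.
function parseIdMap(text) {
  return text.trim().split('\n').map((line) => {
    const [inner, outer, count] = line.trim().split(/\s+/).map(Number);
    return { inner, outer, count };
  });
}

// Map an id as seen inside the namespace to the id the host sees.
// Returns null when the id falls outside every mapped range.
function toHostId(idMap, innerId) {
  for (const { inner, outer, count } of idMap) {
    if (innerId >= inner && innerId < inner + count) {
      return outer + (innerId - inner);
    }
  }
  return null;
}

// Constructed mapping typical of a rootless daemon started by host uid 1000
// whose subordinate range in /etc/subuid is 100000-165535: container uid 0
// is the daemon's own host uid, container uids 1.. are shifted into the range.
const ROOTLESS_UID_MAP = '0 1000 1\n1 100000 65536\n';

// Decide whether the plugin's post-install chown should run at all.
// `dockerRootless` is the hypothetical flag from the proposed solution:
// when set, ownership is left alone because the ids would be rewritten
// by the user namespace and end up as 10xxxx owners on the host.
function buildOwnershipCmd(options, uid, gid) {
  if (options.dockerRootless) {
    return null;
  }
  return ['chown', '-R', `${uid}:${gid}`, '/var/task'];
}

// Demo: uid 1000 inside the container is uid 100999 on the host.
console.log(toHostId(parseIdMap(ROOTLESS_UID_MAP), 1000));
console.log(buildOwnershipCmd({ dockerRootless: true }, 1000, 1000));
```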