serverless / serverless-python-requirements

⚡️🐍📦 Serverless plugin to bundle Python packages
MIT License

Add docker rootless feature flag for using this plugin in docker rootless environment #817

Closed kimsehwan96 closed 4 months ago

kimsehwan96 commented 5 months ago

Is there an existing issue for this?

Use case description

In my use case, I run Jenkins in my K8s cluster (EKS), and our pipeline should run in Jenkins with the K8s environment, but EKS can't use the Docker-out-of-Docker use case.

So I decided to use Docker in Docker in the EKS cluster, and it should run Docker without root privileges.

https://github.com/serverless/serverless-python-requirements/blob/1b0faaeb6aadd2bc4b1b53526e35298a98d00aca/lib/pip.js#L330-L340

The lib/pip.js code linked above changes file permissions with the current process's gid/uid:

        pipCmds.push([
          'chown',
          '-R',
          `${process.getuid()}:${process.getgid()}`,
          '/var/task',
        ]);
      } else {
        // Use same user so --cache-dir works
        dockerCmd.push('-u', await getDockerUid(bindPath, pluginInstance));
      }

In a docker rootless environment this results in unexpected gid/uid file ownership.

If this plugin is run in a Docker environment with root privileges, then the line above does chown with the current docker container process's gid/uid and it's okay.

But in a docker rootless environment, the Docker engine (daemon) is running without root privileges (example uid/gid 1000:1000 / 1001:1001), and the `${process.getuid()}:${process.getgid()}` line changes file ownership to a strange gid/uid like 101000:101000.

So it causes side effects for any other CI/CD pipeline and the host machine's file management because of the wrong gid/uid.

Proposed solution (optional)

Add a docker rootless feature flag, and if it is set then do not change file/directory ownership.
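The proposed flag, sketched as added example code that is not part of the plugin or this issue: the `dockerRootless` and `chownOutput` option names, the `isRootlessDocker` helper and the sample `docker info` strings are assumptions; the chown/`-u` branches mirror the quoted lib/pip.js fragment.

```javascript
// Added example (not plugin code): the proposed "dockerRootless" flag applied
// to the ownership step quoted from lib/pip.js, plus a helper that detects a
// rootless daemon from `docker info` output so the flag can be validated.

// `docker info --format '{{.SecurityOptions}}'` prints a bracketed list; a
// rootless daemon includes the `name=rootless` entry in it.
function isRootlessDocker(securityOptionsOutput) {
  return securityOptionsOutput
    .trim()
    .replace(/^\[|\]$/g, '')
    .split(/\s+/)
    .some((opt) => opt === 'name=rootless');
}

// Decide how ownership of /var/task is handled for a given config.
// `chownOutput` is a hypothetical stand-in for the if-condition that precedes
// the quoted `pipCmds.push([...chown...])` in lib/pip.js.
function buildOwnershipStep(options, uid, gid) {
  const dockerArgs = []; // extra args for the `docker run` command
  const pipCmds = []; // commands run inside the container after pip install

  if (options.dockerRootless) {
    // Proposed behaviour: leave ownership alone. The container-side uid/gid
    // would be remapped through the daemon's user namespace and end up as a
    // host uid/gid such as 101000:101000 that no CI user owns.
  } else if (options.chownOutput) {
    // Existing behaviour: chown to the invoking process's uid/gid.
    pipCmds.push(['chown', '-R', `${uid}:${gid}`, '/var/task']);
  } else {
    // Existing behaviour: run as the same user so --cache-dir works.
    dockerArgs.push('-u', `${uid}`);
  }
  return { dockerArgs, pipCmds };
}

// Constructed sample strings standing in for real `docker info` output.
const ROOTLESS_INFO = '[name=seccomp,profile=builtin name=rootless name=cgroupns]';
const ROOTFUL_INFO = '[name=apparmor name=seccomp,profile=builtin name=cgroupns]';

module.exports = { isRootlessDocker, buildOwnershipStep, ROOTLESS_INFO, ROOTFUL_INFO };
```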