Run the buildkite daemon as a non-root user, buildkite-agent #18
OT but should https://buildkite.com/buildkite/docker-buildkite-agent/ be publicly visible?
@lox did you mean to commit changes to Also, as a test I ran
&& rm -rf /tmp/* | ||
&& rm -rf /tmp/* \ | ||
&& adduser -D -g '' buildkite \ | ||
&& chown -R buildkite /buildkite |
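Review bot: `adduser -D -g '' buildkite` leaves the UID to whatever the base image hands out next, so ownership of files on bind-mounted volumes can differ between image variants; consider pinning it with `-u` and a fixed number. On the line after it, `chown -R buildkite /buildkite` changes only the owner and leaves the group as it was, and because it sits in the `&&` chain the whole build step fails when `/buildkite` does not exist. Using `chown -R buildkite:buildkite /buildkite` after a `mkdir -p /buildkite` would cover both.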
When I run `./scripts/build.sh` locally the alpine edge container fails on this line. If I change it to something like `&& (chown -R buildkite /buildkite || true)` the build passes, but I'm pretty sure this isn't what we want.

I assume the `/tmp/install_buildkite.sh` script should create this directory but for some reason it's not with edge alpine. Is this a correct assumption?

EDIT: after a bit more digging it looks like the edge agent no longer relies on `/buildkite` existing? Is this true? If that's the case then maybe my fix is warranted until the edge agent becomes stable?
I found another problem with this docker container. Specifically the buildkite user's

```
$ ls -al /home/buildkite/
total 12
drwxr-sr-x 3 buildkit buildkit 4096 Jan 15 19:53 .
drwxr-xr-x 4 root root 4096 Jan 15 19:53 ..
drw------- 2 buildkit buildkit 4096 Jan 15 19:53 .ssh
```

It looks like this is caused by the ssh-env-config.sh script setting the directory explicitly to This probably never caused any issues before when running everything as root, but it would affect the
I created a pull request to fix this at: buildkite/docker-ssh-env-config#1
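The `.ssh` entry in the listing above is `drw-------`: a directory without the owner's search (x) bit, which root can still enter but the owning non-root user cannot. The script below is an added example, not code from this pull request or from docker-ssh-env-config; it finds such directories under a home directory and resets them. The function names, the constructed temporary tree and the choice of mode 0700 (the conventional mode for `~/.ssh`) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find directories that their non-root owner cannot enter.
# Root bypasses the search-bit check, so a drw------- directory goes
# unnoticed until the process drops privileges.

# Print directories under $1 that lack the owner's x bit (octal 0100).
# -prune keeps find from descending into them, which would fail as non-root.
untraversable_dirs() {
    find "$1" -type d ! -perm -0100 -prune -print 2>/dev/null | sort
}

# Reset each reported directory to 0700 (assumed target mode) and print
# how many were changed. A single pass only: directories nested inside a
# fixed one are found by running the function again.
fix_untraversable_dirs() {
    untraversable_dirs "$1" | {
        count=0
        while IFS= read -r dir; do
            chmod 700 "$dir" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Constructed sample tree mirroring the listing: a home directory whose
# .ssh subdirectory has mode 0600.
demo() {
    base=$(mktemp -d)
    home="$base/buildkite"
    mkdir -p "$home/.ssh" "$home/builds"
    chmod 600 "$home/.ssh"
    echo "not traversable by owner:"
    untraversable_dirs "$home"
    echo "directories fixed: $(fix_untraversable_dirs "$home")"
    rm -rf "$base"
}

demo
```

Running `untraversable_dirs` against the real home directory as an image build check catches this before the agent first needs its SSH keys.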
fbea07c to cb2008a
Ooops, I didn't mean to commit the build.sh changes, no. RE: shellcheck, I get those in my IDE, and AFAIK I've dealt with any that aren't spurious (like unquoted $@).
82e8641 to 3d1e478
428f2eb to 5049404
Hrm. I wonder how this should work with docker-in-docker, as the buildkite-agent user would need to be in the docker group, which is effectively root. Thoughts @dkubb?
This is ready to go pending review @toolmantim
👍 Looks good, let's do it. Thanks for figuring out the magic
@dkubb any feedback on this?
is this still a thing?
It is, yeah, I'm a bit nervous about what effect it will have though. I'll rebase and get it perhaps into some experimental images.
Dropping privileges of the buildkite-agent provides some extra level of protection against third-party code being executed by the agent.