feat: non root user container #1202

Merged
merged 14 commits into from
Jun 20, 2022

@ChristopherHX ChristopherHX commented Jun 6, 2022

What is changed

  • Call the id posix tool after starting any container to get the current container uid / gid, otherwise assume root without failing, fails for docker actions
  • Try to chown the workingdir to fix the owner of the folders, fails for docker actions
  • Add the uid and gid to the tar archive sent to docker, docker will write the files with the correct uid and gid
  • Finally try to chown the dstdir to fix the owner of the folders

Closes #398
Closes #935
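
An added Go sketch of the approach listed above, not code from this pull request: parse the output of `id` with a fall-back to root, then stamp the numeric uid/gid into every tar header before the archive is handed to Docker. The names `parseID`, `buildTar` and `firstOwner`, and the sample `id` output, are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"strconv"
	"strings"
)

// parseID turns `id -u` / `id -g` output into a numeric id; any failure means root (0).
func parseID(out string) int {
	if n, err := strconv.Atoi(strings.TrimSpace(out)); err == nil && n >= 0 {
		return n
	}
	return 0
}

// buildTar archives files with the numeric owner stamped into every header.
func buildTar(files map[string]string, uid, gid int) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Uid: uid, Gid: gid}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	err := tw.Close() // flush the end-of-archive blocks before handing out buf
	return buf.Bytes(), err
}

// firstOwner reads the archive back and returns the uid/gid of its first entry.
func firstOwner(archive []byte) (int, int, error) {
	hdr, err := tar.NewReader(bytes.NewReader(archive)).Next()
	if err != nil {
		return 0, 0, err
	}
	return hdr.Uid, hdr.Gid, nil
}

func main() {
	uid, gid := parseID("1001\n"), parseID("") // constructed `id` output; empty output => root
	data, _ := buildTar(map[string]string{"workspace/main.go": "package main\n"}, uid, gid)
	fmt.Println(firstOwner(data))
}
```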

@github-actions
Contributor

github-actions bot commented Jun 6, 2022

MegaLinter status: ✅ SUCCESS

Descriptor Linter Files Fixed Errors Elapsed time
✅ CREDENTIALS secretlint yes no 1.05s
✅ EDITORCONFIG editorconfig-checker 4 0 0.03s
✅ GIT git_diff yes no 0.0s

See errors details in artifact MegaLinter reports on CI Job page
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

@codecov

codecov bot commented Jun 6, 2022

Codecov Report

Merging #1202 (a382cb8) into master (4f8da0a) will increase coverage by 3.95%.
The diff coverage is 74.06%.

@@            Coverage Diff             @@
##           master    #1202      +/-   ##
==========================================
+ Coverage   57.50%   61.46%   +3.95%     
==========================================
  Files          32       40       +8     
  Lines        4594     5484     +890     
==========================================
+ Hits         2642     3371     +729     
- Misses       1729     1843     +114     
- Partials      223      270      +47     
Impacted Files Coverage Δ
pkg/model/action.go 0.00% <0.00%> (ø)
pkg/model/step_result.go 0.00% <ø> (ø)
pkg/container/docker_run.go 14.08% <15.06%> (+8.53%) ⬆️
pkg/container/docker_pull.go 33.33% <33.33%> (ø)
pkg/container/file_collector.go 45.87% <45.87%> (ø)
pkg/common/git/git.go 50.00% <47.91%> (ø)
pkg/container/docker_auth.go 47.61% <50.00%> (+2.61%) ⬆️
pkg/model/workflow.go 54.32% <50.00%> (+3.40%) ⬆️
pkg/exprparser/interpreter.go 73.37% <53.48%> (-0.02%) ⬇️
pkg/model/planner.go 50.73% <60.00%> (+0.32%) ⬆️
... and 30 more


@ChristopherHX ChristopherHX marked this pull request as ready for review June 17, 2022 21:07
@ChristopherHX ChristopherHX requested a review from a team as a code owner June 17, 2022 21:07
@ChristopherHX
Contributor Author

Test added, ready for testing

@catthehacker
Member

  • Call the id posix tool after starting any container to get the current container uid / gid, otherwise assume root without failing, fails for docker actions

Why. You can inspect image straight from API

@ChristopherHX
Contributor Author

ChristopherHX commented Jun 18, 2022

Why. You can inspect image straight from API

Good point.
I can't use the result of the api for creating the tar archive, it only accepts user/group id's. User and group names are ignored.
If we only do chown -R we don't need it, since it resolves the username. I added chown -R after I noticed docker ignores folder permissions of the tar

@mergify mergify bot requested a review from a team June 18, 2022 11:48
@ChristopherHX
Contributor Author

You can decide whether we want to go with my current approach, id tool and permissions in the tar, or use docker inspect and call chown -R with the username:username instead of uid:gid. Maybe different ideas?

@KnisterPeter
Member

You can decide whether we want to go with my current approach, id tool and permissions in the tar, or use docker inspect and call chown -R with the username:username instead of uid:gid. Maybe different ideas?

Just a note here, the id tool might not be available in the container, but we can define it as a required API.
It might be possible to read /etc/passwd outside of docker, but that will break on non unix systems which would also not be an option I think. Not sure if there is a OS independent API to resolve uid/gid.

Other than that I'd like your approach.

@catthehacker
Member

Just a note here, the id tool might not be available in the container

The only images that could not have it would be distroless images.

It might be possible to read /etc/passwd outside of docker, but that will break on non unix systems which would also not be an option I think. Not sure if there is a OS independent API to resolve uid/gid.

Not sure I understand. If you mean reading /etc/passwd from host, you can't. It's not the same thing that is in image.
If you mean one in image, you can just copy it to host.

As for the PR, I'm unsure about it.
I didn't have enough time to think through that problem yet.

@KnisterPeter
Member

Just a note here, the id tool might not be available in the container

The only images that could not have it would be distroless images.

Right, but that is currently possible (not sure if that will work on github.com with custom runners).
If it does not work on github.com I would say it's safe for act as well.

It might be possible to read /etc/passwd outside of docker, but that will break on non unix systems which would also not be an option I think. Not sure if there is a OS independent API to resolve uid/gid.

Not sure I understand. If you mean reading /etc/passwd from host, you can't. It's not the same thing that is in image. If you mean one in image, you can just copy it to host.

Nevermind. I thought it might be an option for users to define the user to run act with (e.g. --container-user) and read that uid/gid from the system before starting act.

@catthehacker
Member

catthehacker commented Jun 20, 2022

Right, but that is currently possible (not sure if that will work on github.com with custom runners).
If it does not work on github.com I would say it's safe for act as well.

It is also possible that I can deliberately break my OS on my PC. I don't think supporting distroless-like images as GitHub runners would ever be a good idea.
Just because it works doesn't warrant for being supported. If someone cares for small size, busybox (or MIT toybox) exists.

Nevermind. I thought it might be an option for users to define the user to run act with (e.g. --container-user) and read that uid/gid from the system before starting act.

Possible but as I mentioned, I've tried for a long time to not open that can of worms which is different UIDs/GIDs as it needs to be well thought through and tested or it will bring more pain due to containers/host permissions being not fun to work with.

@ChristopherHX
Contributor Author

I don't think supporting distroless-like images as GitHub runners would be ever a good idea.

I don't think that this change will prevent any currently working container distroless / broken from being used in act.
Windows container wouldn't have posix tools mkdir -p ..., chown -R ..., id ..., but they never worked in act
I implemented calling id and chown in a failsafe way, any kind of error => return nil and proceed.

  • images worked before this change should continue to work in act
  • images without mkdir will now work too, I think rm /bin/mkdir or rm /usr/bin/mkdir will do it for non busybox / toybox.

KnisterPeter
KnisterPeter previously approved these changes Jun 20, 2022
cplee
cplee previously approved these changes Jun 20, 2022
@mergify
Contributor

mergify bot commented Jun 20, 2022

@ChristopherHX this pull request has failed checks 🛠

@mergify mergify bot added the needs-work Extra attention is needed label Jun 20, 2022
@cplee cplee dismissed stale reviews from KnisterPeter and themself via a382cb8 June 20, 2022 22:38
@mergify mergify bot removed the needs-work Extra attention is needed label Jun 20, 2022
@mergify mergify bot requested a review from a team June 20, 2022 22:47
@cplee cplee merged commit b59e6de into master Jun 20, 2022
@cplee cplee deleted the christopherhx-non-root-container branch June 20, 2022 22:47