Allow arbitrary user to run atlantis #346
Codecov Report
@@ Coverage Diff @@
## master #346 +/- ##
==========================================
+ Coverage 70.6% 70.72% +0.12%
==========================================
Files 61 61
Lines 3681 3676 -5
==========================================
+ Hits 2599 2600 +1
+ Misses 901 895 -6
Partials 181 181
@lkysow I removed the fsGroup from the Helm chart. Is there something else to consider as well?
e26e71f to 7f42e7d
docker-base/Dockerfile
Outdated
ENV ATLANTIS_HOME_DIR=/home/atlantis | ||
ENV HOME=/home/atlantis |
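Review bot: `ENV HOME=/home/atlantis` on the second line repeats the path already set by `ENV ATLANTIS_HOME_DIR=/home/atlantis` on the line above, so the two values can drift apart, and as an image-level ENV it applies to whatever uid the container is started with. Consider dropping it, or writing it as `ENV HOME=$ATLANTIS_HOME_DIR`, and note in the docs which of the two variables users are expected to override.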
Please remove this line.
I have removed the HOME environment variable.
However, in the docker-entrypoint.sh I have changed the line added to /etc/passwd to:
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:/home/atlantis:/sbin/nologin" >> /etc/passwd
This way a user running the image on an OpenShift cluster won't have to set the HOME variable in their deployment to "/home/atlantis", and this way the shell is still setting it.
Is this OK with you?
I won't be able to test the image incorporating your changes and mine before Monday. Could we wait until then to confirm everything is working as expected?
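The docker-entrypoint.sh change described above, written out as an added example (not the project's own script): it appends the passwd line only when the runtime uid has no entry yet, and rejects a USER_NAME that is not a plain login name so the variable cannot alter the file's structure. The function names, the passwd-file argument and the sample uid are assumptions.

```shell
#!/bin/sh
# Added example, not the project's docker-entrypoint.sh. Function names and
# the passwd-file argument are hypothetical; the entry format is the one
# quoted in the comment above.

# Print the passwd line for an arbitrary uid; fail on unsafe input.
passwd_entry() {
    name=$1; uid=$2
    # USER_NAME comes from the environment: allow only a conservative
    # login-name alphabet so it cannot carry ':' or a newline into the file.
    case $name in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s:x:%s:0:%s user:/home/atlantis:/sbin/nologin\n' "$name" "$uid" "$name"
}

# Append the entry only if no line already claims this uid (idempotent
# across container restarts). Returns 1 on bad input, 2 if not writable.
ensure_passwd_entry() {
    file=$1
    entry=$(passwd_entry "$2" "$3") || return 1
    if awk -F: -v u="$3" '$3 == u { f = 1 } END { exit !f }' "$file"; then
        return 0
    fi
    [ -w "$file" ] || return 2
    printf '%s\n' "$entry" >> "$file"
}

# Demo on a constructed passwd file; 1000640000 is a made-up arbitrary uid.
demo() {
    tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/ash\natlantis:x:100:1000::/home/atlantis:/bin/ash\n' > "$tmp"
    ensure_passwd_entry "$tmp" "${USER_NAME:-default}" 1000640000
    ensure_passwd_entry "$tmp" "${USER_NAME:-default}" 1000640000   # no-op
    tail -n 1 "$tmp"
    rm -f "$tmp"
}
demo
```

In a real entrypoint the call would be `ensure_passwd_entry /etc/passwd "${USER_NAME:-default}" "$(id -u)"`, which only succeeds if the image build left /etc/passwd writable by group 0.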
@jocelynthode sounds good. Please squash your commits into one if everything works.
a8d4b68 to 176bbd8
@lkysow I was able to test and everything works. However, as expected, the user has to specify the data dir or specify a HOME environment variable, otherwise atlantis tries to clone in /. I think we should maybe specify somewhere in the doc that the docker image expects either the HOME variable to be "/home/atlantis" or the data-dir variable to be set to "/home/atlantis", as this is currently the only folder that has the correct permissions.
Thanks for all your hard work! Yes I think I'll add an OpenShift section to the deployment docs.
- Upon merging #346 I manually built and pushed a new version of runatlantis/atlantis-base and tagged it as runatlantis/atlantis-base:v2.0. This change uses that new tag. Before, it was using :latest, which isn't good if other people see that and use atlantis-base:latest because we could break it for them.
- I've also put back the fsContext to 1000 because the atlantis user is still in that group, so we need that for Kubernetes.
After merging #346, we now support OpenShift; however, users need an additional flag to atlantis server for it to work.
This PR should allow atlantis to run with an arbitrary uid.
This is particularly useful when running on OpenShift, for example, where by default the uid is arbitrary.
Fixes issue #345