If container running as non-root don't use gosu. #358
Conversation
Codecov Report
@@ Coverage Diff @@
## master #358 +/- ##
=======================================
Coverage 70.72% 70.72%
=======================================
Files 61 61
Lines 3676 3676
=======================================
Hits 2600 2600
Misses 895 895
Partials 181 181Continue to review full report at Codecov.
|
|
@jocelynthode I think this is all that is needed for you to run Atlantis on OpenShift. I've pushed an image built using these changes to |
|
|
||
| ENV ATLANTIS_HOME_DIR=/home/atlantis |
There was a problem hiding this comment.
I'd prefer if we'd replace this variable by ENV HOME as I did in #346. Because when not running as the user atlantis, we still need to find the $HOME for atlantis
There was a problem hiding this comment.
I don't think it's a good idea to set the HOME env because that's set by the shell.
There was a problem hiding this comment.
I think in this case it is a good idea because atlantis expects it to be in /home/atlantis but when running with a random user this variable would not be set and thus failing when trying to create in / (the default when there is no $HOME set)
There was a problem hiding this comment.
It doesn't expect to be in /home/atlantis though. The code just defaults to using ~/.atlantis for the data directory.
If you're running as a user that doesn't have write access to your home directory then you need to specify a different directory to store the data in.
There was a problem hiding this comment.
However the only two possible scenarios are either we run with the atlantis user which has the HOME=/home/atlantis or a random uid which won't have any home by default. Thus setting HOME=/home/atlantis ensures our user will always use this as its home which is a good guarantee for us as we have changed the permission on /home/atlantis to work with any random uid (setting the group permissions correctly on it)
| # If we're running as root and we're trying to execute atlantis then we use | ||
| # gosu to step down from root and run as the atlantis user. | ||
| # In OpenShift, containers are run as a random users so we don't need to use gosu. | ||
| if [[ $(id -u) == 0 ]] && [[ "$1" = 'atlantis' ]]; then |
There was a problem hiding this comment.
I also needed to add a user in /etc/passwd as you can see in #346. Otherwise terraform was not able to clone a module by git.
There was a problem hiding this comment.
oh interesting. okay I've added that as well.
If we specify the $HOME in the base image this won't be a problem. Furthermore I would like not to be forced to mount a data dir on the home directory |
|
@jocelynthode why do you need to mount a data dir? |
In OpenShift containers are run as a random user id. In this case, we don't need to use gosu. Fixes #345
lkysow
force-pushed
the
openshift-dockeruser
branch
from
f07cd7e to
9532e93
Compare
|
@lkysow Sorry I misunderstood and thought you were talking about a Persistent Volume |
|
@lkysow As an aside I want it a bit disheartening that we're discontinuing my PR and working on a new one that basically implements what mine tried to achieve :( |
|
Fair enough, I thought the changes were big enough to warrant a new PR but now the two are converging again. If you'd like to make the same changes in yours then I'm happy to close this one. |
|
Closing in favour of #346 |
In OpenShift containers are run as a random user id. In this case, we
don't need to use gosu to step down from root since we're already not root.
This PR also makes the atlantis home directory owned by the root group and
puts atlantis in that group. This will allow OpenShift users to use
/home/atlantisas their data dir.
Todos:
fsGroup: 01000Notes:
--data-dir /home/atlantissince their random user won't have a home directory