Currently when I start a build in GitlabCI it is running under gitlab-runner user. I want to change it the company's internal user. I didn't find any parameter to the /etc/gitlab-runner/config.toml which is solve that.
My current configuration:
concurrent = 1
[[runners]]
name = "deploy"
url = ""
token = ""
executor = "shell"
Running ps aux | grep gitlab you can see:
/usr/bin/gitlab-ci-multi-runner run --working-directory /home/gitlab-runner --config /etc/gitlab-runner/config.toml --service gitlab-runner --syslog --user gitlab-runner
Service is running with option --user.
So let's change this, it depends on what distro. you are running it. If systemd, there is a file:
/etc/systemd/system/gitlab-runner.service:
[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/bin/gitlab-ci-multi-runner "run" "--working-directory" "/home/gitlab-runner" "--config" "/etc/gitlab-runner/config.toml" "--se
Bingo, let's change this file now:
gitlab-runner uninstall
gitlab-runner install --working-directory /home/ubuntu --user ubuntu
reboot the machine or reload the service (i.e. systemctl daemon-reload), et voilà!
Note that when installing with a specific user (--user), whenever you update, it will revert back to the original systemd script and so, back to using gitlab-runner user.
in order to keep the user change across updates, using systemd overrides (centos7) you can use these steps (assuming service is at /etc/systemd/system/gitlab-runner.service):
Create a /etc/systemd/system/gitlab-runner.service.d directory.
Create a /etc/systemd/system/gitlab-runner.service.d/exec_start.conf file, with content:
[Service]
ExecStart=
ExecStart=/usr/lib/gitlab-runner/gitlab-runner "run" "--working-directory" "/home/ubuntu" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--syslog" "--user" "ubuntu"
Execute systemctl daemon-reload
Now to check this is working, you can do this:
Reinstall GitLab Runner package gitlab-runner uninstall and then gitlab-runner install
Check ps aux | grep gitlab and confirm the right user is being used
source: https://gitlab.com/gitlab-org/gitlab-runner/issues/3675
Once the gitlab-runner is registered (yes, it will be installed under the user gitlab-runner and working directory /home/gitlab-runner ) you can execute the following to change the runner's user
gitlab-runner uninstall
gitlab-runner install --working-directory <existing-path> --user <any-existing-user>
# eg: gitlab-runner install --working-directory /home/ec2-user --user ec2-user
then restart the service
service gitlab-runner restart
NOTE: you don't need to edit /etc/systemd/system/gitlab-runner.service for this, as it is being updated once the service is restarted as above
to check if the configurations are reflecting, run
ps aux | grep gitlab
[DEPRECATED ANSWER]
I found a solution, which is not best pactrice but solved it. I need to use the ssh executer and ssh to localhost. It is require to add gitlab-runner id_rsa.pub to the user's authorized_keys what you want to use. There is my extended code:
concurrent = 1
[[runners]]
name = "deploy"
url = ""
token = ""
executor = "ssh"
[runners.ssh]
user = "user"
host = "localhost"
port = "22"
identity_file = "/home/gitlab-runner/.ssh/id_rsa"
Just for future reference, I was doing a test with a cloned version of my setup, if the domainname is not pointing to the server you are working with, gitlab might consider your runners offline. If you have another (copied) instance running at the ip the domain is pointing at and there is no firewall blocking, the gitlab-runner verify command will say your runners are alive.
a solution could be adding your domain pointing to 127.0.0.1 to your hosts file. you'll have to restart your gitlab instance and runners.
For recent version of gitlab-runner you should modify the system arguments in the /etc/default/gitlab-runner file.
Here example for docker gitlab-runner:
Build your own runner image based on Dockerfile with following content
FROM gitlab/gitlab-runner
# add new user (if needed)
RUN useradd -u 998 gitlab-www && mkdir /home/gitlab-www && \
chown gitlab-www /home/gitlab-www && chmod u+rwx /home/gitlab-www
# need to replace entrypoint to force new created user over gitlab-runner
ENTRYPOINT /usr/bin/dumb-init /entrypoint run --user=gitlab-www --working-directory=/home/gitlab-www
(update -u 998 and gitlab-www as you need)
.gitlab-ci.yml scripts are running as user gitlab-www now. If this one has same uid as host mounts, you are also able to deploy directly to host folders.
Related
I have an Azure Container Instance that has a non root user as default. For debugging and experimentation, I'd like to exec into the container like you would with a normal docker container: docker exec -u root ..., so that I have sudo permissions in the container. As detailed in Interacting with a container in Azure Container Instances, you can run exec commands through az container exec ..., but as was mentioned in Christian's answer, https://stackoverflow.com/a/50334426/17129046, there doesn't seem to be a way to add extra parameters, not just for the program being run, but there also doesn't seem to be support for any of the additional options you'd have with docker exec, including the -u option to change the user that logs in to the container when running docker exec -u root ... '/bin/bash'.
I have tried using su in the container, but it prompts for a password, and I don't know what that password would be, since the dockerfile that created the image this ACI uses doesn't set a password as far as I know (The image is created via bentoml). The default user is called bentoml. Result from running id:
uid=1034(bentoml) gid=1034(bentoml) groups=1034(bentoml)
Is there a workaround for this? Maybe a way to ssh into the container as root?
I tried to reproduce the issue and got the below output
I have pulled the docker image from the docker hub using below command
docker pull <image_name>
While pulling the image from docker we need to give the credentials if it ask
I have run the image using below command
docker run -it <image_id> /bin/bash
Here the container is running and I am not able to use root user commands
For accessing container as root use the below command
docker run -u 0 -it image_id /bin/bash
Here I can able to install all root packages now
You can use this docker file for setting the no password then it won't ask any password
RUN apt-get update \
&& apt-get install -y sudo
RUN adduser --disabled-password --gecos '' docker
RUN adduser docker sudo
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
USER docker
I can't run docker commands as my own user. But I know that the service is running because I can run commands as sudo:
$ docker ps
Cannot connect to the Docker daemon at unix:///run/user/1000/docker.sock. Is the docker daemon running?
$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
(snip) (snip) (snip) 13 days ago Up 2 hours (healthy) 9000/tcp (snip)
I am successfully running a few containers, and they each work, but I have another not listed in 👆 that I need to run as my own user.
I am part of the docker group:
$ groups
docker www-data video tim
I'm not sure what else to check. I do have this:
$ echo $DOCKER_HOST
unix:///run/user/1000/docker.sock
Also:
$ uname -r
5.4.0-65-generic
$ docker --version
Docker version 19.03.6, build 369ce74a3c
This is on Ubuntu 18.04.5 LTS
As you followed all the post installation steps correctlly, as far as I can tell, my best guess is that has to do with the DOCKER_HOST environment variable.
Does it help if you unset DOCKER_HOST? (Perhaps you need to log out, so it has an effect.)
On my system, docker ps works with sudo, but once I set DOCKER_HOST=unix:///run/user/1000/docker.sock, I get the same error as you.
For some background, here is a question about the DOCKER_HOST variable. In essence, that variable should normally not be set.
Return to the default sock path (unix:///var/run/docker.sock), by unsetting DOCKER_HOST and removing an errant config files:
unset DOCKER_HOST
rm -r ~/.docker
The Docker Daemon must be restarted after creating the “docker” group:
sudo services docker restart
Then, ensure you add your current user to the group:
sudo usermod -a -G docker $USER
This will ensure your user has access to the socket file.
UPDATE: 12/2022
Recently had to do this on Ubuntu 22.04 LTS and ran into the login shell persisting the previous group.
Since the UI manages the login shell, a restart is either required, or you need to replace the process with exec. You can work around this issue, until you restart, by replacing your current shell process: (use $0 instead, if $SHELL doesn't match your preferred shell)
exec sudo -u $USER -E $SHELL
Company's PC is Win10 and can't bring self's LP, and I want to develop in Linux, So I'm preparing to install a docker on Windows and run a Linux container on whcih I perform my development.
--- background ---
I've installed a Docker Desktop for Windows(19.03.8) in Win10 and pull a Ubuntu image.
I start the Ubuntu container with -v to mount my win10's host_dir to container's slave_dir.
The host_dir before mount has already been a git repo with a .git directory in host_dir.
Through ssh with root user, I edit the file in slave_dir in container and when I want to commit the changes, the following error appears:
root#5f8d7d02ee70:~/slave_dir# git status
fatal: failed to read object 36fa53e7ecb9d1daa454fc82f7bd7310afa335b7: Operation not permitted
I guess something is wrong with the git Authority between Win10 and my Linux-container
Linux-container's slave_dir:
Win10's host_dir:
And I've got a similar circumstance, in which the blogger said You should run the docker with --user, and the --user's param should be the same with you login on the host
So I tried as follows:
docker run -it --name test --user Leo -p 127.0.0.1:5001 -v host_dir:slave_dir image_name /bin/bash
Unfortunately, the slave_dir's uid and gid are still root.
With cygwin on Win10, I use id to find my login user's uid and gid,
and retry run docker with uid/gid directly.
docker run -it --name test --user 4344296:1049089 -p 127.0.0.1:5001 -v host_dir:slave_dir image_name /bin/bash
OMG, still not work! Still root! ... ...
I'm wondering whether my operation is wrong or window's Docker-Desktop-For-Windows has some tricks with Authority when mounting.
Thanks all!
It looks like a problem with Docker 2.2.0.4. A fix to this problem can be found at this link (It worked for me).
TL;DR: Remove the read-only permission from .git folder in windows.
I have Ubuntu 18.04. and after installing docker i added my user to docker group with the command
sudo usermod -aG docker ${USER}
and logged in
su - ${USER}
and if I check id, my user is added to docker group.
But when I reopen the terminal i cant do docker commands without sudo unless i explicitly do su ${USER}
also, I can't find docker group with the default user.
What am I missing here?
#larsks already replied to the main question in a comment, however I would like to elaborate on the implications of that change (adding your default user to the docker group).
Basically, the Docker daemon socket is owned by root:docker, so in order to use the Docker CLI commands, you need either to be in the docker group, or to prepend all docker commands by sudo.
As indicated in the documentation of Docker, it is risky to follow the first solution on your personal workstation, because this just amounts to providing the default user with root permissions without sudo-like password prompt protection. Indeed, users in the docker group are de facto root on the host. See for example this article and that one.
Instead, you may want to follow the second solution, which can be somewhat simplified by adding to your ~/.bashrc file an alias such as:
alias docker="sudo /usr/bin/docker"
Thus, docker run --rm -it debian will be automatically expanded to sudo /usr/bin/docker run --rm -it debian, thereby preserving sudo’s protection for your default user.
I have a cron job that needs to be run under ec2-user on my EC2 instance and it needs to be able to write to the standard log files for my web app. However, the log files are owned by webapp (as per normal).
I've successfully changed the permissions on the log files so that they are accessible by both the owner and the group webapp:webapp. But where I'm running into trouble is when I try to add the ec2-user to the webapp group.
I can do it fine in SSH with sudo usermod -a -G webapp ec2-user but when I try to add this command via EB container-commands, I get an error saying that you must have a tty to run sudo. Running the command without sudo gives me /bin/sh: usermod: command not found.
Anybody know of any other way to be able to add ec2-user to the webapp group via the Elastic Beanstalk deployment config.
Not sure about the issue with the sudoers file, but generally a cleaner way to add a user to a group (than manually executing a command) is to use the users section of the .ebextensions file. For example, in .ebextensions/something.config:
users:
ec2-user:
groups:
- webapp
You should not use sudo, the deploy script is ran by root.
Also, this is a server command, do it in the commands section instead of container commands section.
commands:
01_set_user_role:
command: "usermod -a -G webapp ec2-user"
You need to run this command from a container_command before executing any commands with sudo:
echo Defaults:root \!requiretty >> /etc/sudoers
In context (in .ebextensions/yourconf.config)
container_commands:
001-enableroot:
command: echo Defaults:root \!requiretty >> /etc/sudoers #disables error related to needing a tty for sudo, allows running without cli