Is there an easy way to change to a non-root user in Bitbucket Pipelines Docker container?

There's two things to address in this question.

To run as a non-root user in Bitbucket Pipelines, you can do exactly what you have suggested and use the USER Docker command. The node:6.2 image does not map to a non-root user, so if you would like to do so you can create a new Docker image with the following Dockerfile:

FROM node:6.2USER foo

The 500 error you are receiving appears to be an issue with YAML parsing on this line:

- chown -R node: /opt/atlassian/bitbucketci/agent/build

The ':' is a special character in the YAML format. Indicating a key-value pair. In order to fix this, put the contents on that line inside of quotes instead like this:

- "chown -R node: /opt/atlassian/bitbucketci/agent/build"

I would also suggest you use the new default environment variable for the build path now. $BITBUCKET_CLONE_DIR. So change the line to instead be

- "chown -R node: $BITBUCKET_CLONE_DIR"

Since the node image already creates a node user (at least in 6.9+), you don't need the useradd. It also seems to work well without the chown. In the end, I have a script looking like this - and it appears to be just fine:

image: node:7pipelines:  default:    - step:        script:          - su -s /bin/bash -c "npm install" node          - su -s /bin/bash -c "npm run build" node

The most comfortable solution I've found is to create a non-root user account only if it's not already included in the image and use the gosu utility to set it for executed commands.

Pipelines' build step is already setting the chmod 777 on the $BUILD_DIR so additional chown is not required.

So, to be able to change to a non-root user in Bitbucket Pipelines Docker container you have to:

1. add an additional shell script to your repository that installs the gosu utility (it can also be included directly as a step in Pipelies config)
2. call the install-gosu.sh script as the first step in Pipelines config,
3. create a non-root user (checking whether it already exists first) with id -u {user} &>/dev/null || useradd ...,
4. use gosu to run commands as a non-root user.

install-gosu.sh

#!/bin/bashGOSU_VERSION=1.10GNUPGHOME="$(mktemp -d)"set -xapt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \&& dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \&& rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \&& chmod +x /usr/local/bin/gosu \&& gosu nobody true \&& apt-get purge -y --auto-remove ca-certificates wget

bitbucket-pipelines.yml

image: node:6pipelines:  default:    - step:        script:          - bash $BITBUCKET_CLONE_DIR/install-gosu.sh          - id -u node &>/dev/null || useradd --user-group --create-home --shell /bin/false node          - gosu node npm install          - gosu node npm test

This can easily be adapted for other languages/users/commands. Just swap the node user and npm commands to whatever you need.

I've tested this method with nodejs and python images.