Is there an easy way to change to a non-root user in Bitbucket Pipelines Docker container?
There are two things to address in this question.
To run as a non-root user in Bitbucket Pipelines, you can do exactly what you have suggested and use the USER Docker command. The node:6.2 image does not map to a non-root user, so if you would like to do so you can create a new Docker image with the following Dockerfile:
FROM node:6.2
USER foo
The 500 error you are receiving appears to be an issue with YAML parsing on this line:
- chown -R node: /opt/atlassian/bitbucketci/agent/build
The ':' is a special character in the YAML format, indicating a key-value pair. To fix this, put the contents of that line inside quotes instead, like this:
- "chown -R node: /opt/atlassian/bitbucketci/agent/build"
I would also suggest you use the new default environment variable for the build path now: $BITBUCKET_CLONE_DIR. So change the line to instead be:
- "chown -R node: $BITBUCKET_CLONE_DIR"
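A way to catch this class of mistake before pushing, as an added example that is not part of the original answer: a heuristic scanner that lists unquoted `script:` entries containing a colon that YAML would parse as a mapping. The function names and the sample file are constructed for illustration, and the scanner only looks at line shape rather than parsing YAML.

```shell
#!/bin/sh
# Added example, not from the original answers. Heuristic line scanner, not a
# YAML parser: prints "LINE: text" for each unquoted entry under `script:`
# that YAML would read as a key-value mapping instead of a command string.
find_unquoted_colon_steps() {
    awk '
    function indent(s,  t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }
    function check(line,  item, c) {
        item = line
        sub(/^ *- +/, "", item); sub(/[ \t]+$/, "", item)
        c = substr(item, 1, 1)
        # Quoted strings and block scalars are safe; "pipe:" is a real mapping.
        if (c == "\"" || c == "\047" || c == "|" || c == ">" || item ~ /^pipe:/) return
        if (item ~ /: / || item ~ /:$/) print NR ": " item
    }
    /^[ \t]*script:[ \t]*$/ { in_script = 1; item_indent = -1; next }
    !in_script || /^[ \t]*$/ { next }
    {
        ind = indent($0)
        if ($0 ~ /^ *- /) {
            if (item_indent < 0) item_indent = ind
            if (ind == item_indent) { check($0); next }
        }
        if (item_indent >= 0 && ind > item_indent) next  # continuation line
        in_script = 0
    }
    ' "$@"
}

# Constructed sample based on the lines quoted in the answer above.
sample_pipeline() {
    cat <<'EOF'
image: node:6
pipelines:
  default:
    - step:
        script:
          - chown -R node: /opt/atlassian/bitbucketci/agent/build
          - "chown -R node: $BITBUCKET_CLONE_DIR"
          - gosu node npm install
EOF
}

sample_pipeline | find_unquoted_colon_steps   # prints the line 6 entry only
```

Pass a file name instead of piping, for example `find_unquoted_colon_steps bitbucket-pipelines.yml`, to check a real config.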
Since the node image already creates a node user (at least in 6.9+), you don't need the useradd. It also seems to work well without the chown. In the end, I have a script looking like this - and it appears to be just fine:
image: node:7
pipelines:
  default:
    - step:
        script:
          - su -s /bin/bash -c "npm install" node
          - su -s /bin/bash -c "npm run build" node
The most comfortable solution I've found is to create a non-root user account only if it's not already included in the image and use the gosu utility to set it for executed commands.
Pipelines' build step is already setting the chmod 777 on the $BUILD_DIR so additional chown is not required.
So, to be able to change to a non-root user in Bitbucket Pipelines Docker container you have to:
- add an additional shell script to your repository that installs the gosu utility (it can also be included directly as a step in Pipelines config),
- call the install-gosu.sh script as the first step in Pipelines config,
- create a non-root user (checking whether it already exists first) with id -u {user} &>/dev/null || useradd ...,
- use gosu to run commands as a non-root user.
install-gosu.sh
#!/bin/bash
# Install gosu and verify the downloaded binary against its detached GPG signature.
GOSU_VERSION=1.10
# Exported so that gpg uses this throwaway keyring instead of the default one.
export GNUPGHOME="$(mktemp -d)"
set -x
# Each step below only runs if the previous one succeeded; a failed signature
# check stops the chain before gosu is made executable.
apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
&& rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
&& chmod +x /usr/local/bin/gosu \
&& gosu nobody true \
&& apt-get purge -y --auto-remove ca-certificates wget
bitbucket-pipelines.yml
image: node:6
pipelines:
  default:
    - step:
        script:
          - bash $BITBUCKET_CLONE_DIR/install-gosu.sh
          - id -u node &>/dev/null || useradd --user-group --create-home --shell /bin/false node
          - gosu node npm install
          - gosu node npm test
This can easily be adapted for other languages/users/commands. Just swap the node user and npm commands to whatever you need.
I've tested this method with nodejs and python images.