I am working on setting up an Azure DevOps pipelines agent within an Azure Container Instance. I have been advised that running the Docker instance with root privileges can pose a security risk. Therefore, I am attempting to configure the Docker instance to run as a non-root user.
Following this guide, I have created a self-hosted agent. Here is the Dockerfile I am using:
```dockerfile
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
ENV NODE_MAJOR=18
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Base tooling, pinned to exact package versions
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
        apt-transport-https=2.0.9 \
        ca-certificates=20230311ubuntu0.20.04.1 \
        curl=7.68.0-1ubuntu2.19 \
        gpg=2.2.19-3ubuntu2.2 \
        gnupg=2.2.19-3ubuntu2.2 \
        lsb-release=11.1.0ubuntu2 \
        software-properties-common=0.99.9.12 \
        zip=3.0-11build1 \
    && rm -rf /var/lib/apt/lists/*

# HashiCorp apt repository (signed-by keyring, no apt-key)
RUN curl -fsSL https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list

# NodeSource apt repository
RUN mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list

# Build tooling from the repositories added above
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        apt-utils=2.0.9 \
        git=1:2.25.1-1ubuntu3.11 \
        iputils-ping=3:20190709-3 \
        jq=1.6-1ubuntu0.20.04.1 \
        terraform=1.5.7-1 \
        nodejs=18.18.0-1nodesource1 \
    && rm -rf /var/lib/apt/lists/*

RUN npm install --global yarn@^1.x.x

# Flyway CLI: extracted into the current directory (/ at this point) and symlinked onto PATH
RUN curl -fsSL https://download.red-gate.com/maven/release/org/flywaydb/enterprise/flyway-commandline/9.17.0/flyway-commandline-9.17.0-linux-x64.tar.gz | tar -xvz && \
    ln -s "$(pwd)/flyway-9.17.0/flyway" /usr/local/bin

# Azure CLI via Microsoft's install script
RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash

ENV TARGETARCH=linux-x64
WORKDIR /azp
COPY ./start.sh .
RUN chmod +x start.sh
ENTRYPOINT [ "./start.sh" ]

HEALTHCHECK --interval=1m --timeout=10s --start-period=5s --retries=3 \
    CMD pgrep -F /var/run/azp_agent.pid || exit 1
```
When I try to add a non-root user, I encounter build errors due to permission issues with the apt-get command. Moreover, running the container in rootless mode seems to cause additional issues.
I am seeking help with the following:
- How can I modify the Dockerfile to avoid permission denied errors when installing packages as a non-root user?
- Are there known solutions or workarounds for the issues encountered when running the container in rootless mode?
I tried doing
```dockerfile
RUN useradd -ms /bin/bash nonroot
USER nonroot
```
But on docker build I get:
```text
 => ERROR [ 3/12] RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends apt-transport-https=2.0.9 ca-certificates=20230311ubuntu0.20.04.1 curl=7.68.0-1ubuntu2.19 gpg=2.2.19-3ubuntu2.2 gnupg=2 0.4s
------
 > [ 3/12] RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends apt-transport-https=2.0.9 ca-certificates=20230311ubuntu0.20.04.1 curl=7.68.0-1ubuntu2.19 gpg=2.2.19-3ubuntu2.2 gnupg=2.2.19-3ubuntu2.2 lsb-release=11.1.0ubuntu2 software-properties-common=0.99.9.12 zip=3.0-11build1 && rm -rf /var/lib/apt/lists/*:
#6 0.318 Reading package lists...
#6 0.422 E: List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied)
------
executor failed running [/bin/bash -o pipefail -c apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends apt-transport-https=2.0.9 ca-certificates=20230311ubuntu0.20.04.1 curl=7.68.0-1ubuntu2.19 gpg=2.2.19-3ubuntu2.2 gnupg=2.2.19-3ubuntu2.2 lsb-release=11.1.0ubuntu2 software-properties-common=0.99.9.12 zip=3.0-11build1 && rm -rf /var/lib/apt/lists/*]: exit code: 100
```
I can't use sudo for the same security concerns, of course.
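The pattern that avoids the `Permission denied` from `apt-get` is to keep the package installs running as root (the build default) and move the `USER` switch to the very end, so only the agent process is unprivileged. The following Dockerfile is an added example illustrating that layout, not the poster's own file or Microsoft's sample: it keeps only a short package list to stay readable, invents an `agent` account with UID 10001 for illustration, and assumes `start.sh` is adjusted to write its pid file under `/azp` (a non-root process cannot create files in `/var/run`).

```dockerfile
# Added example (not the poster's Dockerfile): package installs stay root-owned
# build steps; the runtime user is switched to only after the filesystem is laid out.
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build-time steps run as root because USER has not been switched yet.
# The real image would carry the full pinned package list from the question here.
RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates curl git jq && \
    rm -rf /var/lib/apt/lists/*

# Runtime account with a fixed, non-zero UID (10001 is an assumed value) so that
# "must not run as root" checks and any host-side ownership are predictable.
# No sudo is installed: the account has no route back to root inside the container.
ARG AGENT_UID=10001
RUN groupadd --gid "$AGENT_UID" agent && \
    useradd --uid "$AGENT_UID" --gid "$AGENT_UID" --create-home --shell /bin/bash agent

ENV TARGETARCH=linux-x64
WORKDIR /azp
# start.sh downloads and configures the agent under /azp at run time, so the
# runtime user must own that directory; --chown avoids an extra chown layer.
COPY --chown=agent:agent ./start.sh .
RUN chmod 0755 start.sh && chown agent:agent /azp

# Everything from here on (ENTRYPOINT, HEALTHCHECK) executes as the agent user.
USER agent
ENTRYPOINT [ "./start.sh" ]

# Assumes start.sh writes its pid to /azp/azp_agent.pid, a path the agent user can write.
HEALTHCHECK --interval=1m --timeout=10s --start-period=5s --retries=3 \
    CMD pgrep -F /azp/azp_agent.pid || exit 1
```

To confirm the switch took effect before pushing the image, override the entrypoint once: `docker run --rm --entrypoint id <image>` should report `uid=10001(agent)` rather than `uid=0(root)`. The same layering works unchanged on Azure Container Instances, because the non-root identity is baked into the image rather than depending on the daemon being rootless.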