diff --git a/.woodpecker/docker.yaml b/.woodpecker/docker.yaml
index e49cc9d5e..4072c78fc 100644
--- a/.woodpecker/docker.yaml
+++ b/.woodpecker/docker.yaml
@@ -212,7 +212,7 @@ steps:
image: *buildx_plugin
settings:
repo: woodpeckerci/woodpecker-agent
- dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
+ dockerfile: docker/Dockerfile.agent.alpine.multiarch
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
build_args: *build_args
@@ -226,7 +226,7 @@ steps:
settings:
dry_run: true
repo: woodpeckerci/woodpecker-agent
- dockerfile: docker/Dockerfile.agent.multiarch.rootless
+ dockerfile: docker/Dockerfile.agent.multiarch
platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}
build_args: *build_args
@@ -241,7 +241,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
- dockerfile: docker/Dockerfile.agent.multiarch.rootless
+ dockerfile: docker/Dockerfile.agent.multiarch
platforms: *platforms_release
tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins
@@ -260,7 +260,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
- dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
+ dockerfile: docker/Dockerfile.agent.alpine.multiarch
platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins
@@ -276,7 +276,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
- dockerfile: docker/Dockerfile.agent.multiarch.rootless
+ dockerfile: docker/Dockerfile.agent.multiarch
platforms: *platforms_release
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
logins: *publish_logins
@@ -292,7 +292,7 @@ steps:
image: *buildx_plugin
settings:
repo: *publish_repos_agent
- dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless
+ dockerfile: docker/Dockerfile.agent.alpine.multiarch
platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins
diff --git a/docker/Dockerfile.agent.alpine.multiarch.rootless b/docker/Dockerfile.agent.alpine.multiarch
similarity index 97%
rename from docker/Dockerfile.agent.alpine.multiarch.rootless
rename to docker/Dockerfile.agent.alpine.multiarch
index 011c5dda2..68a2c36ce 100644
--- a/docker/Dockerfile.agent.alpine.multiarch.rootless
+++ b/docker/Dockerfile.agent.alpine.multiarch
@@ -21,7 +21,5 @@ EXPOSE 3000
COPY --from=build /src/dist/woodpecker-agent /bin/
-USER woodpecker
-
HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"]
diff --git a/docker/Dockerfile.agent.multiarch.rootless b/docker/Dockerfile.agent.multiarch
similarity index 98%
rename from docker/Dockerfile.agent.multiarch.rootless
rename to docker/Dockerfile.agent.multiarch
index e0cb739a1..91e208124 100644
--- a/docker/Dockerfile.agent.multiarch.rootless
+++ b/docker/Dockerfile.agent.multiarch
@@ -26,7 +26,5 @@ COPY --from=build /etc/woodpecker /etc
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
-USER woodpecker
-
HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"]
diff --git a/docs/docs/30-administration/04-image-variants.md b/docs/docs/30-administration/04-image-variants.md
index 1885eb4d8..2d946a9df 100644
--- a/docs/docs/30-administration/04-image-variants.md
+++ b/docs/docs/30-administration/04-image-variants.md
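Review bot: Removing `USER woodpecker` leaves docker/Dockerfile.agent.alpine.multiarch with no USER directive at all, so the image's default runtime user becomes root, and nothing in the Dockerfile records that this is deliberate; the same removal is made in docker/Dockerfile.agent.multiarch in the next hunk. Replacing the deleted line with a comment keeps the decision reviewable and stops a later hardening pass from silently re-adding the directive: `# No USER directive on purpose: the agent defaults to root so it can reach the Docker socket with the docker backend; drop privileges at deploy time (container --user or a securityContext) when the backend allows it.` In the multiarch variant the `COPY --from=build /etc/passwd` and `/etc/group` lines are kept, so the `woodpecker` account presumably still exists in the image and can be selected at runtime — worth stating in that comment as the supported way to run non-root. The enclosing Dockerfiles begin before these hunks, so the build stage that creates the user is not visible here.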
@@ -8,7 +8,7 @@ This was done to prevent accidental major version upgrades.
- `vX.Y.Z`: SemVer tags for specific releases, no entrypoint shell (scratch image)
- `vX.Y`
- `vX`
-- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless (as of v3.0).
+- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless for Server and CLI (as of v3.0).
- `vX.Y-alpine`
- `vX-alpine`
- `next`: Built from the `main` branch
diff --git a/docs/docs/92-development/07-guides.md b/docs/docs/92-development/07-guides.md
index eaff951ee..c8612f576 100644
--- a/docs/docs/92-development/07-guides.md
+++ b/docs/docs/92-development/07-guides.md
@@ -55,7 +55,7 @@ You can try to use the `build-server` rule instead, however this one fails for s
make build-agent
### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch.rootless --push .
+docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
```
### CLI
diff --git a/docs/src/pages/migrations.md b/docs/src/pages/migrations.md
index ff0180318..a6e3d4ccd 100644
--- a/docs/src/pages/migrations.md
+++ b/docs/src/pages/migrations.md
@@ -176,9 +176,16 @@ The following restructuring was done to achieve a more consistent grouping:
#### Rootless images
-All Woodpecker images now use a non-privileged user (`woodpecker`) by default.
+The `server` and `cli` images now use a non-privileged user (`woodpecker`) by default.
If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`.
+:::note
+The agent image must remain rootful by default to be able to mount the Docker socket when Woodpecker is used with the `docker` backend.
+The helm chart will start to use a non-privileged user by utilizing `securityContext`.
+Running a completely rootless agent with the `docker` backend may be possible by using a rootless docker daemon.
+However, this requires more work and is currently not supported.
+:::
+
## 2.7.2
To secure your instance, set `WOODPECKER_PLUGINS_PRIVILEGED` to only allow specific versions of the `woodpeckerci/plugin-docker-buildx` plugin, use version 5.0.0 or above. This prevents older, potentially unstable versions from being privileged.