mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2025-01-25 08:38:43 +00:00
Code Issues Projects Releases Wiki Activity

Revert rootful agent images again (#4683)

Browse source 
Co-authored-by: Robert Kaussow <mail@thegeeklab.de>
This commit is contained in:
Patrick Schratz 2025-01-08 21:35:57 +01:00 committed by GitHub
parent affc5eb8c6
commit 906176c64a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 16 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
.woodpecker/docker.yaml
View file

@ -212,7 +212,7 @@ steps:
image: *buildx_plugin image: *buildx_plugin
settings: settings:
repo: woodpeckerci/woodpecker-agent repo: woodpeckerci/woodpecker-agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless dockerfile: docker/Dockerfile.agent.alpine.multiarch
platforms: *platforms_preview platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine tag: pull_${CI_COMMIT_PULL_REQUEST}-alpine
build_args: *build_args build_args: *build_args
@ -226,7 +226,7 @@ steps:
settings: settings:
dry_run: true dry_run: true
repo: woodpeckerci/woodpecker-agent repo: woodpeckerci/woodpecker-agent
dockerfile: docker/Dockerfile.agent.multiarch.rootless dockerfile: docker/Dockerfile.agent.multiarch
platforms: *platforms_preview platforms: *platforms_preview
tag: pull_${CI_COMMIT_PULL_REQUEST} tag: pull_${CI_COMMIT_PULL_REQUEST}
build_args: *build_args build_args: *build_args
@ -241,7 +241,7 @@ steps:
image: *buildx_plugin image: *buildx_plugin
settings: settings:
repo: *publish_repos_agent repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.multiarch.rootless dockerfile: docker/Dockerfile.agent.multiarch
platforms: *platforms_release platforms: *platforms_release
tag: [next, 'next-${CI_COMMIT_SHA:0:10}'] tag: [next, 'next-${CI_COMMIT_SHA:0:10}']
logins: *publish_logins logins: *publish_logins
@ -260,7 +260,7 @@ steps:
image: *buildx_plugin image: *buildx_plugin
settings: settings:
repo: *publish_repos_agent repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless dockerfile: docker/Dockerfile.agent.alpine.multiarch
platforms: *platforms_alpine platforms: *platforms_alpine
tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine'] tag: [next-alpine, 'next-${CI_COMMIT_SHA:0:10}-alpine']
logins: *publish_logins logins: *publish_logins
@ -276,7 +276,7 @@ steps:
image: *buildx_plugin image: *buildx_plugin
settings: settings:
repo: *publish_repos_agent repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.multiarch.rootless dockerfile: docker/Dockerfile.agent.multiarch
platforms: *platforms_release platforms: *platforms_release
tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}'] tag: ['${CI_COMMIT_TAG%%.*}', '${CI_COMMIT_TAG%.*}', '${CI_COMMIT_TAG}']
logins: *publish_logins logins: *publish_logins
@ -292,7 +292,7 @@ steps:
image: *buildx_plugin image: *buildx_plugin
settings: settings:
repo: *publish_repos_agent repo: *publish_repos_agent
dockerfile: docker/Dockerfile.agent.alpine.multiarch.rootless dockerfile: docker/Dockerfile.agent.alpine.multiarch
platforms: *platforms_alpine platforms: *platforms_alpine
tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine'] tag: ['${CI_COMMIT_TAG%%.*}-alpine', '${CI_COMMIT_TAG%.*}-alpine', '${CI_COMMIT_TAG}-alpine']
logins: *publish_logins logins: *publish_logins

2
docker/Dockerfile.agent.alpine.multiarch.rootless → docker/Dockerfile.agent.alpine.multiarch
View file

@ -21,7 +21,5 @@ EXPOSE 3000
COPY --from=build /src/dist/woodpecker-agent /bin/ COPY --from=build /src/dist/woodpecker-agent /bin/
USER woodpecker
HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"] HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"] ENTRYPOINT ["/bin/woodpecker-agent"]

2
docker/Dockerfile.agent.multiarch.rootless → docker/Dockerfile.agent.multiarch
View file

@ -26,7 +26,5 @@ COPY --from=build /etc/woodpecker /etc
COPY --from=build /etc/passwd /etc/passwd COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group COPY --from=build /etc/group /etc/group
USER woodpecker
HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"] HEALTHCHECK CMD ["/bin/woodpecker-agent", "ping"]
ENTRYPOINT ["/bin/woodpecker-agent"] ENTRYPOINT ["/bin/woodpecker-agent"]

2
docs/docs/30-administration/04-image-variants.md
View file

@ -8,7 +8,7 @@ This was done to prevent accidental major version upgrades.
- `vX.Y.Z`: SemVer tags for specific releases, no entrypoint shell (scratch image) - `vX.Y.Z`: SemVer tags for specific releases, no entrypoint shell (scratch image)
- `vX.Y` - `vX.Y`
- `vX` - `vX`
- `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless (as of v3.0). - `vX.Y.Z-alpine`: SemVer tags for specific releases, based on Alpine, rootless for Server and CLI (as of v3.0).
- `vX.Y-alpine` - `vX.Y-alpine`
- `vX-alpine` - `vX-alpine`
- `next`: Built from the `main` branch - `next`: Built from the `main` branch

2
docs/docs/92-development/07-guides.md
View file

@ -55,7 +55,7 @@ You can try to use the `build-server` rule instead, however this one fails for s
make build-agent make build-agent
### build the image ### build the image
docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch.rootless --push . docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
``` ```
### CLI ### CLI

9
docs/src/pages/migrations.md
View file

@ -176,9 +176,16 @@ The following restructuring was done to achieve a more consistent grouping:
#### Rootless images #### Rootless images
All Woodpecker images now use a non-privileged user (`woodpecker`) by default. The `server` and `cli` images now use a non-privileged user (`woodpecker`) by default.
If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`. If you have volume mounts attached to containers, you might need to update the ownership of these directories from `root` to `woodpecker`.
:::note
The agent image must remain rootful by default to be able to mount the Docker socket when Woodpecker is used with the `docker` backend.
The helm chart will start to use a non-privileged user by utilizing `securityContext`.
Running a completely rootless agent with the `docker` backend may be possible by using a rootless docker daemon.
However, this requires more work and is currently not supported.
:::
## 2.7.2 ## 2.7.2
To secure your instance, set `WOODPECKER_PLUGINS_PRIVILEGED` to only allow specific versions of the `woodpeckerci/plugin-docker-buildx` plugin, use version 5.0.0 or above. This prevents older, potentially unstable versions from being privileged. To secure your instance, set `WOODPECKER_PLUGINS_PRIVILEGED` to only allow specific versions of the `woodpeckerci/plugin-docker-buildx` plugin, use version 5.0.0 or above. This prevents older, potentially unstable versions from being privileged.