
Conversation

@nikola-jokic
Collaborator

@nikola-jokic nikola-jokic commented Oct 22, 2025

Fixes #257

@nikola-jokic nikola-jokic force-pushed the nikola-jokic/allow-non-root-container branch from 7be250d to ef8e11f Compare November 10, 2025 14:02
@nikola-jokic nikola-jokic marked this pull request as ready for review November 21, 2025 12:09
@nikola-jokic nikola-jokic requested a review from a team as a code owner November 21, 2025 12:09
Copilot AI review requested due to automatic review settings November 21, 2025 12:09
Copilot finished reviewing on behalf of nikola-jokic November 21, 2025 12:11
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds support for running containers as non-root users by implementing proper volume permissions and security contexts. The changes address issue #257 by ensuring that file system operations work correctly when containers run with non-root user IDs (specifically user 1001).

Key changes:

  • Added security context with fsGroup: 1001 to pod specifications
  • Created new WORK_VOLUME for the work directory with proper permissions
  • Updated tar extraction to use --no-same-owner flag and explicit permission fixes
  • Modified init container to create and prepare all required directories

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

File | Description
packages/k8s/src/k8s/index.ts | Implements core non-root container support with security contexts, volume mounts, and permission handling
packages/k8s/src/k8s/utils.ts | Adds WORK_VOLUME constant and updates volume mount configurations
packages/k8s/tests/prepare-job-test.ts | Adds test case for non-root container functionality
packages/k8s/tests/e2e-test.ts | Formatting cleanup (whitespace only)
package.json | Adds lint:fix script for convenience
Comments suppressed due to low confidence (1)

packages/k8s/src/k8s/index.ts:1

  • The mv command will fail if /home/runner/externals/ is empty because the glob pattern * won't match anything. This will cause the init container to fail. Consider adding || true at the end of the command or checking if the directory is not empty before moving: [ -n \"$(ls -A /home/runner/externals)\" ] && mv /home/runner/externals/* /mnt/externals/ || true
import * as core from '@actions/core'


Comment on lines +388 to +389
`find ${shlex.quote(containerPath)} -type f -exec chmod u+rw {} \\; 2>/dev/null; ` +
`find ${shlex.quote(containerPath)} -type d -exec chmod u+rwx {} \\; 2>/dev/null`

Copilot AI Nov 21, 2025


The three separate find commands can be inefficient for large directory trees. Consider combining them into a single find command with multiple -o (or) operators, or use find ... -type f -exec chmod u+rw {} + -o -type d -exec chmod u+rwx {} + to reduce process spawning overhead. The + instead of \\; will also batch file arguments for better performance.

Suggested change
`find ${shlex.quote(containerPath)} -type f -exec chmod u+rw {} \\; 2>/dev/null; ` +
`find ${shlex.quote(containerPath)} -type d -exec chmod u+rwx {} \\; 2>/dev/null`
`find ${shlex.quote(containerPath)} \\( -type f -exec chmod u+rw {} + -o -type d -exec chmod u+rwx {} + \\) 2>/dev/null`
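Review bot: switching the -type d branch from `\\;` (lines 388-389) to `{} +` in the suggested line changes behaviour for directories that currently lack the user read or execute bit. With `\\;` find runs chmod on each directory as it visits it, before descending, so a subtree the runner uid cannot yet enter is opened up on the way down; with `+` the chmod calls are deferred until find flushes its argument batch, so find may already have failed to descend and the files beneath keep their old modes, and the failure is discarded by `2>/dev/null`. Keep `\\;` for the directory branch and batch only the files, e.g. `find ${shlex.quote(containerPath)} \\( -type d -exec chmod u+rwx {} \\; -o -type f -exec chmod u+rw {} + \\) 2>/dev/null`, and consider whether the stderr redirect should stay at all, since it also hides chmod failures that find would otherwise report through its exit status.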

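The directory-repair step debated in the comment above, as an added shell example that is not code from the PR or the hooks project: fix_tree_perms repairs directories one at a time before descending and batches the files, verify_tree_perms reads the mode bits back, and make_sample_tree builds a constructed tree whose paths are illustrative.

```shell
#!/bin/sh
# Added example, not code from the PR or the hooks project.

# Directories first, one chmod per directory ('\;'): find applies the chmod
# when it visits the directory, before descending, so a directory the current
# uid cannot yet enter is opened up on the way down. Regular files are safe
# to batch with '+'. No '2>/dev/null': a failing chmod makes find exit
# non-zero and this function returns that status instead of hiding it.
fix_tree_perms() {
  dir=$1
  find "$dir" -type d -exec chmod u+rwx {} \; &&
    find "$dir" -type f -exec chmod u+rw {} +
}

# Return 0 only if every directory has u+rwx and every file has u+rw.
# Mode bits are read from ls rather than tested with [ -w ], which is
# always true for root and would hide a bad mode in a privileged shell.
verify_tree_perms() {
  dir=$1
  find "$dir" -type d | while IFS= read -r d; do
    [ "$(ls -ld "$d" | cut -c2-4)" = "rwx" ] || exit 1
  done || return 1
  find "$dir" -type f | while IFS= read -r f; do
    [ "$(ls -l "$f" | cut -c2-3)" = "rw" ] || exit 1
  done
}

# Constructed sample tree (paths are illustrative): a subdirectory and a file
# stripped of all permission bits, standing in for entries that uid 1001
# can neither read nor enter after an extraction.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/work/_tool"
  : > "$root/work/_tool/runner.bin"
  chmod 000 "$root/work/_tool/runner.bin"
  chmod 000 "$root/work/_tool"
  printf '%s\n' "$root"
}

# Demo: repair the constructed tree and report the verdict.
demo_root=$(make_sample_tree)
if fix_tree_perms "$demo_root" && verify_tree_perms "$demo_root"; then
  echo "repaired and verified: $demo_root"
fi
rm -rf "$demo_root"
```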
@nikola-jokic nikola-jokic merged commit 15e8089 into main Nov 21, 2025
11 checks passed
@nikola-jokic nikola-jokic deleted the nikola-jokic/allow-non-root-container branch November 21, 2025 13:44

Development

Successfully merging this pull request may close these issues.

cpToPod failed after 30 attempts (related to permission issue)

3 participants