securityContext UID conflict between deployment and images
gitlab-runner:ubuntu image has a user named gitlab-runner with uid 999
gitlab-runner:ubuntu image has a user named _apt with uid 100
gitlab-runner:alpine image has a gitlab-runner user with uid 100
sudo docker run -it --entrypoint "/bin/bash" gitlab/gitlab-runner:ubuntu
root@433d5c100dfb:/# cat /etc/passwd
...
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
gitlab-runner:x:999:999:GitLab Runner:/home/gitlab-runner:/bin/bash
https://gitlab.com/gitlab-org/charts/gitlab-runner/blob/master/templates/deployment.yaml#L28 specifies that the security context should be uid 100. However, if you attempt to use Ubuntu as your runner.image, you will get permission denied failures when making files and copying over configurations.
Workaround: updating deployment.yaml to have the image use uid 999 instead of 100 results in successfully deploying a new runner. However, it will then presumably break the alpine image.
I believe the easiest and most consistent way forward is to change the deployment.yaml securityContext: runAsUser to be 999 and have the alpine image use gitlab-runner user == 999.
The harder way would be to change the uid dynamically based on the image, or make it some sort of option in the template, but I have no idea if that is possible or even desirable.
Proposal
- Solve gitlab-org/gitlab-runner#4695 (closed) to update the alpine image to use the same UID as ubuntu
- Update the deployment to have the same UID
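
The mismatch described above can be checked before deploying by resolving the numeric runAsUser against each image's /etc/passwd. The script below is an added example, not part of the original issue or the chart; the function names are hypothetical, and the passwd excerpts are constructed from the lines and UIDs quoted in the issue (the root lines and the alpine gid and shell are made up).

```shell
#!/bin/sh
# Added example: resolve a pod's runAsUser against an image's /etc/passwd.
# Sample data is constructed; only the _apt and gitlab-runner UIDs come from the issue.

UBUNTU_PASSWD='root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
gitlab-runner:x:999:999:GitLab Runner:/home/gitlab-runner:/bin/bash'

ALPINE_PASSWD='root:x:0:0:root:/root:/bin/ash
gitlab-runner:x:100:65533:GitLab Runner:/home/gitlab-runner:/bin/bash'

# Print the account name that owns a numeric UID in passwd-format text.
name_for_uid() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { print $1; exit }'
}

# Print the numeric UID of a named account in passwd-format text.
uid_for_name() {
    printf '%s\n' "$1" | awk -F: -v name="$2" '$1 == name { print $3; exit }'
}

# Return 0 when runAsUser maps to the expected account, 1 otherwise.
check_run_as_user() {
    passwd_text=$1; run_as_user=$2; expected=$3
    actual=$(name_for_uid "$passwd_text" "$run_as_user")
    if [ "$actual" = "$expected" ]; then
        echo "OK: uid $run_as_user is $expected"
        return 0
    fi
    echo "MISMATCH: uid $run_as_user is '${actual:-<no passwd entry>}';" \
         "$expected has uid $(uid_for_name "$passwd_text" "$expected")"
    return 1
}

# runAsUser 100 (current deployment.yaml) and 999 (the workaround).
check_run_as_user "$UBUNTU_PASSWD" 100 gitlab-runner || true
check_run_as_user "$ALPINE_PASSWD" 100 gitlab-runner || true
check_run_as_user "$UBUNTU_PASSWD" 999 gitlab-runner || true
check_run_as_user "$ALPINE_PASSWD" 999 gitlab-runner || true
```

Against a real image, the passwd text can be obtained with `docker run --rm --entrypoint cat gitlab/gitlab-runner:ubuntu /etc/passwd` and passed as the first argument.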