option to run gitlab-runner as non-root user
Description
The gitlab-runner runs as root in a container, and that should be configurable. According to the closed issue #263, this is done on purpose to make it simpler to manage the service, to give only the daemon the privilege to read /etc/gitlab-runner/config.toml, and to allow out-of-the-box support for Docker (if installed) and not expose it to the shell executor.
But we would like to adhere to the principle of least privilege. I cannot find a reason to run docker-runner as root, other than the out-of-the-box support for Docker. But if you do use docker executors? If you run Kubernetes? There is no need to run as root.
Also, here it is well explained why running as root is not a good idea: https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
[root@0659bb5d82b3 /]# ps auxw
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 164 4 ? Ss Feb27 0:00 /usr/bin/dumb-init /entrypoint run --user=gitlab-runner --working-
root 5 0.1 0.0 61412 11648 ? Ssl Feb27 58:41 gitlab-runner run --user=gitlab-runner --working-directory=/home/g
root 13 0.6 0.0 11764 1832 ? Ss 16:29 0:00 bash
root 24 0.0 0.0 47416 1656 ? R+ 16:29 0:00 ps auxw
Proposal
I would like to propose a 'user' value in the global section of the GitLab Runner configuration, which defaults to 'root', specifying the user the gitlab-runner process needs to run as. Out of the box, docker executors keep working.
Links to related issues and merge requests / references
https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
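An added example, not part of the original issue and not GitLab's own code: a small audit of `ps auxw` output that flags processes owned by root even though their command line carries a `--user=` argument naming another account, which is the situation the listing above shows. `PS_OUTPUT` is copied from that listing (truncated command lines kept as posted); the function names `parse_ps` and `audit` are hypothetical.

```python
import re

# Process listing as posted in the issue above (truncated command lines kept).
PS_OUTPUT = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 164 4 ? Ss Feb27 0:00 /usr/bin/dumb-init /entrypoint run --user=gitlab-runner --working-
root 5 0.1 0.0 61412 11648 ? Ssl Feb27 58:41 gitlab-runner run --user=gitlab-runner --working-directory=/home/g
root 13 0.6 0.0 11764 1832 ? Ss 16:29 0:00 bash
root 24 0.0 0.0 47416 1656 ? R+ 16:29 0:00 ps auxw
"""

# Matches both "--user=name" and "--user name".
USER_FLAG = re.compile(r"--user[= ](\S+)")


def parse_ps(text):
    """Parse `ps auxw` output into dicts keyed by the header columns."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        # Split on the first len(header)-1 gaps only, so COMMAND keeps its spaces.
        fields = line.split(None, len(header) - 1)
        if len(fields) == len(header):  # skip wrapped or malformed lines
            rows.append(dict(zip(header, fields)))
    return rows


def audit(rows):
    """Return (root_pids, mismatches).

    root_pids:  PIDs of every process owned by root.
    mismatches: (pid, owner, requested_user) for root-owned processes whose
                command line asks for a different user via --user.
    """
    root_pids, mismatches = [], []
    for row in rows:
        if row["USER"] not in ("root", "0"):
            continue
        pid = int(row["PID"])
        root_pids.append(pid)
        match = USER_FLAG.search(row["COMMAND"])
        if match and match.group(1) not in ("root", "0"):
            mismatches.append((pid, row["USER"], match.group(1)))
    return root_pids, mismatches


if __name__ == "__main__":
    roots, bad = audit(parse_ps(PS_OUTPUT))
    print("root-owned PIDs:", roots)
    for pid, owner, wanted in bad:
        print(f"PID {pid}: runs as {owner}, command line requests {wanted}")
```

To check a live container, feed the output of `ps auxw` run inside it to `parse_ps` instead of the embedded listing.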