FIPS build cannot run shell executor by default
As described in gitlab#418292, running the FIPS image with a shell executor fails out of the box for two reasons:
- In the prep job it's throwing `mkdir: cannot create directory '/builds': Permission denied`.
- In the build jobs it's throwing `Password: su: Authentication failure`.
This happens due to 51d5167c:
- The image runs as UID 1001 by default (a non-existent user). This user doesn't have the ability to `mkdir /builds`.
- `--user=gitlab-runner` is passed to the runner. This causes the shell executor to run `su`: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/f29584e83f2b39572d44cc15efbced87a928d1b4/shells/bash.go#L361-375. However, normally `su` can only be run by `root`, so we get the `Password: su: Authentication failure` error.
@ratchade Was UID 1001 supposed to be `gitlab-runner`? UPDATE: Yes, for OpenShift (gitlab-org/charts/gitlab#1069 (comment 282334875)), and therefore we need `--user=root` in the arguments. On the FIPS image, it appears UID 998 belongs to `gitlab-runner`.

Perhaps we should consider making USER a configurable value and the entrypoint conditional on whether it is already `gitlab-runner`.
Edited by Stan Hu
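The conditional entrypoint floated in the last paragraph, as an added sketch that is not the runner image's own script: it assumes a configurable `RUNNER_USER` variable and a `gitlab-runner` binary on PATH, and uses the UID 998 / UID 1001 values from the issue as constructed sample data.

```shell
#!/bin/sh
# Hypothetical conditional entrypoint (not the runner image's own script).
# It starts the runner according to who the container runs as:
#   already the runner user -> exec directly, no su needed
#   root                    -> drop privileges to the runner user
#   anything else           -> fail with a clear message instead of letting
#                              su prompt for a password that can never succeed
#                              (the UID 1001 case described in the issue).

RUNNER_USER="${RUNNER_USER:-gitlab-runner}"   # assumption: made configurable

# resolve_uid <name> [passwd_file]: print the UID for <name>, or nothing.
resolve_uid() {
  awk -F: -v u="$1" '$1 == u { print $3; exit }' "${2:-/etc/passwd}"
}

# decide_launch_mode <current_uid> <target_uid>: direct | drop-privs | abort
decide_launch_mode() {
  if [ "$1" = "$2" ]; then echo direct
  elif [ "$1" = 0 ]; then echo drop-privs
  else echo abort
  fi
}

# launch_mode_for <current_uid> [passwd_file]: combine the two steps;
# a RUNNER_USER with no passwd entry is also an abort.
launch_mode_for() {
  target=$(resolve_uid "$RUNNER_USER" "${2:-/etc/passwd}")
  [ -n "$target" ] || { echo abort; return; }
  decide_launch_mode "$1" "$target"
}

# entrypoint_main "$@": the part a real entrypoint would call at the end.
entrypoint_main() {
  case "$(launch_mode_for "$(id -u)")" in
    direct)     exec gitlab-runner "$@" ;;
    drop-privs) exec su -s /bin/sh "$RUNNER_USER" -c 'exec gitlab-runner "$@"' -- sh "$@" ;;
    *) echo "UID $(id -u) is neither root nor $RUNNER_USER; refusing to run su" >&2; exit 1 ;;
  esac
}

# Constructed sample passwd mirroring the issue: gitlab-runner is UID 998,
# and UID 1001 has no entry at all.
write_sample_passwd() {   # write_sample_passwd <path>
  printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
    'gitlab-runner:x:998:998::/home/gitlab-runner:/bin/sh' > "$1"
}
```

A real entrypoint would finish with `entrypoint_main "$@"`; it is left as a function here so the decision logic can be exercised against the sample passwd file without exec'ing the runner.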