Allow to run job script in a separate user.
Description
Problem to Solve
In the shell executor, the user that runs the job script is the same user that the runner itself runs as, so if the runner is running as root, the job runs as root.
At the time of writing, you can only choose between A or B in the following table:
| Phase/User | Runner service/container user (e.g. `root`) | Runner-configured user (e.g. `gitlab-runner`) |
|---|---|---|
| Pre (`pre_clone_script`, `pre_build_script`) | A | B |
| User (`before_script`, jobs, `after_script`) | A | B |
| Post (`post_build_script`) | A | B |
Use Cases
The specific use case is that I want to mount Docker Swarm secrets inside my runner with mode 0400 and owned by root. The secrets can be used to interface with an external system, fetch less privileged credentials specific to the pipeline user, and place them in the project checkout directory. Once the user starts the pipeline, their jobs can make use of those credentials. Once the pipeline ends, the credentials are removed by the post build script (`post_build_script`, not `after_script`).
If the user pipeline runs as root, however, the user could use those Swarm secrets to create credentials on behalf of other users, or just outright use the credentials to get privileged access to the external system.
With the current options, if the runner is configured with an unprivileged user, the `pre_build_script` runs as that user and thus cannot access the Swarm secrets due to their owner and mode.
So it's either too restricted for the pre script to do its thing, or too unrestricted to protect the secrets from overly curious users.
Examples of external systems:
- HashiCorp Vault
- Docker Universal Control Plane
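The pre/post flow described in the use case, as an added shell example that is not code from this issue or from GitLab Runner itself. It is the kind of script the `pre_build_script` and `post_build_script` keys would point at: the pre half refuses to proceed unless the Swarm secret really is a regular file with mode exactly 0400 and the expected owner, derives job-scoped credentials from it, and drops them into the checkout directory with restrictive permissions; the post half removes them. The file names, the owner argument, the `.job-credentials` name and the placeholder "derivation" (a real script would call Vault or UCP with the secret and receive a short-lived token) are all assumptions made for this example; the stand-alone demo at the bottom uses a constructed secret owned by the current user standing in for root.

```shell
#!/bin/sh
# Added example (not from the issue or GitLab Runner). Sketches the
# pre_build_script / post_build_script pair from the use case. Paths, owner,
# output file name and the token derivation are placeholders.

# check_secret FILE OWNER
# Succeeds only if FILE is a regular file whose permission bits are exactly
# 0400 and whose owner is OWNER. This is the guard the pre step relies on:
# anything looser means the secret could be readable by the job user.
check_secret() {
  [ -f "$1" ] || return 1
  # POSIX find: "-perm 0400" without a leading '-' is an exact-mode match.
  [ -n "$(find "$1" -perm 0400 -user "$2" -print 2>/dev/null)" ]
}

# stage_credentials SECRET OWNER CHECKOUT_DIR [JOB_USER]
# The pre_build_script half. Reads the privileged secret (only possible when
# this runs as its owner, i.e. root in the issue's setup), writes job-scoped
# credentials to CHECKOUT_DIR/.job-credentials as mode 0400, optionally hands
# the file to JOB_USER, and prints the path written.
stage_credentials() {
  secret=$1 owner=$2 dir=$3 job_user=${4:-}
  check_secret "$secret" "$owner" || {
    echo "refusing: $secret is not mode 0400 owned by $owner" >&2
    return 1
  }
  # Placeholder for the real exchange: a real script would send this value
  # to Vault / UCP and receive a short-lived, per-pipeline token back. The
  # secret itself is never written into the checkout directory.
  secret_value=$(cat "$secret") || return 1
  [ -n "$secret_value" ] || return 1
  out="$dir/.job-credentials"
  # Restrictive umask so the file is never world-readable, even for the
  # instant between creation and chmod.
  (umask 077 && printf 'JOB_TOKEN=placeholder-token-for-pipeline-%s\n' \
      "${CI_PIPELINE_ID:-local}" > "$out") || return 1
  chmod 0400 "$out" || return 1
  # When the job runs as a different user, the file must belong to that user
  # so it is readable there; chown requires the pre step to be privileged.
  if [ -n "$job_user" ]; then
    chown "$job_user" "$out" || return 1
  fi
  printf '%s\n' "$out"
}

# cleanup_credentials CHECKOUT_DIR
# The post_build_script half: remove the staged credentials unconditionally
# (post_build_script runs even when the job failed, unlike after_script).
cleanup_credentials() {
  rm -f "$1/.job-credentials"
  [ ! -e "$1/.job-credentials" ]
}

# Stand-alone demo with a constructed secret in a temporary directory. The
# current user plays the role of root as the secret's owner.
demo_dir=$(mktemp -d)
printf 'constructed-swarm-secret\n' > "$demo_dir/ucp_token"
chmod 0400 "$demo_dir/ucp_token"
mkdir "$demo_dir/checkout"
stage_credentials "$demo_dir/ucp_token" "$(id -un)" "$demo_dir/checkout" \
  && echo "demo: credentials staged"
cleanup_credentials "$demo_dir/checkout" && echo "demo: credentials removed"
rm -rf "$demo_dir"
```

In the issue's setup, `stage_credentials` would be invoked from `pre_build_script` and `cleanup_credentials` from `post_build_script` in the runner's `config.toml`. The guard in `check_secret` is exactly what the current options cannot satisfy: when the runner service user is `gitlab-runner`, the pre step cannot read a root-owned 0400 file and refuses; when it is `root`, the job script inherits root as well and the guard protects nothing, which is the split the proposal asks to break apart.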
Proposal
Introduce a separate configuration item so that the job script from the `.gitlab-ci.yml` file runs under a different user. That would allow the following choice of users:
| Phase/User | Runner service/container user (e.g. `root`) | Runner-configured user (e.g. `gitlab-runner`) |
|---|---|---|
| Pre (`pre_clone_script`, `pre_build_script`) | X | |
| User (`before_script`, jobs, `after_script`) | X | |
| Post (`post_build_script`) | X | |