Azure pipeline container jobs with non-root Docker containers
Once in a while you may need to run a container job in an Azure pipeline using a custom container image. At the same time you may need to pass a vulnerability scan that flags images whose configured user is root. The two pull in opposite directions: at job start the Azure Pipelines agent creates its own user and group inside the container with useradd, groupadd and usermod, which normally only works as root.
Let's assume you have the following setup:
resources:
  containers:
  - container: customImage
    image: kaboom.azurecr.io/c4:latest
    endpoint: ...

stages:
- stage: UseImage
  displayName: use custom runner image
  jobs:
  - job: use_image
    container: customImage
    pool:
      vmImage: "ubuntu-latest"
    steps: ...
Then you might have luck with tricking the vulnerability scanner into believing that you are not running as root. The trick is to prepare, in the image, the user and group that the Azure Pipelines agent would otherwise create at job start, so that the pipeline runs through even though the agent's own setup commands no longer do anything. The agent may still try to call su, groupadd or usermod, so we link these files to /usr/bin/true, which makes every such call exit 0 without doing anything:
FROM ...
# Pre-create what the agent would otherwise create at job start.
# 1001 is meant to match the UID of the agent user on the hosted
# ubuntu-latest image; verify it with `id -u` in a plain (non-container) job.
# The sudoers line grants passwordless sudo for everything, i.e. root in all
# but name; the symlinks make the agent's own su/groupadd/usermod calls
# exit 0 without doing anything.
RUN useradd -m -u 1001 vsts_VSTSContainer && \
    groupadd azure_pipelines_sudo && \
    usermod -a -G azure_pipelines_sudo vsts_VSTSContainer && \
    echo '%azure_pipelines_sudo ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers && \
    ln -sf /usr/bin/true /usr/bin/su && \
    ln -sf /usr/bin/true /usr/sbin/groupadd && \
    ln -sf /usr/bin/true /usr/sbin/usermod
At least for me that worked. If not, you might have to look at the Azure Pipelines source code to figure out what is needed.
The big elephant in the room remains: is this a good idea from a security point of view? Look at what the image now contains. The scanner's "not root" finding only says that the configured user is not UID 0. The user created above sits in a group with NOPASSWD:ALL sudo, so it becomes root with a single sudo call; the finding is satisfied in name only. On top of that, su, groupadd and usermod now exit 0 without doing anything, so anything in the image or the pipeline that relies on them, including code that expects su to actually change identity, will silently keep running as whoever called it. The scan is being bypassed, not passed. If the goal is a genuinely non-root build, either fix what the scanner is actually checking or record a documented exception for the finding instead.
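The question can be settled by looking at the image rather than at the scanner's verdict. The following script is an added example, not part of the original post: it audits an unpacked container root filesystem (for instance the output of `docker export <container> | tar -x -C <dir>`) for the two things the Dockerfile above does, privileged binaries symlinked to /usr/bin/true and NOPASSWD:ALL sudo rules, and it builds a constructed sample tree that mirrors that Dockerfile so it can be exercised offline. The function names, the list of binaries and the finding labels are mine. The scanner's own "runs as root" check corresponds to `docker inspect --format '{{.Config.User}}' <image>`, which this script does not replace; it shows what that check misses.

```shell
#!/usr/bin/env bash
# Added example: audit an unpacked container rootfs for the tricks used in the
# Dockerfile above. Not part of the original post; names are mine.
set -u

# Binaries whose replacement by /usr/bin/true makes privilege changes
# "succeed" (exit 0) without ever happening.
PRIV_BINS="usr/bin/su bin/su usr/sbin/groupadd usr/sbin/usermod usr/sbin/useradd"

# audit_rootfs DIR: print one finding per line.
# Returns 1 if anything was found, 0 for a clean tree.
audit_rootfs() {
    local root="$1" found=0 bin target f rel
    for bin in $PRIV_BINS; do
        [ -L "$root/$bin" ] || continue
        target=$(readlink "$root/$bin")
        case "$target" in
            */true|true)
                echo "NEUTERED: /$bin -> $target"
                found=1 ;;
        esac
    done
    # Passwordless sudo with an unrestricted command list is root in all but name.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        if grep -Eq 'NOPASSWD:[[:space:]]*ALL' "$f"; then
            grep -E 'NOPASSWD:[[:space:]]*ALL' "$f" | sed "s|^|ROOT-EQUIVALENT: $rel: |"
            found=1
        fi
    done
    return "$found"
}

# make_sample_rootfs DIR: constructed sample input, not a real image export.
# Mirrors the filesystem state the Dockerfile above produces.
make_sample_rootfs() {
    local root="$1"
    mkdir -p "$root/usr/bin" "$root/usr/sbin" "$root/etc"
    : > "$root/usr/bin/true"
    ln -sf /usr/bin/true "$root/usr/bin/su"
    ln -sf /usr/bin/true "$root/usr/sbin/groupadd"
    ln -sf /usr/bin/true "$root/usr/sbin/usermod"
    printf '%%azure_pipelines_sudo ALL=(ALL:ALL) NOPASSWD:ALL\n' >> "$root/etc/sudoers"
}

# Usage: ./audit_rootfs.sh /path/to/unpacked/rootfs
if [ "$#" -gt 0 ]; then
    audit_rootfs "$1"
fi
```

Run against the sample tree it reports the three neutered binaries and the sudoers rule and exits 1; against a tree whose sudoers only grants root the usual `root ALL=(ALL:ALL) ALL` it stays silent and exits 0. Wiring the audit into the same pipeline stage as the vulnerability scan makes the "non-root" result mean something again.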