Azure pipeline container jobs with non-root Docker containers


Once in a while you may need to run a container job in an Azure pipeline using a custom container. At the same time, the image has to pass a vulnerability scan that flags containers running as root.

Let’s assume you have the following setup:

resources:
  containers:
    - container: customImage
      image: kaboom.azurecr.io/c4:latest
      endpoint: ...

stages:
  - stage: UseImage
    displayName: use custom runner image
    jobs:
      - job: use_image
        container: customImage
        pool:
          vmImage: "ubuntu-latest"
        steps: ...

Then you might have luck with tricking the vulnerability scanner into believing that you are not running as root. The trick is to prepare, at image build time, the user that the Azure pipeline agent expects, far enough that the pipeline runs through. The agent may still try to call su, groupadd or usermod, so we link these binaries to /usr/bin/true:

FROM ...

# Pre-create the user and group the Azure Pipelines agent would otherwise create
RUN useradd -m -u 1001 vsts_VSTSContainer && \
    groupadd azure_pipelines_sudo && \
    usermod -a -G azure_pipelines_sudo vsts_VSTSContainer && \
    # passwordless sudo for that group, as the agent's own setup would grant
    echo '%azure_pipelines_sudo ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers && \
    # the agent's later calls to these tools now succeed without doing anything
    ln -sf /usr/bin/true /usr/bin/su  && \
    ln -sf /usr/bin/true /usr/sbin/groupadd  && \
    ln -sf /usr/bin/true /usr/sbin/usermod

At least for me that worked. If not, you might have to look at the Azure Pipelines source code to figure out what is needed.

The big elephant in the room remains: is this a good idea from a security point of view?
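As an added example, not part of the original post, here is a small static audit a reviewer can run over such a Dockerfile before the image is approved: it reports the effective user (a missing USER instruction means root), which root-only tools were symlinked to /usr/bin/true, and whether a NOPASSWD:ALL sudoers rule was added. The sample Dockerfile is constructed from the one above plus a USER line, which is an assumption, since the post's snippet does not show one.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the post's Dockerfile plus an assumed USER instruction.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
RUN useradd -m -u 1001 vsts_VSTSContainer && \\
    groupadd azure_pipelines_sudo && \\
    usermod -a -G azure_pipelines_sudo vsts_VSTSContainer && \\
    echo '%azure_pipelines_sudo ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers && \\
    ln -sf /usr/bin/true /usr/bin/su  && \\
    ln -sf /usr/bin/true /usr/sbin/groupadd  && \\
    ln -sf /usr/bin/true /usr/sbin/usermod
USER vsts_VSTSContainer
"""


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Join backslash-continued lines and split into (INSTRUCTION, args) pairs."""
    joined = re.sub(r"\\\n\s*", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        out.append((instr.upper(), args.strip()))
    return out


def audit(text: str) -> Dict[str, object]:
    """Report who the image runs as and which root-only tools were neutered."""
    user = "root"  # Docker's default when no USER instruction is present
    neutered: List[str] = []
    nopasswd = False
    for instr, args in parse_instructions(text):
        if instr == "USER":
            user = args.split(":")[0]  # "USER name[:group]" or "USER uid[:gid]"
        elif instr == "RUN":
            # symlinks of real binaries onto /usr/bin/true, as in the post
            for m in re.finditer(r"ln\s+-[sf]+\s+/usr/bin/true\s+(\S+)", args):
                neutered.append(m.group(1))
            if "NOPASSWD:ALL" in args and "sudoers" in args:
                nopasswd = True
    return {"user": user, "runs_as_root": user in ("root", "0"),
            "neutered_tools": neutered, "sudoers_nopasswd_all": nopasswd}


if __name__ == "__main__":
    print(audit(SAMPLE_DOCKERFILE))
```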