incubator-devlake: [Bug][External Plugins] External plugins' scripts cannot run as non-root

Search before asking

  • I had searched in the issues and found no similar issues.

What happened

DevLake cannot be run as non-root. When trying to run the DevLake backend as non-root, it tries to load the external plugins by running some scripts (i.e. azuredevops/run.sh) and fails with a “Permission denied” message.

time="2023-05-08 09:53:17" level=info msg="Loading remote plugins"
time="2023-05-08 09:53:17" level=error msg="./run.sh: 20: poetry: Permission denied"
time="2023-05-08 09:53:17" level=error msg="failed to load plugins
	caused by: Error calling plugin-info
	Wraps: (2) get error when invoking remote function plugin-info
	Wraps: (3) remote error response:
	  | ./run.sh: 20: poetry: Permission denied
	Wraps: (4) exit status 127
	Wraps: (5) exit status 127
	Error types: (1) *hintdetail.withDetail (2) *hintdetail.withDetail (3) *hintdetail.withDetail (4) *hintdetail.withDetail (5) *exec.ExitError"
panic: Error calling plugin-info
Wraps: (2) get error when invoking remote function plugin-info
Wraps: (3) remote error response:
  | ./run.sh: 20: poetry: Permission denied
Wraps: (4) exit status 127
Wraps: (5) exit status 127
Error types: (1) *hintdetail.withDetail (2) *hintdetail.withDetail (3) *hintdetail.withDetail (4) *hintdetail.withDetail (5) *exec.ExitError

goroutine 1 [running]:
github.com/apache/incubator-devlake/server/services.Init()
	/app/server/services/init.go:90 +0x225
github.com/apache/incubator-devlake/server/api.CreateApiService()
	/app/server/api/api.go:61 +0x2e
main.main()
	/app/server/main.go:39 +0x7e

What do you expect to happen

DevLake should be able to run as non-root.

How to reproduce

Deploy DevLake in a Kubernetes cluster (minikube) with Helm, adding these values:

lake:
  securityContext:
    fsGroup: 101
    runAsGroup: 1000
    runAsNonRoot: true
    runAsUser: 101
  
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - all

You can also try to run it with Docker setting a non-root user.

Anything else

I think it should be easy to fix by changing the ownership of the app folder in the Dockerfile. Maybe you could set up a specific non-root user to run the application.

Version

main

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (8 by maintainers)
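
A permission check for the failure reported above, as an added example that is not part of the original issue or of DevLake's code: it evaluates POSIX mode bits along a path for a given non-root uid and group set, so an image can be audited without running as that user. The tree layout (app/python/run.sh), the function names and the sample modes are constructed for illustration.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """POSIX mode-bit check for a non-root identity (ignores ACLs and capabilities).
    want: 4 = read, 2 = write, 1 = execute/search."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bits & want == want

def denied_components(root, target, uid, gids):
    """List (path, mode, owner_uid, owner_gid) for each component below root
    that stops uid/gids from running the script at target."""
    findings, current = [], root
    parts = os.path.relpath(target, root).split(os.sep)
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        last = i == len(parts) - 1
        # Directories need search (x); an interpreted script needs read + execute.
        want = 0o5 if last and not stat.S_ISDIR(st.st_mode) else 0o1
        if not allowed(st, uid, gids, want):
            findings.append((current, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid))
    return findings

def build_sample(base):
    """Constructed tree: app/python is owner-only, as if installed by root."""
    script = os.path.join(base, "app", "python", "run.sh")
    os.makedirs(os.path.dirname(script))
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(os.path.join(base, "app"), 0o755)
    os.chmod(os.path.dirname(script), 0o700)
    os.chmod(script, 0o755)
    return script

if __name__ == "__main__":
    base = tempfile.mkdtemp()
    # uid 101, groups 1000 and 101: runAsUser, runAsGroup and fsGroup from the values above.
    for finding in denied_components(base, build_sample(base), 101, {1000, 101}):
        print("blocked at", *finding)
```

Run against a real image, `root` would be the application directory and `target` the script or interpreter the non-root user must execute; each reported component is a candidate for a `chown` or `chmod` in the Dockerfile.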

Most upvoted comments

For those running into this on the Helm/K8s side of things, this set of env vars does the trick:

lake:
  envs:
    - name: REMOTE_PLUGIN_DIR
      value: ""
    - name: DISABLED_REMOTE_PLUGINS
      value: "true"