Skip to content

Running git cli container as a non root user#3476

Open
rcmadhankumar wants to merge 1 commit intomainfrom
non-root-git
Open

Running git cli container as a non root user#3476
rcmadhankumar wants to merge 1 commit intomainfrom
non-root-git

Conversation

@rcmadhankumar
Copy link
Contributor

@rcmadhankumar rcmadhankumar commented Feb 24, 2026

following scenarios were tested after the changes were made.

1.testing git init as root user, current user and non root user and group

podman run --rm --user 0:0 my-git:latest \
    /bin/sh -c "git init root-internal && ls -ld root-internal"

podman run --rm --user 1024:1025 my-git:latest     /bin/sh -c "git init root-internal && ls -ld root-internal"

podman run --rm --user $(id -u) my-git:latest     /bin/sh -c "git init root-internal && ls -ld root-internal"

2.Testing ssh key authentication

podman run --rm  --user 1001:1002   --userns=keep-id:uid=1001,gid=1002  -v ~/.ssh:/tmp/keys:ro,Z   git:neww ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no -T git@github.com

podman run --rm    -v ~/.ssh:/tmp/keys:ro,Z     git:neww ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no -T git@github.com

podman run --rm     --user $(id -u)     --userns=keep-id     -v ~/.ssh:/tmp/keys:ro,Z     git:neww ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no -T git@github.com

3.Testing clones

podman run --rm -it     --user 0:0     -v ~/.ssh:/tmp/keys:ro,Z     -v ./my-code:/workspace:Z     -e GIT_SSH_COMMAND="ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no"     git:neww git clone git@github.com:SUSE/bci-dockerfile-generator.git .
 
podman run --rm -it     -v ~/.ssh:/tmp/keys:ro,Z     -v ./my-code:/workspace:Z     -e GIT_SSH_COMMAND="ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no"     git:neww git clone git@github.com:SUSE/bci-dockerfile-generator.git .

podman run --rm -it     --user 1001:1002     --userns=keep-id:uid=1001,gid=1002     -v ~/.ssh:/tmp/keys:ro,Z     -v ./my-code:/workspace:Z     -e GIT_SSH_COMMAND="ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no"     git:neww git clone git@github.com:SUSE/bci-dockerfile-generator.git .

podman run --rm -it     --user $(id -u):$(id -g)     --userns=keep-id     -v ~/.ssh:/tmp/keys:ro,Z     -v ./my-code:/workspace:Z     -e GIT_SSH_COMMAND="ssh -i /tmp/keys/id_ed25519 -o StrictHostKeyChecking=no"     git:neww git clone git@github.com:SUSE/bci-dockerfile-generator.git .

bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
b395ad6
bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
a121749
bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
844ad2b
bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
6566c25
@github-actions
Copy link

github-actions bot commented Feb 24, 2026
edited
Loading

Created a staging project on OBS for Tumbleweed: home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3476
Changes pushed to branch Tumbleweed-3476 as commit a121749ba9c65d4892135c89cd466c2bef463b08
Build succeeded ✅

Build Results

Repository images in home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository images in home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerfile in home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:Tumbleweed:Tumbleweed-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Build succeeded ✅

To run BCI-tests against this PR, use the following command:

OS_VERSION=tumbleweed TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/tumbleweed/tumbleweed-3476/ tox -- -n auto
The following images can be pulled from the staging project:
  • registry.opensuse.org/home/pushman/bci/staging/tumbleweed/tumbleweed-3476/containerfile/opensuse/git:latest

@github-actions
Copy link

github-actions bot commented Feb 24, 2026
edited
Loading

Created a staging project on OBS for 16.0: home:pushman:BCI:Staging:16.0:16.0-3476
Changes pushed to branch 16.0-3476 as commit 186bcd7baf723b6aa24f39010a890391fcaaa530
Build succeeded ✅

Build Results

Repository containerkiwi in home:pushman:BCI:Staging:16.0:16.0-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerkiwi in home:pushman:BCI:Staging:16.0:16.0-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerkiwi in home:pushman:BCI:Staging:16.0:16.0-3476 for s390x: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerkiwi in home:pushman:BCI:Staging:16.0:16.0-3476 for ppc64le: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerfile in home:pushman:BCI:Staging:16.0:16.0-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:16.0:16.0-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:16.0:16.0-3476 for s390x: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:16.0:16.0-3476 for ppc64le: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Build succeeded ✅

To run BCI-tests against this PR, use the following command:

OS_VERSION=16.0 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/16.0/16.0-3476/ tox -- -n auto
The following images can be pulled from the staging project:
  • registry.opensuse.org/home/pushman/bci/staging/16.0/16.0-3476/containerfile/suse/git:2

@github-actions
Copy link

github-actions bot commented Feb 24, 2026
edited
Loading

Created a staging project on OBS for 16.1: home:pushman:BCI:Staging:16.1:16.1-3476
Changes pushed to branch 16.1-3476 as commit 02ecc2e46383a8bae734dbfcebbf947a8a2b54f7
Build succeeded ✅

Build Results

Repository containerkiwi in home:pushman:BCI:Staging:16.1:16.1-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerkiwi in home:pushman:BCI:Staging:16.1:16.1-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerkiwi in home:pushman:BCI:Staging:16.1:16.1-3476 for s390x: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerkiwi in home:pushman:BCI:Staging:16.1:16.1-3476 for ppc64le: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerfile in home:pushman:BCI:Staging:16.1:16.1-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:16.1:16.1-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:16.1:16.1-3476 for s390x: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:16.1:16.1-3476 for ppc64le: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Build succeeded ✅

To run BCI-tests against this PR, use the following command:

OS_VERSION=16.1 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/16.1/16.1-3476/ tox -- -n auto
The following images can be pulled from the staging project:
  • registry.opensuse.org/home/pushman/bci/staging/16.1/16.1-3476/containerfile/suse/git:2

@github-actions
Copy link

github-actions bot commented Feb 24, 2026
edited
Loading

Created a staging project on OBS for 7: home:pushman:BCI:Staging:SLE-15-SP7:7-3476
Changes pushed to branch 7-3476 as commit e0ec8c1315acf7468fb26293130078057026c109
Build succeeded ✅

Build Results

Repository images in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository images in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository images in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for s390x: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository images in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for ppc64le: current state: published
Build results:

package name status build log
git-image ⛔ excluded live log

Repository containerfile in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for x86_64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for aarch64: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for s390x: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Repository containerfile in home:pushman:BCI:Staging:SLE-15-SP7:7-3476 for ppc64le: current state: published
Build results:

package name status build log
git-image ✅ succeeded live log

Build succeeded ✅

To run BCI-tests against this PR, use the following command:

OS_VERSION=15.7 TARGET=custom BASEURL=registry.opensuse.org/home/pushman/bci/staging/sle-15-sp7/7-3476/ tox -- -n auto
The following images can be pulled from the staging project:
  • registry.opensuse.org/home/pushman/bci/staging/sle-15-sp7/7-3476/containerfile/suse/git:latest

bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
02ecc2e
bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
e0ec8c1
bci-pushman pushed a commit that referenced this pull request Feb 24, 2026
Test build for #3476
186bcd7
dirkmueller
dirkmueller requested changes Feb 24, 2026
View reviewed changes
Copy link
Member

@dirkmueller dirkmueller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be useful to update the README.md.j2

also, it needs to be a VOLUME so that selinux permissions work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dirkmueller dirkmueller dirkmueller requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rcmadhankumar @dirkmueller