git clone via ssh fails when running task as non-root

[hudac]

Issue

When running the task as non-root, as in task/git-clone/git-clone.yaml:

securityContext:
  runAsNonRoot: true
  runAsUser: 65532

It will fail when cloning a repo via SSH:

Error running git [fetch --recurse-submodules=yes ...]: exit status 128\nNo user exists for uid 65532\r\nfatal: Could not read from remote repository...

The reason is that SSH expects the user to exist, i.e. in /etc/passwd, see openssh.

Reproduce

docker run -u 65532 --rm -it --entrypoint=sh ghcr.io/tektoncd-catalog/git-clone:v1.2.0 -c "ssh -vvv git@github.com"

will fail with:

No user exists for uid 65532

Workaround

Run task as root (remove the securityContext).

[MarcusElevait]

I think i can contribute here, as it's probably just adapting the docker image to create the user, but any idea where to find the Dockerfile for the image?

[hudac]

@MarcusElevait as far as I can see, there is no Dockerfile. It is built via https://github.com/ko-build/setup-ko

git-clone/.github/workflows/release.yaml

Line 39 in b538d80

- uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

[MarcusElevait]

Yes i also have seen this after my comment, thanks :-) but i don't understand how this works and currently have no time to get into this

[vdemeester]

Confirmed — the ko-built image runs as uid 65532 but has no /etc/passwd entry for that uid. OpenSSH requires the user to exist in passwd (openssh source).

This needs a change to the container base image or ko build configuration to either:

1. Add a passwd entry for uid 65532 (e.g. via .ko.yaml or a custom base image with the user pre-created)
2. Or use a base image that already has the user configured

Separate from #62 (which is about the /home/git directory not existing) — even if the directory exists, SSH will still fail without a passwd entry.

[vdemeester]

Partially addressed — the base image is now ghcr.io/tektoncd/plumbing/alpine-git-nonroot which includes openssh and a nonroot user (uid 1000) in /etc/passwd.

However, the task's securityContext still defaults to runAsUser: 65532, and that uid doesn't have a passwd entry. SSH will fail unless the user overrides runAsUser to 1000.

Workaround (now works without running as root):

podTemplate:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000

A follow-up change to align the task's default runAsUser with the image's nonroot user (1000) would fully resolve this.

[MarcusElevait]

However, the task's securityContext still defaults to runAsUser: 65532, and that uid doesn't have a passwd entry.

But when i build the new image and run it there is a user entry for this in /etc/passwd?

[MarcusElevait]

And another question, when will the resource be released?

[vdemeester]

@MarcusElevait yes, the current base image has uid 65532 in /etc/passwd (added via adduser -D -u 65532 in our custom Dockerfile). My earlier comment was about an intermediate state that's no longer relevant.

This is released as of v1.7.0 (just shipped today). SSH as non-root should work out of the box now.

[MarcusElevait]

Okay thanks for the quick response. But when is the 1.7 image for the step available?
I can see the version, but not the actual artifact. (same vor 1.6)

[vdemeester]

Okay thanks for the quick response. But when is the 1.7 image for the step available? I can see the version, but not the actual artifact. (same vor 1.6)

Yeah, artifacthub scans repositories, about every 30 minutes or so, it is available now : https://artifacthub.io/packages/tekton-task/git-clone/git-clone, it just took a bit of time to appear.