Background / Motivation
The Woodpecker server images under build/docker/ (ubuntu22.04, ubuntu20.04, amazonlinux2023, rockylinux8) currently create a dedicated woodpecker user (uid 1000) and switch to it via USER woodpecker.
For our operational model this adds complexity without real benefit:
- Anyone with exec access to a pod already has root-equivalent access, so a non-root container user provides little additional protection.
- Running as root keeps file permissions / volume ownership simple and avoids uid-mismatch headaches on mounted volumes.
Proposed change
Make the server containers run as root by default by cleaning up the non-root setup in all four Dockerfiles:
- Remove the USER woodpecker directive.
- Remove the useradd user creation and the chown -R woodpecker:root / chmod -R g=u of /woodpecker.
- Drop --chown=woodpecker:root from the COPY instructions (keep --chmod=755).
- Remove the now-unused shadow-utils package from the amazonlinux2023 and rockylinux8 builds.
Scope / out of scope
- Only the data-plane server images under build/docker/ are affected.
- The operator/controller-manager image (deployments/operator/Dockerfile, distroless nonroot) and config/manager/manager.yaml (runAsNonRoot: true) are intentionally left unchanged.
- The operator sets no securityContext/runAsUser on the Woodpecker workload, so removing the image USER is sufficient for the pods to run as root.
Note
Namespaces enforcing Pod Security Standards restricted (or OpenShift's default SCC) require non-root and would reject these images. This is acceptable for our deployment model.
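The following is an added example, not part of this proposal or of the project's own build files: a small POSIX shell check that reports which user a Dockerfile leaves the container running as (the last USER directive, or root when none is present, which is Docker's default) and counts leftover non-root setup lines (useradd, chown, --chown=, USER). It runs against two constructed Dockerfile snippets that stand in for the before and after state described in the four steps above; the file contents, paths and binary name are placeholders. Because the operator sets no securityContext, the value this check reports is the uid the pod will actually run as, and it is also what a namespace enforcing the restricted Pod Security Standard would evaluate.

```shell
#!/bin/sh
# Added example (not the project's code): audit what user a Dockerfile
# leaves the container running as, and whether non-root setup remains.

# Effective container user: the last USER directive in the file,
# or "root" when there is none (Docker's default).
effective_user() {
  u=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
  if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'root\n'; fi
}

# Number of lines that still carry non-root setup: useradd, chown / --chown=,
# or a USER directive. Expected to be 0 after the proposed cleanup.
nonroot_leftovers() {
  grep -cE 'useradd|chown|^[[:space:]]*USER[[:space:]]' "$1" || true
}

# Constructed sample Dockerfiles (placeholders, not the repository's files).
BEFORE=$(mktemp)
AFTER=$(mktemp)

# "Before": dedicated uid 1000 user, chown/chmod of /woodpecker, USER switch.
cat > "$BEFORE" <<'EOF'
FROM ubuntu:22.04
RUN useradd --uid 1000 --user-group woodpecker \
 && mkdir -p /woodpecker && chown -R woodpecker:root /woodpecker && chmod -R g=u /woodpecker
COPY --chown=woodpecker:root --chmod=755 bin/woodpecker /usr/local/bin/woodpecker
USER woodpecker
ENTRYPOINT ["/usr/local/bin/woodpecker"]
EOF

# "After": no user creation, no chown, no USER directive; --chmod=755 kept.
cat > "$AFTER" <<'EOF'
FROM ubuntu:22.04
RUN mkdir -p /woodpecker
COPY --chmod=755 bin/woodpecker /usr/local/bin/woodpecker
ENTRYPOINT ["/usr/local/bin/woodpecker"]
EOF

printf 'before: runs as %s, %s non-root setup line(s)\n' \
  "$(effective_user "$BEFORE")" "$(nonroot_leftovers "$BEFORE")"
printf 'after:  runs as %s, %s non-root setup line(s)\n' \
  "$(effective_user "$AFTER")" "$(nonroot_leftovers "$AFTER")"
```

Pointing effective_user at each of the four real Dockerfiles under build/docker/ after the change is a quick way to confirm that none of them still switches users; a non-zero nonroot_leftovers count flags a file where part of the cleanup was missed.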