ci: drop running COSA as UID 0 #1716
Open
+12
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This becaome obsolete when buildPod was introduced in coreos/coreos-ci-lib@f2a82bd
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request aims to improve security by no longer running the COSA container as root. This is a great improvement. However, by removing the root privileges, the mechanism for using the newly built coreos-installer binary was removed but not replaced. My review includes a critical suggestion to fix this by updating the PATH environment variable, ensuring that the CI continues to test the correct binary.
dustymabe
added a commit
to dustymabe/coreos-assembler
that referenced
this pull request
Jan 9, 2026
Allow group write permissions on /usr/bin because in upstream project's CI we want to overwrite binaries for testing. The dir is owned by root:root and CI runs in openshift as a user that is a member of the `root` (GID: 0) group. See coreos/coreos-installer#1716
dustymabe
force-pushed
the
dusty-ci-as-root
branch
from
20af0f5 to
e60c306
Compare
Member
Author
|
Ok I think this should be ready to go. requires https://github.com/coreos/coreos-assembler/pull/4410/changes (please review) |
dustymabe
force-pushed
the
dusty-ci-as-root
branch
from
e60c306 to
697848f
Compare
We opened up the permissions when building the COSA container [1] so this isn't necessary any longer with a few adjustments here. [1] coreos/coreos-assembler#4410
dustymabe
force-pushed
the
dusty-ci-as-root
branch
from
697848f to
7994979
Compare
This issue should have been fixed a long time ago. Let's drop this old workaround.
dustymabe
force-pushed
the
dusty-ci-as-root
branch
from
7994979 to
ea2cdcc
Compare
dustymabe
added a commit
to dustymabe/coreos-assembler
that referenced
this pull request
Jan 16, 2026
Allow group write permissions on /usr/ because in upstream project's CI we want to overwrite software for testing. The directories are typically owned by root:root and CI runs in openshift as a user that is a member of the `root` (GID: 0) group. See coreos/coreos-installer#1716
dustymabe
added a commit
to dustymabe/coreos-assembler
that referenced
this pull request
Jan 16, 2026
Allow group write permissions on /usr/ because in upstream project's CI we want to overwrite software for testing. The directories are typically owned by root:root and CI runs in openshift as a user that is a member of the `root` (GID: 0) group. See coreos/coreos-installer#1716 Also add an exception for /etc/grub.d for OSTree upstream CI.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.