Hello, I’m trying to solve the following problem. Configuration:
- A pipeline produces 2 artifacts: a Docker image and a Nomad job definition for it. Both are immutable, versioned and stored in an artifact repo. There are reasons for such a setup, but basically the job definition should stay immutable.
- Both artifacts are promoted through environments, each running under a different user.
Problem: I’d like to ensure that, whichever environment the job is running in, that user will be the user who starts the process inside the container.
First I looked at templating the user, but the template stanza works only inside the task stanza, while the container user is defined in the job stanza.
Then I checked the Docker plugin configuration on the Nomad client, but it doesn’t have an option to use a default user either, so the USER statement from the image is applied (or root if there is none).
The user from the image doesn’t have the privileges that the Nomad user does.
This is definitely possible from the Docker API perspective, because docker-compose does exactly that (actually, it’s even better, because it can use a UID/GID only and, unlike Nomad, doesn’t require the account to be pre-created inside the image).
Furthermore, docker-compose v2 has a “group_add” statement, which would be really useful in Nomad as well…
Is there any other way to achieve that apart from tinkering with entrypoints, sudoers and other impractical workarounds?
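As an added illustration (not from the original post), here is the docker-compose v2 behaviour the question compares Nomad against, written out so the contrast with Nomad's requirement for a named user inside the image is concrete; the service name, image tag and numeric ids are assumptions:

```yaml
# Added example, not from the original post. A compose v2 service that runs the
# container process as the invoking host user by numeric UID/GID and attaches
# supplementary groups, without any account pre-created inside the image.
# Service name, image reference and ids below are placeholders.
services:
  app:
    image: registry.example.com/app:1.2.3   # immutable, versioned image (placeholder)
    # Numeric ids: the image's /etc/passwd does not need a matching entry.
    # ${UID}/${GID} are substituted from the caller's environment or a .env file.
    # Note: bash sets UID but does not export it, so run `export UID GID` first
    # (or put the values in .env); the defaults only apply if they are unset.
    user: "${UID:-1000}:${GID:-1000}"
    # Supplementary groups for the process; numeric gids work even when the
    # group name is unknown to the image (e.g. a host group that owns a socket).
    group_add:
      - "2000"
    read_only: true   # optional extra least-privilege hardening, unrelated to user mapping
```

To confirm the mapping took effect, `docker compose exec app id` should print the host user's uid/gid plus the supplementary gid rather than the image's USER or root.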