Enable root user privileges to add custom binaries
You can install Harness Delegate with or without root user privileges. By default, the Harness Delegate container runs as root user.
The delegate installer provides the option to install the delegate with non-root user privileges. Running as a non-root user follows the principle of least privilege, but without root user access you cannot modify the delegate image by adding custom binaries.
This topic explains how to use the delegate installer to install with or without root user privileges. This topic also explains how to modify an installed delegate to enable root user privileges and the installation of custom binaries.
You might need additional permissions to execute commands in delegate scripts and create Harness users.
Delegate images
Harness provides the following delegate images. Each image includes a set of tools that target a particular scenario.
| Delegate Image | Description |
|---|---|
| harness/delegate:yy.mm.verno | Includes the delegate and its dependencies. Includes client tools such as kubectl, Helm, and ChartMuseum. |
| harness/delegate:yy.mm.verno.minimal | Includes the delegate and its dependencies. |
For detailed information on Docker delegate installation, go to Install a Docker delegate.
Set user privileges
The way you set privileges depends on where the delegate runs: Kubernetes, Amazon ECS or AWS Fargate, or Docker.
Kubernetes
You can set privileges in the Helm chart or the Kubernetes manifest.
Specify user privileges in delegate YAML
To add binaries to a delegate that was installed without root user privileges, change the delegate manifest so that the container runs as root. Locate the container spec and ensure it includes the following securityContext object (runAsUser: 0 runs the container as the root user):
```yaml
spec:
  containers:
  - image: harness/delegate:ng
    imagePullPolicy: Always
    name: harness-delegate-instance
    securityContext:
      allowPrivilegeEscalation: false
      runAsUser: 0
```
Amazon ECS or AWS Fargate
You can set privileges in the task definition parameters with the user option. For more information, go to Task definition parameters in the AWS documentation.
Docker
You can set privileges in the docker run command with the --user option. For more information, go to docker run in the Docker documentation.
Use INIT_SCRIPT with the microdnf package manager
To add binaries, you must first install the microdnf package manager on the delegate image. This utility is required to run installations and other operations on images.
Use the INIT_SCRIPT environment variable to specify the custom binaries you want microdnf to install:
```yaml
- name: INIT_SCRIPT
  value: |-
    microdnf install -y zip unzip
```
In this example, the value of INIT_SCRIPT is the microdnf install instruction that installs the zip and unzip packages.
Note that the apt-get command-line tool and profile scripts target an earlier Ubuntu-based image and are not supported for these images.
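The INIT_SCRIPT value in the text runs microdnf unconditionally, so on a delegate installed without root privileges it fails part-way through with a permissions error. The following guarded script body is an added example, not Harness's own code: it checks that the container actually runs as root and that microdnf is present before installing, and it rejects package names that are not plain package identifiers (useful when the package list is assembled from another variable). The function names are this example's own.

```sh
#!/bin/sh
# Added example (not Harness code): a guarded body for the INIT_SCRIPT
# environment variable. Function names are hypothetical.

# True when the effective uid is 0 (root). Accepts an explicit uid for testing.
is_root() {
  uid="${1:-$(id -u)}"
  [ "$uid" -eq 0 ]
}

# Accept only characters that occur in RPM package names (letters, digits,
# '.', '_', '+', '-'); anything else could smuggle shell syntax into the
# microdnf command line.
valid_pkg_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._+-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Check every name; report the first offender and return 1.
validate_pkgs() {
  for p in "$@"; do
    if ! valid_pkg_name "$p"; then
      echo "INIT_SCRIPT: refusing package name '$p'" >&2
      return 1
    fi
  done
  return 0
}

# Install the given packages, failing loudly instead of half-way when the
# delegate runs without root privileges or without microdnf.
install_pkgs() {
  if ! is_root; then
    echo "INIT_SCRIPT: running as uid $(id -u), not root; set securityContext.runAsUser: 0 to install custom binaries" >&2
    return 1
  fi
  if ! command -v microdnf >/dev/null 2>&1; then
    echo "INIT_SCRIPT: microdnf is not available on this image" >&2
    return 1
  fi
  validate_pkgs "$@" || return 1
  microdnf install -y "$@"
}

# Usage as the INIT_SCRIPT value (same packages as the example in the text):
# install_pkgs zip unzip
```

Because the delegate treats a non-zero exit from INIT_SCRIPT as a failed start, the early checks make a missing runAsUser: 0 visible in the delegate logs at startup rather than as a missing binary later in a pipeline.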