I want to spin up a Testcontainer for a microservice in order to perform an IT on another microservice I'm currently developing. Now, when I'm launching the test, it fails because of a "permission denied" exception. This is because I'm on Linux and I need root permissions to execute docker commands (including startup of containers), which is of course something I cannot grant in a non-interactive integration test. To "solve" this problem, it is generally said you should add your user to a dedicated docker group. This, however, basically gives the user passwordless root permissions... which is considered a security issue I want to avoid. So, are there any workarounds for this problem? How am I supposed to set up Testcontainers for ITs without exposing my system to this (potentially severe) security problem?
1 Answer
If you aren't on a system where you can have root access, then you and the administrator would need to install docker in rootless mode. This has lots of implications for networking and filesystem access, breaking lots of workflows, so you will want to configure and test it independent of testcontainers.
docker run -v /:/host -u root busybox ...you can do pretty much anything you want on the host as root if you can use Docker at all. Also see Docker daemon attack surface in the core Docker documentation. The problem the asker highlights is in fact a significant problem with Testcontainers, and it's kind of intrinsic to the setup – the CI system does need to be given root-equivalent permissions for Testcontainers to work at all and that can be a problem.
docker command at all, you can take over the host system. That's true whether you're running docker as root or as a non-root user who can still access the Docker socket. (This is one of a couple of reasons I try to avoid testcontainers.)
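An audit sketch for the point made in the answer and comments, added here as an example and not part of the original thread: it reports whether an account can reach a Docker daemon socket and whether that daemon is rootful. The function names are hypothetical, and treating a root-owned socket as a rootful daemon (and a user-owned one as rootless mode) is an assumption of this example.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the thread.

# can_write_socket UID "GROUP NAMES" SOCK_OWNER_UID SOCK_GROUP MODE
# Prints yes/no: may this user write to the socket, i.e. send Docker API calls?
can_write_socket() (
    uid=$1; groups=$2; owner=$3; sgroup=$4
    if [ "$uid" -eq 0 ]; then echo yes; exit 0; fi
    m=$(printf '%s' "$5" | tail -c 3)       # last three octal digits of the mode
    u=${m%??}; o=${m#??}; g=${m#?}; g=${g%?}
    # Standard Unix rule: exactly one permission class applies to a caller.
    if [ "$uid" -eq "$owner" ]; then
        bits=$u
    else
        case " $groups " in
            *" $sgroup "*) bits=$g ;;
            *)             bits=$o ;;
        esac
    fi
    if [ $((bits & 2)) -ne 0 ]; then echo yes; else echo no; fi
)

# classify takes the same arguments and prints one of:
#   no-access        user cannot talk to the daemon
#   root-equivalent  user can drive a daemon whose socket is owned by root
#   rootless-daemon  socket owned by an unprivileged user (assumed rootless mode)
classify() (
    if [ "$(can_write_socket "$@")" != yes ]; then echo no-access
    elif [ "$3" -eq 0 ]; then echo root-equivalent
    else echo rootless-daemon
    fi
)

# Audit the current user against a real socket (GNU stat, Linux).
audit_socket() (
    sock=${1:-/var/run/docker.sock}
    if [ ! -S "$sock" ]; then echo "no socket at $sock"; exit 0; fi
    set -- $(stat -c '%u %G %a' "$sock")
    classify "$(id -u)" "$(id -Gn)" "$1" "$2" "$3"
)

audit_socket "${DOCKER_SOCK:-/var/run/docker.sock}"
```

A `root-equivalent` result for a CI or developer account means any code that account runs, test suites included, can control the host through the daemon.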