I have been using Drone for a year on an enterprise on-premise Kubernetes environment; it works very well, and I love the possibility to have all my CI/CD pipeline calling some containerized images. I understand that all images have to be used as the root user: the master, the runner and the images called within steps. I did some tries to use non-root, but I noticed that when Drone calls an image, all folders appear with “root” as owner, even if they are not (if I launch the same docker image not using Drone but docker, I see my folders, for example as git in my alpine-git image, in my /home/git folder).

I have some security considerations regarding the root usage. My Drone CI solution has to pass Clair CVE scanners, and I must use a non-root user to validate it.
So I have a big question for you, and I’m scared I know the answer: is it possible to launch drone-master, drone-runner and all images called in the pipeline with a non-root user?

Drone clones all source code to a volume that is shared by all pipeline containers. Docker does not support mounting volumes as non-root which causes significant issues when trying to use non-root users with Drone (they cannot read or write volumes, and therefore cannot access the cloned code) which is the reason Drone runs as root by default. See

However, the good news is that Docker has a setting that allows you to globally map root users to non-root users at the docker daemon level with userns remapping. This is your best (and only) option. You can read more about this here:
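As an added example (not part of this thread or of Drone's own docs), the daemon-level setting the reply refers to is `userns-remap` in Docker's daemon.json. The helpers below emit that fragment, check an existing daemon.json for it, and read the subordinate uid range from a subuid file so you can see which host uid a container's root (or, for example, uid 1500) actually lands on once remapping is active. Docker's default paths and its default `dockremap` remap user are assumed; the subuid line in the demo is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: Docker user-namespace remapping.
# With "userns-remap": "default" in /etc/docker/daemon.json, Docker creates a
# "dockremap" user and maps container uid 0 onto the first uid of the range
# assigned to that user in /etc/subuid, so a process that is root inside a
# pipeline container is an unprivileged uid on the host.
# Assumptions: Docker's default file paths and the default "dockremap" user.

# Print the daemon.json content that enables remapping (merge it with any
# existing keys in your daemon.json rather than overwriting the file).
daemon_json_fragment() {
    printf '{\n  "userns-remap": "default"\n}\n'
}

# Exit 0 when the given daemon.json enables userns-remap, 1 otherwise.
userns_remap_enabled() {
    grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1" 2>/dev/null
}

# Print the host uid that container uid 0 maps to: the start of the first
# subordinate uid range for the remap user in a subuid file.
# $1 = path to subuid file, $2 = remap user name (dockremap for "default")
remap_base_uid() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Given the base uid, print the host uid a container uid lands on.
# $1 = base uid, $2 = container uid
host_uid_for() {
    echo $(( $1 + $2 ))
}

# Demo on constructed files; a real check would read /etc/docker/daemon.json
# and /etc/subuid instead.
demo() {
    tmp=$(mktemp -d)
    daemon_json_fragment > "$tmp/daemon.json"
    printf 'dockremap:100000:65536\n' > "$tmp/subuid"   # constructed sample
    base=$(remap_base_uid "$tmp/subuid" dockremap)
    if userns_remap_enabled "$tmp/daemon.json"; then
        echo "remap on: container root -> host uid $(host_uid_for "$base" 0)"
        echo "remap on: container uid 1500 -> host uid $(host_uid_for "$base" 1500)"
    else
        echo "remap off: container root is host root"
    fi
    rm -rf "$tmp"
}
```

Restart the Docker daemon after changing daemon.json; images and volumes created before remapping was enabled are not visible under the remapped root, so plan the switch as a fresh start for the build host.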


I understand that it is not impossible to launch the drone bin using a non-root user, and if it works, docker images spawned by Drone should not be mounted/run as root but using the user I used to exec the drone bin. Am I right?

My plan:
First step: I have to test the drone-master behaviour when using a non-root user. I will add a user called “drone” in the docker image and give it full rights chmod/chown on /bin.
Second step: I will load this image in my Kubernetes environment and watch what happens.

I succeeded in using a non-root user if I disable the default clone step and make a custom one, using an updated drone/git image:

$ docker build -t drone-git-nonroot - << 'EOF'
FROM drone/git:linux-amd64

# unprivileged user with a fixed uid so pipeline steps can rely on it
RUN adduser -s /bin/sh -D -u 1500 testuser
# workspace root owned by that user instead of root
RUN install -d -o testuser -g testuser /app

USER testuser:testuser
EOF

(The image tag drone-git-nonroot is an arbitrary name chosen here; the heredoc needs the closing EOF line.)

And updating the .drone.yml like that:

kind: pipeline
name: backend3

workspace:
  base: /app

clone:
  disable: true

steps:
  - name: clone
    image: drone-git-nonroot   # the non-root drone/git image built above
    environment:
      #GIT_SSL_NO_VERIFY: true
    commands:
      # the custom git clone commands were not included in the post

  - name: build
    # the image for this step was not included in the post
    commands:
      - build/
      - pip install -e .
      - build/

In this case the /app folder is owned by testuser and every step can use it with non-root user having id = 1500.

IMHO it is a good option, too.
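As an added example (not part of this thread), a check that can run as the first command of a non-root step to confirm that the shared workspace really is usable by the step's uid, owned by it and writable, which is exactly what breaks when the clone volume is mounted as root. It assumes a Linux image with GNU stat (the alpine-based images in this thread ship a compatible stat via busybox) and takes the path and expected uid as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: verify the pipeline workspace is owned
# by the expected non-root uid and writable by the current process.
# Assumptions: Linux with a stat that supports "-c %u" (GNU coreutils or
# busybox), a POSIX shell, and a workspace path passed as an argument.

# Numeric uid of the owner of a path.
owner_uid() {
    stat -c %u "$1"
}

# Exit 0 if $1 is a directory owned by uid $2 and writable by the current
# process; print the reason and exit 1 otherwise.
# Usage in a step:  workspace_usable /app 1500 || exit 1
workspace_usable() {
    dir=$1; want=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"; return 1
    fi
    have=$(owner_uid "$dir")
    if [ "$have" != "$want" ]; then
        echo "owned by uid $have, expected $want: $dir"; return 1
    fi
    # write probe: a root-owned volume fails here for a non-root step
    probe="$dir/.write-probe.$$"
    if ! : > "$probe" 2>/dev/null; then
        echo "not writable by uid $(id -u): $dir"; return 1
    fi
    rm -f "$probe"
    echo "ok: $dir owned by uid $want and writable"
    return 0
}
```

Putting this ahead of the real build commands turns the silent "root-owned volume" failure into a clear message in the step log instead of a permission error deep inside pip or git.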