CI without root
How to avoid warnings like this one, in the simplest way possible?
WARNING: Running pip as the 'root' user can result in broken permissions
and conflicting behaviour with the system package manager. It is
recommended to use a virtual environment instead.
One of the things you notice when using Docker is that, by default, all commands you run from the Dockerfile with RUN or CMD are performed as the root user. This is not only a bad security practice for running internet-facing services, it might even prevent certain applications from working properly.
We will create a normal, non-root user:
adduser --disabled-password --gecos "" user
The options added disable the requirement to set a password for the new user (--disabled-password), and disable prompts for user data (--gecos "").
Both options are relevant because we are creating a temporary user account for one-time use within a CI container.
Finally, we will use that account to run later actions ‒ in this example, to run a test suite called run_all_tests:
su user -c ./run_all_tests
We use su, because sudo is not always readily available in container images.
If we find ourselves in need of installing a package with apt or dnf at some point, we can still do it as root before we call the non-root part with su.
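The whole sequence above as one CI entry point, written as an added example that is not part of the original article. It goes slightly further than the text: it tolerates re-runs, handles images that already run unprivileged, and falls back to useradd. The names ci_run, root_setup, run, CI_UID and DRY_RUN are hypothetical, and the useradd fallback rests on the assumption noted in the comments.

```shell
#!/bin/sh
# Added example: root-only setup first, then drop to a throwaway account.
# ci_run, root_setup, run, CI_UID and DRY_RUN are hypothetical names.

# Run a command, or only print it when DRY_RUN=1 (lets you review the plan).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Root phase: install packages (if any), then create the account once.
root_setup() {
    user=$1; pkgs=$2
    if [ -n "$pkgs" ]; then
        # $pkgs is left unquoted on purpose: one word per package name.
        if command -v apt-get >/dev/null 2>&1; then
            run apt-get update && run apt-get install -y $pkgs
        else
            run dnf install -y $pkgs
        fi || return 1
    fi
    # Idempotent: a re-run in the same container must not fail on "user exists".
    id -u "$user" >/dev/null 2>&1 && return 0
    # Flags from the article. Assumption: where adduser is only an alias of
    # useradd (common on dnf-based images) they are rejected, so fall back.
    run adduser --disabled-password --gecos "" "$user" ||
        run useradd --create-home "$user"
}

# Non-root phase: returns the test command's exit status so the CI job fails
# when the tests fail.
ci_run() {
    user=$1; cmd=$2; pkgs=${3:-}
    uid=${CI_UID:-$(id -u)}          # CI_UID override exists for dry runs only
    if [ "$uid" -ne 0 ]; then
        # Already unprivileged (e.g. the image sets USER): nothing to drop.
        [ -z "$pkgs" ] || { echo "cannot install packages as uid $uid" >&2; return 2; }
        run sh -c "$cmd"
        return
    fi
    root_setup "$user" "$pkgs" || return 1
    run su "$user" -c "$cmd"
}

# Typical call from the CI job:  ci_run user ./run_all_tests "git make"
```

If the tests write into the checkout, the working directory must be writable by the new account, since anything root created there earlier in the job is owned by root.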