Shell-less containers

[wneirynck]

Currently the OCI container driver requires that /bin/sh is present in the image to execute the job along with the sidecar. This poses a problem for minimal images that do not provide this (like Kaniko). The OCI container instances currently have no way to create init containers, only simultaneously started containers. Possible solutions to this problem could be:

• Run these containers using another driver, like Kubernetes, that do allow init containers to prepare the workspace
• Don't support this and have the user use another (possibly derived) image that contains /bin/sh.
• Create a custom image at runtime (e.g. using buildah that adds the workspace files and then run this container.

All of the above require some intervention from the user, at the minimum by setting some flag to indicate to MonkeyCI that there is special treatment required. It is however possible to "inspect" image contents without executing it, to see if the shell executable is present. See this StackOverflow answer. This would at least allow us to avoid user intervention, at the cost of more complexity and performance.

[wneirynck]

Using buildah again requires privileged containers, or perhaps a lot of fiddling with permissions and setuid/setgid stuff. This could be possible if we set up some microservice whose responsability would be creating these custom containers.

[wneirynck]

Another possibility is to just allow this, but disallow the :script tag in that case. The build job could then only specify extra arguments to be passed to the container, along with any mounted files, but no custom scripts. In order to capture the output, we could still use the sidecar, and pipe the output to mounted files. This is similar to the script we're already using and it would make it possible to use shell-less containers without much hassle.

In other words, if the user specifies a :script, then we assume there is a /bin/sh executable present.

[wneirynck]

Using a build agent solves this problem. See #205